Project 1 [CLOSED]


  • This topic is locked

#1
BILLYwubba

    New Member

  • Member
  • 8 posts
Lately when I turn on my computer, it has been very slow (I'm running on 512 MB RAM). After opening the task manager I noticed a program, "Project 1", that I've never heard of. After ending the task, I ran Norton Internet Security 2006, and it didn't detect it.

Here is my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 11:44:24 PM, on 11/24/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\mHotkey.exe
C:\WINDOWS\System32\LXSUPMON.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\System32\hphmon04.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Ares\Ares.exe
C:\Program Files\aim\aim.exe
C:\Program Files\America Online 9.0\waol.exe
c:\program files\common files\aol\1130397530\ee\services\antiSpywareApp\ver2_0_7\AOLSP Scheduler.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\America Online 9.0\shellmon.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityrespo...page/index.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: AdCom - {D7950AB4-67F5-458e-A37D-9F2DE7F250AC} - C:\WINDOWS\System32\AdCom.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [VTPreset] VTPreset.exe
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\System32\PSof1.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
O4 - HKLM\..\Run: [testit.exe] C:\WINDOWS\System32\testit.exe
O4 - HKLM\..\Run: [mmxp2passion.exe] C:\WINDOWS\System32\mmxp2passion.exe
O4 - HKLM\..\Run: [cashfortool.exe] C:\WINDOWS\System32\cashfortool.exe
O4 - HKLM\..\Run: [adcomplusanalytic.exe] C:\WINDOWS\System32\adcomplusanalytic.exe
O4 - HKLM\..\Run: [cashplusmedia1.exe] C:\WINDOWS\System32\cashplusmedia1.exe
O4 - HKLM\..\Run: [mc-58-12-] C:\WINDOWS\System32\mc-58-12-
O4 - HKLM\..\Run: [Yunguyo.exe] C:\WINDOWS\System32\Yunguyo.exe
O4 - HKLM\..\Run: [w32S3qX] verrm.exe
O4 - HKLM\..\Run: [totiwuw] c:\windows\system32\drzvmo.exe r
O4 - HKLM\..\Run: [ToolbarInstall] C:\WINDOWS\876029.exe
O4 - HKLM\..\Run: [F ma] C:\windows\mrjj.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1130397530\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [uSot] C:\windows\mrjj.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\ykocrq.exe reg_run
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [System service79] C:\WINDOWS\etb\pokapoka79.exe
O4 - HKLM\..\Run: [System service69] C:\WINDOWS\etb\pokapoka69.exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [h0t2Rkb3V] vb6monui.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\aim\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Kqultxe] C:\WINDOWS\System32\??anregw.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\AOL.EXE" -b
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing)
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe (file missing)
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - C:\WINDOWS\System32\wuauclt.dll
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - C:\WINDOWS\System32\wuauclt.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {4AD73894-A895-4FC2-B233-299867E08753} (Cadwkzctl Object) - http://apps.deskwizz.../ax/adwerkz.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1132897353578
O16 - DPF: {886DDE35-E585-11D0-A707-000000521958} - http://69.56.176.76/webplugin.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-downlo....cab?refid=3160
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalci....1.11_en_dl.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe (file missing)
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


Thanks in advance for your help


#2
Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Hi Billywubba and welcome to the Geeks to Go Forums.

My name is Trevuren and I will be helping you with your log.


Your system is heavily infected. This cleanup may require a few posts.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.


STEP 1:

1. We want to stop, disable and delete an added service (O23)

A. To stop a service and set to 'disabled'
  • Go to Start > Run and type in Services.msc then click OK
  • Click the Extended tab.
  • Scroll down until you find the service.
    ===>System Startup Service
  • Click once on the service to highlight it.
  • Click Stop
  • Right-Click on the service.
  • Click on 'Properties'
  • Select the 'General' tab
  • Click the Arrow-down tab on the right-hand side on the 'Start-up Type' box
  • From the drop-down menu, click on 'Disabled'
  • Click the 'Apply' tab, then click 'OK'
The service is now stopped and disabled.


B. We will now delete the service:

1. Open HJT

2. Click on Config>>Misc Tools>>Delete an NT Service

3. Copy/Paste SvcProc in the space provided and click OK

4. The program will ask you to REBOOT --- Accept

5. REBOOT into SAFE MODE

6. Using Windows Explorer, locate and DELETE the following file (if it still is present):

C:\WINDOWS\svcproc.exe

7. REBOOT back into Normal Mode

======================================

Step 2:

Please download LQfix.exe and save it to your desktop.
  • Double-Click LQfix.exe and click Next > Next > Install.
  • Leave the default settings, if you change them, the fix will Fail!
  • Now make sure the "Launch LQfix" box is checked.
  • Click the Finish button, after clicking the Finish button the fix will start.
  • Follow the on-screen prompts.
  • Your system will now reboot afterwards.
  • Please be patient after the reboot, there is a script running in the background that needs to complete.
=======================================

Step 3:

1. I want you to download and run a free trial version of an anti-trojan program called Trojan Hunter. Let it scan your whole system and remove anything it finds.

REBOOT your system.

2. Please download WebRoot SpySweeper from HERE (It's a 2 week trial):
  • Click the Free Trial link under "SpySweeper" to download the program.
  • Install it. Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
  • Once the definitions are installed, click Options on the left side.
  • Click the Sweep Options tab.
  • Under What to Sweep please put a check next to the following:
    • Sweep Memory
    • Sweep Registry
    • Sweep Cookies
    • Sweep All User Accounts
    • Enable Direct Disk Sweeping
    • Sweep Contents of Compressed Files
    • Sweep for Rootkits
    • Please UNCHECK Do not Sweep System Restore Folder.
  • Click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply.
REBOOT your System.


3. Please follow the instructions provided, you may want to print out these instructions and use them as a reference.
  • Please download ewido security suite; it is a trial version of the program.
    • Install ewido security suite
    • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
    • Launch ewido, there should be an icon on your desktop double-click it.
    • The program will prompt you to update; click the OK button
    • The program will now go to the main screen
  • You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click update
    • Click on Start
    • The update will start and a progress bar will show the updates being installed.
  • Once the updates are installed do the following:
    • REBOOT into Safe Mode
    • Run EWIDO
    • Click on scanner
    • Click on Start Scan
    • Let the program scan the machine
    • While the scan is in progress you will be prompted to clean files, click OK
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
    • Click Save report
    • Save the report to your desktop
  • Reboot your machine and post back a new HJT log and the ewido .txt log as well as the log from SpySweeper you saved by using Add Reply
Regards,

Trevuren

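As an added illustration of how a helper reads a log like the one in post #1 (example code written for this page; it is not from the forum, from HijackThis or from any of the tools named above), the script below parses the R/O entry lines of an HJT log and flags the same kinds of items Trevuren singled out: an O23 service with no owner whose binary is missing, O4 Run entries launched from odd Windows sub-folders or without a path, Trusted Zone additions, an O16 ActiveX download from a bare IP, and a browser-helper DLL named after a Windows system binary. The sample log is constructed from lines in post #1; SYSTEM_BINARY_NAMES, EXPECTED_WINDOWS_DIRS and the reason strings are my own assumptions.

```python
"""Triage heuristics for HijackThis (HJT) v1.99 log entries.

Each R/O entry line is parsed and checked against a few signals a log helper
looks for; every hit is a candidate for human review, not a verdict.
"""
import re
from urllib.parse import urlparse

# Constructed sample: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [System service79] C:\WINDOWS\etb\pokapoka79.exe
O4 - HKLM\..\Run: [ToolbarInstall] C:\WINDOWS\876029.exe
O4 - HKLM\..\Run: [w32S3qX] verrm.exe
O4 - HKCU\..\Run: [Kqultxe] C:\WINDOWS\System32\??anregw.exe
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - C:\WINDOWS\System32\wuauclt.dll
O15 - Trusted Zone: *.media-motor.net
O16 - DPF: {886DDE35-E585-11D0-A707-000000521958} - http://69.56.176.76/webplugin.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
"""

ENTRY_RE = re.compile(r"^(?P<kind>R\d|O\d+) - (?P<body>.*)$")
# Picks the executable/library/archive path out of a command line that carries arguments.
PATH_RE = re.compile(r"(.*?\.(?:exe|dll|ocx|cab))(?=\s|$)", re.IGNORECASE)
# Assumed lists: Windows binary names that adware DLLs borrow, and the
# C:\WINDOWS sub-folders from which startup entries are normally expected.
SYSTEM_BINARY_NAMES = {"wuauclt", "svchost", "lsass", "csrss", "winlogon", "services"}
EXPECTED_WINDOWS_DIRS = {"system32", "system"}


def parse_entries(log_text):
    """Yield (kind, body) for every HJT entry line, skipping headers and process lists."""
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("kind"), m.group("body")


def target_of(body):
    """Return the file path or URL an entry points at, without quotes or arguments."""
    if body.startswith("HK"):                 # O4: HKLM\..\Run: [name] <command>
        target = body.split("] ", 1)[-1]
    else:                                     # O2/O9/O16/O23: ... - <clsid or vendor> - <path>
        target = body.split(" - ")[-1]
    target = target.replace("(file missing)", "").strip()
    if target.startswith('"'):
        return target[1:].split('"', 1)[0]
    m = PATH_RE.match(target)
    return m.group(1) if m else target


def triage(log_text):
    """Return a list of (kind, reason, body) tuples for entries worth a closer look."""
    findings = []
    for kind, body in parse_entries(log_text):
        target = target_of(body)
        lower = target.lower()
        basename = re.sub(r"\.[a-z0-9]+$", "", lower.rsplit("\\", 1)[-1])
        reasons = []
        if kind == "O23":
            if "(file missing)" in body:
                reasons.append("service binary missing")
            if "Unknown owner" in body:
                reasons.append("service has no vendor/owner")
        elif kind == "O4" and body.startswith("HK"):
            if "\\" not in target:
                reasons.append("bare filename, resolved via search path")
            elif "?" in target:
                reasons.append("path contains unprintable characters")
            elif lower.startswith("c:\\windows\\"):
                parts = lower[len("c:\\windows\\"):].split("\\")
                if len(parts) == 1 or parts[0] not in EXPECTED_WINDOWS_DIRS:
                    reasons.append("launched from Windows root or unusual sub-folder")
        elif kind in ("O2", "O9"):
            if lower.endswith(".dll") and basename in SYSTEM_BINARY_NAMES:
                reasons.append("DLL named after a Windows system binary")
        elif kind == "O15":
            reasons.append("site added to IE Trusted Zone")
        elif kind == "O16":
            host = urlparse(target).hostname or ""
            if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
                reasons.append("ActiveX download from a bare IP address")
        findings.extend((kind, reason, body) for reason in reasons)
    return findings


if __name__ == "__main__":
    for kind, reason, body in triage(SAMPLE_LOG):
        print(f"{kind}: {reason}\n    {body}")
```

The legitimate Symantec entries in the sample produce no findings, while the SvcProc service Trevuren removed in Step 1 is flagged twice.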

#3
BILLYwubba

    New Member

  • Topic Starter
  • Member
  • 8 posts
Thank you for the help, Trevuren! Since doing what you recommended, I've noticed a difference in the speed of my system.

Here are the logs you asked for:

HJT:

Logfile of HijackThis v1.99.1
Scan saved at 9:58:25 PM, on 11/25/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\mHotkey.exe
C:\WINDOWS\System32\LXSUPMON.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\System32\hphmon04.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Ares\Ares.exe
C:\Program Files\aim\aim.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
c:\program files\common files\aol\1130397530\ee\services\antiSpywareApp\ver2_0_7\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\hijack this\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityrespo...page/index.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing)
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [VTPreset] VTPreset.exe
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [cashfortool.exe] C:\WINDOWS\System32\cashfortool.exe
O4 - HKLM\..\Run: [Yunguyo.exe] C:\WINDOWS\System32\Yunguyo.exe
O4 - HKLM\..\Run: [w32S3qX] verrm.exe
O4 - HKLM\..\Run: [totiwuw] c:\windows\system32\drzvmo.exe r
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1130397530\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [System service79] C:\WINDOWS\etb\pokapoka79.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [System service69] C:\WINDOWS\\etb\pokapoka69.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\ykocrq.exe reg_run
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [h0t2Rkb3V] vb6monui.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\aim\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Kqultxe] C:\WINDOWS\System32\??anregw.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing)
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe (file missing)
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {4AD73894-A895-4FC2-B233-299867E08753} (Cadwkzctl Object) - http://apps.deskwizz.../ax/adwerkz.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1132897353578
O16 - DPF: {886DDE35-E585-11D0-A707-000000521958} - http://69.56.176.76/webplugin.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalci....1.11_en_dl.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe (file missing)
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Spy Sweeper:

********
8:12 PM: | Start of Session, Friday, November 25, 2005 |
8:12 PM: Spy Sweeper started
8:12 PM: Sweep initiated using definitions version 556
8:12 PM: Starting Memory Sweep
8:12 PM: Found Adware: adcom
8:12 PM: Detected running threat: C:\WINDOWS\System32\AdCom.dll (ID = 161617)
8:12 PM: The Spy Communication shield has blocked access to: dl.web-nexus.net
8:12 PM: The Spy Communication shield has blocked access to: dl.web-nexus.net
8:12 PM: The Spy Communication shield has blocked access to: dl.web-nexus.net
8:12 PM: The Spy Communication shield has blocked access to: dl.web-nexus.net
8:12 PM: The Spy Communication shield has blocked access to: dl.web-nexus.net
8:12 PM: The Spy Communication shield has blocked access to: dl.web-nexus.net
8:12 PM: The Spy Communication shield has blocked access to: dl.web-nexus.net
8:12 PM: The Spy Communication shield has blocked access to: dl.web-nexus.net
8:12 PM: Found Adware: clkoptimizer
8:12 PM: Detected running threat: C:\WINDOWS\system32\wuauclt.dll (ID = 150833)
8:13 PM: Found Adware: elitebar
8:13 PM: Detected running threat: C:\WINDOWS\etb\pokapoka69.exe (ID = 154478)
8:13 PM: HKLM\Software\Microsoft\Windows\CurrentVersion\Run || System service69 (ID = 0)
8:15 PM: Memory Sweep Complete, Elapsed Time: 00:03:02
8:15 PM: Starting Registry Sweep
8:15 PM: Found Adware: brilliant digital
8:15 PM: HKCR\appid\installman.exe\ (1 subtraces) (ID = 103451)
8:15 PM: Found Adware: altnet
8:15 PM: HKCR\appid\installman.exe\ (1 subtraces) (ID = 103451)
8:15 PM: HKCR\appid\{7dab5f7a-8c49-4538-a1c2-78d81fdf3f9b}\ (1 subtraces) (ID = 103452)
8:15 PM: HKCR\appid\{7dab5f7a-8c49-4538-a1c2-78d81fdf3f9b}\ (1 subtraces) (ID = 103452)
8:15 PM: HKCR\bdeinstallman3.bdeinstallman3\ (5 subtraces) (ID = 103455)
8:15 PM: HKCR\bdeinstallman3.bdeinstallman3\ (5 subtraces) (ID = 103455)
8:15 PM: HKCR\bdesmartinstaller25.bdesmartinstaller25\ (3 subtraces) (ID = 103457)
8:15 PM: HKCR\bdesmartinstaller25.bdesmartinstaller25\ (3 subtraces) (ID = 103457)
8:15 PM: HKCR\clsid\{3eec42b5-fb94-40d3-a588-bb54b383a7cb}\ (12 subtraces) (ID = 103459)
8:15 PM: HKCR\clsid\{3eec42b5-fb94-40d3-a588-bb54b383a7cb}\ (12 subtraces) (ID = 103459)
8:15 PM: HKCR\clsid\{8721f16d-cbf8-4ce5-b924-18d64e12e77e}\ (24 subtraces) (ID = 103463)
8:15 PM: HKCR\clsid\{8721f16d-cbf8-4ce5-b924-18d64e12e77e}\ (24 subtraces) (ID = 103463)
8:15 PM: HKCR\interface\{817b054a-de21-44e2-b2d5-b7bdd3f26a42}\ (8 subtraces) (ID = 103470)
8:15 PM: HKCR\interface\{817b054a-de21-44e2-b2d5-b7bdd3f26a42}\ (8 subtraces) (ID = 103470)
8:15 PM: HKCR\interface\{67925164-c4b6-11d2-b9c6-0000e84f59a6}\ (8 subtraces) (ID = 103471)
8:15 PM: HKCR\interface\{67925164-c4b6-11d2-b9c6-0000e84f59a6}\ (8 subtraces) (ID = 103471)
8:15 PM: HKCR\interface\{baf2d92f-b610-4ba1-86d0-464d26ddca69}\ (8 subtraces) (ID = 103473)
8:15 PM: HKCR\interface\{baf2d92f-b610-4ba1-86d0-464d26ddca69}\ (8 subtraces) (ID = 103473)
8:15 PM: HKCR\interface\{f2ac7a7b-dffe-4036-8561-54c88efe544a}\ (8 subtraces) (ID = 103475)
8:15 PM: HKCR\interface\{f2ac7a7b-dffe-4036-8561-54c88efe544a}\ (8 subtraces) (ID = 103475)
8:15 PM: HKLM\software\classes\typelib\{5fbf618a-82cc-4e96-bc3d-c91c48e94b3e}\ (9 subtraces) (ID = 103498)
8:15 PM: HKLM\software\classes\typelib\{74cda0ec-917b-4330-9702-6d4796d2d5ef}\ (9 subtraces) (ID = 103501)
8:15 PM: HKCR\typelib\{5fbf618a-82cc-4e96-bc3d-c91c48e94b3e}\ (9 subtraces) (ID = 103532)
8:15 PM: HKCR\typelib\{5fbf618a-82cc-4e96-bc3d-c91c48e94b3e}\ (9 subtraces) (ID = 103532)
8:15 PM: HKCR\typelib\{74cda0ec-917b-4330-9702-6d4796d2d5ef}\ (9 subtraces) (ID = 103533)
8:15 PM: HKCR\typelib\{74cda0ec-917b-4330-9702-6d4796d2d5ef}\ (9 subtraces) (ID = 103533)
8:15 PM: HKCR\typelib\{82fc7881-aacc-11d2-b9c6-0000e842e40a}\ (9 subtraces) (ID = 103534)
8:15 PM: HKCR\typelib\{82fc7881-aacc-11d2-b9c6-0000e842e40a}\ (9 subtraces) (ID = 103534)
8:15 PM: Found Adware: apropos
8:15 PM: HKLM\software\aprps\ (ID = 103741)
8:15 PM: Found Adware: begin2search
8:15 PM: HKCR\interface\{6b882c34-a832-4f5b-bef1-7e198be3f094}\ (8 subtraces) (ID = 104124)
8:15 PM: HKCR\interface\{9b6b4031-1d6d-4c65-acba-021916853822}\ (8 subtraces) (ID = 104126)
8:15 PM: HKCR\interface\{9ff60a27-0c0c-4a6a-a15f-b21b644d67bb}\ (8 subtraces) (ID = 104127)
8:15 PM: HKCR\interface\{15d53b86-e055-43b1-bbee-a91a0f37bd2a}\ (8 subtraces) (ID = 104128)
8:15 PM: HKCR\interface\{f3c41c1d-22f1-4692-8a7a-88de70a2e9e2}\ (8 subtraces) (ID = 104139)
8:15 PM: HKCR\interface\{fa6fa7a5-2c49-4567-ba74-6dd1c36099ee}\ (8 subtraces) (ID = 104141)
8:15 PM: HKLM\software\classes\interface\{6b882c34-a832-4f5b-bef1-7e198be3f094}\ (8 subtraces) (ID = 104174)
8:15 PM: HKLM\software\classes\interface\{9b6b4031-1d6d-4c65-acba-021916853822}\ (8 subtraces) (ID = 104176)
8:15 PM: HKLM\software\classes\interface\{9ff60a27-0c0c-4a6a-a15f-b21b644d67bb}\ (8 subtraces) (ID = 104177)
8:15 PM: HKLM\software\classes\interface\{15d53b86-e055-43b1-bbee-a91a0f37bd2a}\ (8 subtraces) (ID = 104178)
8:15 PM: HKLM\software\classes\interface\{f3c41c1d-22f1-4692-8a7a-88de70a2e9e2}\ (8 subtraces) (ID = 104189)
8:15 PM: HKLM\software\classes\interface\{fa6fa7a5-2c49-4567-ba74-6dd1c36099ee}\ (8 subtraces) (ID = 104191)
8:15 PM: HKLM\software\classes\typelib\{bf56be6a-0aea-45f3-8b10-7312876584a8}\ (9 subtraces) (ID = 104195)
8:15 PM: Found Adware: hotsearchbar toolbar
8:15 PM: HKLM\software\classes\typelib\{bf56be6a-0aea-45f3-8b10-7312876584a8}\ (9 subtraces) (ID = 104195)
8:15 PM: HKCR\typelib\{bf56be6a-0aea-45f3-8b10-7312876584a8}\ (9 subtraces) (ID = 104238)
8:15 PM: HKCR\typelib\{bf56be6a-0aea-45f3-8b10-7312876584a8}\ (9 subtraces) (ID = 104238)
8:15 PM: Found Adware: bookedspace
8:15 PM: HKLM\software\configuration manager\cfgmgr52\ (176 subtraces) (ID = 104873)
8:15 PM: HKCR\.b3dini\ (1 subtraces) (ID = 104923)
8:15 PM: HKCR\.s3d\ (1 subtraces) (ID = 104924)
8:15 PM: HKCR\b3d_auto_file\ (8 subtraces) (ID = 104925)
8:15 PM: HKCR\b3d_auto_file\ (8 subtraces) (ID = 104926)
8:15 PM: HKCR\b3dini_auto_file\ (8 subtraces) (ID = 104927)
8:15 PM: HKCR\b3dini_auto_file\ (8 subtraces) (ID = 104928)
8:15 PM: HKCR\bdeinstallman3.bdeinstallman3.1\ (3 subtraces) (ID = 104932)
8:15 PM: HKCR\bdeplayer.bdeplayerctrl.1\ (3 subtraces) (ID = 104933)
8:15 PM: HKCR\bdeplayer.bdeplayerctrl\ (5 subtraces) (ID = 104934)
8:15 PM: HKCR\bdeplayer.bdeplayerctrl\ (5 subtraces) (ID = 104935)
8:15 PM: HKCR\bdesmartinstaller25.bdesmartinstaller25.1\ (3 subtraces) (ID = 104938)
8:15 PM: HKCR\bdesmartinstaller3.bdesmartinstaller3.1\ (3 subtraces) (ID = 104939)
8:15 PM: HKCR\bdesmartinstaller3.bdesmartinstaller3\ (3 subtraces) (ID = 104940)
8:15 PM: HKCR\clsid\{51958169-d5e3-11d1-aa42-0000e842e40a}\ (24 subtraces) (ID = 104943)
8:15 PM: HKCR\clsid\{51958169-d5e3-11d1-aa42-0000e842e40a}\versionindependentprogid\ (1 subtraces) (ID = 104944)
8:15 PM: HKCR\clsid\{51958169-d5e3-11d1-aa42-0000e842e40a}\ (24 subtraces) (ID = 104945)
8:15 PM: HKCR\clsid\{5aaa506a-ceb1-441a-9f05-43fae6b8a495}\ (12 subtraces) (ID = 104946)
8:15 PM: HKCR\interface\{51958167-d5e3-11d1-aa42-0000e842e40a}\ (8 subtraces) (ID = 104949)
8:15 PM: HKCR\interface\{51958168-d5e3-11d1-aa42-0000e842e40a}\ (8 subtraces) (ID = 104950)
8:15 PM: HKCR\s3d_auto_file\ (8 subtraces) (ID = 104953)
8:15 PM: HKLM\software\classes\.s3d\ (1 subtraces) (ID = 104956)
8:15 PM: HKLM\software\classes\b3d_auto_file\ (8 subtraces) (ID = 104957)
8:15 PM: HKLM\software\classes\b3dini_auto_file\ (8 subtraces) (ID = 104958)
8:15 PM: HKLM\software\classes\bdeplayer.bdeplayerctrl\ (5 subtraces) (ID = 104959)
8:15 PM: HKLM\software\classes\bdesmartinstaller25.bdesmartinstaller25\ (3 subtraces) (ID = 104962)
8:15 PM: HKLM\software\classes\clsid\{3eec42b5-fb94-40d3-a588-bb54b383a7cb}\ (12 subtraces) (ID = 104963)
8:15 PM: HKLM\software\classes\clsid\{51958169-d5e3-11d1-aa42-0000e842e40a}\ (24 subtraces) (ID = 104964)
8:15 PM: HKLM\software\classes\interface\{51958167-d5e3-11d1-aa42-0000e842e40a}\ (8 subtraces) (ID = 104966)
8:15 PM: HKLM\software\classes\interface\{67925164-c4b6-11d2-b9c6-0000e84f59a6}\ (8 subtraces) (ID = 104967)
8:15 PM: HKLM\software\classes\s3d_auto_file\ (8 subtraces) (ID = 104970)
8:15 PM: HKLM\software\classes\typelib\{51958166-d5e3-11d1-aa42-0000e842e40a}\ (9 subtraces) (ID = 104971)
8:15 PM: HKLM\software\classes\typelib\{82fc7881-aacc-11d2-b9c6-0000e842e40a}\ (9 subtraces) (ID = 104972)
8:15 PM: HKLM\software\microsoft\windows\currentversion\uninstall\bdeplayer\ (2 subtraces) (ID = 104974)
8:15 PM: HKCR\typelib\{51958166-d5e3-11d1-aa42-0000e842e40a}\ (9 subtraces) (ID = 104975)
8:15 PM: Found Adware: cas
8:15 PM: HKCR\typelib\{d4c89c18-b4f3-46a9-8800-e9e7a55afbd9}\ (ID = 105366)
8:15 PM: HKLM\software\classes\typelib\{d4c89c18-b4f3-46a9-8800-e9e7a55afbd9}\ (ID = 105369)
8:15 PM: HKCR\clsid\{6ec11407-5b2e-4e25-8bdf-77445b52ab37}\ (6 subtraces) (ID = 105953)
8:15 PM: HKCR\folder\shellex\columnhandlers\{6ec11407-5b2e-4e25-8bdf-77445b52ab37}\ (1 subtraces) (ID = 106021)
8:15 PM: HKLM\software\classes\clsid\{6ec11407-5b2e-4e25-8bdf-77445b52ab37}\ (6 subtraces) (ID = 106049)
8:15 PM: HKLM\software\classes\folder\shellex\columnhandlers\{6ec11407-5b2e-4e25-8bdf-77445b52ab37}\ (1 subtraces) (ID = 106116)
8:15 PM: Found Adware: delfin
8:15 PM: HKLM\software\delfin\ (4 subtraces) (ID = 124849)
8:15 PM: HKLM\software\delfin\promulgate\ (3 subtraces) (ID = 124850)
8:15 PM: HKLM\software\microsoft\windows\currentversion\app management\arpcache\delfin media viewer\ (2 subtraces) (ID = 124859)
8:15 PM: HKLM\software\microsoft\windows\currentversion\internet settings\user agent\post platform\ || iebar (ID = 125752)
8:15 PM: Found Adware: ieplugin
8:15 PM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\wupdt.exe (ID = 128196)
8:15 PM: Found Adware: drsnsrch.com hijack
8:15 PM: HKLM\software\microsoft\internet explorer\main\ || search bar (ID = 128208)
8:15 PM: Found Adware: mirar webband
8:15 PM: HKLM\software\microsoft\windows\currentversion\run\ || toolbarinstall (ID = 135113)
8:15 PM: HKLM\software\relatedpageinstall\ (1 subtraces) (ID = 135120)
8:15 PM: Found Adware: networkessentials
8:15 PM: HKCR\interface\{4438a5dc-e00b-41a0-b0e6-b63fd3b86eee}\ (8 subtraces) (ID = 136074)
8:15 PM: HKCR\mp.mediapops.1\ (3 subtraces) (ID = 136079)
8:15 PM: HKCR\mp.mediapops\ (5 subtraces) (ID = 136080)
8:15 PM: HKLM\software\classes\interface\{4438a5dc-e00b-41a0-b0e6-b63fd3b86eee}\ (8 subtraces) (ID = 136147)
8:15 PM: HKLM\software\classes\mp.mediapops\ (5 subtraces) (ID = 136152)
8:15 PM: HKLM\software\classes\typelib\{4767c447-ef15-42f2-8809-68adb7fa76f1}\ (9 subtraces) (ID = 136154)
8:15 PM: HKCR\typelib\{4767c447-ef15-42f2-8809-68adb7fa76f1}\ (9 subtraces) (ID = 136181)
8:15 PM: Found Trojan Horse: trojan-downloader-pacisoft
8:15 PM: HKLM\software\microsoft\windows\currentversion\run\ || psof1 (ID = 136526)
8:15 PM: Found Adware: purityscan
8:15 PM: HKCR\interface\{3517fb25-305d-4012-b531-186e3851e7ed}\ (8 subtraces) (ID = 137348)
8:15 PM: HKCR\interface\{4781daa6-4de5-47a1-b02a-945f0d017a9e}\ (8 subtraces) (ID = 137349)
8:15 PM: HKLM\software\classes\interface\{3517fb25-305d-4012-b531-186e3851e7ed}\ (8 subtraces) (ID = 137678)
8:15 PM: HKLM\software\classes\interface\{4781daa6-4de5-47a1-b02a-945f0d017a9e}\ (8 subtraces) (ID = 137679)
8:15 PM: HKLM\software\classes\interface\{4781daa6-4de5-47a1-b02a-945f0d017a9e}\typelib\ (2 subtraces) (ID = 137680)
8:15 PM: HKLM\software\classes\typelib\{5530d356-0063-41b9-b20d-e9d799e8d907}\ (9 subtraces) (ID = 137687)
8:15 PM: HKLM\software\microsoft\code store database\distribution units\{9eb320ce-be1d-4304-a081-4b4665414bef}\ (14 subtraces) (ID = 137704)
8:15 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/mediaticketsinstaller.ocx\ (2 subtraces) (ID = 137986)
8:15 PM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\mediaticketsinstaller.ocx (ID = 139077)
8:15 PM: HKLM\software\microsoft\windows\currentversion\uninstall\mediatickets\ (12 subtraces) (ID = 139080)
8:15 PM: HKCR\typelib\{5530d356-0063-41b9-b20d-e9d799e8d907}\ (9 subtraces) (ID = 139091)
8:15 PM: Found Adware: media-motor
8:15 PM: HKLM\software\mm\ (1 subtraces) (ID = 140211)
8:15 PM: Found Trojan Horse: topconverting downloader
8:15 PM: HKCR\interface\{4fe82ba0-9335-4d4e-8e98-76409a88f2c1}\ (8 subtraces) (ID = 143794)
8:15 PM: HKCR\interface\{ace5b10b-92a3-4103-8583-3684bb09409f}\ (8 subtraces) (ID = 143795)
8:15 PM: HKLM\software\classes\interface\{4fe82ba0-9335-4d4e-8e98-76409a88f2c1}\ (8 subtraces) (ID = 143801)
8:15 PM: HKLM\software\classes\interface\{ace5b10b-92a3-4103-8583-3684bb09409f}\ (8 subtraces) (ID = 143802)
8:15 PM: HKLM\software\classes\typelib\{487e7682-b976-41fb-a944-e8b83689a454}\ (9 subtraces) (ID = 143806)
8:15 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/website.ocx\ (2 subtraces) (ID = 143817)
8:15 PM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\website.ocx (ID = 143831)
8:15 PM: HKCR\typelib\{487e7682-b976-41fb-a944-e8b83689a454}\ (9 subtraces) (ID = 143836)
8:15 PM: Found Trojan Horse: trojan-downloader-topinstalls
8:15 PM: HKLM\software\microsoft\windows\currentversion\run\ || wintask driver (ID = 144815)
8:15 PM: Found Adware: weirdontheweb
8:15 PM: HKLM\software\weirdontheweb\ (18 subtraces) (ID = 146595)
8:15 PM: HKLM\software\weirdontheweb\ || guid (ID = 146596)
8:15 PM: HKLM\software\weirdontheweb\ || installtime (ID = 146597)
8:15 PM: HKLM\software\weirdontheweb\ || provider (ID = 146598)
8:15 PM: HKLM\software\weirdontheweb\config\ (11 subtraces) (ID = 146599)
8:15 PM: HKLM\software\weirdontheweb\update\ (2 subtraces) (ID = 146600)
8:15 PM: Found Adware: rich editor
8:15 PM: HKLM\software\riched\ (19 subtraces) (ID = 373158)
8:15 PM: Found Adware: drsnsrch hijacker
8:15 PM: HKCR\dsrch.band\ (5 subtraces) (ID = 509134)
8:15 PM: HKCR\dsrch.bottomframe\ (5 subtraces) (ID = 509135)
8:15 PM: HKCR\dsrch.leftframe\ (5 subtraces) (ID = 509136)
8:15 PM: HKCR\dsrch.popupbrowser\ (5 subtraces) (ID = 509137)
8:15 PM: HKCR\dsrch.popupwindow\ (5 subtraces) (ID = 509138)
8:15 PM: HKCR\clsid\{8b51fc2f-c687-40a3-b54a-bb9ebf8d407f}\ (11 subtraces) (ID = 509139)
8:15 PM: HKCR\clsid\{ce27d4df-714b-4427-95eb-923fe53adf8e}\ (13 subtraces) (ID = 509140)
8:15 PM: HKCR\clsid\{e2d2fe40-5674-4b77-802b-ec86b6c2c41d}\ (13 subtraces) (ID = 509141)
8:15 PM: HKCR\clsid\{e311d3a5-4a3b-4e49-9e0a-b40fae1f0b28}\ (11 subtraces) (ID = 509142)
8:15 PM: HKCR\typelib\{8f73ac0f-5769-4282-8762-b396a3bff377}\ (9 subtraces) (ID = 509153)
8:15 PM: HKLM\software\classes\dsrch.band\ (5 subtraces) (ID = 509171)
8:15 PM: HKLM\software\classes\dsrch.leftframe\ (5 subtraces) (ID = 509179)
8:15 PM: HKLM\software\classes\dsrch.popupbrowser\ (5 subtraces) (ID = 509185)
8:15 PM: HKLM\software\classes\dsrch.popupwindow\ (5 subtraces) (ID = 509191)
8:15 PM: HKLM\software\classes\clsid\{8b51fc2f-c687-40a3-b54a-bb9ebf8d407f}\ (11 subtraces) (ID = 509198)
8:15 PM: HKLM\software\classes\clsid\{ce27d4df-714b-4427-95eb-923fe53adf8e}\ (13 subtraces) (ID = 509210)
8:15 PM: HKLM\software\classes\clsid\{e2d2fe40-5674-4b77-802b-ec86b6c2c41d}\ (13 subtraces) (ID = 509224)
8:15 PM: HKLM\software\classes\clsid\{e311d3a5-4a3b-4e49-9e0a-b40fae1f0b28}\ (11 subtraces) (ID = 509238)
8:15 PM: HKCR\dsrch.band\clsid\ (1 subtraces) (ID = 509361)
8:15 PM: HKCR\dsrch.band\curver\ (1 subtraces) (ID = 509362)
8:15 PM: HKCR\dsrch.bottomframe\clsid\ (1 subtraces) (ID = 509363)
8:15 PM: HKCR\dsrch.bottomframe\curver\ (1 subtraces) (ID = 509364)
8:15 PM: HKCR\dsrch.leftframe\clsid\ (1 subtraces) (ID = 509365)
8:15 PM: HKCR\dsrch.leftframe\curver\ (1 subtraces) (ID = 509366)
8:15 PM: HKCR\dsrch.popupbrowser\clsid\ (1 subtraces) (ID = 509367)
8:15 PM: HKCR\dsrch.popupbrowser\curver\ (1 subtraces) (ID = 509368)
8:15 PM: HKCR\dsrch.popupwindow\clsid\ (1 subtraces) (ID = 509369)
8:15 PM: HKCR\dsrch.popupwindow\curver\ (1 subtraces) (ID = 509370)
8:15 PM: HKCR\dsrch.band.1\ (3 subtraces) (ID = 512692)
8:15 PM: HKCR\dsrch.bottomframe.1\ (3 subtraces) (ID = 512699)
8:15 PM: HKCR\dsrch.leftframe.1\ (3 subtraces) (ID = 512706)
8:15 PM: HKCR\dsrch.popupbrowser.1\ (3 subtraces) (ID = 512713)
8:15 PM: HKCR\dsrch.popupwindow.1\ (3 subtraces) (ID = 512720)
8:15 PM: HKCR\clsid\{00f1d395-4744-40f0-a611-980f61ae2c59}\ (11 subtraces) (ID = 512747)
8:15 PM: HKLM\software\classes\dsrch.band.1\ (3 subtraces) (ID = 513072)
8:15 PM: HKLM\software\classes\dsrch.bottomframe.1\ (3 subtraces) (ID = 513076)
8:15 PM: HKLM\software\classes\dsrch.leftframe.1\ (3 subtraces) (ID = 513080)
8:15 PM: HKLM\software\classes\dsrch.popupbrowser.1\ (3 subtraces) (ID = 513084)
8:15 PM: HKLM\software\classes\dsrch.popupwindow.1\ (3 subtraces) (ID = 513088)
8:15 PM: HKLM\software\classes\clsid\{00f1d395-4744-40f0-a611-980f61ae2c59}\ (11 subtraces) (ID = 513114)
8:15 PM: HKLM\software\microsoft\windows\currentversion\run\ || winsync (ID = 601545)
8:15 PM: HKLM\software\classes\dsrch.bottomframe\ (5 subtraces) (ID = 646382)
8:15 PM: HKLM\software\classes\typelib\{8f73ac0f-5769-4282-8762-b396a3bff377}\ (9 subtraces) (ID = 646384)
8:15 PM: Found Adware: abetterinternet
8:15 PM: HKLM\software\microsoft\windows\currentversion\uninstall\bsto-1\ (7 subtraces) (ID = 746835)
8:15 PM: Found Adware: winad
8:15 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/mediagatewayx.dll\ (1 subtraces) (ID = 763026)
8:15 PM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\mediagatewayx.dll (ID = 763028)
8:15 PM: HKLM\software\qstat\ (5 subtraces) (ID = 769771)
8:15 PM: HKLM\software\microsoft\windows\currentversion\run\ || mmxp2passion.exe (ID = 795590)
8:15 PM: HKLM\software\microsoft\windows\currentversion\run\ || system service69 (ID = 813596)
8:15 PM: HKCR\adcom.adcom\ (5 subtraces) (ID = 861148)
8:15 PM: HKCR\adcom.adcom\clsid\ (1 subtraces) (ID = 861150)
8:15 PM: HKCR\adcom.adcom\curver\ (1 subtraces) (ID = 861152)
8:15 PM: HKCR\adcom.adcom.1\ (3 subtraces) (ID = 861154)
8:15 PM: HKCR\adcom.adcom.1\clsid\ (1 subtraces) (ID = 861156)
8:15 PM: HKCR\adcom.pubdoceventhandler\ (5 subtraces) (ID = 861158)
8:15 PM: HKCR\adcom.pubdoceventhandler\clsid\ (1 subtraces) (ID = 861160)
8:15 PM: HKCR\adcom.pubdoceventhandler\curver\ (1 subtraces) (ID = 861162)
8:15 PM: HKCR\adcom.pubdoceventhandler.1\ (3 subtraces) (ID = 861164)
8:15 PM: HKCR\adcom.pubdoceventhandler.1\clsid\ (1 subtraces) (ID = 861166)
8:15 PM: HKCR\adcomtech.popupblocker.toolsmenu\ (5 subtraces) (ID = 861168)
8:15 PM: HKCR\adcomtech.popupblocker.toolsmenu\clsid\ (1 subtraces) (ID = 861170)
8:15 PM: HKCR\adcomtech.popupblocker.toolsmenu\curver\ (1 subtraces) (ID = 861172)
8:15 PM: HKCR\adcomtech.popupblocker.toolsmenu.1\ (3 subtraces) (ID = 861174)
8:15 PM: HKCR\adcomtech.popupblocker.toolsmenu.1\clsid\ (1 subtraces) (ID = 861176)
8:15 PM: HKCR\adcomtech.pubdomextender\ (5 subtraces) (ID = 861178)
8:15 PM: HKCR\adcomtech.pubdomextender\clsid\ (1 subtraces) (ID = 861180)
8:15 PM: HKCR\adcomtech.pubdomextender\curver\ (1 subtraces) (ID = 861182)
8:15 PM: HKCR\adcomtech.pubdomextender.1\ (3 subtraces) (ID = 861184)
8:15 PM: HKCR\adcomtech.pubdomextender.1\clsid\ (1 subtraces) (ID = 861186)
8:15 PM: HKCR\adcomtech.pubwindoweventhandler\ (5 subtraces) (ID = 861188)
8:15 PM: HKCR\adcomtech.pubwindoweventhandler\clsid\ (1 subtraces) (ID = 861190)
8:15 PM: HKCR\adcomtech.pubwindoweventhandler\curver\ (1 subtraces) (ID = 861192)
8:15 PM: HKCR\adcomtech.pubwindoweventhandler.1\ (3 subtraces) (ID = 861194)
8:15 PM: HKCR\adcomtech.pubwindoweventhandler.1\clsid\ (1 subtraces) (ID = 861196)
8:15 PM: HKCR\appid\adcom.dll\ (1 subtraces) (ID = 861200)
8:15 PM: HKCR\appid\{4bc6bfc2-7da8-4d76-bf62-a4843344ac86}\ (1 subtraces) (ID = 861202)
8:15 PM: HKCR\clsid\{83ec9074-6cba-43e8-b7e0-6a3809c4a958}\ (12 subtraces) (ID = 861285)
8:15 PM: HKCR\clsid\{93f764ac-24d1-484f-92ea-3c84e31cdf72}\ (12 subtraces) (ID = 861315)
8:15 PM: HKCR\clsid\{d360501e-dc73-4de6-a61c-21925aed7835}\ (12 subtraces) (ID = 861344)
8:15 PM: HKCR\clsid\{d7950ab4-67f5-458e-a37d-9f2de7f250ac}\ (12 subtraces) (ID = 861364)
8:15 PM: HKCR\clsid\{f9668ada-fc6b-47f4-8381-de861dba5115}\ (12 subtraces) (ID = 861407)
8:15 PM: HKCR\typelib\{4bc6bfc2-7da8-4d76-bf62-a4843344ac86}\ (9 subtraces) (ID = 861421)
8:15 PM: HKLM\software\microsoft\windows\currentversion\run\ || adcomplusanalytic.exe (ID = 861470)
8:15 PM: HKLM\software\microsoft\windows\currentversion\run\ || mc-58-12- (ID = 861471)
8:15 PM: HKLM\software\classes\adcom.adcom\ (5 subtraces) (ID = 861487)
8:15 PM: HKLM\software\classes\adcom.adcom\clsid\ (1 subtraces) (ID = 861489)
8:15 PM: HKLM\software\classes\adcom.adcom.1\ (3 subtraces) (ID = 861493)
8:15 PM: HKLM\software\classes\adcom.adcom.1\clsid\ (1 subtraces) (ID = 861495)
8:15 PM: HKLM\software\classes\adcom.pubdoceventhandler\ (5 subtraces) (ID = 861497)
8:15 PM: HKLM\software\classes\adcom.pubdoceventhandler\clsid\ (1 subtraces) (ID = 861499)
8:15 PM: HKLM\software\classes\adcom.pubdoceventhandler\curver\ (1 subtraces) (ID = 861501)
8:15 PM: HKLM\software\classes\adcom.pubdoceventhandler.1\ (3 subtraces) (ID = 861503)
8:15 PM: HKLM\software\classes\adcom.pubdoceventhandler.1\clsid\ (1 subtraces) (ID = 861505)
8:15 PM: HKLM\software\classes\adcomtech.popupblocker.toolsmenu\ (5 subtraces) (ID = 861507)
8:15 PM: HKLM\software\classes\adcomtech.popupblocker.toolsmenu\clsid\ (1 subtraces) (ID = 861509)
8:15 PM: HKLM\software\classes\adcomtech.popupblocker.toolsmenu.1\ (3 subtraces) (ID = 861513)
8:15 PM: HKLM\software\classes\adcomtech.popupblocker.toolsmenu.1\clsid\ (1 subtraces) (ID = 861515)
8:15 PM: HKLM\software\classes\adcomtech.pubdomextender\ (5 subtraces) (ID = 861517)
8:15 PM: HKLM\software\classes\adcomtech.pubdomextender\clsid\ (1 subtraces) (ID = 861519)
8:15 PM: HKLM\software\classes\adcomtech.pubdomextender\curver\ (1 subtraces) (ID = 861521)
8:15 PM: HKLM\software\classes\adcomtech.pubdomextender.1\ (3 subtraces) (ID = 861523)
8:15 PM: HKLM\software\classes\adcomtech.pubdomextender.1\clsid\ (1 subtraces) (ID = 861525)
8:15 PM: HKLM\software\classes\adcomtech.pubwindoweventhandler\ (5 subtraces) (ID = 861527)
8:15 PM: HKLM\software\classes\adcomtech.pubwindoweventhandler\clsid\ (1 subtraces) (ID = 861529)
8:15 PM: HKLM\software\classes\adcomtech.pubwindoweventhandler\curver\ (1 subtraces) (ID = 861531)
8:15 PM: HKLM\software\classes\adcomtech.pubwindoweventhandler.1\ (3 subtraces) (ID = 861533)
8:15 PM: HKLM\software\classes\adcomtech.pubwindoweventhandler.1\clsid\ (1 subtraces) (ID = 861535)
8:15 PM: HKLM\software\classes\appid\adcom.dll\ (1 subtraces) (ID = 861539)
8:15 PM: HKLM\software\classes\appid\{4bc6bfc2-7da8-4d76-bf62-a4843344ac86}\ (1 subtraces) (ID = 861541)
8:15 PM: HKLM\software\classes\clsid\{83ec9074-6cba-43e8-b7e0-6a3809c4a958}\ (12 subtraces) (ID = 861629)
8:15 PM: HKLM\software\classes\clsid\{93f764ac-24d1-484f-92ea-3c84e31cdf72}\ (12 subtraces) (ID = 861659)
8:15 PM: HKLM\software\classes\clsid\{d360501e-dc73-4de6-a61c-21925aed7835}\ (12 subtraces) (ID = 861688)
8:15 PM: HKLM\software\classes\clsid\{d7950ab4-67f5-458e-a37d-9f2de7f250ac}\ (12 subtraces) (ID = 861708)
8:15 PM: HKLM\software\classes\clsid\{f9668ada-fc6b-47f4-8381-de861dba5115}\ (12 subtraces) (ID = 861751)
8:15 PM: HKLM\software\classes\typelib\{4bc6bfc2-7da8-4d76-bf62-a4843344ac86}\ (9 subtraces) (ID = 861765)
8:15 PM: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{d7950ab4-67f5-458e-a37d-9f2de7f250ac}\ (1 subtraces) (ID = 861804)
8:15 PM: HKLM\software\qstat\ || brr (ID = 877670)
8:15 PM: Found Adware: downloadware
8:15 PM: HKU\WRSS_Profile_S-1-5-21-156640315-3615762775-2885428501-501\software\downloadware\ (6 subtraces) (ID = 125353)
8:15 PM: HKU\WRSS_Profile_S-1-5-21-156640315-3615762775-2885428501-501\software\downloadware\ (6 subtraces) (ID = 775210)
8:15 PM: HKU\WRSS_Profile_S-1-5-21-156640315-3615762775-2885428501-500\software\aurora\ (18 subtraces) (ID = 360174)
8:16 PM: HKU\S-1-5-21-156640315-3615762775-2885428501-1003\software\aprps\ (7 subtraces) (ID = 103740)
8:16 PM: HKU\S-1-5-21-156640315-3615762775-2885428501-1003\software\delfin\ (4 subtraces) (ID = 124848)
8:16 PM: HKU\S-1-5-21-156640315-3615762775-2885428501-1003\software\microsoft\internet explorer\searchurl\ (ID = 128212)
8:16 PM: Found Adware: ist software
8:16 PM: HKU\S-1-5-21-156640315-3615762775-2885428501-1003\software\ist\ (3 subtraces) (ID = 129108)
8:16 PM: HKU\S-1-5-21-156640315-3615762775-2885428501-1003\software\dsrch\ (11 subtraces) (ID = 509156)
8:16 PM: HKU\S-1-5-21-156640315-3615762775-2885428501-1003\software\adcom\ (3 subtraces) (ID = 861431)
8:16 PM: HKU\S-1-5-21-156640315-3615762775-2885428501-1003\software\apd123\ (ID = 861435)
8:16 PM: Found Adware: lopdotcom
8:16 PM: HKU\S-1-5-18\software\microsoft\windows\currentversion\run\ || usrr (ID = 131890)
8:16 PM: HKU\S-1-5-18\software\aurora\ (1 subtraces) (ID = 360174)
8:16 PM: HKU\S-1-5-18\software\adcom\ (3 subtraces) (ID = 861431)
8:16 PM: Registry Sweep Complete, Elapsed Time:00:00:29
8:16 PM: Starting Cookie Sweep
8:16 PM: Found Spy Cookie: 2o7.net cookie
8:16 PM: owner@2o7[2].txt (ID = 1957)
8:16 PM: Found Spy Cookie: yieldmanager cookie
8:16 PM: owner@ad.yieldmanager[2].txt (ID = 3751)
8:16 PM: Found Spy Cookie: adknowledge cookie
8:16 PM: owner@adknowledge[2].txt (ID = 2072)
8:16 PM: Found Spy Cookie: adlegend cookie
8:16 PM: owner@adlegend[1].txt (ID = 2074)
8:16 PM: Found Spy Cookie: hbmediapro cookie
8:16 PM: owner@adopt.hbmediapro[2].txt (ID = 2768)
8:16 PM: Found Spy Cookie: specificclick.com cookie
8:16 PM: owner@adopt.specificclick[2].txt (ID = 3400)
8:16 PM: Found Spy Cookie: adprofile cookie
8:16 PM: owner@adprofile[2].txt (ID = 2084)
8:16 PM: Found Spy Cookie: adrevolver cookie
8:16 PM: owner@adrevolver[1].txt (ID = 2088)
8:16 PM: owner@adrevolver[2].txt (ID = 2088)
8:16 PM: Found Spy Cookie: addynamix cookie
8:16 PM: owner@ads.addynamix[2].txt (ID = 2062)
8:16 PM: Found Spy Cookie: advertising cookie
8:16 PM: owner@advertising[2].txt (ID = 2175)
8:16 PM: Found Spy Cookie: falkag cookie
8:16 PM: owner@as-us.falkag[2].txt (ID = 2650)
8:16 PM: owner@as1.falkag[2].txt (ID = 2650)
8:16 PM: Found Spy Cookie: ask cookie
8:16 PM: owner@ask[1].txt (ID = 2245)
8:16 PM: Found Spy Cookie: atlas dmt cookie
8:16 PM: owner@atdmt[1].txt (ID = 2253)
8:16 PM: Found Spy Cookie: belnk cookie
8:16 PM: owner@ath.belnk[2].txt (ID = 2293)
8:16 PM: Found Spy Cookie: atwola cookie
8:16 PM: owner@atwola[1].txt (ID = 2255)
8:16 PM: Found Spy Cookie: azjmp cookie
8:16 PM: owner@azjmp[1].txt (ID = 2270)
8:16 PM: Found Spy Cookie: banner cookie
8:16 PM: owner@banner[1].txt (ID = 2276)
8:16 PM: owner@belnk[1].txt (ID = 2292)
8:16 PM: Found Spy Cookie: enhance cookie
8:16 PM: owner@c.enhance[1].txt (ID = 2614)
8:16 PM: Found Spy Cookie: zedo cookie
8:16 PM: owner@c5.zedo[2].txt (ID = 3763)
8:16 PM: Found Spy Cookie: casalemedia cookie
8:16 PM: owner@casalemedia[2].txt (ID = 2354)
8:16 PM: owner@cb.adprofile[1].txt (ID = 2085)
8:16 PM: Found Spy Cookie: centrport net cookie
8:16 PM: owner@centrport[1].txt (ID = 2374)
8:16 PM: Found Spy Cookie: hitslink cookie
8:16 PM: owner@counter.hitslink[2].txt (ID = 2790)
8:16 PM: Found Spy Cookie: sextracker cookie
8:16 PM: owner@counter7.sextracker[1].txt (ID = 3362)
8:16 PM: owner@dist.belnk[2].txt (ID = 2293)
8:16 PM: Found Spy Cookie: ru4 cookie
8:16 PM: owner@edge.ru4[2].txt (ID = 3269)
8:16 PM: Found Spy Cookie: exitexchange cookie
8:16 PM: owner@exitexchange[1].txt (ID = 2633)
8:16 PM: Found Spy Cookie: fastclick cookie
8:16 PM: owner@fastclick[1].txt (ID = 2651)
8:16 PM: Found Spy Cookie: starware.com cookie
8:16 PM: owner@h.starware[2].txt (ID = 3442)
8:16 PM: Found Spy Cookie: clickandtrack cookie
8:16 PM: owner@hits.clickandtrack[1].txt (ID = 2397)
8:16 PM: Found Spy Cookie: internetfuel cookie
8:16 PM: owner@internetfuel[1].txt (ID = 2873)
8:16 PM: Found Spy Cookie: domainsponsor cookie
8:16 PM: owner@landing.domainsponsor[1].txt (ID = 2535)
8:16 PM: Found Spy Cookie: mashka cookie
8:16 PM: owner@mashka[1].txt (ID = 2949)
8:16 PM: Found Spy Cookie: ugo cookie
8:16 PM: owner@mediamgr.ugo[2].txt (ID = 3609)
8:16 PM: Found Spy Cookie: mygeek cookie
8:16 PM: owner@mygeek[2].txt (ID = 3041)
8:16 PM: Found Spy Cookie: nextag cookie
8:16 PM: owner@nextag[2].txt (ID = 5014)
8:16 PM: Found Spy Cookie: partypoker cookie
8:16 PM: owner@partypoker[2].txt (ID = 3111)
8:16 PM: Found Spy Cookie: peel network cookie
8:16 PM: owner@peel[2].txt (ID = 3127)
8:16 PM: Found Spy Cookie: overture cookie
8:16 PM: owner@perf.overture[1].txt (ID = 3106)
8:16 PM: Found Spy Cookie: questionmarket cookie
8:16 PM: owner@questionmarket[1].txt (ID = 3217)
8:16 PM: Found Spy Cookie: realmedia cookie
8:16 PM: owner@realmedia[1].txt (ID = 3235)
8:16 PM: Found Spy Cookie: revenue.net cookie
8:16 PM: owner@revenue[2].txt (ID = 3257)
8:16 PM: Found Spy Cookie: rn11 cookie
8:16 PM: owner@rn11[2].txt (ID = 3261)
8:16 PM: Found Spy Cookie: adjuggler cookie
8:16 PM: owner@rotator.adjuggler[1].txt (ID = 2071)
8:16 PM: Found Spy Cookie: server.iad.liveperson cookie
8:16 PM: owner@server.iad.liveperson[1].txt (ID = 3341)
8:16 PM: Found Spy Cookie: serving-sys cookie
8:16 PM: owner@serving-sys[2].txt (ID = 3343)
8:16 PM: owner@sextracker[1].txt (ID = 3361)
8:16 PM: Found Spy Cookie: tradedoubler cookie
8:16 PM: owner@tradedoubler[1].txt (ID = 3575)
8:16 PM: Found Spy Cookie: trafficmp cookie
8:16 PM: owner@trafficmp[1].txt (ID = 3581)
8:16 PM: Found Spy Cookie: tribalfusion cookie
8:16 PM: owner@tribalfusion[1].txt (ID = 3589)
8:16 PM: Found Spy Cookie: tripod cookie
8:16 PM: owner@tripod[1].txt (ID = 3591)
8:16 PM: owner@ugo[1].txt (ID = 3608)
8:16 PM: Found Spy Cookie: epilot cookie
8:16 PM: owner@www.epilot[1].txt (ID = 2622)
8:16 PM: owner@www.starware[1].txt (ID = 3442)
8:16 PM: Found Spy Cookie: tshirthell cookie
8:16 PM: owner@www.tshirthell[1].txt (ID = 3596)
8:16 PM: Found Spy Cookie: upspiral cookie
8:16 PM: owner@www.upspiral[1].txt (ID = 3615)
8:16 PM: Found Spy Cookie: yadro cookie
8:16 PM: owner@yadro[1].txt (ID = 3743)
8:16 PM: Found Spy Cookie: adserver cookie
8:16 PM: owner@z1.adserver[1].txt (ID = 2142)
8:16 PM: owner@zedo[1].txt (ID = 3762)
8:16 PM: Cookie Sweep Complete, Elapsed Time: 00:00:02
8:16 PM: Starting File Sweep
8:16 PM: Found Adware: addestroyer
8:16 PM: c:\documents and settings\all users\application data\addestroyer (1 subtraces) (ID = -2147481464)
8:16 PM: c:\windows\cfgmgr52 (52 subtraces) (ID = -2147479590)
8:16 PM: c:\windows\etb (12 subtraces) (ID = -2147476235)
8:16 PM: a0132409.dll (ID = 155302)
8:16 PM: a0136363.dll (ID = 155302)
8:16 PM: a0128423.dll (ID = 150833)
8:16 PM: a0147214.dll (ID = 150833)
8:16 PM: a0128425.cpl (ID = 150831)
8:16 PM: a0132417.dll (ID = 150833)
8:16 PM: a0147442.dll (ID = 150833)
8:16 PM: a0150261.dll (ID = 150833)
8:16 PM: wuauclt.dll (ID = 150833)
8:16 PM: a0150265.cpl (ID = 150831)
8:16 PM: a0147467.dll (ID = 150833)
8:16 PM: a0147556.dll (ID = 150833)
8:16 PM: a0147218.cpl (ID = 150831)
8:16 PM: a0147443.cpl (ID = 150831)
8:16 PM: a0147558.cpl (ID = 150831)
8:16 PM: a0147468.cpl (ID = 150831)
8:16 PM: f49609.exe (ID = 146393)
8:16 PM: dgdskfs.dll (ID = 150806)
8:16 PM: a0144622.dll (ID = 150833)
8:16 PM: a0129421.dll (ID = 150833)
8:16 PM: a0132437.dll (ID = 150833)
8:16 PM: a0129422.cpl (ID = 150831)
8:16 PM: a0136367.dll (ID = 150833)
8:16 PM: a0132418.cpl (ID = 150831)
8:16 PM: a0146147.dll (ID = 150833)
8:16 PM: a0132438.cpl (ID = 150831)
8:16 PM: a0136359.exe (ID = 155879)
8:16 PM: a0134466.dll (ID = 155302)
8:16 PM: a0139442.exe (ID = 74007)
8:16 PM: a0143613.exe (ID = 155879)
8:16 PM: a0129415.dll (ID = 155302)
8:16 PM: a0139544.dll (ID = 155302)
8:16 PM: a0139542.exe (ID = 155879)
8:16 PM: a0136368.cpl (ID = 150831)
8:16 PM: a0137419.dll (ID = 150833)
8:16 PM: a0135119.exe (ID = 155879)
8:16 PM: a0139550.dll (ID = 150833)
8:16 PM: a0137426.dll (ID = 150833)
8:16 PM: a0143620.dll (ID = 150833)
8:16 PM: a0136378.exe (ID = 59987)
8:16 PM: a0139551.cpl (ID = 150831)
8:16 PM: a0145058.dll (ID = 154552)
8:16 PM: a0138426.exe (ID = 155879)
8:16 PM: a0128415.dll (ID = 150806)
8:16 PM: a0122418.exe (ID = 146385)
8:16 PM: a0109302.dll (ID = 146387)
8:16 PM: a0107273.dll (ID = 146192)
8:16 PM: a0145091.dll (ID = 150833)
8:16 PM: a0143558.dll (ID = 150833)
8:16 PM: a0143559.cpl (ID = 150831)
8:16 PM: a0143552.dll (ID = 150806)
8:16 PM: a0143622.cpl (ID = 150831)
8:16 PM: a0145138.cpl (ID = 150831)
8:16 PM: a0143602.dll (ID = 150833)
8:16 PM: a0149999.dll (ID = 154552)
8:16 PM: a0143614.dll (ID = 150806)
8:16 PM: a0143595.dll (ID = 150806)
8:16 PM: a0142551.exe (ID = 155879)
8:16 PM: a0143615.dll (ID = 155302)
8:16 PM: a0139543.dll (ID = 150806)
8:16 PM: a0138433.dll (ID = 150833)
8:16 PM: a0145085.dll (ID = 155302)
8:16 PM: a0146172.dll (ID = 155302)
8:16 PM: a0143551.exe (ID = 155879)
8:16 PM: a0138434.cpl (ID = 150831)
8:16 PM: a0143594.exe (ID = 155879)
8:16 PM: a0144615.exe (ID = 155879)
8:16 PM: a0141555.dll (ID = 150833)
8:16 PM: Found Adware: exact cashback/bargain buddy
8:16 PM: a0107180.exe (ID = 50519)
8:16 PM: a0118364.exe (ID = 155879)
8:16 PM: a0107179.exe (ID = 50516)
8:16 PM: a0144618.dll (ID = 155302)
8:16 PM: a0136360.dll (ID = 150806)
8:16 PM: a0140553.dll (ID = 150833)
8:16 PM: a0146218.exe (ID = 155879)
8:16 PM: Found Adware: exact software
8:16 PM: a0102129.exe (ID = 137145)
8:16 PM: a0145143.exe (ID = 155879)
8:16 PM: a0140554.cpl (ID = 150831)
8:16 PM: a0147546.dll (ID = 154552)
8:16 PM: a0141556.cpl (ID = 150831)
8:16 PM: a0142559.dll (ID = 150833)
8:16 PM: a0143603.cpl (ID = 150831)
8:16 PM: a0142560.cpl (ID = 150831)
8:16 PM: a0132408.dll (ID = 150806)
8:16 PM: a0134468.exe (ID = 155879)
8:16 PM: a0139446.dll (ID = 150806)
8:16 PM: a0129414.dll (ID = 150806)
8:16 PM: a0134467.dll (ID = 150806)
8:16 PM: a0108301.dll (ID = 146387)
8:16 PM: a0107317.exe (ID = 156191)
8:16 PM: a0106125.exe (ID = 143842)
8:16 PM: a0104117.exe (ID = 111239)
8:16 PM: a0101121.exe (ID = 111239)
8:16 PM: a0095597.exe (ID = 121121)
8:16 PM: a0096613.exe (ID = 121121)
8:16 PM: a0102137.exe (ID = 115631)
8:16 PM: a0123411.exe (ID = 155879)
8:16 PM: a0112306.dll (ID = 161175)
8:16 PM: a0147922.dll (ID = 150833)
8:16 PM: a0149924.dll (ID = 150833)
8:16 PM: a0147925.cpl (ID = 150831)
8:16 PM: a0148934.dll (ID = 150833)
8:16 PM: a0149967.dll (ID = 150833)
8:16 PM: a0148936.cpl (ID = 150831)
8:16 PM: a0149968.cpl (ID = 150831)
8:16 PM: a0149927.cpl (ID = 150831)
8:16 PM: a0128416.dll (ID = 155302)
8:16 PM: a0143593.exe (ID = 146393)
8:16 PM: a0132407.exe (ID = 155879)
8:16 PM: a0136379.exe (ID = 59987)
8:16 PM: a0136380.exe (ID = 59987)
8:16 PM: a0117364.dll (ID = 155302)
8:16 PM: a0113311.dll (ID = 150833)
8:16 PM: a0107298.dll (ID = 146192)
8:16 PM: a0121398.exe (ID = 150537)
8:16 PM: a0111306.dll (ID = 146381)
8:16 PM: a0140547.dll (ID = 155302)
8:16 PM: a0147201.exe (ID = 162540)
8:16 PM: a0107118.dll (ID = 146192)
8:16 PM: a0139465.exe (ID = 161595)
8:16 PM: a0096989.exe (ID = 111239)
8:16 PM: a0132431.dll (ID = 155302)
8:16 PM: a0138436.dll (ID = 154552)
8:16 PM: a0125429.exe (ID = 148264)
8:16 PM: a0150032.dll (ID = 150833)
8:16 PM: Found Adware: 180search assistant/zango
8:16 PM: a0118389.exe (ID = 154294)
8:16 PM: a0120401.dll (ID = 155302)
8:16 PM: a0141549.dll (ID = 155302)
8:16 PM: Found Adware: windows afa internet enhancement
8:16 PM: a0145135.exe (ID = 90520)
8:16 PM: a0110303.exe (ID = 111239)
8:16 PM: a0113304.dll (ID = 146381)
8:16 PM: a0112299.exe (ID = 111239)
8:16 PM: a0113299.exe (ID = 111239)
8:16 PM: a0128413.exe (ID = 146393)
8:16 PM: a0146222.dll (ID = 154552)
8:16 PM: a0141547.exe (ID = 155879)
8:16 PM: a0145136.exe (ID = 90525)
8:17 PM: a0145148.dll (ID = 150833)
8:17 PM: a0147209.dll (ID = 155302)
8:17 PM: a0134460.cpl (ID = 150831)
8:17 PM: a0142553.dll (ID = 155302)
8:17 PM: a0132430.dll (ID = 150806)
8:17 PM: a0138427.dll (ID = 150806)
8:17 PM: Found Adware: internetoptimizer
8:17 PM: a0139432.exe (ID = 125346)
8:17 PM: a0142552.dll (ID = 150806)
8:17 PM: a0108305.dll (ID = 156207)
8:17 PM: a0101126.dll (ID = 146193)
8:17 PM: a0100904.dll (ID = 146193)
8:17 PM: a0109300.exe (ID = 146385)
8:17 PM: a0111312.dll (ID = 143665)
8:17 PM: a0097995.exe (ID = 146191)
8:17 PM: a0123412.dll (ID = 150806)
8:17 PM: a0102128.exe (ID = 137145)
8:17 PM: a0089200.dll (ID = 146192)
8:17 PM: a0122411.exe (ID = 111239)
8:17 PM: a0115372.dll (ID = 150833)
8:17 PM: Found Adware: webhancer
8:17 PM: a0139436.exe (ID = 83829)
8:17 PM: a0102120.exe (ID = 146191)
8:17 PM: a0119401.dll (ID = 155302)
8:17 PM: a0121395.exe (ID = 155879)
8:17 PM: a0145082.exe (ID = 146393)
8:17 PM: a0094426.dll (ID = 143447)
8:17 PM: a0117363.dll (ID = 150806)
8:17 PM: a0098992.exe (ID = 146191)
8:17 PM: a0105125.exe (ID = 146191)
8:17 PM: a0102122.dll (ID = 146193)
8:17 PM: a0139437.exe (ID = 83829)
8:17 PM: f73812.exe (ID = 146393)
8:17 PM: a0096797.exe (ID = 143452)
8:17 PM: a0136381.exe (ID = 59987)
8:17 PM: a0114309.dll (ID = 161617)
8:17 PM: a0139541.exe (ID = 146393)
8:17 PM: a0104120.exe (ID = 146191)
8:17 PM: a0123413.dll (ID = 155302)
8:17 PM: a0120399.dll (ID = 150806)
8:17 PM: a0145137.exe (ID = 154478)
8:17 PM: a0096799.exe (ID = 145339)
8:17 PM: a0119398.dll (ID = 150806)
8:17 PM: a0121399.dll (ID = 83270)
8:17 PM: a0117362.exe (ID = 155879)
8:17 PM: a0125412.dll (ID = 150806)
8:17 PM: a0121402.exe (ID = 146129)
8:17 PM: a0100902.exe (ID = 146191)
8:17 PM: a0136358.exe (ID = 146393)
8:17 PM: a0143629.exe (ID = 154478)
8:17 PM: a0120398.exe (ID = 155879)
8:17 PM: a0117372.dll (ID = 150833)
8:17 PM: a0140546.dll (ID = 150806)
8:17 PM: a0107117.exe (ID = 146191)
8:17 PM: a0101124.exe (ID = 146191)
8:17 PM: a0126409.exe (ID = 155879)
8:17 PM: a0107295.dll (ID = 156206)
8:17 PM: a0132440.dll (ID = 154552)
8:17 PM: a0111303.exe (ID = 146385)
8:17 PM: a0143596.dll (ID = 155302)
8:17 PM: a0144620.exe (ID = 154294)
8:17 PM: a0144625.cpl (ID = 150831)
8:17 PM: a0143621.dll (ID = 161617)
8:17 PM: a0124413.dll (ID = 150806)
8:17 PM: adbltzun.exe (ID = 109655)
8:17 PM: a0116369.dll (ID = 150833)
8:17 PM: a0096986.dll (ID = 143446)
8:17 PM: a0114299.exe (ID = 111239)
8:17 PM: a0134461.dll (ID = 150833)
8:17 PM: a0135125.dll (ID = 150833)
8:17 PM: a0135127.cpl (ID = 150831)
8:17 PM: a0145092.cpl (ID = 150831)
8:17 PM: a0147520.dll (ID = 150833)
8:17 PM: a0150006.cpl (ID = 150831)
8:17 PM: a0147524.cpl (ID = 150831)
8:17 PM: a0145084.dll (ID = 150806)
8:17 PM: a0139433.exe (ID = 133208)
8:17 PM: a0141621.exe (ID = 133208)
8:17 PM: a0141548.dll (ID = 150806)
8:17 PM: a0110308.dll (ID = 146381)
8:17 PM: a0107309.dll (ID = 146387)
8:17 PM: a0124412.exe (ID = 155879)
8:17 PM: a0107310.dll (ID = 146381)
8:17 PM: a0107306.exe (ID = 111239)
8:17 PM: a0111305.dll (ID = 146387)
8:17 PM: a0113312.cpl (ID = 150831)
8:17 PM: a0118380.exe (ID = 146391)
8:17 PM: a0147206.exe (ID = 155879)
8:17 PM: a0150259.dll (ID = 161617)
8:17 PM: npzango.dll (ID = 91103)
8:17 PM: a0145083.exe (ID = 155879)
8:17 PM: a0111302.exe (ID = 146391)
8:17 PM: a0146169.exe (ID = 154478)
8:17 PM: a0146171.exe (ID = 155879)
8:17 PM: a0122419.dll (ID = 150806)
8:17 PM: a0115373.cpl (ID = 150831)
8:17 PM: f39765.exe (ID = 146393)
8:17 PM: a0110296.dll (ID = 156206)
8:17 PM: a0145133.dll (ID = 154552)
8:17 PM: a0108298.exe (ID = 111239)
8:17 PM: a0143628.dll (ID = 154552)
8:17 PM: a0132429.exe (ID = 155879)
8:17 PM: a0138428.dll (ID = 155302)
8:17 PM: a0139553.dll (ID = 154552)
8:17 PM: a0107304.exe (ID = 111239)
8:17 PM: a0088217.exe (ID = 121121)
8:17 PM: a0114306.exe (ID = 162540)
8:17 PM: a0147785.dll (ID = 150833)
8:17 PM: a0150007.dll (ID = 150833)
8:17 PM: a0150033.cpl (ID = 150831)
8:18 PM: vgactl.cpl (ID = 150831)
8:18 PM: a0150121.dll (ID = 150833)
8:18 PM: a0150122.cpl (ID = 150831)
8:18 PM: a0113309.dll (ID = 161617)
8:18 PM: a0130413.exe (ID = 154478)
8:18 PM: a0096795.exe (ID = 121121)
8:18 PM: a0100742.exe (ID = 121121)
8:18 PM: a0128422.dll (ID = 161617)
8:18 PM: a0116367.dll (ID = 161617)
8:18 PM: a0114310.exe (ID = 154294)
8:18 PM: a0134974.exe (ID = 137145)
8:18 PM: a0112304.dll (ID = 146381)
8:18 PM: a0136407.dll (ID = 120160)
8:18 PM: a0126429.exe (ID = 146391)
8:18 PM: a0109298.exe (ID = 111239)
8:18 PM: a0114311.exe (ID = 154478)
8:18 PM: a0126410.dll (ID = 150806)
8:18 PM: a0107272.exe (ID = 146191)
8:18 PM: a0132441.exe (ID = 154478)
8:18 PM: Found Trojan Horse: trojan downloader pops-stop
8:18 PM: a0102146.exe (ID = 113942)
8:18 PM: a0146209.exe (ID = 154294)
8:18 PM: a0115297.exe (ID = 111239)
8:18 PM: a0125428.exe (ID = 162668)
8:18 PM: a0093527.exe (ID = 121121)
8:18 PM: a0094460.exe (ID = 121121)
8:18 PM:
  • 0

#4
Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
1. I need you to rerun LQFix and SpySweeper

2. REBOOT your system

3. Then update your Ewido definitions and run Ewido in Safe Mode. Keep the log.

4. Reboot your system

5. Post the Ewido log and a fresh HJT log

Regards,

Trevuren

  • 0

#5
BILLYwubba

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Logfile of HijackThis v1.99.1
Scan saved at 6:35:10 PM, on 11/27/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\mHotkey.exe
C:\WINDOWS\System32\LXSUPMON.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\System32\hphmon04.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Ares\Ares.exe
C:\Program Files\aim\aim.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityrespo...page/index.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing)
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [VTPreset] VTPreset.exe
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [cashfortool.exe] C:\WINDOWS\System32\cashfortool.exe
O4 - HKLM\..\Run: [Yunguyo.exe] C:\WINDOWS\System32\Yunguyo.exe
O4 - HKLM\..\Run: [w32S3qX] verrm.exe
O4 - HKLM\..\Run: [totiwuw] c:\windows\system32\drzvmo.exe r
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1130397530\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\ykocrq.exe reg_run
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [h0t2Rkb3V] vb6monui.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\aim\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Kqultxe] C:\WINDOWS\System32\??anregw.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing)
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe (file missing)
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {4AD73894-A895-4FC2-B233-299867E08753} (Cadwkzctl Object) - http://apps.deskwizz.../ax/adwerkz.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1132897353578
O16 - DPF: {886DDE35-E585-11D0-A707-000000521958} - http://69.56.176.76/webplugin.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalci....1.11_en_dl.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe (file missing)
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 6:32:10 PM, 11/27/2005
+ Report-Checksum: 64FA9734

+ Scan result:

C:\Documents and Settings\Owner\Local Settings\Temp\262658_1208_480_1032_79.41.tst -> Trojan.EliteBar.h : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\655826_3460_1740_3432_79.41.tst -> Trojan.EliteBar.h : Cleaned with backup


::Report End
  • 0
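As an added triage example (not part of this thread or of HijackThis itself), the script below parses a handful of the O-section lines from the log above and flags the kinds of entries a helper looks at first: startup entries launched by bare filename or with a name HijackThis could not render, odd trailing arguments, orphaned entries, Trusted Zone additions, and ActiveX downloads from a bare IP address. The rule names and the heuristics are my own; a flag is a prompt to check the file, not a verdict.

```python
"""Triage helper for HijackThis v1.99 logs (added example, not part of
this thread or of HijackThis). The rules are my own heuristics and give
review prompts, not verdicts; flagged files still need checking on disk."""
import ipaddress
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Sample input: lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityrespo...page/index.html
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [cashfortool.exe] C:\WINDOWS\System32\cashfortool.exe
O4 - HKLM\..\Run: [w32S3qX] verrm.exe
O4 - HKLM\..\Run: [totiwuw] c:\windows\system32\drzvmo.exe r
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\ykocrq.exe reg_run
O4 - HKCU\..\Run: [Kqultxe] C:\WINDOWS\System32\??anregw.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe (file missing)
O15 - Trusted Zone: *.media-motor.net
O16 - DPF: {886DDE35-E585-11D0-A707-000000521958} - http://69.56.176.76/webplugin.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1132897353578
"""


@dataclass(frozen=True)
class Finding:
    rule: str   # short rule name, see triage_line()
    line: str   # the HijackThis line that triggered it


# O4 - <hive>\..\<key>: [<value name>] <command line>
O4_RE = re.compile(r'^O4 - (?P<hive>\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# First executable in a command line, quoted or not, then the remaining arguments.
EXE_RE = re.compile(r'^"?(?P<exe>.*?\.(?:exe|com|scr|bat|dll|cpl))"?(?P<args>.*)$', re.IGNORECASE)
# O16 - DPF: {CLSID} (optional class name) - <cab URL>
O16_RE = re.compile(r'^O16 - DPF: \{[0-9A-Fa-f-]+\}.*? - (?P<url>\S+)$')


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage_line(line: str) -> list:
    """Apply the review rules to one HijackThis line."""
    findings = []
    # Any section: the referenced file is gone, so the entry is dead weight.
    if '(file missing)' in line or line.endswith('(no file)'):
        findings.append(Finding('orphaned_entry', line))
    m = O4_RE.match(line)
    if m:
        e = EXE_RE.match(m['cmd'])
        if e is None:
            findings.append(Finding('unparsed_command', line))
        else:
            exe, args = e['exe'], e['args'].strip()
            if '\\' not in exe:
                # Launched by name only; which file runs depends on the search path.
                findings.append(Finding('bare_filename', line))
            if '?' in exe:
                # HijackThis prints '?' for characters it cannot render.
                findings.append(Finding('unrenderable_name', line))
            if args and not args.startswith(('-', '/')):
                # Trailing token that is not a conventional switch.
                findings.append(Finding('odd_argument', line))
    elif line.startswith('O15 - Trusted Zone:'):
        # Sites in the Trusted zone run with relaxed IE security settings.
        findings.append(Finding('trusted_zone', line))
    else:
        m16 = O16_RE.match(line)
        if m16 and _is_ip_literal(urlsplit(m16['url']).hostname or ''):
            # ActiveX control fetched from a bare IP rather than a vendor hostname.
            findings.append(Finding('dpf_ip_literal_host', line))
    return findings


def triage_log(text: str) -> list:
    """Run triage_line() over every non-empty line of a log."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if line:
            findings.extend(triage_line(line))
    return findings


def summarize(text: str) -> dict:
    """Map each rule name to the O4 value names (or line bodies) it flagged."""
    summary = {}
    for f in triage_log(text):
        m = O4_RE.match(f.line)
        label = m['name'] if m else f.line.split(' - ', 1)[1]
        summary.setdefault(f.rule, []).append(label)
    return summary


if __name__ == '__main__':
    for rule, items in sorted(summarize(SAMPLE_LOG).items()):
        print(f'{rule}: {items}')
```

Note that an entry such as cashfortool.exe passes every rule here: a full path in System32 with no arguments looks ordinary, which is why the helpers also ask for file dates and scanner output rather than relying on the log alone.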

#6
Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
1. Please Download the following tools to assist us in removing this infection!
  • Download WinPFind
    • Right Click the Zip Folder and Select "Extract All"
    • Extract it somewhere you will remember like the Desktop
    • Don't do anything with it yet!


  • Download Trackgoo
    • Save it somewhere you will remember like the Desktop
2. Reboot into Safe Mode
  • Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.
3. Double-click WinPFind.exe
  • Click "Start Scan"
  • It will scan the entire System, so please be patient!
  • Once the Scan is Complete
  • Go to the WinPFind folder
  • Locate WinPFind.txt
  • Place those results in the next post!
4. Reboot back to Normal Mode!

5. Double Click on "Track qoo.vbs"

Note - If your Antivirus has Script Blocking, you will get a Pop Up Window asking you what to do. Allow this Entire Script to Run, it's harmless!

6. Wait a few seconds and a notepad page will pop up. Copy & Paste those results and place them in the next post along with the results of WinPFind!

Regards,

Trevuren

  • 0

#7
BILLYwubba

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
trackqoo:

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"CHotkey"="mHotkey.exe"
"LXSUPMON"="C:\\WINDOWS\\System32\\LXSUPMON.EXE RUN"
"Microsoft Works Update Detection"="C:\\Program Files\\Common Files\\Microsoft Shared\\Works Shared\\WkUFind.exe"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb05.exe"
"HPHmon04"="C:\\WINDOWS\\System32\\hphmon04.exe"
"HPHUPD04"="\"C:\\Program Files\\HP Photosmart 11\\hphinstall\\UniPatch\\hphupd04.exe\""
"RoxioEngineUtility"="\"C:\\Program Files\\Common Files\\Roxio Shared\\System\\EngUtil.exe\""
"RoxioDragToDisc"="\"C:\\Program Files\\Roxio\\Easy CD Creator 6\\DragToDisc\\DrgToDsc.exe\""
"RoxioAudioCentral"="\"C:\\Program Files\\Roxio\\Easy CD Creator 6\\AudioCentral\\RxMon.exe\""
"VTPreset"="VTPreset.exe"
"BearShare"="\"C:\\Program Files\\BearShare\\BearShare.exe\" /pause"
"cashfortool.exe"="C:\\WINDOWS\\System32\\cashfortool.exe"
"Yunguyo.exe"="C:\\WINDOWS\\System32\\Yunguyo.exe"
"w32S3qX"="verrm.exe"
"totiwuw"="c:\\windows\\system32\\drzvmo.exe r"
"HostManager"="C:\\Program Files\\Common Files\\AOL\\1130397530\\ee\\AOLHostManager.exe"
"AOLDialer"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"SSC_UserPrompt"="\"C:\\Program Files\\Common Files\\Symantec Shared\\Security Center\\UsrPrmpt.exe\""
"THGuard"="\"C:\\Program Files\\TrojanHunter 4.2\\THGuard.exe\""
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"SpySweeper"="\"C:\\Program Files\\Webroot\\Spy Sweeper\\SpySweeper.exe\" /startintray"
"winsync"="C:\\WINDOWS\\System32\\ykocrq.exe reg_run"

-----------------
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers


Subkey --- gqkxtsfg
{b64a82d9-ff44-4faa-bdde-c15466f4e50a}
C:\WINDOWS\System32\glkwr.dll

Subkey --- Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03}
C:\WINDOWS\System32\cscui.dll

Subkey --- Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- Symantec.Norton.Antivirus.IEContextMenu
{FAD61B3D-699D-49B2-BE16-7F82CB4C59CA}
C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll

Subkey --- TrojanHunter
{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}
C:\PROGRA~1\TROJAN~1.2\contmenu.dll

Subkey --- {a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin
C:\WINDOWS\system32\SHELL32.dll

=====================

HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers


Subkey --- {0D2E74C4-3C34-11d2-A27E-00C04FC30871}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {24F14F01-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {24F14F02-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {66742402-F9B9-11D1-A202-0000F81FEDEE}
C:\WINDOWS\system32\SHELL32.dll

==============================
C:\Documents and Settings\All Users\Start Menu\Programs\Startup

Adobe Gamma Loader.lnk
desktop.ini
==============================
C:\Documents and Settings\Owner\Start Menu\Programs\Startup

Adobe Gamma Loader.lnk
desktop.ini
desktop.ini
==============================
C:\WINDOWS\system32 cpl files


access.cpl Microsoft Corporation
ALSNDMGR.CPL Avance Logic, Inc.
appwiz.cpl Microsoft Corporation
desk.cpl Microsoft Corporation
hdwwiz.cpl Microsoft Corporation
inetcpl.cpl Microsoft Corporation
intl.cpl Microsoft Corporation
joy.cpl Microsoft Corporation
main.cpl Microsoft Corporation
mmsys.cpl Microsoft Corporation
ncpa.cpl Microsoft Corporation
nusrmgr.cpl Microsoft Corporation
odbccp32.cpl Microsoft Corporation
plugincpl131_02.cpl Sun Microsystems
powercfg.cpl Microsoft Corporation
prefscpl.cpl RealNetworks, Inc.
slcpappl.cpl SmartLink
sysdm.cpl Microsoft Corporation
telephon.cpl Microsoft Corporation
timedate.cpl Microsoft Corporation
wuaucpl.cpl Microsoft Corporation

WinPFind:

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 1 Current Build Number: 2600
Internet Explorer Version: 6.0.2800.1106

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
UPX! 12/14/2004 9:58:36 AM 84480 C:\WINDOWS\aymzcmtscy.exe
PEC2 11/24/2005 6:37:28 PM 76087296 C:\WINDOWS\MEMORY.DMP
aspack 11/24/2005 6:37:28 PM 76087296 C:\WINDOWS\MEMORY.DMP
69.59.186.63 11/24/2005 6:37:28 PM 76087296 C:\WINDOWS\MEMORY.DMP
209.66.67.134 11/24/2005 6:37:28 PM 76087296 C:\WINDOWS\MEMORY.DMP
66.63.167.97 11/24/2005 6:37:28 PM 76087296 C:\WINDOWS\MEMORY.DMP
web-nex 11/24/2005 6:37:28 PM 76087296 C:\WINDOWS\MEMORY.DMP
winsync 11/24/2005 6:37:28 PM 76087296 C:\WINDOWS\MEMORY.DMP

Checking %System% folder...
PEC2 8/18/2001 6:00:00 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
PEC2 7/16/2005 1:19:00 AM 128000 C:\WINDOWS\SYSTEM32\Dsslji.dat
PTech 7/12/2005 6:04:22 PM 520456 C:\WINDOWS\SYSTEM32\LegitCheckControl.dll
PECompact2 11/10/2005 9:17:18 PM 2368864 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 11/10/2005 9:17:18 PM 2368864 C:\WINDOWS\SYSTEM32\MRT.exe
PEC2 2/28/2002 1:42:54 PM 13107200 C:\WINDOWS\SYSTEM32\oembios.bin
Umonitor 8/29/2002 3:41:10 AM 631808 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 8/18/2001 6:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...
PTech 11/21/2002 4:53:02 PM 1807568 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
11/27/2005 7:31:06 PM S 2048 C:\WINDOWS\bootstat.dat
11/27/2005 6:38:34 PM H 54156 C:\WINDOWS\QTFont.qfn
11/24/2005 11:43:42 PM H 0 C:\WINDOWS\inf\oem21.inf
11/27/2005 6:36:52 PM H 0 C:\WINDOWS\LastGood\INF\oem22.inf
11/27/2005 6:36:52 PM H 0 C:\WINDOWS\LastGood\INF\oem22.PNF
10/5/2005 8:33:38 PM S 12849 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB896424.cat
10/4/2005 1:16:36 PM S 20086 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB896688-IE6SP1-20051004.130236.cat
11/27/2005 7:31:12 PM H 12288 C:\WINDOWS\system32\config\default.LOG
11/27/2005 7:32:36 PM H 1024 C:\WINDOWS\system32\config\SAM.LOG
11/27/2005 7:31:08 PM H 16384 C:\WINDOWS\system32\config\SECURITY.LOG
11/27/2005 7:32:18 PM H 86016 C:\WINDOWS\system32\config\software.LOG
11/27/2005 7:32:40 PM H 1183744 C:\WINDOWS\system32\config\system.LOG
11/25/2005 10:16:52 PM H 1024 C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT.LOG
11/10/2005 9:47:16 PM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0HMJ8TAR\desktop.ini
11/10/2005 9:47:16 PM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\655AWU54\desktop.ini
11/10/2005 9:47:16 PM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\P8LQPKT6\desktop.ini
11/10/2005 9:47:16 PM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\SLAFW927\desktop.ini
11/27/2005 6:34:08 PM HS 192 C:\WINDOWS\Tasks\RUTASK.job
11/27/2005 7:29:52 PM H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 8/18/2001 6:00:00 AM 66048 C:\WINDOWS\SYSTEM32\access.cpl
Avance Logic, Inc. 7/16/2002 2:08:00 PM 629248 C:\WINDOWS\SYSTEM32\ALSNDMGR.CPL
Microsoft Corporation 8/29/2002 3:41:28 AM 578560 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 8/29/2002 3:41:28 AM 129024 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/18/2001 6:00:00 AM 150016 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 8/29/2002 3:41:28 AM 292352 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/29/2002 3:41:28 AM 121856 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/29/2002 3:41:28 AM 65536 C:\WINDOWS\SYSTEM32\joy.cpl
Microsoft Corporation 8/18/2001 6:00:00 AM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 8/18/2001 6:00:00 AM 559616 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 8/18/2001 6:00:00 AM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 8/18/2001 6:00:00 AM 256000 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 8/18/2001 6:00:00 AM 36864 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Sun Microsystems 3/4/2002 4:38:02 PM 45148 C:\WINDOWS\SYSTEM32\plugincpl131_02.cpl
Microsoft Corporation 8/18/2001 6:00:00 AM 109056 C:\WINDOWS\SYSTEM32\powercfg.cpl
RealNetworks, Inc. 3/11/2003 3:07:24 PM 24576 C:\WINDOWS\SYSTEM32\prefscpl.cpl
SmartLink 7/2/2002 3:40:00 PM 339968 C:\WINDOWS\SYSTEM32\slcpappl.cpl
Microsoft Corporation 8/29/2002 3:41:28 AM 268288 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/18/2001 6:00:00 AM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 8/18/2001 6:00:00 AM 90112 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 8/29/2002 2:41:00 AM 208896 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Avance Logic, Inc. 7/16/2002 2:08:00 PM 629248 C:\WINDOWS\SYSTEM32\ReinstallBackups\0006\DriverFiles\ALSNDMGR.CPL

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
9/11/2004 9:10:38 AM 986 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
8/12/2002 6:26:44 PM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
11/27/2005 6:33:56 PM 227840 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\piqj.exe

Checking files in %ALLUSERSPROFILE%\Application Data folder...
8/12/2002 11:20:24 AM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini
1/31/2005 9:47:48 PM 5 C:\Documents and Settings\All Users\Application Data\DragToDiscUserNameE.txt

Checking files in %USERPROFILE%\Startup folder...
8/12/2002 6:26:44 PM HS 84 C:\Documents and Settings\Owner\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
8/12/2002 11:20:24 AM HS 62 C:\Documents and Settings\Owner\Application Data\desktop.ini
2/17/2003 2:24:56 PM 527 C:\Documents and Settings\Owner\Application Data\Gangsters2Setup.lnk
11/20/2005 1:26:34 AM 1568 C:\Documents and Settings\Owner\Application Data\mpauth.dat
UPX! 7/25/2005 11:22:42 PM 280064 C:\Documents and Settings\Owner\Application Data\tizhook.bin
8/2/2005 10:04:42 PM 10 C:\Documents and Settings\Owner\Application Data\tizhook.vers
7/25/2005 11:22:36 PM 137942 C:\Documents and Settings\Owner\Application Data\tizupd.bin

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
acc=none =
acc=partos =
(partos) =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\gqkxtsfg
{b64a82d9-ff44-4faa-bdde-c15466f4e50a} = C:\WINDOWS\System32\glkwr.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{FAD61B3D-699D-49B2-BE16-7F82CB4C59CA} = C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\TrojanHunter
{EBDF1F20-C829-11D1-8233-FF20AF3E97A9} = C:\PROGRA~1\TROJAN~1.2\contmenu.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\SpySweeper
{7C9D5882-CB4A-4090-96C8-430BFE8B795B} = C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{FAD61B3D-699D-49B2-BE16-7F82CB4C59CA} = C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\TrojanHunter
{EBDF1F20-C829-11D1-8233-FF20AF3E97A9} = C:\PROGRA~1\TROJAN~1.2\contmenu.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\TrojanHunter
{EBDF1F20-C829-11D1-8233-FF20AF3E97A9} = C:\PROGRA~1\TROJAN~1.2\contmenu.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9ECB9560-04F9-4bbc-943D-298DDF1699E1}
CNisExtBho Class = C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A8F38D8D-E480-4D52-B7A2-731BB6995FDD}
CNavExtBho Class = C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{FE54FA40-D68C-11d2-98FA-00C0F0318AFE}
Real.com = C:\WINDOWS\System32\Shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{8E718888-423F-11D2-876E-00A0C9082467} = &Radio : C:\WINDOWS\System32\msdxm.ocx

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\CmdMapping
MenuText = :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{3369AF0D-62E9-4bda-8103-B4C75499B578}
ButtonText = AOL Toolbar :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{4982D40A-C53B-4615-B15B-B5B5E98D167C}
ButtonText = AOL Toolbar :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{6224f700-cba3-4071-b251-47cb894244cd}
ButtonText = ICQ : C:\Program Files\ICQ\ICQ.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{9E248641-0E24-4DDB-9A1F-705087832AD6}
MenuText = Java :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}
ButtonText = AIM : C:\Program Files\aim\aim.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
ButtonText = Real.com :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{E023F504-0C5A-4750-A1E7-A9046DEA8A21}
ButtonText = MoneySide :

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
Media Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
{4982D40A-C53B-4615-B15B-B5B5E98D167C} = AOL Toolbar : C:\Program Files\AOL Toolbar\toolbar.dll
{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} = Norton Internet Security 2006 : C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = :
{DE9C389F-3316-41A7-809B-AA305ED9D922} = AOL Toolbar : C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
SoundMan SOUNDMAN.EXE
CHotkey mHotkey.exe
LXSUPMON C:\WINDOWS\System32\LXSUPMON.EXE RUN
Microsoft Works Update Detection C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
HPDJ Taskbar Utility C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
HPHmon04 C:\WINDOWS\System32\hphmon04.exe
HPHUPD04 "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
RoxioEngineUtility "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
RoxioDragToDisc "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
RoxioAudioCentral "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
VTPreset VTPreset.exe
BearShare "C:\Program Files\BearShare\BearShare.exe" /pause
cashfortool.exe C:\WINDOWS\System32\cashfortool.exe
Yunguyo.exe C:\WINDOWS\System32\Yunguyo.exe
w32S3qX verrm.exe
totiwuw c:\windows\system32\drzvmo.exe r
HostManager C:\Program Files\Common Files\AOL\1130397530\ee\AOLHostManager.exe
AOLDialer C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
ccApp "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
SSC_UserPrompt "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"
THGuard "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
iTunesHelper "C:\Program Files\iTunes\iTunesHelper.exe"
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
SpySweeper "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
winsync C:\WINDOWS\System32\ykocrq.exe reg_run

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
HLinit c:\progra~1\themexp\themex~1.org\hlsetup2.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
ares "C:\Program Files\Ares\Ares.exe" -h
h0t2Rkb3V vb6monui.exe
AIM C:\Program Files\aim\aim.exe -cnetwait.odl
Yahoo! Pager C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
Kqultxe C:\WINDOWS\System32\??anregw.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 0
bootini 0
services 0
startup 0


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 255
_NoDriveTypeAutoRun 145

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\System32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier
= WRLogonNTF.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 11/27/2005 7:39:33 PM
  • 0

#8
Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

1. Please download the Killbox by Option^Explicit and Save it to your desktop

2. Please open Notepad, and copy/paste the code in the box below into a new text file. Save it as KillQoo.reg (set Filetype to "All Files") and save it on your Desktop. NOTE: The word REGEDIT4 is part of the text to be copied.

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"winsync"=-

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\gqkxtsfg]

[-HKEY_CLASSES_ROOT\CLSID\{b64a82d9-ff44-4faa-bdde-c15466f4e50a}]


3. Please double-click Killbox.exe to run it.
  • Select "Delete on Reboot"
    • From the main Killbox Window, select Options >> Delete on Reboot >> Process all in List
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C

    C:\WINDOWS\aymzcmtscy.exe
    C:\WINDOWS\System32\ykocrq.exe
    C:\WINDOWS\System32\glkwr.dll


  • Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
  • Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.
If your computer does not restart automatically, please restart it manually.


4. Now locate and double-click KillQoo.reg -> allow it to merge into the Registry!

5. Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\ykocrq.exe reg_run

Now close all windows other than HiJackThis, then click Fix Checked.

6. REBOOT back in Normal Mode

7. Finally, run HijackThis, click SCAN, produce a LOG and POST it in this thread for review.

Regards,

Trevuren

  • 0

#9
BILLYwubba

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
When I went to HJT and did the scan, the file (O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\ykocrq.exe reg_run) wasn't listed. Here is the log from that scan:

Logfile of HijackThis v1.99.1
Scan saved at 12:29:15 AM, on 11/28/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\mHotkey.exe
C:\WINDOWS\System32\LXSUPMON.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\System32\hphmon04.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Ares\Ares.exe
C:\Program Files\aim\aim.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
c:\program files\common files\aol\1130397530\ee\services\antiSpywareApp\ver2_0_7\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityrespo...page/index.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing)
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [VTPreset] VTPreset.exe
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [cashfortool.exe] C:\WINDOWS\System32\cashfortool.exe
O4 - HKLM\..\Run: [Yunguyo.exe] C:\WINDOWS\System32\Yunguyo.exe
O4 - HKLM\..\Run: [w32S3qX] verrm.exe
O4 - HKLM\..\Run: [totiwuw] c:\windows\system32\drzvmo.exe r
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1130397530\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [h0t2Rkb3V] vb6monui.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\aim\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Kqultxe] C:\WINDOWS\System32\??anregw.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing)
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe (file missing)
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {4AD73894-A895-4FC2-B233-299867E08753} (Cadwkzctl Object) - http://apps.deskwizz.../ax/adwerkz.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1132897353578
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1133146952296
O16 - DPF: {886DDE35-E585-11D0-A707-000000521958} - http://69.56.176.76/webplugin.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalci....1.11_en_dl.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe (file missing)
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
  • 0

#10
Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.
  • First we need to make all files and folders VISIBLE:
    • Go to start>control panel>folder options>view (tab)
    • Choose to "show hidden files and folders,"
    • Uncheck the "hide protected operating system files" and the "hide extensions for known file types" boxes.
    • Close the window with ok
  • Please RUN HijackThis.
    • Click the SCAN button to produce a log.

  • Place a check mark beside each one of the following items:

    R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing)
    O4 - HKLM\..\Run: [cashfortool.exe] C:\WINDOWS\System32\cashfortool.exe
    O4 - HKLM\..\Run: [Yunguyo.exe] C:\WINDOWS\System32\Yunguyo.exe
    O4 - HKLM\..\Run: [w32S3qX] verrm.exe
    O4 - HKLM\..\Run: [totiwuw] c:\windows\system32\drzvmo.exe r
    O4 - HKCU\..\Run: [h0t2Rkb3V] vb6monui.exe
    O4 - HKCU\..\Run: [Kqultxe] C:\WINDOWS\System32\??anregw.exe
    O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
    O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
    O15 - Trusted Zone: *.media-motor.net
    O15 - Trusted Zone: *.popuppers.com
    O16 - DPF: {4AD73894-A895-4FC2-B233-299867E08753} (Cadwkzctl Object) - http://apps.deskwizz.../ax/adwerkz.cab
    O16 - DPF: {886DDE35-E585-11D0-A707-000000521958} - http://69.56.176.76/webplugin.cab



  • Now with all the items selected, and all windows closed except for HJT, delete them by clicking the FIX checked button. Close the HijackThis window.

  • Reboot Your System in Safe Mode

    How to use the F8 method to Start Your Computer in Safe Mode

    • Restart the computer.
    • As soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
    • Use the arrow keys to select the Safe mode menu item
    • Press Enter.
  • Using Windows Explorer, locate the following files/folders, and DELETE them (if they are present):

    C:\WINDOWS\System32\cashfortool.exe
    C:\WINDOWS\System32\Yunguyo.exe
    verrm.exe <== You will have to do a Search for this one
    c:\windows\system32\drzvmo.exe
    vb6monui.exe
    C:\WINDOWS\System32\??anregw.exe

  • Exit Explorer, and REBOOT BACK INTO NORMAL MODE

  • Finally, RUN Hijackthis again and produce a new HJT log. Post it in the forum so we can check how everything looks now.
Regards,

Trevuren

  • 0

#11
BILLYwubba

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Logfile of HijackThis v1.99.1
Scan saved at 12:45:58 AM, on 11/29/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\mHotkey.exe
C:\WINDOWS\System32\LXSUPMON.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\System32\hphmon04.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Ares\Ares.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\aim\aim.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityrespo...page/index.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [VTPreset] VTPreset.exe
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1130397530\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\ykocrq.exe reg_run
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [AIM] C:\Program Files\aim\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing)
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {4AD73894-A895-4FC2-B233-299867E08753} (Cadwkzctl Object) - http://apps.deskwizz.../ax/adwerkz.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1132897353578
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1133146952296
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalci....1.11_en_dl.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe (file missing)
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
  • 0

#12
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
You apparently revisited the same site that originally gave you the Qoologic infection (wynsinc) for it is back after having been eradicated. Other than that, your log looks pretty good.

1. Please Download the following tools to assist us in removing this infection!
  • Download WinPFind
    • Right Click the Zip Folder and Select "Extract All"
    • Extract it somewhere you will remember like the Desktop
    • Don't do anything with it yet!
  • Download Trackgoo
    • Save it somewhere you will remember like the Desktop
2. Reboot into Safe Mode
  • Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.
3. Double-click WinPFind.exe
  • Click "Start Scan"
  • It will scan the entire System, so please be patient!
  • Once the Scan is Complete
  • Go to the WinPFind folder
  • Locate WinPFind.txt
  • Place those results in the next post!
4. Reboot back to Normal Mode!

5. Double Click on "Track qoo.vbs"

Note - If your Antivirus has Script Blocking, you will get a Pop Up Window asking you what to do. Allow this Entire Script to Run, it's harmless!

6. Wait a few seconds and a notepad page will pop up. Copy & Paste those results and place them in the next post along with the results of WinPFind!

Regards,

Trevuren

Edited by Trevuren, 29 November 2005 - 01:29 AM.

  • 0
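The reply above is a helper reading the poster's HijackThis log by eye: a service whose binary is gone, a service with no publisher, an ActiveX control pulled from an unfamiliar domain, a DLL hooked into Winlogon. The following script is an added example (not part of this thread, and not HijackThis's own code) that performs that same first-pass triage over O16/O20/O23 lines. The sample lines are copied from the log quoted earlier in the thread, including the forum's own "..." truncation of long URLs, which the parser tolerates; the regular expressions assume the v1.99.1 line layout seen here. "warn" flags are things that are almost always wrong (missing binary, no owner); "review" flags are things a helper lists for a second look rather than calling malicious.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Constructed sample: a handful of lines in the HijackThis v1.99 format
# quoted earlier in this thread. The "..." inside URLs is the forum's
# truncation of long links, so hostnames come out truncated as well.
SAMPLE_LOG = r"""
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {4AD73894-A895-4FC2-B233-299867E08753} (Cadwkzctl Object) - http://apps.deskwizz.../ax/adwerkz.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
"""

# Every HijackThis entry starts with its section code ("O23") and " - ".
ENTRY_RE = re.compile(r"^(O\d+) - (.+)$")
# Section-specific layouts (assumed from the v1.99.1 lines in this thread).
O23_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
O16_RE = re.compile(r"^DPF: (?P<clsid>\{[0-9A-Fa-f-]+\}) \((?P<desc>.+?)\) - (?P<url>\S+)$")
O20_RE = re.compile(r"^Winlogon Notify: (?P<name>.+?) - (?P<path>.+)$")


@dataclass
class Entry:
    section: str
    body: str
    # (severity, reason) pairs; severity is "warn" or "review"
    flags: List[Tuple[str, str]] = field(default_factory=list)


def parse_entry(line: str) -> Optional[Entry]:
    """Split one log line into its section code and body; None if not an O-line."""
    m = ENTRY_RE.match(line.strip())
    return Entry(m.group(1), m.group(2)) if m else None


def triage(entry: Entry) -> Entry:
    """Attach the flags a log reader would raise for this single entry."""
    if entry.section == "O23":
        m = O23_RE.match(entry.body)
        if m:
            if m.group("path").endswith("(file missing)"):
                entry.flags.append(("warn", "service points at a binary that no longer exists"))
            if m.group("owner") == "Unknown owner":
                entry.flags.append(("warn", "service carries no publisher string"))
    elif entry.section == "O16":
        # DPF entries are ActiveX controls installed from a URL; the source
        # host is what decides whether the control belongs on the machine.
        m = O16_RE.match(entry.body)
        if m:
            host = urlparse(m.group("url")).hostname or "?"
            entry.flags.append(("review", f"ActiveX control '{m.group('desc')}' installed from {host}"))
    elif entry.section == "O20":
        # Winlogon Notify DLLs are loaded by winlogon.exe at every logon, so
        # each one is listed for the reader to confirm the vendor.
        m = O20_RE.match(entry.body)
        if m:
            entry.flags.append(("review", f"{m.group('path')} loads into winlogon.exe at logon"))
    return entry


def triage_log(text: str) -> List[Entry]:
    """Parse and triage every O-line in a pasted HijackThis log."""
    entries = []
    for line in text.splitlines():
        e = parse_entry(line)
        if e:
            entries.append(triage(e))
    return entries


def warnings(entries: List[Entry]) -> List[Entry]:
    """Only the entries that received at least one 'warn' flag."""
    return [e for e in entries if any(sev == "warn" for sev, _ in e.flags)]


if __name__ == "__main__":
    for e in triage_log(SAMPLE_LOG):
        for sev, why in e.flags:
            print(f"[{sev}] {e.section}: {why}")
```

Run against the sample, the StyleXP service is the only entry that draws "warn" flags (its binary is missing and it has no owner), which matches how such a line is usually read; the two DPF controls and the Winlogon Notify DLL are listed as "review" items with their source host or path, so the reader decides from the vendor rather than the script guessing.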

#13
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0