Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Spyware/Malware problems ... still! [RESOLVED]

Started by atome , Jul 12 2005 11:52 AM

This topic is locked

#16
atome

Posted 22 July 2005 - 09:06 PM

Member

Topic Starter
Member
23 posts

dllcompare.exe logfile

* DLLCompare Log version()
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

O^E says: "There were no files found :tazz:

"
________________________________________________

1,502 items found: 1,501 files, 1 directory.
Total of file sizes: 320,830,104 bytes 305.96 M

Administrator Account = True

--------------------End log---------------------

RootKitRevealer logfile

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0E4C0000.VBN 7/22/2005 10:51 PM 56.53 KB Hidden from Windows API.
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0E640000.VBN 7/22/2005 10:51 PM 7.00 KB Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Cookies\allison [email protected][1].txt 7/22/2005 10:39 PM 469 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Allison Tome\Cookies\allison [email protected][2].txt 7/22/2005 10:44 PM 562 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Cookies\allison [email protected][1].txt 7/22/2005 12:59 PM 205 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Allison Tome\Cookies\allison [email protected][2].txt 7/22/2005 10:43 PM 258 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Cookies\allison [email protected][1].txt 7/22/2005 12:59 PM 1.26 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Allison Tome\Cookies\allison [email protected][2].txt 7/22/2005 10:41 PM 1.37 KB Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temp\~DF960A.tmp 7/22/2005 10:35 PM 16.00 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\17C4RTJA\07[1].js 7/22/2005 10:41 PM 245 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\17C4RTJA\30[1].js 7/22/2005 4:59 PM 811 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\17C4RTJA\55[1].js 7/22/2005 4:59 PM 1.86 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\17C4RTJA\57[1].js 7/22/2005 4:59 PM 1.25 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\17C4RTJA\59[1].js 7/22/2005 10:41 PM 4.41 KB Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\17C4RTJA\63[1].js 7/21/2005 9:09 PM 171 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\17C4RTJA\72[2].js 7/22/2005 4:59 PM 3.24 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\17C4RTJA\87[1].js 7/22/2005 10:41 PM 422 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\17C4RTJA\adtrack[1].htm 7/22/2005 10:43 PM 1.88 KB Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\17C4RTJA\adview[6].htm 7/22/2005 10:41 PM 19 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\17C4RTJA\AIM_text[1].htm 7/21/2005 9:46 PM 1.76 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\17C4RTJA\AIM_text[2].htm 7/22/2005 10:52 PM 1.74 KB Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\17C4RTJA\aimInc[1].js 7/22/2005 10:39 PM 7.70 KB Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\17C4RTJA\aol[1].htm 7/22/2005 10:31 PM 893 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\17C4RTJA\aol[6].swf 7/22/2005 10:53 PM 14.28 KB Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\17C4RTJA\CAKL2FOD 7/22/2005 10:41 PM 3.71 KB Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\17C4RTJA\EWTRACK_I[1].flv&bw=600&itr=vstop&num=2&time=6917 7/22/2005 10:39 PM 3 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\17C4RTJA\ewtrack_v1[2].gif 7/22/2005 10:39 PM 67 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\17C4RTJA\ewtrack_v[1].gif 7/22/2005 10:39 PM 67 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\17C4RTJA\flashform2[1].asp 7/22/2005 10:41 PM 2.54 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\17C4RTJA\flashform2[1].htm 7/22/2005 10:41 PM 7.60 KB Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\17C4RTJA\footer[1].htm 7/22/2005 10:41 PM 408 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\17C4RTJA\gridOptions[2].asp 7/22/2005 10:41 PM 4.37 KB Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\17C4RTJA\gridOptions[2].htm 7/22/2005 10:41 PM 17.80 KB Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\17C4RTJA\optn=1[1].gif 7/22/2005 10:41 PM 19.82 KB Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\17C4RTJA\ot_160x600_prem_wed[1].jpg 7/22/2005 10:41 PM 27.90 KB Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\17C4RTJA\OVERFLOWfailover[1].gif 7/22/2005 10:44 PM 6.19 KB Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\17C4RTJA\PointRollAds[1].htm 7/22/2005 10:41 PM 1.19 KB Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\17C4RTJA\popup[1].htm 7/22/2005 10:39 PM 405 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\17C4RTJA\rsi_inc[1].htm 7/22/2005 4:59 PM 9.69 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\1KR4FNHT\01[1].htm 7/22/2005 10:54 PM 369 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\1KR4FNHT\29[1].js 7/22/2005 10:41 PM 714 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\1KR4FNHT\55[1].js 7/22/2005 10:41 PM 1.86 KB Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\1KR4FNHT\58[2].js 7/22/2005 4:59 PM 664 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\1KR4FNHT\59[1].js 7/22/2005 4:59 PM 4.33 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\1KR4FNHT\94[1].js 7/22/2005 10:41 PM 413 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\1KR4FNHT\adview[6].htm 7/22/2005 10:41 PM 19 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\1KR4FNHT\AIM_5star[1].swf 7/22/2005 10:39 PM 4.37 KB Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\1KR4FNHT\aol[11].swf 7/22/2005 10:44 PM 14.28 KB Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\1KR4FNHT\aol[12].swf 7/22/2005 10:54 PM 14.28 KB Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\1KR4FNHT\closerlook_inc[1].htm 7/22/2005 10:41 PM 323 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\1KR4FNHT\ewtrack[1].gif 7/22/2005 10:39 PM 67 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\1KR4FNHT\ewtrack[2].gif 7/22/2005 10:44 PM 67 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\1KR4FNHT\EWTRACK_V[1].flv&bw=600&vlen=30&per=0 7/22/2005 10:39 PM 3 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\1KR4FNHT\housead_BigSportsGuide[1].gif 7/22/2005 10:41 PM 2.11 KB Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\1KR4FNHT\iframeright[1].asp 7/22/2005 10:41 PM 1.13 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\1KR4FNHT\index[3].htm 7/22/2005 10:41 PM 198.00 KB Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\1KR4FNHT\Mead_5Star_120x80-600[1].flv 7/22/2005 10:39 PM 167.85 KB Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\1KR4FNHT\search[57].htm 7/22/2005 10:41 PM 14 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\1KR4FNHT\tvgo[2].htm 7/22/2005 10:41 PM 18.65 KB Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\1KR4FNHT\vw_iframe_120_90[1].htm 7/22/2005 10:43 PM 975 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\1NLPIJCS\30[1].js 7/22/2005 10:41 PM 811 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\1NLPIJCS\42[1].js 7/22/2005 10:41 PM 1.58 KB Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\1NLPIJCS\5star300x250sm[2].swf 7/22/2005 10:39 PM 14.27 KB Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\1NLPIJCS\5starPreloader[1].jpg 7/22/2005 10:39 PM 10.55 KB Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\1NLPIJCS\63[1].js 7/22/2005 10:41 PM 171 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\1NLPIJCS\87[1].js 7/21/2005 9:09 PM 422 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\1NLPIJCS\94[1].js 7/22/2005 4:59 PM 413 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\1NLPIJCS\adview[6].htm 7/22/2005 10:41 PM 19 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\1NLPIJCS\aimInc[1].js 7/22/2005 10:44 PM 6.81 KB Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\1NLPIJCS\aol[9].swf 7/22/2005 10:45 PM 14.28 KB Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\1NLPIJCS\C6102_120_90[1].js 7/22/2005 10:43 PM 1.58 KB Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\1NLPIJCS\CAYBS1KH.gif 7/22/2005 10:41 PM 43 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\1NLPIJCS\closerlook_inc[1].htm 7/22/2005 4:59 PM 323 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\1NLPIJCS\ewtrack[1].gif 7/22/2005 10:39 PM 67 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\1NLPIJCS\EWTRACK_I[1].swf&itr=openPopupRollover&num=1&time=5140 7/22/2005 10:39 PM 3 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\1NLPIJCS\footer[1].htm 7/22/2005 4:59 PM 408 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\1NLPIJCS\grid[1].asp 7/22/2005 10:41 PM 34.80 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\1NLPIJCS\grid[1].htm 7/22/2005 10:41 PM 182.45 KB Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\1NLPIJCS\iframebot[1].asp 7/22/2005 10:41 PM 1.13 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\1NLPIJCS\iframetop[1].htm 7/22/2005 4:59 PM 2.09 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\1NLPIJCS\index[6].htm 7/22/2005 10:37 PM 198.00 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\1NLPIJCS\listings[1].htm 7/22/2005 10:41 PM 34.85 KB Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\1NLPIJCS\optn=1[3] 7/22/2005 10:41 PM 392 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\1NLPIJCS\PRServe[1].htm 7/22/2005 10:41 PM 171 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\1NLPIJCS\rsi_inc[1].htm 7/22/2005 10:41 PM 9.69 KB Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\1NLPIJCS\search[57].htm 7/22/2005 10:41 PM 14 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\1NLPIJCS\tvgo[2].htm 7/22/2005 10:41 PM 18.65 KB Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\R67A3SIA\57[1].js 7/22/2005 10:41 PM 1.25 KB Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\R67A3SIA\58[1].js 7/22/2005 10:41 PM 664 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\R67A3SIA\5star300x250[1].swf 7/22/2005 10:39 PM 28.72 KB Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\R67A3SIA\72[1].js 7/22/2005 10:41 PM 3.24 KB Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\R67A3SIA\adstracking[2].gif 7/22/2005 10:43 PM 43 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\R67A3SIA\adview[11].htm 7/22/2005 10:41 PM 19 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\R67A3SIA\adview[12].htm 7/22/2005 10:41 PM 19 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\R67A3SIA\aol[10].swf 7/22/2005 10:53 PM 14.28 KB Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\R67A3SIA\asldata[1].js 7/22/2005 10:41 PM 133 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\R67A3SIA\bwtest[1].swf 7/22/2005 10:39 PM 37.11 KB Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\R67A3SIA\CA6ZQF2P 7/22/2005 10:37 PM 2.38 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\R67A3SIA\dot[1].gif 7/22/2005 10:39 PM 43 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\R67A3SIA\ewtrack_f1[1].gif 7/22/2005 10:44 PM 67 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\R67A3SIA\ewtrack_v2[1].gif 7/22/2005 10:39 PM 67 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\R67A3SIA\flashform2[1].htm 7/22/2005 4:59 PM 7.60 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\R67A3SIA\iframetop[1].htm 7/22/2005 10:41 PM 2.09 KB Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\R67A3SIA\listings[1].htm 7/22/2005 2:14 PM 34.86 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\R67A3SIA\PointRollAds[1].htm 7/22/2005 10:41 PM 729 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\R67A3SIA\popup[1].js 7/22/2005 10:39 PM 5.47 KB Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\R67A3SIA\vw_script_120_90[1].js 7/22/2005 10:43 PM 620 bytes Hidden from Windows API.
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20050720.017\vscanmsx.dat 7/22/2005 10:48 PM 2.02 KB Hidden from Windows API.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP203\A0020449.exe 2/11/2005 10:46 AM 52.94 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP203\A0020450.reg 2/8/2005 3:33 AM 3.41 KB Visible in Windows API, but not in MFT or directory index.

Hope that's it!

Allison

#17
kool808

Posted 23 July 2005 - 06:58 AM

Visiting Staff

Member
1,690 posts

Okay that is a good sign no malwares are hiding! Very good indication! Just a few more steps then we are going bye-bye Qoologic bye-bye malwares! :tazz:

Download and install Cleanup.

Now run CleanUp. When you click the Close button you will be prompted to reboot, agree to it.

Open HijackThis
go to Config, then Misc Tools
Open Uninstall Manager, then click Save List...
Post the results here.
close HJT

Have an On-line scan at this sites: Trend Micro or Panda Scan or BitDefender.

Post all requested Log results along with a fresh HijackThis Log.

#18
atome

Posted 23 July 2005 - 01:59 PM

Member

Topic Starter
Member
23 posts

Ad-Aware SE Personal
Adobe Acrobat - Reader 6.0.2 Update
Adobe Acrobat and Reader 6.0.3 Update
Adobe Atmosphere Player for Acrobat and Adobe Reader
Adobe Photoshop Album 2.0 Starter Edition
Adobe Reader 6.0.1
America Online (Choose which version to remove)
AOL Coach Version 1.0(Build:20030807.3)
AOL Instant Messenger
AOL Toolbar 2.0
CCHelp
CCScore
CleanUp!
Conexant D480 MDC V.9x Modem
Content Delivery Module
Dell Digital Jukebox Driver
Dell Driver Reset Tool
Dell Media Experience
Dell Support 5.0.0 (630)
Desktop Weather by The Weather Channel
Digital Line Detect
D-Link AirPlus G Wireless LAN Adapter
EarthLink Setup Files
ESSAdpt
ESSANUP
ESSBrwr
ESSCAM
ESSCDBK
ESScore
ESSEMAIL
ESSgui
ESShelp
ESSini
ESSPCD
ESSSONIC
ESSvpaht
ESSvpot
ewido security suite
Google Toolbar for Internet Explorer
HijackThis 1.99.1
HLPIndex
HLPRFO
Intel® Extreme Graphics 2 Driver
Internet Explorer Default Page
Jasc Paint Shop Photo Album
Jasc Paint Shop Pro 8 Dell Edition
Java 2 Runtime Environment, SE v1.4.2_03
KODAK EASYSHARE Gallery Upload ActiveX Control
Kodak EasyShare printer dock
Kodak EasyShare software
KSU
Learn2 Player (Uninstall Only)
LimeWire 4.8.1
LiveUpdate 1.80 (Symantec Corporation)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft Encarta Encyclopedia Standard 2004
Microsoft Money 2004
Microsoft Money 2004 System Pack
Microsoft Office Professional Edition 2003
Modem Helper
Musicmatch® Jukebox
NetWaiting
Notifier
OfotoXMI
OIN
OTtBP
OTtBPSDK
PCDADDIN
PCDHELP
PCDLNCH
PowerDVD 5.1
Quick Links
QuickSet
QuickTime
RealPlayer
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB903235)
SFR
SFR2
Shockwave
Sonic DLA
Sonic RecordNow!
Sonic Update Manager
Spybot - Search & Destroy 1.4
SpywareBlaster v3.4
SpywareGuard v2.2
Symantec AntiVirus Client
Symantec Client Firewall
Synaptics Pointing Device Driver
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
VBRunDLL
Viewpoint Media Player
VPRINTOL
Weather Services
Webshots Desktop
Windows AFA Internet Enhancement
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
WordPerfect Office 12

HijackThis logfile

Logfile of HijackThis v1.99.1
Scan saved at 9:25:16 AM, on 7/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISUM.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\SymPxSvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISSERV.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jucheck.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
C:\WINDOWS\system32\PD6000SM.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\PROGRA~1\SYMANT~1\SYMANT~2\IAMAPP.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\PROGRA~1\MUSICM~1\MUSICM~2\MMDiag.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
C:\Program Files\D-Link\AirPlus G Wireless Adapter Utility\AirPlus.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\ATRACK.EXE
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM\aim.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [PD6000StatusMonitor] C:\WINDOWS\system32\PD6000SM.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [iamapp] C:\PROGRA~1\SYMANT~1\SYMANT~2\IAMAPP.EXE
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: D-Link AirPlus G Wireless Utility.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar Search - res://c:\program files\aol\aol toolbar 2.0\aoltbhtml.dll/search.html
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmat...enWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....204&clcid=0x409
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgall..._1/axofupld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Symantec Client Firewall Service (NISSERV) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISSERV.EXE
O23 - Service: Symantec Client Firewall Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISUM.EXE
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Symantec Client Firewall Proxy Service (SymPxSvc) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\SymPxSvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

PandaScan

Incident Status Location

Adware:adware/pacimedia No disinfected C:\WINDOWS\SYSTEM32\ps1.exe
Adware:adware/afaenhance No disinfected C:\WINDOWS\SYSTEM\QBUninstaller.exe
Adware:adware/bookedspace No disinfected C:\WINDOWS\cfgmgr52.ini
Adware:adware/wintools No disinfected C:\WINDOWS\hisistheurls.exe
Adware:adware/sahagent No disinfected C:\WINDOWS\unstall.exe
Adware:adware/wupd No disinfected C:\PROGRAM FILES\AdTools Service
Adware:adware/apropos No disinfected C:\PROGRAM FILES\Aprps
Adware:adware/consumeralertsystemNo disinfected C:\PROGRAM FILES\CasStub
Adware:adware/imgiant No disinfected C:\PROGRAM FILES\joystick networks
Adware:adware program No disinfected C:\WINDOWS\SYSTEM32\cache32dsrf4535dfs
Adware:adware/beginto No disinfected C:\WINDOWS\SYSTEM32\cache32_rtneg4
Adware:adware/addestroyer No disinfected C:\DOCUMENTS AND SETTINGS\ALLISON TOME\START MENU\PROGRAMS\AdDestroyer
Spyware:spyware/media-motor No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\MODULEUSAGE\C:/WINDOWS/DOWNLOADED PROGRAM FILES/M67M.OCX
Adware:adware/novo No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\CDM
Adware:adware/cws.searchmeup No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\VBRUNDLL
Adware:adware/savenow No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\MAGNET
Adware:adware/bigtrafficnet No disinfected HKEY_CLASSES_ROOT\BTNETW.AMO
Spyware:spyware/surfsidekick No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\SURFSIDEKICK3
Adware:adware/delfinmedia No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\VIDCTRL
Adware:adware/weirdontheweb No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\WEIRDONTHEWEB
Spyware:spyware/istbar No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\Y036
Spyware:spyware/bargainbuddy No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP MANAGEMENT\ARPCACHE\BARGAINBUDDY
Spyware:spyware/dyfuca No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP MANAGEMENT\ARPCACHE\INTERNET OPTIMIZER
Adware:Adware/Apropos No disinfected C:\Program Files\Aprps\ProxyStub.dll
Adware:Adware/MediaTickets No disinfected C:\trufkz.html
Spyware:Spyware/Media-motor No disinfected C:\WINDOWS\Downloaded Program Files\m67m.inf
Adware:Adware Program No disinfected C:\WINDOWS\Downloaded Program Files\WildApp.inf
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\SYSTEM\QBUninstaller.exe
Adware:Adware/PurityScan No disinfected C:\WINDOWS\SYSTEM32\Shex.exe
Spyware:Spyware/Media-motor No disinfected C:\WINDOWS\unstall.exe

#19
kool808

Posted 23 July 2005 - 04:32 PM

Visiting Staff

Member
1,690 posts

Please SAVE THIS PAGE or secure a PRINT COPY of the instructions for reference.
++++++++++++++++++++++++++++++++++++++++++++

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Do NOT run the scan yet!

Please download [ Spybot Search & Destroy 1.4 ].

1. Install Spybot S&D, accepting the Default Settings
2. In the Menu Bar at the top of the Spybot window you will see 'Mode'. Make certain that 'default mode' has a check mark beside it.
3. Close ALL windows except Spybot S&D
4. Click the button to ‘Search for Updates’ then download and install the Updates.
5. Once the update is complete, do NOT run the scans yet.
6. Close Spybot S&D

Reboot in SAFE MODE. (How to boot in Safe Mode...)
++++++++++++++++++++++++++++++++++++++++++++

Uninstallation
We need to uninstall the following programs:
Go to Control Panel > Add/Remove Programs
Please locate if they exist
- LimeWire 4.8.1
  
  This depends on the version of your P2P: http://www.spywareinfo.com/articles/p2p/
Click Uninstall
Confirm with OK

Open Ad-aware and do a full scan. Remove all it finds. Save a REPORT LOG.

1. Open Spybot, next click the button ‘Check for Problems'
2. When Spybot is complete, it will be showing ‘RED’ entries bold 'Black' Entries and ‘GREEN’ entries in the window
3. Make certain there is a check mark beside all of the RED entries ONLY.
4. Choose ‘Fix Selected Problems’ and allow Spybot to fix the RED entries. Save a LOG if applicable.

Run CLEANUP! This will reboot to NORMAL MODE.
++++++++++++++++++++++++++++++++++++++++++++

Run the Panda Scan again.

++++++++++++++++++++++++++++++++++++++++++++

Open up the MS-DOS Prompt
type in cd\
cd progra~1 or cd program files
dir *.* >> c:\pflist.txt
exit
In your windows explorer locate c:\pflist.txt
post the results here

++++++++++++++++++++++++++++++++++++++++++++
Separate each logs with a title on it.

Close all windows, open HijackThis then SCAN.
Post a NEW HijackThis Log.
Post the log from Ad-Aware and Spybot S&D.
Post the results from Panda Scan.
Post the results from Program File list.
Please tell me how your system is working now.

#20
atome

Posted 24 July 2005 - 10:00 PM

Member

Topic Starter
Member
23 posts

HijackThis Log Report

Logfile of HijackThis v1.99.1
Scan saved at 11:53:27 PM, on 7/24/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
C:\WINDOWS\system32\PD6000SM.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\PROGRA~1\SYMANT~1\SYMANT~2\IAMAPP.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jucheck.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISUM.EXE
C:\Program Files\D-Link\AirPlus G Wireless Adapter Utility\AirPlus.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\SymPxSvc.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\MMDiag.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISSERV.EXE
C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\ATRACK.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\SYSTEM32\SPIDER.EXE
C:\HJT.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [PD6000StatusMonitor] C:\WINDOWS\system32\PD6000SM.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [iamapp] C:\PROGRA~1\SYMANT~1\SYMANT~2\IAMAPP.EXE
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: D-Link AirPlus G Wireless Utility.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar Search - res://c:\program files\aol\aol toolbar 2.0\aoltbhtml.dll/search.html
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmat...enWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....204&clcid=0x409
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgall..._1/axofupld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Symantec Client Firewall Service (NISSERV) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISSERV.EXE
O23 - Service: Symantec Client Firewall Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISUM.EXE
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Symantec Client Firewall Proxy Service (SymPxSvc) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\SymPxSvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Ad-Aware log

Ad-Aware SE Build 1.06r1
Logfile Created on:Sunday, July 24, 2005 9:38:21 PM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R56 21.07.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
MRU List(TAC index:0):18 total references
Tracking Cookie(TAC index:3):3 total references
VX2(TAC index:10):3 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects

7-24-2005 9:38:21 PM - Scan started. (Full System Scan)

MRU List Object Recognized!
Location: : C:\Documents and Settings\Allison Tome\Application Data\microsoft\office\recent
Description : list of recently opened documents using microsoft office

MRU List Object Recognized!
Location: : C:\Documents and Settings\Allison Tome\recent
Description : list of recently opened documents

MRU List Object Recognized!
Location: : S-1-5-21-4261558862-3284301128-1328160310-1006\software\google\navclient\1.1\history
Description : list of recently used search terms in the google toolbar

MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct3d

MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct X

MRU List Object Recognized!
Location: : software\microsoft\directdraw\mostrecentapplication
Description : most recent application to use microsoft directdraw

MRU List Object Recognized!
Location: : S-1-5-21-4261558862-3284301128-1328160310-1006\software\microsoft\internet explorer
Description : last download directory used in microsoft internet explorer

MRU List Object Recognized!
Location: : S-1-5-21-4261558862-3284301128-1328160310-1006\software\microsoft\office\11.0\common\open find\microsoft office word\settings\save as\file name mru
Description : list of recent documents saved by microsoft word

MRU List Object Recognized!
Location: : S-1-5-21-4261558862-3284301128-1328160310-1006\software\microsoft\search assistant\acmru
Description : list of recent search terms used with the search assistant

MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru
Description : list of recent programs opened

MRU List Object Recognized!
Location: : S-1-5-18\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru
Description : list of recent programs opened

MRU List Object Recognized!
Location: : S-1-5-21-4261558862-3284301128-1328160310-1006\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru
Description : list of recent programs opened

MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru
Description : list of recently saved files, stored according to file extension

MRU List Object Recognized!
Location: : S-1-5-18\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru
Description : list of recently saved files, stored according to file extension

MRU List Object Recognized!
Location: : S-1-5-21-4261558862-3284301128-1328160310-1006\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru
Description : list of recently saved files, stored according to file extension

MRU List Object Recognized!
Location: : S-1-5-21-4261558862-3284301128-1328160310-1006\software\microsoft\windows\currentversion\explorer\recentdocs
Description : list of recent documents opened

MRU List Object Recognized!
Location: : software\musicmatch\musicmatch jukebox\4.0\mmradio
Description : information on the last station listened to using musicmatch radio

MRU List Object Recognized!
Location: : S-1-5-21-4261558862-3284301128-1328160310-1006\software\microsoft\windows media\wmsdk\general
Description : windows media sdk

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 128
ThreadCreationTime : 7-25-2005 2:37:24 AM
BasePriority : Normal

#:2 [csrss.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 176
ThreadCreationTime : 7-25-2005 2:37:34 AM
BasePriority : Normal

#:3 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 200
ThreadCreationTime : 7-25-2005 2:37:35 AM
BasePriority : High

#:4 [services.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 244
ThreadCreationTime : 7-25-2005 2:37:39 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : services.exe

#:5 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 256
ThreadCreationTime : 7-25-2005 2:37:39 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:6 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 404
ThreadCreationTime : 7-25-2005 2:37:42 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:7 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 468
ThreadCreationTime : 7-25-2005 2:37:43 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:8 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 524
ThreadCreationTime : 7-25-2005 2:37:44 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:9 [explorer.exe]
FilePath : C:\WINDOWS\
ProcessID : 724
ThreadCreationTime : 7-25-2005 2:37:53 AM
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : EXPLORER.EXE

#:10 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Personal\
ProcessID : 804
ThreadCreationTime : 7-25-2005 2:38:09 AM
BasePriority : Normal
FileVersion : 6.2.0.236
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 18

Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

VX2 Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : folder\shellex\columnhandlers\{6ec11407-5b2e-4e25-8bdf-77445b52ab37}

VX2 Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{6ec11407-5b2e-4e25-8bdf-77445b52ab37}

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 2
Objects found so far: 20

Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 20

Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : allison tome@advertising[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:8
Value : Cookie:allison [email protected]/
Expires : 7-23-2010 9:23:36 PM
LastSync : Hits:8
UseCount : 0
Hits : 8

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : allison tome@247realmedia[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:1
Value : Cookie:allison [email protected]/
Expires : 12-31-2010 7:00:00 PM
LastSync : Hits:1
UseCount : 0
Hits : 1

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : allison [email protected][2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:7
Value : Cookie:allison [email protected]/
Expires : 8-23-2005 9:23:36 PM
LastSync : Hits:7
UseCount : 0
Hits : 7

Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 3
Objects found so far: 23

Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 23

Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
56 entries scanned.
New critical objects:0
Objects found so far: 23

Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

VX2 Object Recognized!
Type : RegData
Data : explorer.exe
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows nt\currentversion\winlogon
Value : Shell
Data : explorer.exe

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 1
Objects found so far: 24

9:47:58 PM Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:09:36.549
Objects scanned:111982
Objects identified:6
Objects ignored:0
New critical objects:6

Spybot S&D Report

--- Search result list ---
AbetterInternet: Class ID (Registry key, nothing done)
HKEY_CLASSES_ROOT\CLSID\{9ADE0443-2AB2-4B23-A3F8-AC520773DE12}

AbetterInternet: Class ID (Registry key, nothing done)
HKEY_CLASSES_ROOT\CLSID\{BC54B24C-5A97-4C19-9181-8B8A05B2E931}

AbetterInternet: Class ID (Registry key, nothing done)
HKEY_CLASSES_ROOT\CLSID\{BD9584EF-C28C-4F6D-8D49-0CEE3C0E442F}

AbetterInternet: Class ID (Registry key, nothing done)
HKEY_CLASSES_ROOT\CLSID\{C7888681-1A83-4C14-B9A5-95F91240B44F}

AbetterInternet: Settings (Registry key, nothing done)
HKEY_CLASSES_ROOT\TypeLib\{BF56BE6A-0AEA-45F3-8B10-7312876584A8}

AbetterInternet: Root class (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\btnetw.amo

AbetterInternet: Root class (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\btnetw.amo.1

AbetterInternet: Class ID (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{C7888681-1A83-4C14-B9A5-95F91240B44F}

AbetterInternet: Root class (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\btnetw.iiittt

AbetterInternet: Root class (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\btnetw.iiittt.1

AbetterInternet: Class ID (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{BD9584EF-C28C-4F6D-8D49-0CEE3C0E442F}

AbetterInternet: Root class (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\btnetw.momo

AbetterInternet: Root class (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\btnetw.momo.1

AbetterInternet: Class ID (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{BC54B24C-5A97-4C19-9181-8B8A05B2E931}

AbetterInternet: Root class (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\btnetw.ohb

AbetterInternet: Root class (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\btnetw.ohb.1

AbetterInternet: Class ID (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{9ADE0443-2AB2-4B23-A3F8-AC520773DE12}

AbetterInternet: Executable (File, nothing done)
C:\WINDOWS\SYSTEM32\InstallerV3.exe

AbetterInternet: Data (File, nothing done)
C:\WINDOWS\SYSTEM32\ps31.ico

AbetterInternet: Data (File, nothing done)
C:\WINDOWS\SYSTEM32\vhe233a1.ico

AbetterInternet: Picture (File, nothing done)
C:\WINDOWS\SYSTEM32\xbox_round1.bmp

ISearchTech.YSB: Module usage (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/ysbactivex.dll

ISearchTech.YSB: Shared DLL (1 apps) (Registry value, nothing done)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SharedDlls\C:\WINDOWS\Downloaded Program Files\ysbactivex.dll

Pacimedia: Settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-4261558862-3284301128-1328160310-1006\Software\PS1

MediaMotor: Type library (Registry key, nothing done)
HKEY_CLASSES_ROOT\TypeLib\{466C63AC-F26E-49F1-861A-E07DA768A46A}

--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2005-06-09 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2005-05-31 advcheck.dll (1.0.2.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2005-05-31 Tools.dll (2.0.0.2)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2005-04-26 Includes\Cookies.sbi (*)
2005-07-11 Includes\Dialer.sbi (*)
2005-07-15 Includes\Hijackers.sbi (*)
2005-06-23 Includes\Keyloggers.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2005-07-15 Includes\Malware.sbi (*)
2005-06-09 Includes\PUPS.sbi (*)
2005-04-27 Includes\Revision.sbi (*)
2005-06-09 Includes\Security.sbi (*)
2005-07-15 Includes\Spybots.sbi (*)
2005-02-17 Includes\Tracks.uti
2005-07-15 Includes\Trojans.sbi (*)

--- System information ---
Windows XP (Build: 2600) Service Pack 2
/ .NETFramework / 1.1: Microsoft .NET Framework 1.1 Hotfix (KB886903)
/ .NETFramework / 1.1: Microsoft .NET Framework 1.1 Service Pack 1 (KB867460)
/ Step By Step Interactive Training / SP2: Security Update for Step By Step Interactive Training (KB898458)
/ Windows XP / SP3: Windows XP Hotfix - KB834707
/ Windows XP / SP3: Windows XP Hotfix - KB867282
/ Windows XP / SP3: Windows XP Hotfix - KB873333
/ Windows XP / SP3: Windows XP Hotfix - KB873339
/ Windows XP / SP3: Security Update for Windows XP (KB883939)
/ Windows XP / SP3: Windows XP Hotfix - KB885250
/ Windows XP / SP3: Windows XP Hotfix - KB885835
/ Windows XP / SP3: Windows XP Hotfix - KB885836
/ Windows XP / SP3: Windows XP Hotfix - KB886185
/ Windows XP / SP3: Windows XP Hotfix - KB887472
/ Windows XP / SP3: Windows XP Hotfix - KB887742
/ Windows XP / SP3: Windows XP Hotfix - KB888113
/ Windows XP / SP3: Windows XP Hotfix - KB888302
/ Windows XP / SP3: Security Update for Windows XP (KB890046)
/ Windows XP / SP3: Windows XP Hotfix - KB890047
/ Windows XP / SP3: Windows XP Hotfix - KB890175
/ Windows XP / SP3: Windows XP Hotfix - KB890859
/ Windows XP / SP3: Windows XP Hotfix - KB890923
/ Windows XP / SP3: Windows XP Hotfix - KB891781
/ Windows XP / SP3: Security Update for Windows XP (KB893066)
/ Windows XP / SP3: Windows XP Hotfix - KB893086
/ Windows XP / SP3: Windows Installer 3.1 (KB893803)
/ Windows XP / SP3: Windows Installer 3.1 (KB893803)
/ Windows XP / SP3: Update for Windows XP (KB894391)
/ Windows XP / SP3: Security Update for Windows XP (KB896358)
/ Windows XP / SP3: Security Update for Windows XP (KB896422)
/ Windows XP / SP3: Security Update for Windows XP (KB896428)
/ Windows XP / SP3: Update for Windows XP (KB898461)
/ Windows XP / SP3: Security Update for Windows XP (KB901214)
/ Windows XP / SP3: Security Update for Windows XP (KB903235)

--- Startup entries list ---
Located: HK_LM:Run, Dell QuickSet
command: C:\Program Files\Dell\QuickSet\quickset.exe
file: C:\Program Files\Dell\QuickSet\quickset.exe
size: 487424
MD5: bcb51885bc7e253c9abeb8ac2c0fd0ff

Located: HK_LM:Run, DVDLauncher
command: "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
file: C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
size: 53248
MD5: 6a66b6a314f6ef30cd1cf82a17daad52

Located: HK_LM:Run, HotKeysCmds
command: C:\WINDOWS\system32\hkcmd.exe
file: C:\WINDOWS\system32\hkcmd.exe
size: 118784
MD5: ea5dd164296f66241bead39e12fa69f2

Located: HK_LM:Run, iamapp
command: C:\PROGRA~1\SYMANT~1\SYMANT~2\IAMAPP.EXE
file: C:\PROGRA~1\SYMANT~1\SYMANT~2\IAMAPP.EXE
size: 373976
MD5: 6d51e31b06a8b2a5f449f3ec727611de

Located: HK_LM:Run, IgfxTray
command: C:\WINDOWS\system32\igfxtray.exe
file: C:\WINDOWS\system32\igfxtray.exe
size: 155648
MD5: 8bbbada96ffe1449edd39256eda99cd8

Located: HK_LM:Run, MimBoot
command: C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe
file: C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe
size: 11776
MD5: d7bac36b6dea03513e04bcae60bab4a1

Located: HK_LM:Run, MMTray
command: "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe"
file: C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
size: 110592
MD5: ab98c64b4576b6f3e573739d5600aa51

Located: HK_LM:Run, PCMService
command: "C:\Program Files\Dell\Media Experience\PCMService.exe"
file: C:\Program Files\Dell\Media Experience\PCMService.exe
size: 290816
MD5: e02c0e78e5cfb01bf9d1866dba18b456

Located: HK_LM:Run, PD6000StatusMonitor
command: C:\WINDOWS\system32\PD6000SM.EXE
file: C:\WINDOWS\system32\PD6000SM.EXE
size: 266240
MD5: 0adfebbcd0c6ab90991c5129c918b8fc

Located: HK_LM:Run, QuickTime Task
command: "C:\Program Files\QuickTime\qttask.exe" -atboottime
file: C:\Program Files\QuickTime\qttask.exe
size: 77824
MD5: fc9f5c5d87d0a6d1e10773d20cb3c3ef

Located: HK_LM:Run, SunJavaUpdateSched
command: C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
file: C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
size: 32881
MD5: ed85b344e6edc30c1bc57ec1a2a56bf3

Located: HK_LM:Run, SynTPEnh
command: C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
file: C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
size: 536576
MD5: dae4480de163e7827f3c773d24d872e7

Located: HK_LM:Run, SynTPLpr
command: C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
file: C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
size: 98304
MD5: 77bcebe7dc9c4d059b10ddb90aa0edc1

Located: HK_LM:Run, TkBellExe
command: "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
file: C:\Program Files\Common Files\Real\Update_OB\realsched.exe
size: 180269
MD5: b8e684df9a97497edd2f87444a6307fb

Located: HK_LM:Run, UpdateManager
command: "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
file: C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
size: 110592
MD5: 22fd4e58d69969a9165721c797d54931

Located: HK_LM:Run, vptray
command: C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
file: C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
size: 90112
MD5: 4b954730657f43b88a308c41fe570331

Located: HK_LM:RunOnceEx,
command:
file:

Located: HK_CU:Run, AIM
command: C:\Program Files\AIM\aim.exe -cnetwait.odl
file:

Located: HK_CU:Run, DellSupport
command: "C:\Program Files\Dell Support\DSAgnt.exe" /startup
file: C:\Program Files\Dell Support\DSAgnt.exe
size: 306688
MD5: cea4715092cb7984420dbc9f51fb4c35

Located: HK_CU:Run, DW4
command: "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
file: C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
size: 569344
MD5: 5f489bf908898bd7195ec1f43b23a9d6

Located: HK_CU:Run, MoneyAgent
command: "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
file: C:\Program Files\Microsoft Money\System\mnyexpr.exe
size: 200704
MD5: b0342cdf37f346704708c6d924028a5a

Located: HK_CU:Run, MSMSGS
command: "C:\Program Files\Messenger\msmsgs.exe" /background
file: C:\Program Files\Messenger\msmsgs.exe
size: 1694208
MD5: 74e6e96c6f0e2eca4edbb7f7a468f259

Located: Startup (common), America Online 9.0 Tray Icon.lnk
command: C:\Program Files\America Online 9.0\aoltray.exe
file: C:\Program Files\America Online 9.0\aoltray.exe
size: 36953
MD5: 6c56af320e0c65b14b3b36f655a5c68e

Located: Startup (common), Digital Line Detect.lnk
command: C:\Program Files\Digital Line Detect\DLG.exe
file: C:\Program Files\Digital Line Detect\DLG.exe
size: 24576
MD5: b66e56733e2cd6a10fda5919625fbf46

Located: Startup (common), D-Link AirPlus G Wireless Utility.lnk
command: C:\Program Files\D-Link\AirPlus G Wireless Adapter Utility\AirPlus.exe
file: C:\Program Files\D-Link\AirPlus G Wireless Adapter Utility\AirPlus.exe
size: 372736
MD5: 106f734f0fa28565063a673f2c2bb93b

Located: Startup (common), Kodak EasyShare software.lnk
command: C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
file: C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
size: 757760
MD5: 5849e088d0318421376e633018abe6f9

Located: Startup (user), SpywareGuard.lnk
command: C:\Program Files\SpywareGuard\sgmain.exe
file: C:\Program Files\SpywareGuard\sgmain.exe
size: 360448
MD5: 61c028aba5e49573a6332f4a7c744e87

Located: Startup (user), Webshots.lnk
command: C:\Program Files\Webshots\Launcher.exe
file: C:\Program Files\Webshots\Launcher.exe
size: 45056
MD5: 333756209c244eb507f07a7293d831f0

Located: WinLogon, crypt32chain
command: crypt32.dll
file: crypt32.dll

Located: WinLogon, cryptnet
command: cryptnet.dll
file: cryptnet.dll

Located: WinLogon, cscdll
command: cscdll.dll
file: cscdll.dll

Located: WinLogon, igfxcui
command: igfxsrvc.dll
file: igfxsrvc.dll

Located: WinLogon, ScCertProp
command: wlnotify.dll
file: wlnotify.dll

Located: WinLogon, Schedule
command: wlnotify.dll
file: wlnotify.dll

Located: WinLogon, sclgntfy
command: sclgntfy.dll
file: sclgntfy.dll

Located: WinLogon, SensLogn
command: WlNotify.dll
file: WlNotify.dll

Located: WinLogon, termsrv
command: wlnotify.dll
file: wlnotify.dll

Located: WinLogon, wlballoon
command: wlnotify.dll
file: wlnotify.dll

--- Browser helper object list ---
{AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
BHO name:
CLSID name: Google Toolbar Helper
description: Google toolbar
classification: Open for discussion
known filename: googletoolbar.dll<br>googletoolbar*.dll<br>(* = number)<br>googletoolbar_en_*.**-big.dll<br>Googletoolbar_en_*.*.**-deleon.dll
info link: http://toolbar.google.com/
info source: TonyKlein
Path: c:\program files\google\
Long name: GoogleToolbar1.dll
Short name: GOOGLE~1.DLL
Date (created): 6/9/2005 10:06:40 PM
Date (last access): 7/24/2005 10:52:16 PM
Date (last write): 6/18/2005 6:48:34 PM
Filesize: 1147904
Attributes: readonly archive
MD5: 92A0343FA82B36A04E00F0049123EA6C
CRC32: 09DC3CD7
Version: 3.0.123.2

--- ActiveX list ---
{17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool)
DPF name:
CLSID name: Windows Genuine Advantage Validation Tool
Installer: C:\WINDOWS\Downloaded Program Files\LegitCheckControl.inf
Codebase: http://go.microsoft....204&clcid=0x409
Path: C:\WINDOWS\system32\
Long name: LegitCheckControl.DLL
Short name: LEGITC~1.DLL
Date (created): 1/28/2005 3:38:00 PM
Date (last access): 7/24/2005 5:22:32 PM
Date (last write): 6/6/2005 11:29:58 AM
Filesize: 459016
Attributes: archive
MD5: A3365D6BF3329CD4C366380A6D2112F9
CRC32: 9288196E
Version: 1.2.59.0

{3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine)
DPF name:
CLSID name: Office Update Installation Engine
Installer: C:\WINDOWS\Downloaded Program Files\opuc.inf
Codebase: http://office.micros...ontent/opuc.cab
Path: C:\WINDOWS\
Long name: opuc.dll
Short name:
Date (created): 8/27/2003 5:10:30 AM
Date (last access): 7/24/2005 10:52:50 PM
Date (last write): 8/27/2003 5:10:30 AM
Filesize: 314368
Attributes: archive
MD5: 1E32EC4A8A17B19926B49EA5F6B79A76
CRC32: E98FC293
Version: 11.0.5626.0

{6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class)
DPF name:
CLSID name: Ofoto Upload Manager Class
Installer: C:\WINDOWS\Downloaded Program Files\axofupld.inf
Codebase: http://www.kodakgall..._1/axofupld.cab
Path: C:\WINDOWS\Downloaded Program Files\
Long name: axofupld.dll
Short name:
Date (created): 11/5/2003 12:24:56 AM
Date (last access): 7/24/2005 10:52:04 PM
Date (last write): 6/16/2005 10:00:06 AM
Filesize: 184392
Attributes: archive
MD5: D4477289D752C66F686D0F9F1580A3C6
CRC32: 688A020E
Version: 1.0.1.54

{9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class)
DPF name:
CLSID name: ActiveScan Installer Class
Installer: C:\WINDOWS\Downloaded Program Files\asinst.inf
Codebase: http://www.pandasoft.../as5/asinst.cab
Path: C:\WINDOWS\Downloaded Program Files\
Long name: asinst.dll
Short name:
Date (created): 6/24/2005 9:44:30 AM
Date (last access): 7/24/2005 10:52:04 PM
Date (last write): 6/24/2005 9:44:30 AM
Filesize: 131072
Attributes: archive
MD5: 794F7D10634EF24DC4B44E5EB09F2E52
CRC32: A5BF5B5E
Version: 57.7.0.0

{CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} (Java Runtime Environment 1.4.2)
DPF name: Java Runtime Environment 1.4.2
CLSID name: Java Plug-in 1.4.2_03
Installer:
Codebase: http://java.sun.com/...indows-i586.cab
Path: C:\Program Files\Java\j2re1.4.2_03\bin\
Long name: NPJPI142_03.dll
Short name: NPJPI1~1.DLL
Date (created): 11/19/2003 6:48:18 PM
Date (last access): 7/23/2005 10:48:24 AM
Date (last write): 11/19/2003 6:48:12 PM
Filesize: 65650
Attributes: archive
MD5: 2AD31341BE41AC9B086128AD86A2B53F
CRC32: 081CFB35
Version: 1.4.2.30

--- Process list ---
PID: 0 ( 0) [System]
PID: 128 ( 4) \SystemRoot\System32\smss.exe
PID: 176 ( 128) \??\C:\WINDOWS\system32\csrss.exe
PID: 200 ( 128) \??\C:\WINDOWS\system32\winlogon.exe
PID: 244 ( 200) C:\WINDOWS\system32\services.exe
size: 108032
MD5: C6CE6EEC82F187615D1002BB3BB50ED4
PID: 256 ( 200) C:\WINDOWS\system32\lsass.exe
size: 13312
MD5: 84885F9B82F4D55C6146EBF6065D75D2
PID: 404 ( 244) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 468 ( 244) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 524 ( 244) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 724 ( 704) C:\WINDOWS\Explorer.EXE
size: 1032192
MD5: A0732187050030AE399B241436565E64
PID: 1008 ( 724) C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
size: 4393096
MD5: 09CA174A605B480318731E691DC98539
PID: 4 ( 0) System

--- Browser start & search pages list ---
Spybot - Search & Destroy browser pages report, 7/24/2005 10:55:12 PM

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
C:\WINDOWS\system32\blank.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.hotmail.com/
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
http://www.dell4me.com/myway
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://search.msn.com
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl\@
http://www.google.com/keyword/%s
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
%SystemRoot%\system32\blank.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.microsoft...=ie&ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.dell4me.com/myway
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
http://www.dell4me.com/myway
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://www.microsoft...=ie&ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
http://ie.search.msn...st/srchasst.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
http://ie.search.msn...st/srchasst.htm

--- Winsock Layered Service Provider list ---

--- Uninstall list ---
Ad-Aware SE Personal 1.06 (Ad-Aware SE Personal)
uninstall cmd: C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG
publisher: Lavasoft
help link: http://www.lavasoft.com

(AddressBook)

Adobe Atmosphere Player for Acrobat and Adobe Reader (Adobe Atmosphere Player)
uninstall cmd: C:\WINDOWS\atmoUn.exe

(AIMToolbar)

America Online (Choose which version to remove) (America Online us)
uninstall cmd: C:\Program Files\Common Files\aolshare\Aolunins_us.exe

AOL Instant Messenger (AOL Instant Messenger)
uninstall cmd: C:\Program Files\AIM\uninstll.exe -LOG= C:\Program Files\AIM\install.log -OEM=

AOL Toolbar 2.0 (AOL Toolbar)
uninstall cmd: "C:\Program Files\AOL\AOL Toolbar 2.0\uninstall.exe"

AOL Coach Version 1.0(Build:20030807.3) (AolCoach)
uninstall cmd: C:\Program Files\Common Files\aolshare\Coach\AolCInUn.exe

(Branding)

Content Delivery Module (CDM)
uninstall cmd: "C:\WINDOWS\inscdm\lmsvxrihgv.exe" -Uninstall

CleanUp! (CleanUp!)
uninstall cmd: C:\Program Files\CleanUp!\uninstall.exe

Conexant D480 MDC V.9x Modem (CNXT_MODEM_PCI_VEN_8086&DEV_24x6&SUBSYS_542214F1)
uninstall cmd: C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_8086&DEV_24x6&SUBSYS_542214F1\HXFSETUP.EXE -U -Idel5422k.inf

(Connection Manager)

Dell Digital Jukebox Driver (Dell Digital Jukebox Driver)
uninstall cmd: C:\Program Files\Dell\Digital Jukebox Drivers\DrvUnins.exe /s

Dell Support 5.0.0 (630) (DellSupport)
uninstall cmd: rundll32 C:\PROGRA~1\DELLSU~1\AUInst.dll,ExUninstall

Desktop Weather by The Weather Channel (Desktop Weather by The Weather Channel)
uninstall cmd: C:\PROGRA~1\THEWEA~1\DESKTO~1\UNWISE.EXE C:\PROGRA~1\THEWEA~1\DESKTO~1\INSTALL.LOG

(DirectAnimation)

(DirectDrawEx)

(dlatray.exe)
uninstall cmd: C:\WINDOWS\system32\\MSIEXEC.EXE /x {1206EF92-2E83-4859-ACCB-2048C3CB7DA6}

(DXM_Runtime)

ewido security suite (ewidosecuritysuite)
install location: C:\Program Files\ewido\security suite
uninstall cmd: C:\Program Files\ewido\security suite\Uninstall.exe
publisher: ewido networks
help link: http://www.ewido.net

(Fontcore)

HijackThis 1.99.1 1.99.1 (HijackThis)
uninstall cmd: C:\HijackThis.exe /uninstall
publisher: Soeperman Enterprises Ltd.

(ICW)

(IE40)

(IE4Data)

(IE5BAKEX)

(IEData)

(InstallShield Uninstall Information)

Windows XP Hotfix - KB834707 20040929.110854 (KB834707)
uninstall cmd: C:\WINDOWS\$NtUninstallKB834707$\spuninst\spuninst.exe
publisher: Microsoft Corporation
help link: http://support.micro...com?kbid=834707

Windows XP Hotfix - KB867282 20050127.090417 (KB867282)
uninstall cmd: C:\WINDOWS\$NtUninstallKB867282$\spuninst\spuninst.exe
publisher: Microsoft Corporation
help link: http://support.micro...com?kbid=867282

Windows XP Hotfix - KB873333 20050114.005213 (KB873333)
uninstall cmd: C:\WINDOWS\$NtUninstallKB873333$\spuninst\spuninst.exe
publisher: Microsoft Corporation
help link: http://support.micro...com?kbid=873333

Windows XP Hotfix - KB873339 20041117.092459 (KB873339)
uninstall cmd: C:\WINDOWS\$NtUninstallKB873339$\spuninst\spuninst.exe
publisher: Microsoft Corporation
help link: http://support.micro...com?kbid=873339

Security Update for Windows XP (KB883939) 1 (KB883939)
install date: 20050616
uninstall cmd: "C:\WINDOWS\$NtUninstallKB883939$\spuninst\spuninst.exe"
publisher: Microsoft Corporation
help link: http://support.micro...com?kbid=883939

(KB884016)

Windows XP Hotfix - KB885250 20050118.202711 (KB885250)
uninstall cmd: C:\WINDOWS\$NtUninstallKB885250$\spuninst\spuninst.exe
publisher: Microsoft Corporation
help link: http://support.micro...com?kbid=885250

Windows XP Hotfix - KB885835 20041027.181713 (KB885835)
uninstall cmd: C:\WINDOWS\$NtUninstallKB885835$\spuninst\spuninst.exe
publisher: Microsoft Corporation
help link: http://support.micro...com?kbid=885835

Windows XP Hotfix - KB885836 20041028.173203 (KB885836)
uninstall cmd: C:\WINDOWS\$NtUninstallKB885836$\spuninst\spuninst.exe
publisher: Microsoft Corporation
help link: http://support.micro...com?kbid=885836

Windows XP Hotfix - KB886185 20041021.090540 (KB886185)
uninstall cmd: C:\WINDOWS\$NtUninstallKB886185$\spuninst\spuninst.exe
publisher: Microsoft Corporation
help link: http://support.micro...com?kbid=886185

Windows XP Hotfix - KB887472 20041014.162858 (KB887472)
uninstall cmd: C:\WINDOWS\$NtUninstallKB887472$\spuninst\spuninst.exe
publisher: Microsoft Corporation
help link: http://support.micro...com?kbid=887472

Windows XP Hotfix - KB887742 20041103.095002 (KB887742)
uninstall cmd: C:\WINDOWS\$NtUninstallKB887742$\spuninst\spuninst.exe
publisher: Microsoft Corporation
help link: http://support.micro...com?kbid=887742

Windows XP Hotfix - KB888113 20041116.131036 (KB888113)
uninstall cmd: C:\WINDOWS\$NtUninstallKB888113$\spuninst\spuninst.exe
publisher: Microsoft Corporation
help link: http://support.micro...com?kbid=888113

Windows XP Hotfix - KB888302 20041207.111426 (KB888302)
uninstall cmd: C:\WINDOWS\$NtUninstallKB888302$\spuninst\spuninst.exe
publisher: Microsoft Corporation
help link: http://support.micro...com?kbid=888302

Security Update for Windows XP (KB890046) 1 (KB890046)
install date: 20050616
uninstall cmd: "C:\WINDOWS\$NtUninstallKB890046$\spuninst\spuninst.exe"
publisher: Microsoft Corporation
help link: http://support.micro...com?kbid=890046

Windows XP Hotfix - KB890047 20041221.124506 (KB890047)
uninstall cmd: C:\WINDOWS\$NtUninstallKB890047$\spuninst\spuninst.exe
publisher: Microsoft Corporation
help link: http://support.micro...com?kbid=890047

Windows XP Hotfix - KB890175 20041201.233338 (KB890175)
uninstall cmd: C:\WINDOWS\$NtUninstallKB890175$\spuninst\spuninst.exe
publisher: Microsoft Corporation
help link: http://support.micro...com?kbid=890175

Windows XP Hotfix - KB890859 1 (KB890859)
install date: 20050415
uninstall cmd: "C:\WINDOWS\$NtUninstallKB890859$\spuninst\spuninst.exe"
publisher: Microsoft Corporation
help link: http://support.micro...com?kbid=890859

Windows XP Hotfix - KB890923 1 (KB890923)
install date: 20050415
uninstall cmd: "C:\WINDOWS\$NtUninstallKB890923$\spuninst\spuninst.exe"
publisher: Microsoft Corporation
help link: http://support.micro...com?kbid=890923

Windows XP Hotfix - KB891781 20050110.165439 (KB891781)
uninstall cmd: C:\WINDOWS\$NtUninstallKB891781$\spuninst\spuninst.exe
publisher: Microsoft

#21
atome

Posted 24 July 2005 - 10:01 PM

Member

Topic Starter
Member
23 posts

Forgot to post the Panda Scan results!!

Incident Status Location

Adware:adware/pacimedia No disinfected C:\WINDOWS\SYSTEM32\ps1.exe
Adware:adware/afaenhance No disinfected C:\WINDOWS\SYSTEM\QBUninstaller.exe
Adware:adware/bookedspace No disinfected C:\WINDOWS\cfgmgr52.ini
Adware:adware/wintools No disinfected C:\WINDOWS\hisistheurls.exe
Adware:adware/sahagent No disinfected C:\WINDOWS\unstall.exe
Adware:adware/wupd No disinfected C:\PROGRAM FILES\AdTools Service
Adware:adware/apropos No disinfected C:\PROGRAM FILES\Aprps
Adware:adware/consumeralertsystemNo disinfected C:\PROGRAM FILES\CasStub
Adware:adware/imgiant No disinfected C:\PROGRAM FILES\joystick networks
Adware:adware program No disinfected C:\WINDOWS\SYSTEM32\cache32dsrf4535dfs
Adware:adware/beginto No disinfected C:\WINDOWS\SYSTEM32\cache32_rtneg4
Adware:adware/addestroyer No disinfected C:\DOCUMENTS AND SETTINGS\ALLISON TOME\START MENU\PROGRAMS\AdDestroyer
Spyware:spyware/media-motor No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\MODULEUSAGE\C:/WINDOWS/DOWNLOADED PROGRAM FILES/M67M.OCX
Adware:adware/novo No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\CDM
Adware:adware/cws.searchmeup No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\VBRUNDLL
Adware:adware/savenow No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\MAGNET
Spyware:spyware/surfsidekick No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\SURFSIDEKICK3
Adware:adware/delfinmedia No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\VIDCTRL
Adware:adware/weirdontheweb No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\WEIRDONTHEWEB
Spyware:spyware/istbar No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\Y036
Spyware:spyware/bargainbuddy No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP MANAGEMENT\ARPCACHE\BARGAINBUDDY
Spyware:spyware/dyfuca No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP MANAGEMENT\ARPCACHE\INTERNET OPTIMIZER
Adware:adware/bigtrafficnet No disinfected HKEY_CLASSES_ROOT\Interface\{FA6FA7A5-2C49-4567-BA74-6DD1C36099EE}
Adware:Adware/Apropos No disinfected C:\Program Files\Aprps\ProxyStub.dll
Adware:Adware/MediaTickets No disinfected C:\trufkz.html
Spyware:Spyware/Media-motor No disinfected C:\WINDOWS\Downloaded Program Files\m67m.inf
Adware:Adware Program No disinfected C:\WINDOWS\Downloaded Program Files\WildApp.inf
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\SYSTEM\QBUninstaller.exe
Adware:Adware/PurityScan No disinfected C:\WINDOWS\SYSTEM32\Shex.exe
Spyware:Spyware/Media-motor No disinfected C:\WINDOWS\unstall.exe

#22
atome

Posted 24 July 2005 - 10:04 PM

Member

Topic Starter
Member
23 posts

I also didn't remove Limewire from my computer because I have opted to not allow other users to upload songs from me ... so I have no chance of infection (right??)

Sorry for the 3 separate posts!

Allison

#23
kool808

Posted 25 July 2005 - 04:36 AM

Visiting Staff

Member
1,690 posts

Very good Allison, you did great! :tazz:

It is highly recommended that you install your HijackThis Tool in a safe location where you can easily find them. It is suggested you place them in a folder C:\HJT\, that way it could create backups necessary for future restore.

Please SAVE THIS PAGE or secure a PRINT COPY of the instructions for reference.
++++++++++++++++++++++++++++++++++++++++++++

Download the latest version of Ad-Aware from HERE (if you already have Ad-Aware installed, make sure that it is the latest version and always go online and update it before you run it).

Download Lavasoft's VX2 Cleaner plug-in HERE

Install the VX2 Cleaner
Start Ad-Aware SE
Go to "Plug-ins"
Select the VX2 Cleaner plug-in and click "Run Plugin"
If your computer isn't infected, click "Close".

If your computer is infected

Select "Clean system"
Reboot your computer
Scan your computer with Ad-Aware
Remove any VX2 objects detected
Reboot your computer again
Run a second scan to make sure the files have been removed from your computer

Reboot in SAFE MODE. (How to boot in Safe Mode...)

++++++++++++++++++++++++++++++++++++++++++++
Be sure to View Hidden and System Files.

Through Windows Explorer, delete the following folder(s) or files(s) if they exist (in bold):

C:\PROGRAM FILES\AdTools Service <-- whole folder
C:\PROGRAM FILES\Aprps <-- whole folder
C:\PROGRAM FILES\CasStub <-- whole folder
C:\DOCUMENTS AND SETTINGS\ALLISON TOME\START MENU\PROGRAMS\AdDestroyer <-- whole folder
C:\WINDOWS\SYSTEM32\SPIDER.EXE

Finally, Empty Recycle Bin

++++++++++++++++++++++++++++++++++++++++++++
Reboot back in NORMAL MODE.

++++++++++++++++++++++++++++++++++++++++++++
Download L2mfix from one of these two locations:

Location 1: HERE
Location 2: HERE

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!
++++++++++++++++++++++++++++++++++++++++++++

To make sure it is perfectly clean let us have the final check.

Close all windows, open HijackThis then SCAN.
Post a NEW HijackThis Log.
Please tell me how your system is working now.

#24
atome

Posted 25 July 2005 - 06:44 PM

Member

Topic Starter
Member
23 posts

12mfix log

L2MFIX find log 1.03
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{00E7B358-F65B-4dcf-83DF-CD026B94BFD4}"="Autoplay for SlideShow"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{2F603045-309F-11CF-9774-0020AFD0CFF6}"="Synaptics Control Panel"
"{DEE12703-6333-4D4E-8F34-738C4DCC2E04}"="RecordNow! SendToExt"
"{5CA3D70E-1895-11CF-8E15-001234567890}"="DriveLetterAccess"
"{955B7B84-5308-419c-8ED8-0B9CA3C56985}"="6 Months of AOL Included"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{00020D75-0000-0000-C000-000000000046}"="Microsoft Office Outlook Desktop Icon Handler"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Office Outlook Custom Icon Handler"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{BDA77241-42F6-11d0-85E2-00AA001FE28C}"="LDVP Shell Extensions"
"{acb4a560-3606-11d3-aef4-00104bd0f92d}"="KodakShellExtension"

**********************************************************************************
HKEY ROOT CLASSIDS:
**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
browseui.dll Mon May 2 2005 3:52:34p A.... 1,019,904 996.00 K
cdfview.dll Mon May 2 2005 3:52:34p A.... 151,040 147.50 K
cdm.dll Thu May 26 2005 4:16:24a A.... 75,544 73.77 K
hhsetup.dll Thu May 26 2005 9:04:28p A.... 41,472 40.50 K
icm32.dll Tue Jun 28 2005 8:46:00p A.... 254,976 249.00 K
iepeers.dll Mon May 2 2005 3:52:34p A.... 250,880 245.00 K
inseng.dll Mon May 2 2005 3:52:34p A.... 96,256 94.00 K
itircl.dll Thu May 26 2005 9:04:28p A.... 155,136 151.50 K
itss.dll Thu May 26 2005 9:04:28p A.... 137,216 134.00 K
iuengine.dll Thu May 26 2005 4:16:24a A.... 198,424 193.77 K
jmknt.dll Fri Jun 17 2005 1:19:28p A.... 98,816 96.50 K
legitc~1.dll Mon Jun 6 2005 11:29:58a A.... 459,016 448.26 K
mscms.dll Tue Jun 28 2005 8:46:00p A.... 74,240 72.50 K
mshtml.dll Mon May 2 2005 3:52:36p A.... 3,012,608 2.87 M
mshtmled.dll Mon May 2 2005 3:52:36p A.... 448,512 438.00 K
msi.dll Wed May 4 2005 2:45:32p A.... 2,890,240 2.75 M
msrating.dll Mon May 2 2005 3:52:36p A.... 146,432 143.00 K
ole32.dll Thu Apr 28 2005 2:31:12p A.... 1,285,120 1.22 M
olecli32.dll Thu Apr 28 2005 2:31:12p A.... 74,752 73.00 K
olecnv32.dll Thu Apr 28 2005 2:31:12p A.... 37,888 37.00 K
pngfilt.dll Mon May 2 2005 3:52:36p A.... 39,424 38.50 K
rpcss.dll Thu Apr 28 2005 2:31:12p A.... 395,776 386.50 K
shdocvw.dll Mon May 2 2005 3:52:36p A.... 1,483,776 1.41 M
shlwapi.dll Mon May 2 2005 3:52:36p A.... 473,600 462.50 K
urlmon.dll Mon May 2 2005 3:52:36p A.... 607,744 593.50 K
vzknr.dll Fri Jun 17 2005 1:22:12p A.... 98,816 96.50 K
wininet.dll Mon May 2 2005 3:52:36p A.... 657,920 642.50 K
wuapi.dll Thu May 26 2005 4:16:30a A.... 465,176 454.27 K
wuaueng.dll Thu May 26 2005 4:16:30a A.... 1,343,768 1.28 M
wuaueng1.dll Thu May 26 2005 4:16:30a A.... 194,328 189.77 K
wucltui.dll Thu May 26 2005 4:16:30a A.... 127,256 124.27 K
wups.dll Thu May 26 2005 4:16:30a A.... 41,240 40.27 K
wups2.dll Thu May 26 2005 4:16:30a A.... 18,200 17.77 K
wuweb.dll Thu May 26 2005 4:16:30a A.... 173,536 169.47 K
xerces~1.dll Wed May 18 2005 1:22:20p A.... 2,490,368 2.38 M
xpsp3res.dll Mon May 16 2005 7:25:36p ..... 15,360 15.00 K

36 items found: 36 files, 0 directories.
Total of file sizes: 19,534,760 bytes 18.63 M
Locate .tmp files:

No matches found.
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is 3813-8E97

Directory of C:\WINDOWS\System32

07/02/2005 08:34 AM <DIR> DLLCACHE
11/03/2004 08:42 AM <DIR> Microsoft
0 File(s) 0 bytes
2 Dir(s) 22,310,526,976 bytes free

HijackThis Log

Logfile of HijackThis v1.99.1
Scan saved at 8:42:18 PM, on 7/25/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISUM.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jucheck.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
C:\WINDOWS\system32\PD6000SM.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\PROGRA~1\SYMANT~1\SYMANT~2\IAMAPP.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\PROGRA~1\MUSICM~1\MUSICM~2\MMDiag.exe
C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\SymPxSvc.exe
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\D-Link\AirPlus G Wireless Adapter Utility\AirPlus.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISSERV.EXE
C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\ATRACK.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HJT.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [PD6000StatusMonitor] C:\WINDOWS\system32\PD6000SM.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [iamapp] C:\PROGRA~1\SYMANT~1\SYMANT~2\IAMAPP.EXE
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: D-Link AirPlus G Wireless Utility.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar Search - res://c:\program files\aol\aol toolbar 2.0\aoltbhtml.dll/search.html
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmat...enWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....204&clcid=0x409
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgall..._1/axofupld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Symantec Client Firewall Service (NISSERV) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISSERV.EXE
O23 - Service: Symantec Client Firewall Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISUM.EXE
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Symantec Client Firewall Proxy Service (SymPxSvc) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\SymPxSvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

System is working nicely right now!

The system was not infected when I ran VX2 cleaner
I was unable to locate C:\WINDOWS\SYSTEM32\SPIDER.EXE

I see that I have quite a few registry keys though ... not a good thing, right?

Allison

#25
kool808

Posted 25 July 2005 - 09:59 PM

Visiting Staff

Member
1,690 posts

Yes that is correct Allison your log looks great now! Good Job! One last step then we are off to malware-free system.

Click HERE to download Pocket Killbox by Option^Explicit. Extract it from the zip file then double-click Killbox.exe to run it.

Select "Delete on Reboot".

Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C

C:\WINDOWS\SYSTEM32\SPIDER.EXE

Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try TheKillbox again.

Please download WebRoot SpySweeper from [ HERE ] (It's a 2 week trial):

Click the Free Trial link on the right - next to "SpySweeper for Home Computers" to download the program.
Double-click the file to install it as follows:
- Click "Next", read the agreement, Click "Next"
- Choose "Custom" click "Next".
- Leave the default installation directoy as it is, then click "Next".
- UNcheck "Run SpySweeper at Windows Startup" and "Add Sweep for Spyware to Windows Explorer Context Menu". Click "Next".
- On the following screen you can leave the e-mail address field blank, if you wish. Click "Next".
- Finally, click "Install"
Once the program is installed, it will open.
It will prompt you to update to the latest definitions, click Yes.
Once the definitions are installed, click Sweep Now on the left side.
Click the Start button.
When it's done scanning, click the Next button.
Make sure everything has a check next to it, then click the Next button.
It will remove all of the items found.
Click Session Log in the upper right corner, copy everything in that window.
Click the Summary tab and click Finish.
Paste the contents of the session log you copied into your next reply.

++++++++++++++++++++++++++++++++

To make sure it is perfectly clean let us have the final check.

Close all windows, open HijackThis then SCAN.
Post a NEW HijackThis Log.
Please tell me how your system is working now.

#26
atome

Posted 26 July 2005 - 09:34 AM

Member

Topic Starter
Member
23 posts

********
10:55 AM: |··· Start of Session, Tuesday, July 26, 2005 ···|
10:55 AM: Spy Sweeper started
10:55 AM: Sweep initiated using definitions version 505
10:55 AM: Starting Memory Sweep
10:57 AM: Memory Sweep Complete, Elapsed Time: 00:02:42
10:57 AM: Starting Registry Sweep
10:57 AM: Found Adware: apropos
10:57 AM: HKLM\software\aprps\ (8 subtraces) (ID = 4364550)
10:57 AM: Found Adware: begin2search
10:57 AM: HKCR\interface\{6b882c34-a832-4f5b-bef1-7e198be3f094}\ (8 subtraces) (ID = 4364964)
10:57 AM: HKCR\interface\{9b6b4031-1d6d-4c65-acba-021916853822}\ (8 subtraces) (ID = 4364966)
10:57 AM: HKCR\interface\{9ff60a27-0c0c-4a6a-a15f-b21b644d67bb}\ (8 subtraces) (ID = 4364967)
10:57 AM: HKCR\interface\{15d53b86-e055-43b1-bbee-a91a0f37bd2a}\ (8 subtraces) (ID = 4364968)
10:57 AM: HKCR\interface\{f3c41c1d-22f1-4692-8a7a-88de70a2e9e2}\ (8 subtraces) (ID = 4364979)
10:57 AM: HKCR\interface\{fa6fa7a5-2c49-4567-ba74-6dd1c36099ee}\ (8 subtraces) (ID = 4364981)
10:57 AM: HKLM\software\classes\interface\{6b882c34-a832-4f5b-bef1-7e198be3f094}\ (8 subtraces) (ID = 4365014)
10:57 AM: HKLM\software\classes\interface\{9b6b4031-1d6d-4c65-acba-021916853822}\ (8 subtraces) (ID = 4365016)
10:57 AM: HKLM\software\classes\interface\{9ff60a27-0c0c-4a6a-a15f-b21b644d67bb}\ (8 subtraces) (ID = 4365017)
10:57 AM: HKLM\software\classes\interface\{15d53b86-e055-43b1-bbee-a91a0f37bd2a}\ (8 subtraces) (ID = 4365018)
10:57 AM: HKLM\software\classes\interface\{f3c41c1d-22f1-4692-8a7a-88de70a2e9e2}\ (8 subtraces) (ID = 4365029)
10:57 AM: HKLM\software\classes\interface\{fa6fa7a5-2c49-4567-ba74-6dd1c36099ee}\ (8 subtraces) (ID = 4365031)
10:57 AM: Found Adware: bookedspace
10:57 AM: HKLM\software\configuration manager\cfgmgr52\ (115 subtraces) (ID = 4365728)
10:57 AM: Found Adware: cas
10:57 AM: HKCR\clsid\{8293d547-38dd-4325-b35a-f1817edfa5fc}\ (11 subtraces) (ID = 4366237)
10:57 AM: HKU\S-1-5-21-4261558862-3284301128-1328160310-1006\software\cas\client\ (11 subtraces) (ID = 4366240)
10:57 AM: HKLM\software\classes\clsid\{8293d547-38dd-4325-b35a-f1817edfa5fc}\ (11 subtraces) (ID = 4366241)
10:57 AM: HKLM\software\classes\typelib\{d4c89c18-b4f3-46a9-8800-e9e7a55afbd9}\ (9 subtraces) (ID = 4366244)
10:57 AM: HKCR\typelib\{d4c89c18-b4f3-46a9-8800-e9e7a55afbd9}\ (9 subtraces) (ID = 4366246)
10:57 AM: Found Adware: delfin
10:57 AM: HKLM\software\vidctrl\ (3 subtraces) (ID = 4385901)
10:57 AM: Found Adware: flashtrack
10:57 AM: HKCR\interface\{28168cce-5310-4f12-ab58-9da99a55aaeb}\ (8 subtraces) (ID = 4387515)
10:57 AM: HKLM\software\classes\interface\{28168cce-5310-4f12-ab58-9da99a55aaeb}\ (8 subtraces) (ID = 4387521)
10:57 AM: HKLM\software\classes\typelib\{1bd49631-ae36-42f4-a37b-ca7f53146821}\ (9 subtraces) (ID = 4387522)
10:57 AM: HKLM\software\fen\ (7 subtraces) (ID = 4387523)
10:57 AM: HKCR\typelib\{1bd49631-ae36-42f4-a37b-ca7f53146821}\ (9 subtraces) (ID = 4387546)
10:57 AM: Found System Monitor: networkessentials
10:57 AM: HKLM\software\microsoft\windows\currentversion\uninstall\cdm\ (2 subtraces) (ID = 4397380)
10:57 AM: HKLM\software\novo\ (23 subtraces) (ID = 4397383)
10:57 AM: HKLM\software\np\ (2 subtraces) (ID = 4397384)
10:57 AM: Found Trojan Horse: trojan-downloader-pacisoft
10:57 AM: HKU\S-1-5-21-4261558862-3284301128-1328160310-1006\software\psof1\ (19 subtraces) (ID = 4397754)
10:57 AM: Found Adware: personal money tree
10:57 AM: HKCR\clsid\{8b6da27e-7f64-4694-8f8f-dc87ab8c6b22}\ (8 subtraces) (ID = 4398009)
10:57 AM: HKCR\clsid\{d1a3a43b-05a1-40cd-834c-053e6c03b258}\ (7 subtraces) (ID = 4398010)
10:57 AM: HKCR\comparishopper.application\ (3 subtraces) (ID = 4398011)
10:57 AM: HKLM\software\classes\clsid\{8b6da27e-7f64-4694-8f8f-dc87ab8c6b22}\ (8 subtraces) (ID = 4398012)
10:57 AM: HKLM\software\classes\clsid\{d1a3a43b-05a1-40cd-834c-053e6c03b258}\ (7 subtraces) (ID = 4398013)
10:57 AM: HKLM\software\classes\comparishopper.application\ (3 subtraces) (ID = 4398014)
10:57 AM: HKLM\software\classes\typelib\{ea420048-2898-4110-88c3-1f660b0c7ff3}\ (9 subtraces) (ID = 4398015)
10:57 AM: HKCR\typelib\{ea420048-2898-4110-88c3-1f660b0c7ff3}\ (9 subtraces) (ID = 4398018)
10:57 AM: Found Adware: quicklink search toolbar
10:57 AM: HKCR\clsid\{8b6da27e-7f64-4694-8f8f-dc87ab8c6b22}\ (8 subtraces) (ID = 4400491)
10:57 AM: HKCR\quicklinks.linktracker.1\ (3 subtraces) (ID = 4400492)
10:57 AM: HKCR\quicklinks.linktracker\ (3 subtraces) (ID = 4400493)
10:57 AM: HKCR\quicklinks.quicklinksfilter.1\ (3 subtraces) (ID = 4400494)
10:57 AM: HKCR\quicklinks.quicklinksfilter\ (3 subtraces) (ID = 4400495)
10:57 AM: HKLM\software\classes\clsid\{8b6da27e-7f64-4694-8f8f-dc87ab8c6b22}\ (8 subtraces) (ID = 4400497)
10:57 AM: HKLM\software\classes\quicklinks.linktracker.1\ (3 subtraces) (ID = 4400498)
10:57 AM: HKLM\software\classes\quicklinks.linktracker\ (3 subtraces) (ID = 4400499)
10:57 AM: HKLM\software\classes\quicklinks.quicklinksfilter.1\ (3 subtraces) (ID = 4400500)
10:57 AM: HKLM\software\classes\quicklinks.quicklinksfilter\ (3 subtraces) (ID = 4400501)
10:57 AM: HKLM\software\classes\typelib\{ea420048-2898-4110-88c3-1f660b0c7ff3}\ (9 subtraces) (ID = 4400503)
10:57 AM: HKLM\software\microsoft\windows\currentversion\uninstall\quick links\ (2 subtraces) (ID = 4400508)
10:57 AM: HKLM\software\ql\ (2 subtraces) (ID = 4400509)
10:57 AM: HKCR\typelib\{ea420048-2898-4110-88c3-1f660b0c7ff3}\ (9 subtraces) (ID = 4400511)
10:57 AM: Found Adware: regsync
10:57 AM: HKCR\vbrun.vbrundll.1\ (3 subtraces) (ID = 4400679)
10:57 AM: HKCR\vbrun.vbrundll\ (5 subtraces) (ID = 4400680)
10:57 AM: HKCR\clsid\{197b8ca4-e215-46dd-8f33-e0544a80e5c4}\ (11 subtraces) (ID = 4400681)
10:57 AM: HKCR\typelib\{00dc9ff2-ea77-49c7-8def-722fd81cab59}\ (9 subtraces) (ID = 4400682)
10:57 AM: HKLM\software\classes\vbrun.vbrundll.1\ (3 subtraces) (ID = 4400683)
10:57 AM: HKLM\software\classes\vbrun.vbrundll\ (5 subtraces) (ID = 4400684)
10:57 AM: HKLM\software\classes\clsid\{197b8ca4-e215-46dd-8f33-e0544a80e5c4}\ (11 subtraces) (ID = 4400685)
10:57 AM: HKLM\software\classes\typelib\{00dc9ff2-ea77-49c7-8def-722fd81cab59}\ (9 subtraces) (ID = 4400686)
10:57 AM: HKLM\software\microsoft\windows\currentversion\app paths\regsync\ (2 subtraces) (ID = 4400687)
10:57 AM: HKLM\software\microsoft\windows\currentversion\app paths\vbrundll\ (2 subtraces) (ID = 4400688)
10:57 AM: HKLM\software\microsoft\windows\currentversion\uninstall\vbrundll\ (2 subtraces) (ID = 4400689)
10:57 AM: HKLM\system\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list\regsync.exe\ (1 subtraces) (ID = 4400691)
10:57 AM: Found Adware: roings search enhancment
10:57 AM: HKCR\clsid\{7149e79c-dc19-4c5e-a53c-a54ddf75eee9}\ (23 subtraces) (ID = 4401370)
10:57 AM: HKLM\software\classes\clsid\{7149e79c-dc19-4c5e-a53c-a54ddf75eee9}\inprocserver32\ (2 subtraces) (ID = 4401418)
10:57 AM: HKLM\software\classes\clsid\{7149e79c-dc19-4c5e-a53c-a54ddf75eee9}\miscstatus\ (3 subtraces) (ID = 4401419)
10:57 AM: HKLM\software\classes\clsid\{7149e79c-dc19-4c5e-a53c-a54ddf75eee9}\progid\ (1 subtraces) (ID = 4401420)
10:57 AM: HKLM\software\classes\clsid\{7149e79c-dc19-4c5e-a53c-a54ddf75eee9}\toolboxbitmap32\ (1 subtraces) (ID = 4401421)
10:57 AM: HKLM\software\classes\clsid\{7149e79c-dc19-4c5e-a53c-a54ddf75eee9}\typelib\ (1 subtraces) (ID = 4401422)
10:57 AM: HKLM\software\classes\clsid\{7149e79c-dc19-4c5e-a53c-a54ddf75eee9}\version\ (1 subtraces) (ID = 4401423)
10:57 AM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/m67m.ocx\ (2 subtraces) (ID = 4401506)
10:57 AM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\m67m.ocx (ID = 4401535)
10:57 AM: HKLM\software\mm\ (1 subtraces) (ID = 4401547)
10:57 AM: Found Adware: searchfast
10:57 AM: HKCR\interface\{4ab7241e-0af2-47ac-a771-0fdbb7343714}\ (8 subtraces) (ID = 4402330)
10:57 AM: HKLM\software\classes\interface\{4ab7241e-0af2-47ac-a771-0fdbb7343714}\ (8 subtraces) (ID = 4402334)
10:57 AM: Found Adware: shopathomeselect
10:57 AM: HKLM\software\classes\webinstaller.cexecute.1\ (3 subtraces) (ID = 4403090)
10:57 AM: HKCR\webinstaller.cexecute.1\ (3 subtraces) (ID = 4403150)
10:57 AM: Found Adware: surfsidekick
10:57 AM: HKLM\software\surfsidekick3\ (2 subtraces) (ID = 4404918)
10:57 AM: Found Adware: abetterinternet
10:57 AM: HKLM\software\sdf7sdfgs324\ (ID = 4407786)
10:57 AM: Found Adware: weirdontheweb
10:57 AM: HKLM\software\weirdontheweb\ (18 subtraces) (ID = 4408283)
10:57 AM: HKLM\software\weirdontheweb\ || guid (ID = 4408284)
10:57 AM: HKLM\software\weirdontheweb\ || installtime (ID = 4408285)
10:57 AM: HKLM\software\weirdontheweb\ || provider (ID = 4408286)
10:57 AM: HKLM\software\weirdontheweb\config\ (11 subtraces) (ID = 4408287)
10:57 AM: HKLM\software\weirdontheweb\update\ (2 subtraces) (ID = 4408288)
10:57 AM: Found Adware: wildmedia
10:57 AM: HKCR\interface\{851f86c9-d3cc-4574-93f5-40e2d65159e4}\ (8 subtraces) (ID = 4408385)
10:57 AM: HKLM\software\classes\interface\{851f86c9-d3cc-4574-93f5-40e2d65159e4}\ (8 subtraces) (ID = 4408399)
10:57 AM: Found Adware: winad
10:57 AM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/adtoolsx.dll\ (2 subtraces) (ID = 4408884)
10:57 AM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\adtoolsx.dll (ID = 4408913)
10:57 AM: Found Adware: windows afa internet enhancement
10:57 AM: HKLM\software\microsoft\windows\currentversion\uninstall\wafaie\ (2 subtraces) (ID = 4408979)
10:57 AM: Registry Sweep Complete, Elapsed Time:00:00:10
10:57 AM: Starting Cookie Sweep
10:57 AM: Cookie Sweep Complete, Elapsed Time: 00:00:00
10:58 AM: Starting File Sweep
10:58 AM: Found Trojan Horse: trojan-downloader-bookedspace
10:58 AM: c:\windows\cfgmgr52 (29 subtraces) (ID = 4124693)
10:58 AM: c:\windows\system32\vidctrl (ID = 4099233)
10:58 AM: c:\program files\quick links (2 subtraces) (ID = 4116934)
10:58 AM: Found Adware: icondroppers
10:58 AM: myurlsagain.exe (ID = 4104670)
10:58 AM: m67m.inf (ID = 4117631)
10:58 AM: hisistheurls.exe (ID = 4104671)
10:58 AM: preuninstallql.exe (ID = 4116928)
10:58 AM: uninst.exe (ID = 4116933)
10:58 AM: qbuninstaller.exe (ID = 4135464)
10:58 AM: Found Trojan Horse: trojan-downloader-mainstreamdollars
10:58 AM: btnetw3_venturahot_246765.exe (ID = 4125163)
10:58 AM: bsva-egihsg52.exe (ID = 4124683)
10:58 AM: Found Adware: purityscan
10:58 AM: shex.exe (ID = 4116742)
10:58 AM: weirdontheweb_ventura.exe (ID = 4132748)
10:59 AM: unstall.exe (ID = 4117785)
10:59 AM: Found Adware: linkmaker
10:59 AM: qldf.bin (ID = 4108050)
10:59 AM: Found Trojan Horse: trojan-downloader-traf34
10:59 AM: gsm3-0511.exe (ID = 4125479)
10:59 AM: vbuninstall.exe (ID = 4117270)
11:00 AM: Found Adware: search fast communicator toolbar
11:00 AM: communicator2.exe (ID = 4118504)
11:00 AM: Found Adware: adlogix
11:00 AM: fcs.exe (ID = 4089504)
11:00 AM: Found Adware: minigolf
11:00 AM: wildapp.inf (ID = 4112692)
11:00 AM: File Sweep Complete, Elapsed Time: 00:02:09
11:00 AM: Full Sweep has completed. Elapsed time 00:05:06
11:00 AM: Traces Found: 790
11:31 AM: Removal process initiated
11:31 AM: Quarantining All Traces: apropos
11:31 AM: Quarantining All Traces: begin2search
11:31 AM: Quarantining All Traces: bookedspace
11:31 AM: Quarantining All Traces: cas
11:31 AM: Quarantining All Traces: delfin
11:31 AM: Quarantining All Traces: flashtrack
11:31 AM: Quarantining All Traces: networkessentials
11:31 AM: Quarantining All Traces: trojan-downloader-pacisoft
11:31 AM: Quarantining All Traces: personal money tree
11:31 AM: Quarantining All Traces: quicklink search toolbar
11:31 AM: Quarantining All Traces: regsync
11:31 AM: Quarantining All Traces: roings search enhancment
11:31 AM: Quarantining All Traces: searchfast
11:31 AM: Quarantining All Traces: shopathomeselect
11:31 AM: Quarantining All Traces: surfsidekick
11:31 AM: Quarantining All Traces: abetterinternet
11:31 AM: Quarantining All Traces: weirdontheweb
11:31 AM: Quarantining All Traces: wildmedia
11:31 AM: Quarantining All Traces: winad
11:31 AM: Quarantining All Traces: windows afa internet enhancement
11:31 AM: Quarantining All Traces: trojan-downloader-bookedspace
11:31 AM: Quarantining All Traces: icondroppers
11:31 AM: Quarantining All Traces: trojan-downloader-mainstreamdollars
11:31 AM: Quarantining All Traces: purityscan
11:31 AM: Quarantining All Traces: linkmaker
11:31 AM: Quarantining All Traces: trojan-downloader-traf34
11:31 AM: Quarantining All Traces: search fast communicator toolbar
11:31 AM: Quarantining All Traces: adlogix
11:31 AM: Quarantining All Traces: minigolf
11:31 AM: Removal process completed. Elapsed time 00:00:27
********
10:54 AM: |··· Start of Session, Tuesday, July 26, 2005 ···|
10:54 AM: Spy Sweeper started
10:54 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 7C910370 in module 'ntdll.dll'. Read of address 00000058
10:55 AM: |··· End of Session, Tuesday, July 26, 2005 ···|

Hijackthis Logfile

Logfile of HijackThis v1.99.1
Scan saved at 11:33:33 AM, on 7/26/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISUM.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\SymPxSvc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
C:\WINDOWS\system32\PD6000SM.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\PROGRA~1\SYMANT~1\SYMANT~2\IAMAPP.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jucheck.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
C:\Program Files\D-Link\AirPlus G Wireless Adapter Utility\AirPlus.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\MUSICM~1\MUSICM~2\MMDiag.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISSERV.EXE
C:\PROGRA~1\Webshots\webshots.scr
C:\WINDOWS\System32\alg.exe
C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\ATRACK.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\HJT.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [PD6000StatusMonitor] C:\WINDOWS\system32\PD6000SM.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [iamapp] C:\PROGRA~1\SYMANT~1\SYMANT~2\IAMAPP.EXE
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: D-Link AirPlus G Wireless Utility.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar Search - res://c:\program files\aol\aol toolbar 2.0\aoltbhtml.dll/search.html
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmat...enWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....204&clcid=0x409
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgall..._1/axofupld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Symantec Client Firewall Service (NISSERV) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISSERV.EXE
O23 - Service: Symantec Client Firewall Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISUM.EXE
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Client Firewall Proxy Service (SymPxSvc) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\SymPxSvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Hope this did the trick!! Thanks, again!

Allison

#27
atome

Posted 26 July 2005 - 12:36 PM

Member

Topic Starter
Member
23 posts

Dll Scan

* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

O^E says: "There were no files found :tazz:

"
________________________________________________

1,503 items found: 1,502 files, 1 directory.
Total of file sizes: 320,933,016 bytes 306.06 M

Administrator Account = True

--------------------End log---------------------

RootKitRevealer Scan

C:\Documents and Settings\Allison Tome\Cookies\allison [email protected][1].txt 7/26/2005 2:25 PM 205 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Cookies\allison [email protected][2].txt 7/25/2005 9:57 AM 204 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Allison Tome\Cookies\allison tome@nextag[2].txt 7/26/2005 2:25 PM 176 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Cookies\allison [email protected][1].txt 7/26/2005 2:28 PM 112 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Cookies\allison [email protected][2].txt 7/25/2005 9:59 AM 113 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\012R4H67\050616_Incred_DMC05_728x90[1].jpg 7/26/2005 2:26 PM 20.27 KB Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\012R4H67\160x600s[1].htm 7/26/2005 2:25 PM 3.70 KB Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\012R4H67\33314[29].xml 7/26/2005 2:26 PM 1.17 KB Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\012R4H67\3rdParty[1].gif 7/26/2005 2:28 PM 61 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\012R4H67\about_nc_off_nav[1].gif 7/26/2005 2:27 PM 608 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\012R4H67\access_interior[1].gif 7/26/2005 2:27 PM 2.00 KB Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\012R4H67\B1214142[1].htm 7/26/2005 2:26 PM 4.28 KB Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\012R4H67\B1214142[2].htm 7/26/2005 2:26 PM 4.27 KB Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\012R4H67\btn_info_small[1].gif 7/26/2005 2:28 PM 53 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\012R4H67\btnDownloadTransactions[1].gif 7/26/2005 2:28 PM 288 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\012R4H67\btnHelpBread_on[1].gif 7/26/2005 2:29 PM 322 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\012R4H67\c[2].gif 7/26/2005 2:25 PM 42 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\012R4H67\color_pixel[1].gif 7/26/2005 2:28 PM 43 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\012R4H67\d1_listing2_v1[1].gif 7/26/2005 2:25 PM 8.98 KB Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\012R4H67\d1_starscope1_v1[1].gif 7/26/2005 2:25 PM 6.50 KB Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\012R4H67\dailyscope[1].htm 7/26/2005 2:25 PM 9.25 KB Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\012R4H67\downLoad_dat[1].gif 7/26/2005 2:28 PM 567 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\012R4H67\enroll_btn[1].gif 7/26/2005 2:28 PM 252 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\012R4H67\freepsychicreading22[1].gif 7/26/2005 2:25 PM 2.54 KB Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\012R4H67\getmsg[4].htm 7/26/2005 2:24 PM 47.94 KB Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\012R4H67\hmhome[2].htm 7/26/2005 2:23 PM 20.94 KB Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\012R4H67\HoTMaiL[2].htm 7/26/2005 2:27 PM 29.97 KB Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\012R4H67\hotmail___1000000002[2].css 7/26/2005 1:43 PM 3.31 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\012R4H67\i.p.error[1].gif 7/26/2005 2:27 PM 260 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\012R4H67\i.p.replyall.d[1].gif 7/26/2005 2:25 PM 164 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\012R4H67\i.p.trashempty[1].gif 7/26/2005 2:26 PM 237 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\012R4H67\image003[1].jpg 7/26/2005 2:24 PM 17.84 KB Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\012R4H67\image003[2].jpg 7/26/2005 2:24 PM 17.96 KB Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\012R4H67\image004[1].gif 7/26/2005 2:24 PM 23.10 KB Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\012R4H67\image004[2].gif 7/26/2005 2:24 PM 23.33 KB Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\012R4H67\index[3].htm 7/26/2005 2:09 PM 213.73 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\012R4H67\inNav_onlineaccess_off[1].gif 7/26/2005 2:28 PM 459 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\012R4H67\inNav_payservices_off[1].gif 7/26/2005 2:28 PM 525 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\012R4H67\isEmpty[1].js 7/26/2005 2:27 PM 352 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\012R4H67\lghtblue_arrow[1].gif 7/26/2005 2:27 PM 49 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\012R4H67\login_icon[1].gif 7/26/2005 2:27 PM 76 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\012R4H67\master[2].css 7/26/2005 2:25 PM 3.21 KB Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\012R4H67\right_col_bg[1].gif 7/26/2005 2:28 PM 102 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\012R4H67\search[60].htm 7/26/2005 2:23 PM 14 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\012R4H67\search[61].htm 7/26/2005 2:23 PM 14 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\012R4H67\search[62].htm 7/26/2005 2:24 PM 14 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\012R4H67\search[63].htm 7/26/2005 2:27 PM 14 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\012R4H67\search[64].htm 7/26/2005 2:27 PM 14 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\012R4H67\search[65].htm 7/26/2005 2:27 PM 14 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\012R4H67\subnav_AddAccount[1].gif 7/26/2005 2:28 PM 771 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\012R4H67\subnav_ChangeAccountInfo[1].gif 7/26/2005 2:28 PM 753 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\012R4H67\subnav_CreditLineIncrease[1].gif 7/26/2005 2:28 PM 540 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\012R4H67\subnav_LostStolen[1].gif 7/26/2005 2:28 PM 686 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\012R4H67\subnav_RecurringPayment[1].gif 7/26/2005 2:28 PM 713 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\012R4H67\subnav_Reports[1].gif 7/26/2005 2:28 PM 372 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\012R4H67\talklive12[1].gif 7/26/2005 2:25 PM 838 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\4HM3GHYN\33314[32].xml 7/26/2005 2:16 PM 1.17 KB Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\4HM3GHYN\AARP_BBDconcept2blue_160X600[1].gif 7/26/2005 2:27 PM 9.33 KB Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\4HM3GHYN\ads_BT[1].gif 7/26/2005 2:28 PM 6.01 KB Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\4HM3GHYN\btnPrintPage[1].gif 7/26/2005 2:28 PM 317 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\4HM3GHYN\btnSwitchCategoryView[1].gif 7/26/2005 2:28 PM 296 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\4HM3GHYN\btnTopOfPage[1].gif 7/26/2005 2:28 PM 411 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\4HM3GHYN\cosmictidbit2[1].gif 7/26/2005 2:25 PM 596 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\4HM3GHYN\dailyscope_hdr2[1].gif 7/26/2005 2:25 PM 3.42 KB Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\4HM3GHYN\dc[1].gif 7/26/2005 2:25 PM 43 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\4HM3GHYN\downLoad_qif99[1].gif 7/26/2005 2:28 PM 525 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\4HM3GHYN\dujiee_0.5[1].gif 7/26/2005 2:27 PM 926 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\4HM3GHYN\free_pshychic_reading2[1].gif 7/26/2005 2:25 PM 4.48 KB Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\4HM3GHYN\getmsg[2].htm 7/26/2005 2:25 PM 41.87 KB Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\4HM3GHYN\getmsg[3].htm 7/26/2005 2:26 PM 24.36 KB Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\4HM3GHYN\HoTMaiL[1] 7/26/2005 2:26 PM 6.72 KB Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\4HM3GHYN\HoTMaiL[3].htm 7/26/2005 2:27 PM 29.81 KB Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\4HM3GHYN\hotmail___1000000002[2].css 7/26/2005 2:23 PM 3.31 KB Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\4HM3GHYN\i.p.notjunk[1].gif 7/26/2005 2:26 PM 176 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\4HM3GHYN\image009[1].gif 7/26/2005 2:24 PM 45.51 KB Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\4HM3GHYN\image009[2].gif 7/26/2005 2:24 PM 46.79 KB Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\4HM3GHYN\image010[1].gif 7/26/2005 2:24 PM 18.24 KB Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\4HM3GHYN\image010[2].gif 7/26/2005 2:24 PM 18.22 KB Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\4HM3GHYN\inNav_onlineaccess_on[1].gif 7/26/2005 2:29 PM 464 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\4HM3GHYN\inNav_services_on[1].gif 7/26/2005 2:28 PM 643 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\4HM3GHYN\login_username[1].gif 7/26/2005 2:28 PM 595 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\4HM3GHYN\logo[2].gif 7/26/2005 2:28 PM 2.34 KB Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\4HM3GHYN\official_Teenpic_2499_728x90[1].gif 7/26/2005 2:23 PM 16.96 KB Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\4HM3GHYN\openNewWindow[1].js 7/26/2005 2:27 PM 1.20 KB Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\4HM3GHYN\personal_on_nav[1].gif 7/26/2005 2:27 PM 543 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\4HM3GHYN\search[55].htm 7/26/2005 2:25 PM 14 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\4HM3GHYN\search[56].htm 7/26/2005 2:25 PM 14 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\4HM3GHYN\search[57].htm 7/26/2005 2:25 PM 14 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\4HM3GHYN\search[58].htm 7/26/2005 2:26 PM 14 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\4HM3GHYN\search[59].htm 7/26/2005 2:27 PM 14 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\4HM3GHYN\search[60].htm 7/26/2005 2:27 PM 14 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\4HM3GHYN\search[61].htm 7/26/2005 2:27 PM 14 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\4HM3GHYN\search[62].htm 7/26/2005 2:27 PM 14 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\4HM3GHYN\search_go_btn[1].gif 7/26/2005 2:27 PM 194 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\4HM3GHYN\sign_taurus4[1].gif 7/26/2005 2:25 PM 991 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\4HM3GHYN\spacer[6].gif 7/26/2005 2:28 PM 43 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\4HM3GHYN\subnav_ChangePasswordHints[1].gif 7/26/2005 2:28 PM 638 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\4HM3GHYN\subnav_Ealerts[1].gif 7/26/2005 2:28 PM 370 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\4HM3GHYN\subnav_InquiryHistory[1].gif 7/26/2005 2:28 PM 471 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\4HM3GHYN\subnav_ManagePayInfo[1].gif 7/26/2005 2:28 PM 777 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\4HM3GHYN\subnav_OrderChecks[1].gif 7/26/2005 2:28 PM 724 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\4HM3GHYN\subnav_Statement[1].gif 7/26/2005 2:28 PM 532 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\4HM3GHYN\subnav_Statement_on[1].gif 7/26/2005 2:28 PM 532 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\4HM3GHYN\white_arrow[2].gif 7/26/2005 2:27 PM 51 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\GP2NCPQV\33314[51].xml 7/26/2005 2:11 PM 662 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\GP2NCPQV\astrology2[1].gif 7/26/2005 2:25 PM 1.38 KB Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\GP2NCPQV\btnHelpBread[1].gif 7/26/2005 2:28 PM 328 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\GP2NCPQV\Card_enroll_lg[1].gif 7/26/2005 2:28 PM 1.46 KB Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\GP2NCPQV\clear[1].gif 7/26/2005 2:27 PM 43 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\GP2NCPQV\CSS[2].css 7/26/2005 2:29 PM 5.00 KB Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\GP2NCPQV\d1_listing1_v1[1].gif 7/26/2005 2:25 PM 10.63 KB Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\GP2NCPQV\d1_starscope-header-email_v1[1].gif 7/26/2005 2:25 PM 9.45 KB Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\GP2NCPQV\dailyscope[1].htm 7/26/2005 2:25 PM 9.25 KB Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\GP2NCPQV\decision_support_card[1].gif 7/26/2005 2:27 PM 644 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\GP2NCPQV\donotbulk9f671988[1] 7/26/2005 2:27 PM 3.09 KB Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\GP2NCPQV\donotbulk[1].htm 7/26/2005 2:27 PM 11.82 KB Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\GP2NCPQV\downLoad_scv[1].gif 7/26/2005 2:28 PM 628 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\GP2NCPQV\helppane___9080000001F[1].js 7/26/2005 2:23 PM 3.75 KB Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\GP2NCPQV\helppane___9080000001F[3].js 7/26/2005 1:42 PM 3.75 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\GP2NCPQV\HoTMaiL[2] 7/26/2005 2:27 PM 6.72 KB Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\GP2NCPQV\HoTMaiL[4].htm 7/26/2005 2:27 PM 29.51 KB Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\GP2NCPQV\hotmail___1000004504[2].js 7/26/2005 2:23 PM 33.33 KB Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\GP2NCPQV\i.p.attention[1].gif 7/26/2005 2:26 PM 233 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\GP2NCPQV\i.p.reply.d[1].gif 7/26/2005 2:25 PM 225 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\GP2NCPQV\image002[1].jpg 7/26/2005 2:24 PM 19.69 KB Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\GP2NCPQV\image002[2].jpg 7/26/2005 2:24 PM 20.20 KB Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\GP2NCPQV\image007[1].jpg 7/26/2005 2:24 PM 22.20 KB Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\GP2NCPQV\image007[2].jpg 7/26/2005 2:24 PM 22.46 KB Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\GP2NCPQV\image008[1].jpg 7/26/2005 2:24 PM 196.31 KB Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\GP2NCPQV\image008[2].jpg 7/26/2005 2:24 PM 197.51 KB Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\GP2NCPQV\index[8].htm 7/26/2005 2:23 PM 213.73 KB Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\GP2NCPQV\inNav_acctInfo_on[1].gif 7/26/2005 2:28 PM 653 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\GP2NCPQV\inNav_assistance_off[1].gif 7/26/2005 2:28 PM 965 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\GP2NCPQV\keen_logo_min_header3[1].gif 7/26/2005 2:25 PM 2.11 KB Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\GP2NCPQV\login_password[1].gif 7/26/2005 2:28 PM 840 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\GP2NCPQV\nc[1].css 7/26/2005 2:27 PM 9.43 KB Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\GP2NCPQV\nc_logo[1].gif 7/26/2005 2:27 PM 4.04 KB Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\GP2NCPQV\pa_jessica_728x90_itw[1].gif 7/26/2005 2:27 PM 19.31 KB Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\GP2NCPQV\PCPS_CSO[1].gif 7/26/2005 2:28 PM 7.06 KB Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\GP2NCPQV\PrivacyGuard827[1].gif 7/26/2005 2:28 PM 5.44 KB Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\GP2NCPQV\reportjunkPopup[1].htm 7/26/2005 2:27 PM 1.79 KB Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\GP2NCPQV\right_col_top_corner[1].gif 7/26/2005 2:28 PM 100 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\GP2NCPQV\search[47].htm 7/26/2005 2:23 PM 14 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\GP2NCPQV\search[48].htm 7/26/2005 2:25 PM 14 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\GP2NCPQV\search[49].htm 7/26/2005 2:26 PM 14 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\GP2NCPQV\search[50].htm 7/26/2005 2:26 PM 14 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\GP2NCPQV\search[51].htm 7/26/2005 2:26 PM 14 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\GP2NCPQV\small_business_off_nav[1].gif 7/26/2005 2:27 PM 631 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\GP2NCPQV\starscope_cosmictidbit_box[1].gif 7/26/2005 2:25 PM 4.32 KB Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\GP2NCPQV\subnav_AccountSummary_on[1].gif 7/26/2005 2:28 PM 509 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\GP2NCPQV\subnav_BalanceTransfer[1].gif 7/26/2005 2:28 PM 483 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\GP2NCPQV\subnav_ChangeCardNickname[1].gif 7/26/2005 2:28 PM 799 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\GP2NCPQV\subnav_DisputeTransaction[1].gif 7/26/2005 2:28 PM 544 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\GP2NCPQV\subnav_OneTimePayment[1].gif 7/26/2005 2:28 PM 697 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\GP2NCPQV\subnav_SearchTransactions[1].gif 7/26/2005 2:28 PM 562 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\GP2NCPQV\subnav_ViewFaqs[1].gif 7/26/2005 2:28 PM 443 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\GP2NCPQV\table_header_corner[1].gif 7/26/2005 2:28 PM 53 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\SHAFK9EB\0000000363_000000000000000203591[1].gif 7/26/2005 2:27 PM 1.22 KB Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\SHAFK9EB\0000054169_000000000000000194310[1].gif 7/26/2005 2:27 PM 1.17 KB Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\SHAFK9EB\0205_010_E_160600_A[1].gif 7/26/2005 2:26 PM 17.95 KB Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\SHAFK9EB\03207Diamond2_small[1].gif 7/26/2005 2:28 PM 6.57 KB Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\SHAFK9EB\bluestar2[1].gif 7/26/2005 2:25 PM 140 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\SHAFK9EB\btnPayNow[1].gif 7/26/2005 2:28 PM 411 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\SHAFK9EB\CAD0CJL9.htm 7/26/2005 2:26 PM 12.84 KB Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\SHAFK9EB\CAGLUJO9.swf 7/26/2005 2:25 PM 30.26 KB Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\SHAFK9EB\Card_services_lg[1].gif 7/26/2005 2:28 PM 843 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\SHAFK9EB\corporate_off_nav[1].gif 7/26/2005 2:27 PM 1.25 KB Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\SHAFK9EB\cs_squares[1].gif 7/26/2005 2:27 PM 72 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\SHAFK9EB\CSS[1].css 7/26/2005 2:29 PM 5.86 KB Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\SHAFK9EB\d1_listing3_v1[1].gif 7/26/2005 2:25 PM 9.55 KB Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\SHAFK9EB\d1_starscope2_v1[1].gif 7/26/2005 2:25 PM 6.61 KB Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\SHAFK9EB\enusso35[1].gif 7/26/2005 2:25 PM 1.35 KB Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\SHAFK9EB\exNav_logoff_off[1].gif 7/26/2005 2:28 PM 394 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\SHAFK9EB\footer_lock[1].gif 7/26/2005 2:28 PM 188 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\SHAFK9EB\functions[1].js 7/26/2005 2:25 PM 3.55 KB Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\SHAFK9EB\HoTMaiL[2] 7/26/2005 2:27 PM 6.08 KB Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\SHAFK9EB\HoTMaiL[3].htm 7/26/2005 2:23 PM 34.63 KB Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\SHAFK9EB\HoTMaiL[4].htm 7/26/2005 2:25 PM 34.62 KB Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\SHAFK9EB\HoTMaiL[5].htm 7/26/2005 2:26 PM 30.28 KB Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\SHAFK9EB\HoTMaiL[6].htm 7/26/2005 2:27 PM 26.56 KB Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\SHAFK9EB\hotmail___1000004504[2].js 7/26/2005 1:43 PM 33.33 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\SHAFK9EB\i.p.solidrightarrow[1].gif 7/26/2005 2:25 PM 50 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\SHAFK9EB\image001[2].gif 7/26/2005 2:24 PM 23.26 KB Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\SHAFK9EB\image005[1].jpg 7/26/2005 2:24 PM 65.19 KB Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\SHAFK9EB\image005[2].jpg 7/26/2005 2:24 PM 65.27 KB Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\SHAFK9EB\image006[1].jpg 7/26/2005 2:24 PM 27.72 KB Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\SHAFK9EB\image006[2].jpg 7/26/2005 2:24 PM 28.00 KB Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\SHAFK9EB\inNav_payservices_on[1].gif 7/26/2005 2:28 PM 531 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\SHAFK9EB\inNav_services_off[1].gif 7/26/2005 2:28 PM 687 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\SHAFK9EB\lghtBlue_arrow[1].gif 7/26/2005 2:28 PM 49 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\SHAFK9EB\lmb_lre_50stscolorbulbbrd15sec_0705_728x90[1].gif 7/26/2005 2:26 PM 19.58 KB Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\SHAFK9EB\login_go_btn[1].gif 7/26/2005 2:27 PM 673 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\SHAFK9EB\search[55].htm 7/26/2005 2:23 PM 14 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\SHAFK9EB\search[56].htm 7/26/2005 2:23 PM 14 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\SHAFK9EB\search[57].htm 7/26/2005 2:25 PM 14 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\SHAFK9EB\search[58].htm 7/26/2005 2:27 PM 14 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\SHAFK9EB\spacer[3].gif 7/26/2005 2:28 PM 43 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\SHAFK9EB\subnav5_bot_shadow[1].gif 7/26/2005 2:28 PM 61 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\SHAFK9EB\subnav_AccountSummary[1].gif 7/26/2005 2:28 PM 509 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\SHAFK9EB\subnav_AddAuthorized[1].gif 7/26/2005 2:28 PM 559 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\SHAFK9EB\subnav_bot_shadow[1].gif 7/26/2005 2:28 PM 60 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\SHAFK9EB\subnav_ChangePassword[1].gif 7/26/2005 2:28 PM 535 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\SHAFK9EB\subnav_DisableOnlineAccess[1].gif 7/26/2005 2:28 PM 788 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\SHAFK9EB\subnav_PaymentHistory[1].gif 7/26/2005 2:28 PM 504 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\SHAFK9EB\subnav_ServiceInquiry[1].gif 7/26/2005 2:28 PM 482 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\SHAFK9EB\talklive11[1].gif 7/26/2005 2:25 PM 992 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\SHAFK9EB\todaysforecast2[1].gif 7/26/2005 2:25 PM 892 bytes Hidden from Windows API.
C:\Documents and Settings\Allison Tome\Local Settings\Temporary Internet Files\Content.IE5\SHAFK9EB\validateGlobalSearchForm[1].js 7/26/2005 2:27 PM 1.27 KB Hidden from Windows API.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP233\A0025145.lnk 7/6/2005 12:24 PM 1.47 KB Hidden from Windows API.
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb 7/26/2005 2:06 PM 64.00 KB Visible in Windows API, but not in MFT or directory index.

#28
kool808

Posted 27 July 2005 - 04:48 AM

Visiting Staff

Member
1,690 posts

Looking good, looking good..... you just did it, you did a great job Allison! But before we go to prevention let us have the final run

Now run CleanUp. When you click the Close button you will be prompted to reboot, agree to it.

You can now uninstall / remove these programs:

l2mfix
killbox
spysweeper (trial)
dll compare
silent runners
winpfind
track qoo

:yes:

Congratulations!

your system is CLEAN!

WinXP Reset & All-Clean1

We have a couple of last steps to perform and then you're all set.

First, let's reset your hidden/system files and folders. System files are hidden for a reason and we don't want to have them openly available and susceptible to accidental deletion.
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View tab.
* Under the Hidden files and folders heading UNSELECT Show hidden files and folders.
* CHECK the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.
Next, let's clean your restore points and set a new one:

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)1. Turn off System Restore.On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
2. Restart your computer.

3. Turn ON System Restore.On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK.
[/list]System Restore will now be active again.

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:

SpywareBlaster to help prevent spyware from installing in the first place.
SpywareGuard to catch and block spyware before it can execute.
IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.

You should also have a good firewall. Here are 3 free ones available for personal use:

and a good antivirus (these are also free for personal use):

It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your operating system up to date visit

Microsoft Windows Update

monthly. And to keep your system clean run these free malware scanners

weekly, and be aware of what emails you open and websites you visit.

To learn more about how to protect yourself while on the internet read this article by Tony Klein: So how did I get infected in the first place?

#29
atome

Posted 27 July 2005 - 04:00 PM

Member

Topic Starter
Member
23 posts

Thank you so much for your help! I appreciate the time you spent figuring out my malware/spyware problem. Last question ... Ewido is only a limited time free trial ... should I uninstall it now, or wait until it runs out on me?

Thanks again,
Allison

#30
kool808

Posted 27 July 2005 - 05:02 PM

Visiting Staff

Member
1,690 posts

Ewido is indeed a very good program however it has only a trial period. It depends to you if you would like to buy it or just uninstall it after the expiration.

Glad we could help you. :tazz:

Regards,

kool808