
HJT-Chucker07


11 replies to this topic

#1 chucker07


Posted 12 March 2005 - 05:34 PM

My browser was recently hijacked by about blank but has changed to Hotoffers. My desktop now has a topspyware.com ad posted on it and web pages are always changing to res://lqzhx.dll/http_404.htm.

Spybot and Ad-Aware have been run.

Help would be greatly appreciated.

Logfile of HijackThis v1.99.1
Scan saved at 5:03:48 PM, on 3/12/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\sdkzu.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\tibs3.exe
C:\WINDOWS\system32\isvutcat.exe
C:\WINDOWS\system32\ipjc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Charles Butler\Desktop\Downloads\HJT\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\gcdef.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://nonstopsearch.com/?a=2
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://nonstopsearch.com/?a=2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\lqzhx.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\lqzhx.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\lqzhx.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\lqzhx.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\lqzhx.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\lqzhx.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\lqzhx.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://nonstopsearch.com/?a=2
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://nonstopsearch.com/?a=2
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {A1AE6514-7CAC-E83C-FA39-EA959372821A} - C:\WINDOWS\system32\iexg32.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [tibs3] C:\WINDOWS\System32\tibs3.exe
O4 - HKLM\..\Run: [CA9B52DB] C:\WINDOWS\system32\C3Adslrsv.exe
O4 - HKLM\..\Run: [89517F0B] C:\WINDOWS\system32\isvutcat.exe
O4 - HKLM\..\Run: [B16CC54E] C:\WINDOWS\system32\adstmp.exe
O4 - HKLM\..\Run: [FC6018FE] C:\WINDOWS\system32\Diwavl3d3.exe
O4 - HKLM\..\Run: [B7CFDC46] C:\WINDOWS\system32\pheronet.exe
O4 - HKLM\..\Run: [4492FF76] C:\WINDOWS\system32\dxxsrvter.exe
O4 - HKLM\..\Run: [B461C44E] C:\WINDOWS\system32\3dvvcd.exe
O4 - HKLM\..\Run: [843AFC8B] C:\WINDOWS\system32\api3trac.exe
O4 - HKLM\..\Run: [882E7CE3] C:\WINDOWS\system32\wsmpbbj.exe
O4 - HKLM\..\Run: [AEC252EE] C:\WINDOWS\system32\amonsld.exe
O4 - HKLM\..\Run: [A5C75E8B] C:\WINDOWS\system32\cnoavwam.exe
O4 - HKLM\..\Run: [E1151CEE] C:\WINDOWS\system32\bviomdl.exe
O4 - HKLM\..\Run: [D7C05B43] C:\WINDOWS\system32\pvDDBNMV.exe
O4 - HKLM\..\Run: [BAB3146E] C:\WINDOWS\system32\aamoreo32.exe
O4 - HKLM\..\Run: [EFA609E3] C:\WINDOWS\system32\clevifi.exe
O4 - HKLM\..\Run: [BCBAE246] C:\WINDOWS\system32\trelowar.exe
O4 - HKLM\..\Run: [F997B4EB] C:\WINDOWS\system32\ediadsl.exe
O4 - HKLM\..\Run: [CE1926DE] C:\WINDOWS\system32\srvatsiadm.exe
O4 - HKLM\..\Run: [9D1AE363] C:\WINDOWS\system32\terckbo.exe
O4 - HKLM\..\Run: [BC4D147E] C:\WINDOWS\system32\res2e.exe
O4 - HKLM\..\Run: [A1555BF3] C:\WINDOWS\system32\TItivctrs.exe
O4 - HKLM\..\Run: [F6AD0C66] C:\WINDOWS\system32\i32ert.exe
O4 - HKLM\..\Run: [FA65D06E] C:\WINDOWS\system32\ad3d2avcl.exe
O4 - HKLM\..\Run: [F6E278CB] C:\WINDOWS\system32\tiaptiii.exe
O4 - HKLM\..\Run: [90338086] C:\WINDOWS\system32\to4wsewTDev.exe
O4 - HKLM\..\Run: [E164FE63] C:\WINDOWS\system32\ctivrxy.exe
O4 - HKLM\..\Run: [9D585EFB] C:\WINDOWS\system32\tivDD.exe
O4 - HKLM\..\Run: [1C7D106E] C:\WINDOWS\system32\vtmetat.exe
O4 - HKLM\..\Run: [A3D81986] C:\WINDOWS\system32\svdsnlxx.exe
O4 - HKLM\..\Run: [DD9D947E] C:\WINDOWS\system32\tiiicnepl.exe
O4 - HKLM\..\Run: [0C8A6E56] C:\WINDOWS\system32\ldptifg32.exe
O4 - HKLM\..\Run: [4979F666] C:\WINDOWS\system32\ediupod.exe
O4 - HKLM\..\Run: [ACBA7A83] C:\WINDOWS\system32\md53exvc.exe
O4 - HKLM\..\Run: [8CB89176] C:\WINDOWS\system32\cfcno.exe
O4 - HKLM\..\Run: [DC6EF10B] C:\WINDOWS\system32\ismetk32.exe
O4 - HKLM\..\Run: [B47A10CE] C:\WINDOWS\system32\srvpco.exe
O4 - HKLM\..\Run: [0B6E6DE6] C:\WINDOWS\system32\dptdsms.exe
O4 - HKLM\..\Run: [0B196E66] C:\WINDOWS\system32\truthEU.exe
O4 - HKLM\..\Run: [F7CA34CB] C:\WINDOWS\system32\pcuptitv.exe
O4 - HKLM\..\Run: [4962186E] C:\WINDOWS\system32\luiesrv.exe
O4 - HKLM\..\Run: [9DB3BC7B] C:\WINDOWS\system32\tiapi.exe
O4 - HKLM\..\Run: [DC79C0DB] C:\WINDOWS\system32\advpphe.exe
O4 - HKLM\..\Run: [DE8EF466] C:\WINDOWS\system32\exxlbca.exe
O4 - HKLM\..\Run: [A075854B] C:\WINDOWS\system32\ctxios.exe
O4 - HKLM\..\Run: [E9AE5D5E] C:\WINDOWS\system32\atmmetNMV.exe
O4 - HKLM\..\Run: [A76F8F66] C:\WINDOWS\system32\i32thz.exe
O4 - HKLM\..\Run: [8B5C96DE] C:\WINDOWS\system32\C3APcco32.exe
O4 - HKLM\..\Run: [86D74283] C:\WINDOWS\system32\luipph.exe
O4 - HKLM\..\Run: [AC30CDC3] C:\WINDOWS\system32\acc2dva.exe
O4 - HKLM\..\Run: [912C34E3] C:\WINDOWS\system32\odiscap.exe
O4 - HKLM\..\Run: [FA333CD3] C:\WINDOWS\system32\C3Aauthamoc.exe
O4 - HKLM\..\Run: [DA185483] C:\WINDOWS\system32\monBCo.exe
O4 - HKLM\..\Run: [B1F2BEEE] C:\WINDOWS\system32\upssi.exe
O4 - HKLM\..\Run: [4A3254EE] C:\WINDOWS\system32\dvlrsvthz.exe
O4 - HKLM\..\Run: [496A6CEE] C:\WINDOWS\system32\eteesrv.exe
O4 - HKLM\..\Run: [C8CDFC56] C:\WINDOWS\system32\cabamoptdl.exe
O4 - HKLM\..\Run: [B97260DB] C:\WINDOWS\system32\titvter.exe
O4 - HKLM\..\Run: [82D5114E] C:\WINDOWS\system32\sldi33d1a.exe
O4 - HKLM\..\Run: [FC979D6B] C:\WINDOWS\system32\APIadsl.exe
O4 - HKLM\..\Run: [AD8FDD76] C:\WINDOWS\system32\eamla.exe
O4 - HKLM\..\Run: [BE3CFF73] C:\WINDOWS\system32\edsdsld2d.exe
O4 - HKLM\..\Run: [D1E8B1F3] C:\WINDOWS\system32\4scluti3d.exe
O4 - HKLM\..\Run: [C0CF0ECE] C:\WINDOWS\system32\trtmpv.exe
O4 - HKLM\..\Run: [931905C6] C:\WINDOWS\system32\idabin.exe
O4 - HKLM\..\Run: [BF71A166] C:\WINDOWS\system32\svctiadmi.exe
O4 - HKLM\..\Run: [EB07BD43] C:\WINDOWS\system32\pcDDCfrg.exe
O4 - HKLM\..\Run: [8995A066] C:\WINDOWS\system32\ogtiesr.exe
O4 - HKLM\..\Run: [D16F454E] C:\WINDOWS\system32\ldpond.exe
O4 - HKLM\..\Run: [B16E4683] C:\WINDOWS\system32\luomre.exe
O4 - HKLM\..\Run: [F3779066] C:\WINDOWS\system32\532ive.exe
O4 - HKLM\..\Run: [D4670E06] C:\WINDOWS\system32\WSEmut.exe
O4 - HKLM\..\Run: [995A5EFB] C:\WINDOWS\system32\tired.exe
O4 - HKLM\..\Run: [B47F840E] C:\WINDOWS\system32\auvifi.exe
O4 - HKLM\..\Run: [B0884656] C:\WINDOWS\system32\aacdnfg3d3.exe
O4 - HKLM\..\Run: [A1DB38F3] C:\WINDOWS\system32\vxxwa.exe
O4 - HKLM\..\Run: [D62B710B] C:\WINDOWS\system32\APresthz.exe
O4 - HKLM\..\Run: [FC6647CB] C:\WINDOWS\system32\moclueam.exe
O4 - HKLM\..\Run: [E1C2556B] C:\WINDOWS\system32\atmfspl.exe
O4 - HKLM\..\Run: [AB1D7103] C:\WINDOWS\system32\dsmsesrv.exe
O4 - HKLM\..\Run: [A9E64E83] C:\WINDOWS\system32\motifiie.exe
O4 - HKLM\..\Run: [F66E47CB] C:\WINDOWS\system32\pvcntvid.exe
O4 - HKLM\..\Run: [1BA2BB4E] C:\WINDOWS\system32\tivvpt32.exe
O4 - HKLM\..\Run: [C3639186] C:\WINDOWS\system32\amdti3.exe
O4 - HKLM\..\Run: [DBD3BA63] C:\WINDOWS\system32\3dsvimuti.exe
O4 - HKLM\..\Run: [ipjc.exe] C:\WINDOWS\system32\ipjc.exe
O4 - HKLM\..\Run: [tibs5] C:\WINDOWS\System32\tibs5.exe
O4 - HKLM\..\Run: [D90B38F6] C:\WINDOWS\system32\edsndview.exe
O4 - HKLM\..\Run: [495C48F6] C:\WINDOWS\system32\iopat.exe
O4 - HKLM\..\Run: [FBCE3DC3] C:\WINDOWS\system32\ccttemon.exe
O4 - HKLM\..\Run: [068C1186] C:\WINDOWS\system32\wsecaxof.exe
O4 - HKLM\..\Run: [96014546] C:\WINDOWS\system32\o4aclu.exe
O4 - HKLM\..\Run: [E043B77E] C:\WINDOWS\system32\tipctrsl32.exe
O4 - HKLM\..\Run: [D8CEEEC6] C:\WINDOWS\system32\o3pnhsen.exe
O4 - HKLM\..\Run: [5DA17256] C:\WINDOWS\system32\aaamluitrea.exe
O4 - HKLM\..\Run: [CBD04D0E] C:\WINDOWS\system32\kctrow.exe
O4 - HKLM\..\Run: [80079A0E] C:\WINDOWS\system32\tipdtm.exe
O4 - HKLM\..\Run: [D59B580B] C:\WINDOWS\system32\vtmerter.exe
O4 - HKLM\..\Run: [C1B8C206] C:\WINDOWS\system32\2edapi.exe
O4 - HKLM\..\Run: [81C30D83] C:\WINDOWS\system32\acimis.exe
O4 - HKLM\..\Run: [DA9D06E6] C:\WINDOWS\system32\sntidis.exe
O4 - HKLM\..\Run: [EC8EFFFE] C:\WINDOWS\system32\diendmdlg.exe
O4 - HKLM\..\Run: [D2280C6B] C:\WINDOWS\system32\atrx3tex.exe
O4 - HKLM\..\Run: [AAEFECFE] C:\WINDOWS\system32\tichkiskc.exe
O4 - HKLM\..\Run: [D513844E] C:\WINDOWS\system32\3duaat.exe
O4 - HKLM\..\Run: [B182C0E3] C:\WINDOWS\system32\clro2dva.exe
O4 - HKLM\..\Run: [F90EBFFE] C:\WINDOWS\system32\DDCmf.exe
O4 - HKLM\..\Run: [F53C50C6] C:\WINDOWS\system32\mon2al3dan.exe
O4 - HKLM\..\Run: [F46D0ACE] C:\WINDOWS\system32\xpri32.exe
O4 - HKLM\..\Run: [93D8B94E] C:\WINDOWS\system32\lxtvo3.exe
O4 - HKLM\..\Run: [CEBCF1C6] C:\WINDOWS\system32\dxxti3ti.exe
O4 - HKLM\..\Run: [5E028E5E] C:\WINDOWS\system32\tittivv.exe
O4 - HKLM\..\Run: [E1C55746] C:\WINDOWS\system32\svcfopol.exe
O4 - HKLM\..\Run: [95DF5DF3] C:\WINDOWS\system32\tmlnuqM47.exe
O4 - HKLM\..\Run: [8A8C40CB] C:\WINDOWS\system32\6tcnvica.exe
O4 - HKLM\..\Run: [DDCDA053] C:\WINDOWS\system32\C3APtrmond.exe
O4 - HKLM\..\Run: [88860EDE] C:\WINDOWS\system32\acdsmsrx2.exe
O4 - HKLM\..\Run: [D02298C3] C:\WINDOWS\system32\dsipcexx.exe
O4 - HKLM\..\Run: [D9B6D6C6] C:\WINDOWS\system32\aclph3d1.exe
O4 - HKLM\..\Run: [F11A0EE3] C:\WINDOWS\system32\3d2alib.exe
O4 - HKLM\..\Run: [B0869BFE] C:\WINDOWS\system32\extsvards.exe
O4 - HKLM\..\Run: [ECBB6DC3] C:\WINDOWS\system32\vcelcbmg.exe
O4 - HKLM\..\Run: [AB29B876] C:\WINDOWS\system32\d5adsliie.exe
O4 - HKLM\..\Run: [82AB44CE] C:\WINDOWS\system32\ldpcat.exe
O4 - HKLM\..\Run: [860CC04E] C:\WINDOWS\system32\ldpads.exe
O4 - HKLM\..\Run: [93D78DF6] C:\WINDOWS\system32\to4cnoace.exe
O4 - HKLM\..\Run: [B36F380E] C:\WINDOWS\system32\tivmfd.exe
O4 - HKLM\..\Run: [97DAC64E] C:\WINDOWS\system32\dvtivv.exe
O4 - HKLM\..\Run: [8FACD0F3] C:\WINDOWS\system32\troVSsseq.exe
O4 - HKLM\..\Run: [801AC243] C:\WINDOWS\system32\udiatm.exe
O4 - HKLM\..\Run: [5F1B79C6] C:\WINDOWS\system32\6to4i32.exe
O4 - HKLM\..\Run: [1A0FD2F6] C:\WINDOWS\system32\mog32.exe
O4 - HKLM\..\Run: [03980646] C:\WINDOWS\system32\vtmxvi.exe
O4 - HKLM\..\Run: [F3D89C86] C:\WINDOWS\system32\rxycnace.exe
O4 - HKLM\..\Run: [0B350C6E] C:\WINDOWS\system32\aaadext.exe
O4 - HKLM\..\Run: [E47B8D46] C:\WINDOWS\system32\dpfile.exe
O4 - HKLM\..\Run: [9F3108E3] C:\WINDOWS\system32\rorcdra.exe
O4 - HKLM\..\Run: [B1AC1AEE] C:\WINDOWS\system32\APdsn.exe
O4 - HKLM\..\Run: [500C8AE6] C:\WINDOWS\system32\rsetiti.exe
O4 - HKLM\..\Run: [91415F73] C:\WINDOWS\system32\tinetapes.exe
O4 - HKLM\..\Run: [BBFF98E6] C:\WINDOWS\system32\brofvieew.exe
O4 - HKLM\..\Run: [A9EE3FCB] C:\WINDOWS\system32\helpvip3.exe
O4 - HKLM\..\Run: [C38674D3] C:\WINDOWS\system32\lxxctpsss.exe
O4 - HKLM\..\Run: [E7124F8B] C:\WINDOWS\system32\sfeisxio.exe
O4 - HKLM\..\Run: [55CF5406] C:\WINDOWS\system32\compdi.exe
O4 - HKLM\..\Run: [8CC291E3] C:\WINDOWS\system32\C3APpcu.exe
O4 - HKLM\..\Run: [F2B3988B] C:\WINDOWS\system32\rx3atsem.exe
O4 - HKLM\..\Run: [9899B8E3] C:\WINDOWS\system32\dsncdfv.exe
O4 - HKLM\..\Run: [B16AC40E] C:\WINDOWS\system32\resldp.exe
O4 - HKLM\..\Run: [8CB79CF6] C:\WINDOWS\system32\dvavm.exe
O4 - HKLM\..\Run: [D77B0943] C:\WINDOWS\system32\tvirow.exe
O4 - HKLM\..\Run: [416B8E06] C:\WINDOWS\system32\acllui.exe
O4 - HKLM\..\Run: [C7C5B806] C:\WINDOWS\system32\tiatgn.exe
O4 - HKLM\..\Run: [A0DA0B5B] C:\WINDOWS\system32\kctrtex.exe
O4 - HKLM\..\Run: [8C5FD676] C:\WINDOWS\system32\sfsvw.exe
O4 - HKLM\..\Run: [CB921566] C:\WINDOWS\system32\ctti2cdrt.exe
O4 - HKLM\..\Run: [CDCCBC56] C:\WINDOWS\system32\vvaxaptiodm.exe
O4 - HKLM\..\Run: [1BD71D66] C:\WINDOWS\system32\pphetml.exe
O4 - HKLM\..\Run: [A7EA3946] C:\WINDOWS\system32\d5troldi.exe
O4 - HKLM\..\Run: [10730E86] C:\WINDOWS\system32\aalrsv.exe
O4 - HKLM\..\Run: [42387866] C:\WINDOWS\system32\dosydui3d8.exe
O4 - HKLM\..\Run: [B6E00EE3] C:\WINDOWS\system32\edti2efa.exe
O4 - HKLM\..\Run: [93DC464E] C:\WINDOWS\system32\6tti2e.exe
O4 - HKLM\..\Run: [8C2D35EE] C:\WINDOWS\system32\dvileat.exe
O4 - HKLM\..\Run: [54E414CE] C:\WINDOWS\system32\edidpeam.exe
O4 - HKLM\..\Run: [B912486E] C:\WINDOWS\system32\ctisntlrs.exe
O4 - HKLM\..\Run: [C23331C6] C:\WINDOWS\system32\dpctiatm.exe
O4 - HKLM\..\Run: [836E9303] C:\WINDOWS\system32\couidnet.exe
O4 - HKLM\..\Run: [58C3916E] C:\WINDOWS\system32\aaadrse.exe
O4 - HKLM\..\Run: [8CB99C76] C:\WINDOWS\system32\dvaro.exe
O4 - HKLM\..\Run: [A3179A66] C:\WINDOWS\system32\cldmpatif.exe
O4 - HKLM\..\Run: [vmtune] %SystemRoot%\system32\gdlib.exe
O4 - HKLM\..\Run: [B00E11C6] C:\WINDOWS\system32\elccio.exe
O4 - HKLM\..\Run: [DB60FEDB] C:\WINDOWS\system32\C3xprmd.exe
O4 - HKLM\..\Run: [CEDDBB0E] C:\WINDOWS\system32\i32ambatm.exe
O4 - HKLM\..\Run: [92A00EE3] C:\WINDOWS\system32\cluiliser.exe
O4 - HKLM\..\Run: [1CAF9656] C:\WINDOWS\system32\d53nd2dva.exe
O4 - HKLM\..\Run: [CF83C1C6] C:\WINDOWS\system32\advdptilxx.exe
O4 - HKLM\..\Run: [4FD4FC66] C:\WINDOWS\system32\dwnetk3.exe
O4 - HKLM\..\Run: [A8B57C4B] C:\WINDOWS\system32\tviptsvi.exe
O4 - HKLM\..\Run: [9B0D6246] C:\WINDOWS\system32\dspllti2.exe
O4 - HKLM\..\Run: [9CB8DB03] C:\WINDOWS\system32\odbtvofil3.exe
O4 - HKLM\..\Run: [D6271403] C:\WINDOWS\system32\tivieend.exe
O4 - HKLM\..\Run: [9083076E] C:\WINDOWS\system32\pawhbid.exe
O4 - HKLM\..\Run: [DB7AAF66] C:\WINDOWS\system32\ertivic.exe
O4 - HKLM\..\Run: [DA34C9E6] C:\WINDOWS\system32\amTIDat.exe
O4 - HKLM\..\Run: [D021EC83] C:\WINDOWS\system32\ctrrovceng.exe
O4 - HKLM\..\Run: [E599410E] C:\WINDOWS\system32\2evxii.exe
O4 - HKLM\..\Run: [C30CC6C6] C:\WINDOWS\system32\edadsn.exe
O4 - HKLM\..\Run: [FE91B0CB] C:\WINDOWS\system32\53ndpvut.exe
O4 - HKLM\..\Run: [B8BA31F3] C:\WINDOWS\system32\axxitobxof.exe
O4 - HKLM\..\Run: [9934C063] C:\WINDOWS\system32\vgwsecd.exe
O4 - HKLM\..\Run: [0B359866] C:\WINDOWS\system32\uaitext.exe
O4 - HKLM\..\Run: [AA60E5E6] C:\WINDOWS\system32\omrnput.exe
O4 - HKLM\..\Run: [AD00546B] C:\WINDOWS\system32\teobjrt.exe
O4 - HKLM\..\Run: [8CAE5C76] C:\WINDOWS\system32\dvbro.exe
O4 - HKLM\..\Run: [D083EEE3] C:\WINDOWS\system32\wsewapt.exe
O4 - HKLM\..\Run: [A9AD577E] C:\WINDOWS\system32\padin.exe
O4 - HKLM\..\Run: [8EAE9BFB] C:\WINDOWS\system32\vplbasads.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\CHARLE~1\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [CA9B52DB] C:\WINDOWS\system32\C3Adslrsv.exe
O4 - HKCU\..\Run: [B7CFDC46] C:\WINDOWS\system32\pheronet.exe
O4 - HKCU\..\Run: [FC6018FE] C:\WINDOWS\system32\Diwavl3d3.exe
O4 - HKCU\..\Run: [B16CC54E] C:\WINDOWS\system32\adstmp.exe
O4 - HKCU\..\Run: [4492FF76] C:\WINDOWS\system32\dxxsrvter.exe
O4 - HKCU\..\Run: [89517F0B] C:\WINDOWS\system32\isvutcat.exe
O4 - HKCU\..\Run: [B461C44E] C:\WINDOWS\system32\3dvvcd.exe
O4 - HKCU\..\Run: [843AFC8B] C:\WINDOWS\system32\api3trac.exe
O4 - HKCU\..\Run: [882E7CE3] C:\WINDOWS\system32\wsmpbbj.exe
O4 - HKCU\..\Run: [AEC252EE] C:\WINDOWS\system32\amonsld.exe
O4 - HKCU\..\Run: [E1151CEE] C:\WINDOWS\system32\bviomdl.exe
O4 - HKCU\..\Run: [A5C75E8B] C:\WINDOWS\system32\cnoavwam.exe
O4 - HKCU\..\Run: [D7C05B43] C:\WINDOWS\system32\pvDDBNMV.exe
O4 - HKCU\..\Run: [BAB3146E] C:\WINDOWS\system32\aamoreo32.exe
O4 - HKCU\..\Run: [EFA609E3] C:\WINDOWS\system32\clevifi.exe
O4 - HKCU\..\Run: [BCBAE246] C:\WINDOWS\system32\trelowar.exe
O4 - HKCU\..\Run: [F997B4EB] C:\WINDOWS\system32\ediadsl.exe
O4 - HKCU\..\Run: [CE1926DE] C:\WINDOWS\system32\srvatsiadm.exe
O4 - HKCU\..\Run: [9D1AE363] C:\WINDOWS\system32\terckbo.exe
O4 - HKCU\..\Run: [BC4D147E] C:\WINDOWS\system32\res2e.exe
O4 - HKCU\..\Run: [A1555BF3] C:\WINDOWS\system32\TItivctrs.exe
O4 - HKCU\..\Run: [F6AD0C66] C:\WINDOWS\system32\i32ert.exe
O4 - HKCU\..\Run: [FA65D06E] C:\WINDOWS\system32\ad3d2avcl.exe
O4 - HKCU\..\Run: [90338086] C:\WINDOWS\system32\to4wsewTDev.exe
O4 - HKCU\..\Run: [F6E278CB] C:\WINDOWS\system32\tiaptiii.exe
O4 - HKCU\..\Run: [E164FE63] C:\WINDOWS\system32\ctivrxy.exe
O4 - HKCU\..\Run: [9D585EFB] C:\WINDOWS\system32\tivDD.exe
O4 - HKCU\..\Run: [1C7D106E] C:\WINDOWS\system32\vtmetat.exe
O4 - HKCU\..\Run: [A3D81986] C:\WINDOWS\system32\svdsnlxx.exe
O4 - HKCU\..\Run: [DD9D947E] C:\WINDOWS\system32\tiiicnepl.exe
O4 - HKCU\..\Run: [0C8A6E56] C:\WINDOWS\system32\ldptifg32.exe
O4 - HKCU\..\Run: [4979F666] C:\WINDOWS\system32\ediupod.exe
O4 - HKCU\..\Run: [ACBA7A83] C:\WINDOWS\system32\md53exvc.exe
O4 - HKCU\..\Run: [8CB89176] C:\WINDOWS\system32\cfcno.exe
O4 - HKCU\..\Run: [DC6EF10B] C:\WINDOWS\system32\ismetk32.exe
O4 - HKCU\..\Run: [B47A10CE] C:\WINDOWS\system32\srvpco.exe
O4 - HKCU\..\Run: [0B6E6DE6] C:\WINDOWS\system32\dptdsms.exe
O4 - HKCU\..\Run: [0B196E66] C:\WINDOWS\system32\truthEU.exe
O4 - HKCU\..\Run: [4962186E] C:\WINDOWS\system32\luiesrv.exe
O4 - HKCU\..\Run: [F7CA34CB] C:\WINDOWS\system32\pcuptitv.exe
O4 - HKCU\..\Run: [9DB3BC7B] C:\WINDOWS\system32\tiapi.exe
O4 - HKCU\..\Run: [DC79C0DB] C:\WINDOWS\system32\advpphe.exe
O4 - HKCU\..\Run: [DE8EF466] C:\WINDOWS\system32\exxlbca.exe
O4 - HKCU\..\Run: [A075854B] C:\WINDOWS\system32\ctxios.exe
O4 - HKCU\..\Run: [E9AE5D5E] C:\WINDOWS\system32\atmmetNMV.exe
O4 - HKCU\..\Run: [A76F8F66] C:\WINDOWS\system32\i32thz.exe
O4 - HKCU\..\Run: [8B5C96DE] C:\WINDOWS\system32\C3APcco32.exe
O4 - HKCU\..\Run: [86D74283] C:\WINDOWS\system32\luipph.exe
O4 - HKCU\..\Run: [AC30CDC3] C:\WINDOWS\system32\acc2dva.exe
O4 - HKCU\..\Run: [912C34E3] C:\WINDOWS\system32\odiscap.exe
O4 - HKCU\..\Run: [FA333CD3] C:\WINDOWS\system32\C3Aauthamoc.exe
O4 - HKCU\..\Run: [DA185483] C:\WINDOWS\system32\monBCo.exe
O4 - HKCU\..\Run: [B1F2BEEE] C:\WINDOWS\system32\upssi.exe
O4 - HKCU\..\Run: [4A3254EE] C:\WINDOWS\system32\dvlrsvthz.exe
O4 - HKCU\..\Run: [496A6CEE] C:\WINDOWS\system32\eteesrv.exe
O4 - HKCU\..\Run: [C8CDFC56] C:\WINDOWS\system32\cabamoptdl.exe
O4 - HKCU\..\Run: [B97260DB] C:\WINDOWS\system32\titvter.exe
O4 - HKCU\..\Run: [82D5114E] C:\WINDOWS\system32\sldi33d1a.exe
O4 - HKCU\..\Run: [FC979D6B] C:\WINDOWS\system32\APIadsl.exe
O4 - HKCU\..\Run: [AD8FDD76] C:\WINDOWS\system32\eamla.exe
O4 - HKCU\..\Run: [BE3CFF73] C:\WINDOWS\system32\edsdsld2d.exe
O4 - HKCU\..\Run: [D1E8B1F3] C:\WINDOWS\system32\4scluti3d.exe
O4 - HKCU\..\Run: [C0CF0ECE] C:\WINDOWS\system32\trtmpv.exe
O4 - HKCU\..\Run: [931905C6] C:\WINDOWS\system32\idabin.exe
O4 - HKCU\..\Run: [BF71A166] C:\WINDOWS\system32\svctiadmi.exe
O4 - HKCU\..\Run: [EB07BD43] C:\WINDOWS\system32\pcDDCfrg.exe
O4 - HKCU\..\Run: [8995A066] C:\WINDOWS\system32\ogtiesr.exe
O4 - HKCU\..\Run: [D16F454E] C:\WINDOWS\system32\ldpond.exe
O4 - HKCU\..\Run: [B16E4683] C:\WINDOWS\system32\luomre.exe
O4 - HKCU\..\Run: [F3779066] C:\WINDOWS\system32\532ive.exe
O4 - HKCU\..\Run: [D4670E06] C:\WINDOWS\system32\WSEmut.exe
O4 - HKCU\..\Run: [995A5EFB] C:\WINDOWS\system32\tired.exe
O4 - HKCU\..\Run: [B47F840E] C:\WINDOWS\system32\auvifi.exe
O4 - HKCU\..\Run: [B0884656] C:\WINDOWS\system32\aacdnfg3d3.exe
O4 - HKCU\..\Run: [A1DB38F3] C:\WINDOWS\system32\vxxwa.exe
O4 - HKCU\..\Run: [D62B710B] C:\WINDOWS\system32\APresthz.exe
O4 - HKCU\..\Run: [FC6647CB] C:\WINDOWS\system32\moclueam.exe
O4 - HKCU\..\Run: [E1C2556B] C:\WINDOWS\system32\atmfspl.exe
O4 - HKCU\..\Run: [AB1D7103] C:\WINDOWS\system32\dsmsesrv.exe
O4 - HKCU\..\Run: [A9E64E83] C:\WINDOWS\system32\motifiie.exe
O4 - HKCU\..\Run: [F66E47CB] C:\WINDOWS\system32\pvcntvid.exe
O4 - HKCU\..\Run: [1BA2BB4E] C:\WINDOWS\system32\tivvpt32.exe
O4 - HKCU\..\Run: [C3639186] C:\WINDOWS\system32\amdti3.exe
O4 - HKCU\..\Run: [DBD3BA63] C:\WINDOWS\system32\3dsvimuti.exe
O4 - HKCU\..\Run: [D90B38F6] C:\WINDOWS\system32\edsndview.exe
O4 - HKCU\..\Run: [495C48F6] C:\WINDOWS\system32\iopat.exe
O4 - HKCU\..\Run: [FBCE3DC3] C:\WINDOWS\system32\ccttemon.exe
O4 - HKCU\..\Run: [068C1186] C:\WINDOWS\system32\wsecaxof.exe
O4 - HKCU\..\Run: [96014546] C:\WINDOWS\system32\o4aclu.exe
O4 - HKCU\..\Run: [gcdef] C:\WINDOWS\System32\gcdef.exe
O4 - HKCU\..\Run: [E043B77E] C:\WINDOWS\system32\tipctrsl32.exe
O4 - HKCU\..\Run: [D8CEEEC6] C:\WINDOWS\system32\o3pnhsen.exe
O4 - HKCU\..\Run: [5DA17256] C:\WINDOWS\system32\aaamluitrea.exe
O4 - HKCU\..\Run: [CBD04D0E] C:\WINDOWS\system32\kctrow.exe
O4 - HKCU\..\Run: [80079A0E] C:\WINDOWS\system32\tipdtm.exe
O4 - HKCU\..\Run: [D59B580B] C:\WINDOWS\system32\vtmerter.exe
O4 - HKCU\..\Run: [C1B8C206] C:\WINDOWS\system32\2edapi.exe
O4 - HKCU\..\Run: [81C30D83] C:\WINDOWS\system32\acimis.exe
O4 - HKCU\..\Run: [DA9D06E6] C:\WINDOWS\system32\sntidis.exe
O4 - HKCU\..\Run: [EC8EFFFE] C:\WINDOWS\system32\diendmdlg.exe
O4 - HKCU\..\Run: [D2280C6B] C:\WINDOWS\system32\atrx3tex.exe
O4 - HKCU\..\Run: [AAEFECFE] C:\WINDOWS\system32\tichkiskc.exe
O4 - HKCU\..\Run: [D513844E] C:\WINDOWS\system32\3duaat.exe
O4 - HKCU\..\Run: [B182C0E3] C:\WINDOWS\system32\clro2dva.exe
O4 - HKCU\..\Run: [F90EBFFE] C:\WINDOWS\system32\DDCmf.exe
O4 - HKCU\..\Run: [F53C50C6] C:\WINDOWS\system32\mon2al3dan.exe
O4 - HKCU\..\Run: [F46D0ACE] C:\WINDOWS\system32\xpri32.exe
O4 - HKCU\..\Run: [93D8B94E] C:\WINDOWS\system32\lxtvo3.exe
O4 - HKCU\..\Run: [CEBCF1C6] C:\WINDOWS\system32\dxxti3ti.exe
O4 - HKCU\..\Run: [5E028E5E] C:\WINDOWS\system32\tittivv.exe
O4 - HKCU\..\Run: [E1C55746] C:\WINDOWS\system32\svcfopol.exe
O4 - HKCU\..\Run: [95DF5DF3] C:\WINDOWS\system32\tmlnuqM47.exe
O4 - HKCU\..\Run: [8A8C40CB] C:\WINDOWS\system32\6tcnvica.exe
O4 - HKCU\..\Run: [DDCDA053] C:\WINDOWS\system32\C3APtrmond.exe
O4 - HKCU\..\Run: [88860EDE] C:\WINDOWS\system32\acdsmsrx2.exe
O4 - HKCU\..\Run: [D02298C3] C:\WINDOWS\system32\dsipcexx.exe
O4 - HKCU\..\Run: [D9B6D6C6] C:\WINDOWS\system32\aclph3d1.exe
O4 - HKCU\..\Run: [F11A0EE3] C:\WINDOWS\system32\3d2alib.exe
O4 - HKCU\..\Run: [B0869BFE] C:\WINDOWS\system32\extsvards.exe
O4 - HKCU\..\Run: [ECBB6DC3] C:\WINDOWS\system32\vcelcbmg.exe
O4 - HKCU\..\Run: [AB29B876] C:\WINDOWS\system32\d5adsliie.exe
O4 - HKCU\..\Run: [82AB44CE] C:\WINDOWS\system32\ldpcat.exe
O4 - HKCU\..\Run: [860CC04E] C:\WINDOWS\system32\ldpads.exe
O4 - HKCU\..\Run: [93D78DF6] C:\WINDOWS\system32\to4cnoace.exe
O4 - HKCU\..\Run: [B36F380E] C:\WINDOWS\system32\tivmfd.exe
O4 - HKCU\..\Run: [97DAC64E] C:\WINDOWS\system32\dvtivv.exe
O4 - HKCU\..\Run: [8FACD0F3] C:\WINDOWS\system32\troVSsseq.exe
O4 - HKCU\..\Run: [801AC243] C:\WINDOWS\system32\udiatm.exe
O4 - HKCU\..\Run: [5F1B79C6] C:\WINDOWS\system32\6to4i32.exe
O4 - HKCU\..\Run: [1A0FD2F6] C:\WINDOWS\system32\mog32.exe
O4 - HKCU\..\Run: [03980646] C:\WINDOWS\system32\vtmxvi.exe
O4 - HKCU\..\Run: [F3D89C86] C:\WINDOWS\system32\rxycnace.exe
O4 - HKCU\..\Run: [0B350C6E] C:\WINDOWS\system32\aaadext.exe
O4 - HKCU\..\Run: [E47B8D46] C:\WINDOWS\system32\dpfile.exe
O4 - HKCU\..\Run: [9F3108E3] C:\WINDOWS\system32\rorcdra.exe
O4 - HKCU\..\Run: [B1AC1AEE] C:\WINDOWS\system32\APdsn.exe
O4 - HKCU\..\Run: [500C8AE6] C:\WINDOWS\system32\rsetiti.exe
O4 - HKCU\..\Run: [91415F73] C:\WINDOWS\system32\tinetapes.exe
O4 - HKCU\..\Run: [BBFF98E6] C:\WINDOWS\system32\brofvieew.exe
O4 - HKCU\..\Run: [A9EE3FCB] C:\WINDOWS\system32\helpvip3.exe
O4 - HKCU\..\Run: [C38674D3] C:\WINDOWS\system32\lxxctpsss.exe
O4 - HKCU\..\Run: [E7124F8B] C:\WINDOWS\system32\sfeisxio.exe
O4 - HKCU\..\Run: [55CF5406] C:\WINDOWS\system32\compdi.exe
O4 - HKCU\..\Run: [8CC291E3] C:\WINDOWS\system32\C3APpcu.exe
O4 - HKCU\..\Run: [F2B3988B] C:\WINDOWS\system32\rx3atsem.exe
O4 - HKCU\..\Run: [9899B8E3] C:\WINDOWS\system32\dsncdfv.exe
O4 - HKCU\..\Run: [B16AC40E] C:\WINDOWS\system32\resldp.exe
O4 - HKCU\..\Run: [8CB79CF6] C:\WINDOWS\system32\dvavm.exe
O4 - HKCU\..\Run: [D77B0943] C:\WINDOWS\system32\tvirow.exe
O4 - HKCU\..\Run: [416B8E06] C:\WINDOWS\system32\acllui.exe
O4 - HKCU\..\Run: [C7C5B806] C:\WINDOWS\system32\tiatgn.exe
O4 - HKCU\..\Run: [A0DA0B5B] C:\WINDOWS\system32\kctrtex.exe
O4 - HKCU\..\Run: [8C5FD676] C:\WINDOWS\system32\sfsvw.exe
O4 - HKCU\..\Run: [CB921566] C:\WINDOWS\system32\ctti2cdrt.exe
O4 - HKCU\..\Run: [CDCCBC56] C:\WINDOWS\system32\vvaxaptiodm.exe
O4 - HKCU\..\Run: [1BD71D66] C:\WINDOWS\system32\pphetml.exe
O4 - HKCU\..\Run: [A7EA3946] C:\WINDOWS\system32\d5troldi.exe
O4 - HKCU\..\Run: [10730E86] C:\WINDOWS\system32\aalrsv.exe
O4 - HKCU\..\Run: [42387866] C:\WINDOWS\system32\dosydui3d8.exe
O4 - HKCU\..\Run: [B6E00EE3] C:\WINDOWS\system32\edti2efa.exe
O4 - HKCU\..\Run: [93DC464E] C:\WINDOWS\system32\6tti2e.exe
O4 - HKCU\..\Run: [8C2D35EE] C:\WINDOWS\system32\dvileat.exe
O4 - HKCU\..\Run: [54E414CE] C:\WINDOWS\system32\edidpeam.exe
O4 - HKCU\..\Run: [B912486E] C:\WINDOWS\system32\ctisntlrs.exe
O4 - HKCU\..\Run: [C23331C6] C:\WINDOWS\system32\dpctiatm.exe
O4 - HKCU\..\Run: [836E9303] C:\WINDOWS\system32\couidnet.exe
O4 - HKCU\..\Run: [58C3916E] C:\WINDOWS\system32\aaadrse.exe
O4 - HKCU\..\Run: [8CB99C76] C:\WINDOWS\system32\dvaro.exe
O4 - HKCU\..\Run: [A3179A66] C:\WINDOWS\system32\cldmpatif.exe
O4 - HKCU\..\Run: [B00E11C6] C:\WINDOWS\system32\elccio.exe
O4 - HKCU\..\Run: [DB60FEDB] C:\WINDOWS\system32\C3xprmd.exe
O4 - HKCU\..\Run: [CEDDBB0E] C:\WINDOWS\system32\i32ambatm.exe
O4 - HKCU\..\Run: [92A00EE3] C:\WINDOWS\system32\cluiliser.exe
O4 - HKCU\..\Run: [1CAF9656] C:\WINDOWS\system32\d53nd2dva.exe
O4 - HKCU\..\Run: [CF83C1C6] C:\WINDOWS\system32\advdptilxx.exe
O4 - HKCU\..\Run: [4FD4FC66] C:\WINDOWS\system32\dwnetk3.exe
O4 - HKCU\..\Run: [A8B57C4B] C:\WINDOWS\system32\tviptsvi.exe
O4 - HKCU\..\Run: [9B0D6246] C:\WINDOWS\system32\dspllti2.exe
O4 - HKCU\..\Run: [9CB8DB03] C:\WINDOWS\system32\odbtvofil3.exe
O4 - HKCU\..\Run: [D6271403] C:\WINDOWS\system32\tivieend.exe
O4 - HKCU\..\Run: [9083076E] C:\WINDOWS\system32\pawhbid.exe
O4 - HKCU\..\Run: [DB7AAF66] C:\WINDOWS\system32\ertivic.exe
O4 - HKCU\..\Run: [DA34C9E6] C:\WINDOWS\system32\amTIDat.exe
O4 - HKCU\..\Run: [D021EC83] C:\WINDOWS\system32\ctrrovceng.exe
O4 - HKCU\..\Run: [E599410E] C:\WINDOWS\system32\2evxii.exe
O4 - HKCU\..\Run: [C30CC6C6] C:\WINDOWS\system32\edadsn.exe
O4 - HKCU\..\Run: [FE91B0CB] C:\WINDOWS\system32\53ndpvut.exe
O4 - HKCU\..\Run: [B8BA31F3] C:\WINDOWS\system32\axxitobxof.exe
O4 - HKCU\..\Run: [9934C063] C:\WINDOWS\system32\vgwsecd.exe
O4 - HKCU\..\Run: [0B359866] C:\WINDOWS\system32\uaitext.exe
O4 - HKCU\..\Run: [AA60E5E6] C:\WINDOWS\system32\omrnput.exe
O4 - HKCU\..\Run: [AD00546B] C:\WINDOWS\system32\teobjrt.exe
O4 - HKCU\..\Run: [8CAE5C76] C:\WINDOWS\system32\dvbro.exe
O4 - HKCU\..\Run: [D083EEE3] C:\WINDOWS\system32\wsewapt.exe
O4 - HKCU\..\Run: [A9AD577E] C:\WINDOWS\system32\padin.exe
O4 - HKCU\..\Run: [8EAE9BFB] C:\WINDOWS\system32\vplbasads.exe
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O16 - DPF: ChatSpace Full Java Client 4.0.0.301 - http://chat.goarmy.com:8563/Java/cfs40301.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://C:\counter.cab
O16 - DPF: {2B1AA38D-2D12-11D5-AAD0-00C04FA03D78} (LocalExec Control) - http://portal.uga.edu/nps/portal/gadgets/c...t/LocalExec.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-18.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by12fd.bay12.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1100405361531
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Remote Procedure Call (RPC) Helper ( 6Q'8) - Unknown owner - C:\WINDOWS\system32\sdkzu.exe" /s (file missing)

Edited by chucker07, 12 March 2005 - 05:35 PM.



 


#2 bricat


Posted 12 March 2005 - 08:56 PM

Hi, welcome to the forum. :thumbsup:

You have one seriously infected computer there, but I'm sure we can sort it out.

You would be advised to print these instructions out to make life easier.


Rerun HJT and put a tick beside these:


R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://nonstopsearch.com/?a=2
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://nonstopsearch.com/?a=2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\lqzhx.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\lqzhx.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\lqzhx.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\lqzhx.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\lqzhx.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\lqzhx.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\lqzhx.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://nonstopsearch.com/?a=2
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://nonstopsearch.com/?a=2
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {A1AE6514-7CAC-E83C-FA39-EA959372821A} - C:\WINDOWS\system32\iexg32.dll
O4 - HKLM\..\Run: [tibs3] C:\WINDOWS\System32\tibs3.exe
O4 - HKLM\..\Run: [CA9B52DB] C:\WINDOWS\system32\C3Adslrsv.exe
O4 - HKLM\..\Run: [89517F0B] C:\WINDOWS\system32\isvutcat.exe
O4 - HKLM\..\Run: [B16CC54E] C:\WINDOWS\system32\adstmp.exe
O4 - HKLM\..\Run: [FC6018FE] C:\WINDOWS\system32\Diwavl3d3.exe
O4 - HKLM\..\Run: [B7CFDC46] C:\WINDOWS\system32\pheronet.exe
O4 - HKLM\..\Run: [4492FF76] C:\WINDOWS\system32\dxxsrvter.exe
O4 - HKLM\..\Run: [B461C44E] C:\WINDOWS\system32\3dvvcd.exe
O4 - HKLM\..\Run: [843AFC8B] C:\WINDOWS\system32\api3trac.exe
O4 - HKLM\..\Run: [882E7CE3] C:\WINDOWS\system32\wsmpbbj.exe
O4 - HKLM\..\Run: [AEC252EE] C:\WINDOWS\system32\amonsld.exe
O4 - HKLM\..\Run: [A5C75E8B] C:\WINDOWS\system32\cnoavwam.exe
O4 - HKLM\..\Run: [E1151CEE] C:\WINDOWS\system32\bviomdl.exe
O4 - HKLM\..\Run: [D7C05B43] C:\WINDOWS\system32\pvDDBNMV.exe
O4 - HKLM\..\Run: [BAB3146E] C:\WINDOWS\system32\aamoreo32.exe
O4 - HKLM\..\Run: [EFA609E3] C:\WINDOWS\system32\clevifi.exe
O4 - HKLM\..\Run: [BCBAE246] C:\WINDOWS\system32\trelowar.exe
O4 - HKLM\..\Run: [F997B4EB] C:\WINDOWS\system32\ediadsl.exe
O4 - HKLM\..\Run: [CE1926DE] C:\WINDOWS\system32\srvatsiadm.exe
O4 - HKLM\..\Run: [9D1AE363] C:\WINDOWS\system32\terckbo.exe
O4 - HKLM\..\Run: [BC4D147E] C:\WINDOWS\system32\res2e.exe
O4 - HKLM\..\Run: [A1555BF3] C:\WINDOWS\system32\TItivctrs.exe
O4 - HKLM\..\Run: [F6AD0C66] C:\WINDOWS\system32\i32ert.exe
O4 - HKLM\..\Run: [FA65D06E] C:\WINDOWS\system32\ad3d2avcl.exe
O4 - HKLM\..\Run: [F6E278CB] C:\WINDOWS\system32\tiaptiii.exe
O4 - HKLM\..\Run: [90338086] C:\WINDOWS\system32\to4wsewTDev.exe
O4 - HKLM\..\Run: [E164FE63] C:\WINDOWS\system32\ctivrxy.exe
O4 - HKLM\..\Run: [9D585EFB] C:\WINDOWS\system32\tivDD.exe
O4 - HKLM\..\Run: [1C7D106E] C:\WINDOWS\system32\vtmetat.exe
O4 - HKLM\..\Run: [A3D81986] C:\WINDOWS\system32\svdsnlxx.exe
O4 - HKLM\..\Run: [DD9D947E] C:\WINDOWS\system32\tiiicnepl.exe
O4 - HKLM\..\Run: [0C8A6E56] C:\WINDOWS\system32\ldptifg32.exe
O4 - HKLM\..\Run: [4979F666] C:\WINDOWS\system32\ediupod.exe
O4 - HKLM\..\Run: [ACBA7A83] C:\WINDOWS\system32\md53exvc.exe
O4 - HKLM\..\Run: [8CB89176] C:\WINDOWS\system32\cfcno.exe
O4 - HKLM\..\Run: [DC6EF10B] C:\WINDOWS\system32\ismetk32.exe
O4 - HKLM\..\Run: [B47A10CE] C:\WINDOWS\system32\srvpco.exe
O4 - HKLM\..\Run: [0B6E6DE6] C:\WINDOWS\system32\dptdsms.exe
O4 - HKLM\..\Run: [0B196E66] C:\WINDOWS\system32\truthEU.exe
O4 - HKLM\..\Run: [F7CA34CB] C:\WINDOWS\system32\pcuptitv.exe
O4 - HKLM\..\Run: [4962186E] C:\WINDOWS\system32\luiesrv.exe
O4 - HKLM\..\Run: [9DB3BC7B] C:\WINDOWS\system32\tiapi.exe
O4 - HKLM\..\Run: [DC79C0DB] C:\WINDOWS\system32\advpphe.exe
O4 - HKLM\..\Run: [DE8EF466] C:\WINDOWS\system32\exxlbca.exe
O4 - HKLM\..\Run: [A075854B] C:\WINDOWS\system32\ctxios.exe
O4 - HKLM\..\Run: [E9AE5D5E] C:\WINDOWS\system32\atmmetNMV.exe
O4 - HKLM\..\Run: [A76F8F66] C:\WINDOWS\system32\i32thz.exe
O4 - HKLM\..\Run: [8B5C96DE] C:\WINDOWS\system32\C3APcco32.exe
O4 - HKLM\..\Run: [86D74283] C:\WINDOWS\system32\luipph.exe
O4 - HKLM\..\Run: [AC30CDC3] C:\WINDOWS\system32\acc2dva.exe
O4 - HKLM\..\Run: [912C34E3] C:\WINDOWS\system32\odiscap.exe
O4 - HKLM\..\Run: [FA333CD3] C:\WINDOWS\system32\C3Aauthamoc.exe
O4 - HKLM\..\Run: [DA185483] C:\WINDOWS\system32\monBCo.exe
O4 - HKLM\..\Run: [B1F2BEEE] C:\WINDOWS\system32\upssi.exe
O4 - HKLM\..\Run: [4A3254EE] C:\WINDOWS\system32\dvlrsvthz.exe
O4 - HKLM\..\Run: [496A6CEE] C:\WINDOWS\system32\eteesrv.exe
O4 - HKLM\..\Run: [C8CDFC56] C:\WINDOWS\system32\cabamoptdl.exe
O4 - HKLM\..\Run: [B97260DB] C:\WINDOWS\system32\titvter.exe
O4 - HKLM\..\Run: [82D5114E] C:\WINDOWS\system32\sldi33d1a.exe
O4 - HKLM\..\Run: [FC979D6B] C:\WINDOWS\system32\APIadsl.exe
O4 - HKLM\..\Run: [AD8FDD76] C:\WINDOWS\system32\eamla.exe
O4 - HKLM\..\Run: [BE3CFF73] C:\WINDOWS\system32\edsdsld2d.exe
O4 - HKLM\..\Run: [D1E8B1F3] C:\WINDOWS\system32\4scluti3d.exe
O4 - HKLM\..\Run: [C0CF0ECE] C:\WINDOWS\system32\trtmpv.exe
O4 - HKLM\..\Run: [931905C6] C:\WINDOWS\system32\idabin.exe
O4 - HKLM\..\Run: [BF71A166] C:\WINDOWS\system32\svctiadmi.exe
O4 - HKLM\..\Run: [EB07BD43] C:\WINDOWS\system32\pcDDCfrg.exe
O4 - HKLM\..\Run: [8995A066] C:\WINDOWS\system32\ogtiesr.exe
O4 - HKLM\..\Run: [D16F454E] C:\WINDOWS\system32\ldpond.exe
O4 - HKLM\..\Run: [B16E4683] C:\WINDOWS\system32\luomre.exe
O4 - HKLM\..\Run: [F3779066] C:\WINDOWS\system32\532ive.exe
O4 - HKLM\..\Run: [D4670E06] C:\WINDOWS\system32\WSEmut.exe
O4 - HKLM\..\Run: [995A5EFB] C:\WINDOWS\system32\tired.exe
O4 - HKLM\..\Run: [B47F840E] C:\WINDOWS\system32\auvifi.exe
O4 - HKLM\..\Run: [B0884656] C:\WINDOWS\system32\aacdnfg3d3.exe
O4 - HKLM\..\Run: [A1DB38F3] C:\WINDOWS\system32\vxxwa.exe
O4 - HKLM\..\Run: [D62B710B] C:\WINDOWS\system32\APresthz.exe
O4 - HKLM\..\Run: [FC6647CB] C:\WINDOWS\system32\moclueam.exe
O4 - HKLM\..\Run: [E1C2556B] C:\WINDOWS\system32\atmfspl.exe
O4 - HKLM\..\Run: [AB1D7103] C:\WINDOWS\system32\dsmsesrv.exe
O4 - HKLM\..\Run: [A9E64E83] C:\WINDOWS\system32\motifiie.exe
O4 - HKLM\..\Run: [F66E47CB] C:\WINDOWS\system32\pvcntvid.exe
O4 - HKLM\..\Run: [1BA2BB4E] C:\WINDOWS\system32\tivvpt32.exe
O4 - HKLM\..\Run: [C3639186] C:\WINDOWS\system32\amdti3.exe
O4 - HKLM\..\Run: [DBD3BA63] C:\WINDOWS\system32\3dsvimuti.exe
O4 - HKLM\..\Run: [ipjc.exe] C:\WINDOWS\system32\ipjc.exe
O4 - HKLM\..\Run: [tibs5] C:\WINDOWS\System32\tibs5.exe
O4 - HKLM\..\Run: [D90B38F6] C:\WINDOWS\system32\edsndview.exe
O4 - HKLM\..\Run: [495C48F6] C:\WINDOWS\system32\iopat.exe
O4 - HKLM\..\Run: [FBCE3DC3] C:\WINDOWS\system32\ccttemon.exe
O4 - HKLM\..\Run: [068C1186] C:\WINDOWS\system32\wsecaxof.exe
O4 - HKLM\..\Run: [96014546] C:\WINDOWS\system32\o4aclu.exe
O4 - HKLM\..\Run: [E043B77E] C:\WINDOWS\system32\tipctrsl32.exe
O4 - HKLM\..\Run: [D8CEEEC6] C:\WINDOWS\system32\o3pnhsen.exe
O4 - HKLM\..\Run: [5DA17256] C:\WINDOWS\system32\aaamluitrea.exe
O4 - HKLM\..\Run: [CBD04D0E] C:\WINDOWS\system32\kctrow.exe
O4 - HKLM\..\Run: [80079A0E] C:\WINDOWS\system32\tipdtm.exe
O4 - HKLM\..\Run: [D59B580B] C:\WINDOWS\system32\vtmerter.exe
O4 - HKLM\..\Run: [C1B8C206] C:\WINDOWS\system32\2edapi.exe
O4 - HKLM\..\Run: [81C30D83] C:\WINDOWS\system32\acimis.exe
O4 - HKLM\..\Run: [DA9D06E6] C:\WINDOWS\system32\sntidis.exe
O4 - HKLM\..\Run: [EC8EFFFE] C:\WINDOWS\system32\diendmdlg.exe
O4 - HKLM\..\Run: [D2280C6B] C:\WINDOWS\system32\atrx3tex.exe
O4 - HKLM\..\Run: [AAEFECFE] C:\WINDOWS\system32\tichkiskc.exe
O4 - HKLM\..\Run: [D513844E] C:\WINDOWS\system32\3duaat.exe
O4 - HKLM\..\Run: [B182C0E3] C:\WINDOWS\system32\clro2dva.exe
O4 - HKLM\..\Run: [F90EBFFE] C:\WINDOWS\system32\DDCmf.exe
O4 - HKLM\..\Run: [F53C50C6] C:\WINDOWS\system32\mon2al3dan.exe
O4 - HKLM\..\Run: [F46D0ACE] C:\WINDOWS\system32\xpri32.exe
O4 - HKLM\..\Run: [93D8B94E] C:\WINDOWS\system32\lxtvo3.exe
O4 - HKLM\..\Run: [CEBCF1C6] C:\WINDOWS\system32\dxxti3ti.exe
O4 - HKLM\..\Run: [5E028E5E] C:\WINDOWS\system32\tittivv.exe
O4 - HKLM\..\Run: [E1C55746] C:\WINDOWS\system32\svcfopol.exe
O4 - HKLM\..\Run: [95DF5DF3] C:\WINDOWS\system32\tmlnuqM47.exe
O4 - HKLM\..\Run: [8A8C40CB] C:\WINDOWS\system32\6tcnvica.exe
O4 - HKLM\..\Run: [DDCDA053] C:\WINDOWS\system32\C3APtrmond.exe
O4 - HKLM\..\Run: [88860EDE] C:\WINDOWS\system32\acdsmsrx2.exe
O4 - HKLM\..\Run: [D02298C3] C:\WINDOWS\system32\dsipcexx.exe
O4 - HKLM\..\Run: [D9B6D6C6] C:\WINDOWS\system32\aclph3d1.exe
O4 - HKLM\..\Run: [F11A0EE3] C:\WINDOWS\system32\3d2alib.exe
O4 - HKLM\..\Run: [B0869BFE] C:\WINDOWS\system32\extsvards.exe
O4 - HKLM\..\Run: [ECBB6DC3] C:\WINDOWS\system32\vcelcbmg.exe
O4 - HKLM\..\Run: [AB29B876] C:\WINDOWS\system32\d5adsliie.exe
O4 - HKLM\..\Run: [82AB44CE] C:\WINDOWS\system32\ldpcat.exe
O4 - HKLM\..\Run: [860CC04E] C:\WINDOWS\system32\ldpads.exe
O4 - HKLM\..\Run: [93D78DF6] C:\WINDOWS\system32\to4cnoace.exe
O4 - HKLM\..\Run: [B36F380E] C:\WINDOWS\system32\tivmfd.exe
O4 - HKLM\..\Run: [97DAC64E] C:\WINDOWS\system32\dvtivv.exe
O4 - HKLM\..\Run: [8FACD0F3] C:\WINDOWS\system32\troVSsseq.exe
O4 - HKLM\..\Run: [801AC243] C:\WINDOWS\system32\udiatm.exe
O4 - HKLM\..\Run: [5F1B79C6] C:\WINDOWS\system32\6to4i32.exe
O4 - HKLM\..\Run: [1A0FD2F6] C:\WINDOWS\system32\mog32.exe
O4 - HKLM\..\Run: [03980646] C:\WINDOWS\system32\vtmxvi.exe
O4 - HKLM\..\Run: [F3D89C86] C:\WINDOWS\system32\rxycnace.exe
O4 - HKLM\..\Run: [0B350C6E] C:\WINDOWS\system32\aaadext.exe
O4 - HKLM\..\Run: [E47B8D46] C:\WINDOWS\system32\dpfile.exe
O4 - HKLM\..\Run: [9F3108E3] C:\WINDOWS\system32\rorcdra.exe
O4 - HKLM\..\Run: [B1AC1AEE] C:\WINDOWS\system32\APdsn.exe
O4 - HKLM\..\Run: [500C8AE6] C:\WINDOWS\system32\rsetiti.exe
O4 - HKLM\..\Run: [91415F73] C:\WINDOWS\system32\tinetapes.exe
O4 - HKLM\..\Run: [BBFF98E6] C:\WINDOWS\system32\brofvieew.exe
O4 - HKLM\..\Run: [A9EE3FCB] C:\WINDOWS\system32\helpvip3.exe
O4 - HKLM\..\Run: [C38674D3] C:\WINDOWS\system32\lxxctpsss.exe
O4 - HKLM\..\Run: [E7124F8B] C:\WINDOWS\system32\sfeisxio.exe
O4 - HKLM\..\Run: [55CF5406] C:\WINDOWS\system32\compdi.exe
O4 - HKLM\..\Run: [8CC291E3] C:\WINDOWS\system32\C3APpcu.exe
O4 - HKLM\..\Run: [F2B3988B] C:\WINDOWS\system32\rx3atsem.exe
O4 - HKLM\..\Run: [9899B8E3] C:\WINDOWS\system32\dsncdfv.exe
O4 - HKLM\..\Run: [B16AC40E] C:\WINDOWS\system32\resldp.exe
O4 - HKLM\..\Run: [8CB79CF6] C:\WINDOWS\system32\dvavm.exe
O4 - HKLM\..\Run: [D77B0943] C:\WINDOWS\system32\tvirow.exe
O4 - HKLM\..\Run: [416B8E06] C:\WINDOWS\system32\acllui.exe
O4 - HKLM\..\Run: [C7C5B806] C:\WINDOWS\system32\tiatgn.exe
O4 - HKLM\..\Run: [A0DA0B5B] C:\WINDOWS\system32\kctrtex.exe
O4 - HKLM\..\Run: [8C5FD676] C:\WINDOWS\system32\sfsvw.exe
O4 - HKLM\..\Run: [CB921566] C:\WINDOWS\system32\ctti2cdrt.exe
O4 - HKLM\..\Run: [CDCCBC56] C:\WINDOWS\system32\vvaxaptiodm.exe
O4 - HKLM\..\Run: [1BD71D66] C:\WINDOWS\system32\pphetml.exe
O4 - HKLM\..\Run: [A7EA3946] C:\WINDOWS\system32\d5troldi.exe
O4 - HKLM\..\Run: [10730E86] C:\WINDOWS\system32\aalrsv.exe
O4 - HKLM\..\Run: [42387866] C:\WINDOWS\system32\dosydui3d8.exe
O4 - HKLM\..\Run: [B6E00EE3] C:\WINDOWS\system32\edti2efa.exe
O4 - HKLM\..\Run: [93DC464E] C:\WINDOWS\system32\6tti2e.exe
O4 - HKLM\..\Run: [8C2D35EE] C:\WINDOWS\system32\dvileat.exe
O4 - HKLM\..\Run: [54E414CE] C:\WINDOWS\system32\edidpeam.exe
O4 - HKLM\..\Run: [B912486E] C:\WINDOWS\system32\ctisntlrs.exe
O4 - HKLM\..\Run: [C23331C6] C:\WINDOWS\system32\dpctiatm.exe
O4 - HKLM\..\Run: [836E9303] C:\WINDOWS\system32\couidnet.exe
O4 - HKLM\..\Run: [58C3916E] C:\WINDOWS\system32\aaadrse.exe
O4 - HKLM\..\Run: [8CB99C76] C:\WINDOWS\system32\dvaro.exe
O4 - HKLM\..\Run: [A3179A66] C:\WINDOWS\system32\cldmpatif.exe
O4 - HKLM\..\Run: [vmtune] %SystemRoot%\system32\gdlib.exe
O4 - HKLM\..\Run: [B00E11C6] C:\WINDOWS\system32\elccio.exe
O4 - HKLM\..\Run: [DB60FEDB] C:\WINDOWS\system32\C3xprmd.exe
O4 - HKLM\..\Run: [CEDDBB0E] C:\WINDOWS\system32\i32ambatm.exe
O4 - HKLM\..\Run: [92A00EE3] C:\WINDOWS\system32\cluiliser.exe
O4 - HKLM\..\Run: [1CAF9656] C:\WINDOWS\system32\d53nd2dva.exe
O4 - HKLM\..\Run: [CF83C1C6] C:\WINDOWS\system32\advdptilxx.exe
O4 - HKLM\..\Run: [4FD4FC66] C:\WINDOWS\system32\dwnetk3.exe
O4 - HKLM\..\Run: [A8B57C4B] C:\WINDOWS\system32\tviptsvi.exe
O4 - HKLM\..\Run: [9B0D6246] C:\WINDOWS\system32\dspllti2.exe
O4 - HKLM\..\Run: [9CB8DB03] C:\WINDOWS\system32\odbtvofil3.exe
O4 - HKLM\..\Run: [D6271403] C:\WINDOWS\system32\tivieend.exe
O4 - HKLM\..\Run: [9083076E] C:\WINDOWS\system32\pawhbid.exe
O4 - HKLM\..\Run: [DB7AAF66] C:\WINDOWS\system32\ertivic.exe
O4 - HKLM\..\Run: [DA34C9E6] C:\WINDOWS\system32\amTIDat.exe
O4 - HKLM\..\Run: [D021EC83] C:\WINDOWS\system32\ctrrovceng.exe
O4 - HKLM\..\Run: [E599410E] C:\WINDOWS\system32\2evxii.exe
O4 - HKLM\..\Run: [C30CC6C6] C:\WINDOWS\system32\edadsn.exe
O4 - HKLM\..\Run: [FE91B0CB] C:\WINDOWS\system32\53ndpvut.exe
O4 - HKLM\..\Run: [B8BA31F3] C:\WINDOWS\system32\axxitobxof.exe
O4 - HKLM\..\Run: [9934C063] C:\WINDOWS\system32\vgwsecd.exe
O4 - HKLM\..\Run: [0B359866] C:\WINDOWS\system32\uaitext.exe
O4 - HKLM\..\Run: [AA60E5E6] C:\WINDOWS\system32\omrnput.exe
O4 - HKLM\..\Run: [AD00546B] C:\WINDOWS\system32\teobjrt.exe
O4 - HKLM\..\Run: [8CAE5C76] C:\WINDOWS\system32\dvbro.exe
O4 - HKLM\..\Run: [D083EEE3] C:\WINDOWS\system32\wsewapt.exe
O4 - HKLM\..\Run: [A9AD577E] C:\WINDOWS\system32\padin.exe
O4 - HKLM\..\Run: [8EAE9BFB] C:\WINDOWS\system32\vplbasads.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\CHARLE~1\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [CA9B52DB] C:\WINDOWS\system32\C3Adslrsv.exe
O4 - HKCU\..\Run: [B7CFDC46] C:\WINDOWS\system32\pheronet.exe
O4 - HKCU\..\Run: [FC6018FE] C:\WINDOWS\system32\Diwavl3d3.exe
O4 - HKCU\..\Run: [B16CC54E] C:\WINDOWS\system32\adstmp.exe
O4 - HKCU\..\Run: [4492FF76] C:\WINDOWS\system32\dxxsrvter.exe
O4 - HKCU\..\Run: [89517F0B] C:\WINDOWS\system32\isvutcat.exe
O4 - HKCU\..\Run: [B461C44E] C:\WINDOWS\system32\3dvvcd.exe
O4 - HKCU\..\Run: [843AFC8B] C:\WINDOWS\system32\api3trac.exe
O4 - HKCU\..\Run: [882E7CE3] C:\WINDOWS\system32\wsmpbbj.exe
O4 - HKCU\..\Run: [AEC252EE] C:\WINDOWS\system32\amonsld.exe
O4 - HKCU\..\Run: [E1151CEE] C:\WINDOWS\system32\bviomdl.exe
O4 - HKCU\..\Run: [A5C75E8B] C:\WINDOWS\system32\cnoavwam.exe
O4 - HKCU\..\Run: [D7C05B43] C:\WINDOWS\system32\pvDDBNMV.exe
O4 - HKCU\..\Run: [BAB3146E] C:\WINDOWS\system32\aamoreo32.exe
O4 - HKCU\..\Run: [EFA609E3] C:\WINDOWS\system32\clevifi.exe
O4 - HKCU\..\Run: [BCBAE246] C:\WINDOWS\system32\trelowar.exe
O4 - HKCU\..\Run: [F997B4EB] C:\WINDOWS\system32\ediadsl.exe
O4 - HKCU\..\Run: [CE1926DE] C:\WINDOWS\system32\srvatsiadm.exe
O4 - HKCU\..\Run: [9D1AE363] C:\WINDOWS\system32\terckbo.exe
O4 - HKCU\..\Run: [BC4D147E] C:\WINDOWS\system32\res2e.exe
O4 - HKCU\..\Run: [A1555BF3] C:\WINDOWS\system32\TItivctrs.exe
O4 - HKCU\..\Run: [F6AD0C66] C:\WINDOWS\system32\i32ert.exe
O4 - HKCU\..\Run: [FA65D06E] C:\WINDOWS\system32\ad3d2avcl.exe
O4 - HKCU\..\Run: [90338086] C:\WINDOWS\system32\to4wsewTDev.exe
O4 - HKCU\..\Run: [F6E278CB] C:\WINDOWS\system32\tiaptiii.exe
O4 - HKCU\..\Run: [E164FE63] C:\WINDOWS\system32\ctivrxy.exe
O4 - HKCU\..\Run: [9D585EFB] C:\WINDOWS\system32\tivDD.exe
O4 - HKCU\..\Run: [1C7D106E] C:\WINDOWS\system32\vtmetat.exe
O4 - HKCU\..\Run: [A3D81986] C:\WINDOWS\system32\svdsnlxx.exe
O4 - HKCU\..\Run: [DD9D947E] C:\WINDOWS\system32\tiiicnepl.exe
O4 - HKCU\..\Run: [0C8A6E56] C:\WINDOWS\system32\ldptifg32.exe
O4 - HKCU\..\Run: [4979F666] C:\WINDOWS\system32\ediupod.exe
O4 - HKCU\..\Run: [ACBA7A83] C:\WINDOWS\system32\md53exvc.exe
O4 - HKCU\..\Run: [8CB89176] C:\WINDOWS\system32\cfcno.exe
O4 - HKCU\..\Run: [DC6EF10B] C:\WINDOWS\system32\ismetk32.exe
O4 - HKCU\..\Run: [B47A10CE] C:\WINDOWS\system32\srvpco.exe
O4 - HKCU\..\Run: [0B6E6DE6] C:\WINDOWS\system32\dptdsms.exe
O4 - HKCU\..\Run: [0B196E66] C:\WINDOWS\system32\truthEU.exe
O4 - HKCU\..\Run: [4962186E] C:\WINDOWS\system32\luiesrv.exe
O4 - HKCU\..\Run: [F7CA34CB] C:\WINDOWS\system32\pcuptitv.exe
O4 - HKCU\..\Run: [9DB3BC7B] C:\WINDOWS\system32\tiapi.exe
O4 - HKCU\..\Run: [DC79C0DB] C:\WINDOWS\system32\advpphe.exe
O4 - HKCU\..\Run: [DE8EF466] C:\WINDOWS\system32\exxlbca.exe
O4 - HKCU\..\Run: [A075854B] C:\WINDOWS\system32\ctxios.exe
O4 - HKCU\..\Run: [E9AE5D5E] C:\WINDOWS\system32\atmmetNMV.exe
O4 - HKCU\..\Run: [A76F8F66] C:\WINDOWS\system32\i32thz.exe
O4 - HKCU\..\Run: [8B5C96DE] C:\WINDOWS\system32\C3APcco32.exe
O4 - HKCU\..\Run: [86D74283] C:\WINDOWS\system32\luipph.exe
O4 - HKCU\..\Run: [AC30CDC3] C:\WINDOWS\system32\acc2dva.exe
O4 - HKCU\..\Run: [912C34E3] C:\WINDOWS\system32\odiscap.exe
O4 - HKCU\..\Run: [FA333CD3] C:\WINDOWS\system32\C3Aauthamoc.exe
O4 - HKCU\..\Run: [DA185483] C:\WINDOWS\system32\monBCo.exe
O4 - HKCU\..\Run: [B1F2BEEE] C:\WINDOWS\system32\upssi.exe
O4 - HKCU\..\Run: [4A3254EE] C:\WINDOWS\system32\dvlrsvthz.exe
O4 - HKCU\..\Run: [496A6CEE] C:\WINDOWS\system32\eteesrv.exe
O4 - HKCU\..\Run: [C8CDFC56] C:\WINDOWS\system32\cabamoptdl.exe
O4 - HKCU\..\Run: [B97260DB] C:\WINDOWS\system32\titvter.exe
O4 - HKCU\..\Run: [82D5114E] C:\WINDOWS\system32\sldi33d1a.exe
O4 - HKCU\..\Run: [FC979D6B] C:\WINDOWS\system32\APIadsl.exe
O4 - HKCU\..\Run: [AD8FDD76] C:\WINDOWS\system32\eamla.exe
O4 - HKCU\..\Run: [BE3CFF73] C:\WINDOWS\system32\edsdsld2d.exe
O4 - HKCU\..\Run: [D1E8B1F3] C:\WINDOWS\system32\4scluti3d.exe
O4 - HKCU\..\Run: [C0CF0ECE] C:\WINDOWS\system32\trtmpv.exe
O4 - HKCU\..\Run: [931905C6] C:\WINDOWS\system32\idabin.exe
O4 - HKCU\..\Run: [BF71A166] C:\WINDOWS\system32\svctiadmi.exe
O4 - HKCU\..\Run: [EB07BD43] C:\WINDOWS\system32\pcDDCfrg.exe
O4 - HKCU\..\Run: [8995A066] C:\WINDOWS\system32\ogtiesr.exe
O4 - HKCU\..\Run: [D16F454E] C:\WINDOWS\system32\ldpond.exe
O4 - HKCU\..\Run: [B16E4683] C:\WINDOWS\system32\luomre.exe
O4 - HKCU\..\Run: [F3779066] C:\WINDOWS\system32\532ive.exe
O4 - HKCU\..\Run: [D4670E06] C:\WINDOWS\system32\WSEmut.exe
O4 - HKCU\..\Run: [995A5EFB] C:\WINDOWS\system32\tired.exe
O4 - HKCU\..\Run: [B47F840E] C:\WINDOWS\system32\auvifi.exe
O4 - HKCU\..\Run: [B0884656] C:\WINDOWS\system32\aacdnfg3d3.exe
O4 - HKCU\..\Run: [A1DB38F3] C:\WINDOWS\system32\vxxwa.exe
O4 - HKCU\..\Run: [D62B710B] C:\WINDOWS\system32\APresthz.exe
O4 - HKCU\..\Run: [FC6647CB] C:\WINDOWS\system32\moclueam.exe
O4 - HKCU\..\Run: [E1C2556B] C:\WINDOWS\system32\atmfspl.exe
O4 - HKCU\..\Run: [AB1D7103] C:\WINDOWS\system32\dsmsesrv.exe
O4 - HKCU\..\Run: [A9E64E83] C:\WINDOWS\system32\motifiie.exe
O4 - HKCU\..\Run: [F66E47CB] C:\WINDOWS\system32\pvcntvid.exe
O4 - HKCU\..\Run: [1BA2BB4E] C:\WINDOWS\system32\tivvpt32.exe
O4 - HKCU\..\Run: [C3639186] C:\WINDOWS\system32\amdti3.exe
O4 - HKCU\..\Run: [DBD3BA63] C:\WINDOWS\system32\3dsvimuti.exe
O4 - HKCU\..\Run: [D90B38F6] C:\WINDOWS\system32\edsndview.exe
O4 - HKCU\..\Run: [495C48F6] C:\WINDOWS\system32\iopat.exe
O4 - HKCU\..\Run: [FBCE3DC3] C:\WINDOWS\system32\ccttemon.exe
O4 - HKCU\..\Run: [068C1186] C:\WINDOWS\system32\wsecaxof.exe
O4 - HKCU\..\Run: [96014546] C:\WINDOWS\system32\o4aclu.exe
O4 - HKCU\..\Run: [gcdef] C:\WINDOWS\System32\gcdef.exe
O4 - HKCU\..\Run: [E043B77E] C:\WINDOWS\system32\tipctrsl32.exe
O4 - HKCU\..\Run: [D8CEEEC6] C:\WINDOWS\system32\o3pnhsen.exe
O4 - HKCU\..\Run: [5DA17256] C:\WINDOWS\system32\aaamluitrea.exe
O4 - HKCU\..\Run: [CBD04D0E] C:\WINDOWS\system32\kctrow.exe
O4 - HKCU\..\Run: [80079A0E] C:\WINDOWS\system32\tipdtm.exe
O4 - HKCU\..\Run: [D59B580B] C:\WINDOWS\system32\vtmerter.exe
O4 - HKCU\..\Run: [C1B8C206] C:\WINDOWS\system32\2edapi.exe
O4 - HKCU\..\Run: [81C30D83] C:\WINDOWS\system32\acimis.exe
O4 - HKCU\..\Run: [DA9D06E6] C:\WINDOWS\system32\sntidis.exe
O4 - HKCU\..\Run: [EC8EFFFE] C:\WINDOWS\system32\diendmdlg.exe
O4 - HKCU\..\Run: [D2280C6B] C:\WINDOWS\system32\atrx3tex.exe
O4 - HKCU\..\Run: [AAEFECFE] C:\WINDOWS\system32\tichkiskc.exe
O4 - HKCU\..\Run: [D513844E] C:\WINDOWS\system32\3duaat.exe
O4 - HKCU\..\Run: [B182C0E3] C:\WINDOWS\system32\clro2dva.exe
O4 - HKCU\..\Run: [F90EBFFE] C:\WINDOWS\system32\DDCmf.exe
O4 - HKCU\..\Run: [F53C50C6] C:\WINDOWS\system32\mon2al3dan.exe
O4 - HKCU\..\Run: [F46D0ACE] C:\WINDOWS\system32\xpri32.exe
O4 - HKCU\..\Run: [93D8B94E] C:\WINDOWS\system32\lxtvo3.exe
O4 - HKCU\..\Run: [CEBCF1C6] C:\WINDOWS\system32\dxxti3ti.exe
O4 - HKCU\..\Run: [5E028E5E] C:\WINDOWS\system32\tittivv.exe
O4 - HKCU\..\Run: [E1C55746] C:\WINDOWS\system32\svcfopol.exe
O4 - HKCU\..\Run: [95DF5DF3] C:\WINDOWS\system32\tmlnuqM47.exe
O4 - HKCU\..\Run: [8A8C40CB] C:\WINDOWS\system32\6tcnvica.exe
O4 - HKCU\..\Run: [DDCDA053] C:\WINDOWS\system32\C3APtrmond.exe
O4 - HKCU\..\Run: [88860EDE] C:\WINDOWS\system32\acdsmsrx2.exe
O4 - HKCU\..\Run: [D02298C3] C:\WINDOWS\system32\dsipcexx.exe
O4 - HKCU\..\Run: [D9B6D6C6] C:\WINDOWS\system32\aclph3d1.exe
O4 - HKCU\..\Run: [F11A0EE3] C:\WINDOWS\system32\3d2alib.exe
O4 - HKCU\..\Run: [B0869BFE] C:\WINDOWS\system32\extsvards.exe
O4 - HKCU\..\Run: [ECBB6DC3] C:\WINDOWS\system32\vcelcbmg.exe
O4 - HKCU\..\Run: [AB29B876] C:\WINDOWS\system32\d5adsliie.exe
O4 - HKCU\..\Run: [82AB44CE] C:\WINDOWS\system32\ldpcat.exe
O4 - HKCU\..\Run: [860CC04E] C:\WINDOWS\system32\ldpads.exe
O4 - HKCU\..\Run: [93D78DF6] C:\WINDOWS\system32\to4cnoace.exe
O4 - HKCU\..\Run: [B36F380E] C:\WINDOWS\system32\tivmfd.exe
O4 - HKCU\..\Run: [97DAC64E] C:\WINDOWS\system32\dvtivv.exe
O4 - HKCU\..\Run: [8FACD0F3] C:\WINDOWS\system32\troVSsseq.exe
O4 - HKCU\..\Run: [801AC243] C:\WINDOWS\system32\udiatm.exe
O4 - HKCU\..\Run: [5F1B79C6] C:\WINDOWS\system32\6to4i32.exe
O4 - HKCU\..\Run: [1A0FD2F6] C:\WINDOWS\system32\mog32.exe
O4 - HKCU\..\Run: [03980646] C:\WINDOWS\system32\vtmxvi.exe
O4 - HKCU\..\Run: [F3D89C86] C:\WINDOWS\system32\rxycnace.exe
O4 - HKCU\..\Run: [0B350C6E] C:\WINDOWS\system32\aaadext.exe
O4 - HKCU\..\Run: [E47B8D46] C:\WINDOWS\system32\dpfile.exe
O4 - HKCU\..\Run: [9F3108E3] C:\WINDOWS\system32\rorcdra.exe
O4 - HKCU\..\Run: [B1AC1AEE] C:\WINDOWS\system32\APdsn.exe
O4 - HKCU\..\Run: [500C8AE6] C:\WINDOWS\system32\rsetiti.exe
O4 - HKCU\..\Run: [91415F73] C:\WINDOWS\system32\tinetapes.exe
O4 - HKCU\..\Run: [BBFF98E6] C:\WINDOWS\system32\brofvieew.exe
O4 - HKCU\..\Run: [A9EE3FCB] C:\WINDOWS\system32\helpvip3.exe
O4 - HKCU\..\Run: [C38674D3] C:\WINDOWS\system32\lxxctpsss.exe
O4 - HKCU\..\Run: [E7124F8B] C:\WINDOWS\system32\sfeisxio.exe
O4 - HKCU\..\Run: [55CF5406] C:\WINDOWS\system32\compdi.exe
O4 - HKCU\..\Run: [8CC291E3] C:\WINDOWS\system32\C3APpcu.exe
O4 - HKCU\..\Run: [F2B3988B] C:\WINDOWS\system32\rx3atsem.exe
O4 - HKCU\..\Run: [9899B8E3] C:\WINDOWS\system32\dsncdfv.exe
O4 - HKCU\..\Run: [B16AC40E] C:\WINDOWS\system32\resldp.exe
O4 - HKCU\..\Run: [8CB79CF6] C:\WINDOWS\system32\dvavm.exe
O4 - HKCU\..\Run: [D77B0943] C:\WINDOWS\system32\tvirow.exe
O4 - HKCU\..\Run: [416B8E06] C:\WINDOWS\system32\acllui.exe
O4 - HKCU\..\Run: [C7C5B806] C:\WINDOWS\system32\tiatgn.exe
O4 - HKCU\..\Run: [A0DA0B5B] C:\WINDOWS\system32\kctrtex.exe
O4 - HKCU\..\Run: [8C5FD676] C:\WINDOWS\system32\sfsvw.exe
O4 - HKCU\..\Run: [CB921566] C:\WINDOWS\system32\ctti2cdrt.exe
O4 - HKCU\..\Run: [CDCCBC56] C:\WINDOWS\system32\vvaxaptiodm.exe
O4 - HKCU\..\Run: [1BD71D66] C:\WINDOWS\system32\pphetml.exe
O4 - HKCU\..\Run: [A7EA3946] C:\WINDOWS\system32\d5troldi.exe
O4 - HKCU\..\Run: [10730E86] C:\WINDOWS\system32\aalrsv.exe
O4 - HKCU\..\Run: [42387866] C:\WINDOWS\system32\dosydui3d8.exe
O4 - HKCU\..\Run: [B6E00EE3] C:\WINDOWS\system32\edti2efa.exe
O4 - HKCU\..\Run: [93DC464E] C:\WINDOWS\system32\6tti2e.exe
O4 - HKCU\..\Run: [8C2D35EE] C:\WINDOWS\system32\dvileat.exe
O4 - HKCU\..\Run: [54E414CE] C:\WINDOWS\system32\edidpeam.exe
O4 - HKCU\..\Run: [B912486E] C:\WINDOWS\system32\ctisntlrs.exe
O4 - HKCU\..\Run: [C23331C6] C:\WINDOWS\system32\dpctiatm.exe
O4 - HKCU\..\Run: [836E9303] C:\WINDOWS\system32\couidnet.exe
O4 - HKCU\..\Run: [58C3916E] C:\WINDOWS\system32\aaadrse.exe
O4 - HKCU\..\Run: [8CB99C76] C:\WINDOWS\system32\dvaro.exe
O4 - HKCU\..\Run: [A3179A66] C:\WINDOWS\system32\cldmpatif.exe
O4 - HKCU\..\Run: [B00E11C6] C:\WINDOWS\system32\elccio.exe
O4 - HKCU\..\Run: [DB60FEDB] C:\WINDOWS\system32\C3xprmd.exe
O4 - HKCU\..\Run: [CEDDBB0E] C:\WINDOWS\system32\i32ambatm.exe
O4 - HKCU\..\Run: [92A00EE3] C:\WINDOWS\system32\cluiliser.exe
O4 - HKCU\..\Run: [1CAF9656] C:\WINDOWS\system32\d53nd2dva.exe
O4 - HKCU\..\Run: [CF83C1C6] C:\WINDOWS\system32\advdptilxx.exe
O4 - HKCU\..\Run: [4FD4FC66] C:\WINDOWS\system32\dwnetk3.exe
O4 - HKCU\..\Run: [A8B57C4B] C:\WINDOWS\system32\tviptsvi.exe
O4 - HKCU\..\Run: [9B0D6246] C:\WINDOWS\system32\dspllti2.exe
O4 - HKCU\..\Run: [9CB8DB03] C:\WINDOWS\system32\odbtvofil3.exe
O4 - HKCU\..\Run: [D6271403] C:\WINDOWS\system32\tivieend.exe
O4 - HKCU\..\Run: [9083076E] C:\WINDOWS\system32\pawhbid.exe
O4 - HKCU\..\Run: [DB7AAF66] C:\WINDOWS\system32\ertivic.exe
O4 - HKCU\..\Run: [DA34C9E6] C:\WINDOWS\system32\amTIDat.exe
O4 - HKCU\..\Run: [D021EC83] C:\WINDOWS\system32\ctrrovceng.exe
O4 - HKCU\..\Run: [E599410E] C:\WINDOWS\system32\2evxii.exe
O4 - HKCU\..\Run: [C30CC6C6] C:\WINDOWS\system32\edadsn.exe
O4 - HKCU\..\Run: [FE91B0CB] C:\WINDOWS\system32\53ndpvut.exe
O4 - HKCU\..\Run: [B8BA31F3] C:\WINDOWS\system32\axxitobxof.exe
O4 - HKCU\..\Run: [9934C063] C:\WINDOWS\system32\vgwsecd.exe
O4 - HKCU\..\Run: [0B359866] C:\WINDOWS\system32\uaitext.exe
O4 - HKCU\..\Run: [AA60E5E6] C:\WINDOWS\system32\omrnput.exe
O4 - HKCU\..\Run: [AD00546B] C:\WINDOWS\system32\teobjrt.exe
O4 - HKCU\..\Run: [8CAE5C76] C:\WINDOWS\system32\dvbro.exe
O4 - HKCU\..\Run: [D083EEE3] C:\WINDOWS\system32\wsewapt.exe
O4 - HKCU\..\Run: [A9AD577E] C:\WINDOWS\system32\padin.exe
O4 - HKCU\..\Run: [8EAE9BFB] C:\WINDOWS\system32\vplbasads.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://C:\counter.cab
O23 - Service: Remote Procedure Call (RPC) Helper ( 6Q'8) - Unknown owner - C:\WINDOWS\system32\sdkzu.exe" /s (file missing)

Now close all windows and browsers and click FIX CHECKED.

Then boot up in SAFE MODE.

Navigate to and delete the following files:

C:\WINDOWS\System32\gcdef.exe << This file
C:\WINDOWS\System32\tibs5.exe << This file
C:\WINDOWS\System32\tibs3.exe << This file


Now boot up NORMALLY.


Download About:Buster from either of the following locations.

http://www.atribune.org/downloads/AboutBuster.zip
or
http://tools.zerosrealm.com/AboutBuster.zip

Make sure you close ALL Internet Explorer windows. This is a very important step!!

Run AboutBuster.exe, click ok, then start, then OK. This will scan your computer for the files responsible for hijacking your home and/or search settings/page.


Could you please download DelDomains.zip and unzip it to your desktop.

Right click the DelDomains.inf file inside and click Install, making sure Internet Explorer is closed. You won't see anything happen. Give it a minute then reboot your PC and post a fresh Hijack This log.


Run two online virus scans from any of the following locations and post a summary of their findings in your next reply.

http://www.ravantivirus.com/scan/ - RAV
http://www.pandasoftware.com/activescan/ - Panda
http://www.bitdefender.com/scan/licence.php - BitDefender
http://security.symantec.com/sscv6/default...id=ie&venid=sym - Symantec




Then reboot and post a fresh HijackThis log.

#3 chucker07


Posted 14 March 2005 - 06:44 PM

HJT log after installing DelDomains.inf

Logfile of HijackThis v1.99.1
Scan saved at 6:40:53 PM, on 3/14/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\system32\ipjc.exe
C:\WINDOWS\d3ba32.exe
C:\Documents and Settings\Charles Butler\Desktop\Downloads\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\nwuna.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\nwuna.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\nwuna.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\nwuna.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\nwuna.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\nwuna.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\nwuna.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {B56233F4-AAE8-569E-8370-CAB92BF74D19} - C:\WINDOWS\system32\msyi.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ipjc.exe] C:\WINDOWS\system32\ipjc.exe
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.neveron.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O16 - DPF: ChatSpace Full Java Client 4.0.0.301 - http://chat.goarmy.com:8563/Java/cfs40301.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {2B1AA38D-2D12-11D5-AAD0-00C04FA03D78} (LocalExec Control) - http://portal.uga.edu/nps/portal/gadgets/c...t/LocalExec.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-18.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by12fd.bay12.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1100405361531
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Workstation NetLogon Service ( 6Q'8) - Unknown owner - C:\WINDOWS\d3ba32.exe" /s (file missing)

#4 bricat


Posted 14 March 2005 - 07:14 PM

Download and install APM from here:
http://www.diamondcs.com.au/index.php?page=apm
(don't run it yet; we will get to that in a minute)

Firstly, can you run "about buster" again?


Put a checkmark next to the following entries in HijackThis.


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\nwuna.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\nwuna.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\nwuna.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\nwuna.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\nwuna.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\nwuna.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\nwuna.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [ipjc.exe] C:\WINDOWS\system32\ipjc.exe
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.neveron.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O23 - Service: Workstation NetLogon Service ( 6Q'8) - Unknown owner - C:\WINDOWS\d3ba32.exe" /s (file missing)


Make sure all other windows and browsers are closed before clicking on Fix Checked.



Now, start APM.
In the upper window select explorer.exe
In the lower window find and right-click C:\WINDOWS\System32\msyi.dll

It is the O2 BHO entry with no description, in case it has changed names. It is not tied to any program you recognize.

Currently it is: O2 - BHO: (no name) - {B56233F4-AAE8-569E-8370-CAB92BF74D19} - C:\WINDOWS\system32\msyi.dll


Select Unload DLL, and click OK on the prompts that follow.



Click Start > Run > type services.msc, then click OK
Scroll down and right click on 'Network Security Service'
Select 'Properties' and set the "Service Status" option to "Stop"
Set "Startup type" to "Disabled", click Apply, then OK.


Could you please download DelDomains.zip and unzip it to your desktop.

Right click the DelDomains.inf file inside and click Install, making sure Internet Explorer is closed. You won't see anything happen. Give it a minute to do its stuff.


Then boot up in SAFE MODE.


Then go to C:\WINDOWS\system32 and delete ipjc.exe


Then reboot and post a fresh HijackThis log.
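
Added example (not part of bricat's post or of HijackThis itself): a small Python triage pass over a HijackThis log that finds the nameless O2 BHO by its "(no name)" marker rather than by file name, since the DLL may have been renamed between scans, and flags three other patterns selected in the post above. The four heuristics and all function names are assumptions made for this illustration; the sample lines are copied from the log in this thread, and O4 and R3 entries are left for an analyst to judge.

```python
import re
from typing import List, NamedTuple

# Sample input: a few lines copied from the HijackThis log in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\nwuna.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {B56233F4-AAE8-569E-8370-CAB92BF74D19} - C:\WINDOWS\system32\msyi.dll
O4 - HKLM\..\Run: [ipjc.exe] C:\WINDOWS\system32\ipjc.exe
O15 - Trusted Zone: *.neveron.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Workstation NetLogon Service ( 6Q'8) - Unknown owner - C:\WINDOWS\d3ba32.exe" /s (file missing)
"""


class Finding(NamedTuple):
    section: str  # HijackThis section code, e.g. "O2"
    reason: str   # why the line was flagged
    detail: str   # DLL path, domain or service name taken from the line


# "<section> - <body>", e.g. "O2 - BHO: ..."
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
# IE start/search setting whose value is a res:// resource inside a DLL
RES_DLL_RE = re.compile(r"= res://(?P<dll>[^/]+\.dll)/", re.IGNORECASE)
# "BHO: <name> - {CLSID} - <path>"
BHO_RE = re.compile(
    r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$"
)
ZONE_RE = re.compile(r"^Trusted Zone: (?P<domain>\S+)")
# "Service: <name> - <owner> - <path>"
SERVICE_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


def triage(log_text: str) -> List[Finding]:
    """Return the log lines that match one of the four heuristics."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        entry = ENTRY_RE.match(raw.strip())
        if not entry:
            continue  # header, process list or blank line
        section, body = entry.group("section"), entry.group("body")

        if section in ("R0", "R1"):
            res = RES_DLL_RE.search(body)
            if res:
                findings.append(Finding(
                    section, "IE page setting points into a DLL via res://",
                    res.group("dll")))
        elif section == "O2":
            bho = BHO_RE.match(body)
            if bho and bho.group("name") == "(no name)":
                findings.append(Finding(
                    section, "BHO registered without a name", bho.group("path")))
        elif section == "O15":
            zone = ZONE_RE.match(body)
            if zone:
                findings.append(Finding(
                    section, "site added to the Trusted Zone", zone.group("domain")))
        elif section == "O23":
            svc = SERVICE_RE.match(body)
            if svc and svc.group("path").rstrip().endswith("(file missing)"):
                findings.append(Finding(
                    section, "service registered for a file that is missing",
                    svc.group("name")))
    return findings


def nameless_bho_paths(log_text: str) -> List[str]:
    """Current DLL path(s) of the nameless BHO, whatever the file is called now."""
    return [f.detail for f in triage(log_text) if f.section == "O2"]


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"{finding.section:>3}  {finding.reason}: {finding.detail}")
```

Run against a fresh log, `nameless_bho_paths` gives the DLL to look for in the lower APM window even if it is no longer called msyi.dll.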

#5 chucker07


Posted 14 March 2005 - 07:23 PM

BitDefender summary

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit2.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit20.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit20.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit21.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit21.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit22.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit22.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit23.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit23.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit24.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit24.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit25.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit25.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit26.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit26.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit27.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit27.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit28.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit28.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit29.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit29.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit3.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit3.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit30.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit30.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit31.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit31.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit32.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit32.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit33.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit33.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit34.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit34.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit35.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit35.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit36.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit36.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit37.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit37.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit38.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit38.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit39.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit39.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit4.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit4.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit40.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit40.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit41.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit41.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit42.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit42.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit43.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit43.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit44.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit44.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit45.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit45.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit46.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit46.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit47.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit47.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit48.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit48.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit49.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit49.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit5.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit5.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit50.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit50.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit51.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit51.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit52.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit52.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit53.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit53.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit54.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit54.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit55.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit55.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit56.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit56.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit57.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit57.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit58.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit58.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit59.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit59.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit6.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit6.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit60.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit60.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit61.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit61.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit62.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit62.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit63.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit63.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit64.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit64.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit65.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit65.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit66.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit66.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit67.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit67.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit68.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit68.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit69.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit69.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit7.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit7.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit70.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit70.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit71.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit71.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit72.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit72.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit73.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit73.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit74.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit74.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit75.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit75.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit76.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit76.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit77.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit77.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit78.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit78.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit79.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit79.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit8.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit8.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit80.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit80.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit81.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit81.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit82.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit82.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit83.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit83.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit84.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit84.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit85.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit85.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit86.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit86.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit87.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit

#6 chucker07

Posted 15 March 2005 - 08:59 PM

-APM downloaded
-About Buster run
-C:\WINDOWS\System32\msyi.dll not found
-Network Security Service not found
-Booted in SAFE MODE
-ipjc.exe not found

Logfile of HijackThis v1.99.1
Scan saved at 8:53:05 PM, on 3/15/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\system32\ipjc.exe
C:\WINDOWS\d3ba32.exe
C:\Documents and Settings\Charles Butler\Desktop\Downloads\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ipjc.exe] C:\WINDOWS\system32\ipjc.exe
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: ChatSpace Full Java Client 4.0.0.301 - http://chat.goarmy.com:8563/Java/cfs40301.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {2B1AA38D-2D12-11D5-AAD0-00C04FA03D78} (LocalExec Control) - http://portal.uga.edu/nps/portal/gadgets/c...t/LocalExec.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-18.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by12fd.bay12.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1100405361531
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Workstation NetLogon Service ( 6Q'8) - Unknown owner - C:\WINDOWS\d3ba32.exe" /s (file missing)

#7 bricat

Posted 16 March 2005 - 05:58 AM

Rerun HJT, and put a tick beside these :-


O4 - HKLM\..\Run: [ipjc.exe] C:\WINDOWS\system32\ipjc.exe
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O23 - Service: Workstation NetLogon Service ( 6Q'8) - Unknown owner - C:\WINDOWS\d3ba32.exe" /s (file missing)

now close all windows and browsers and click FIX CHECKED


you need to show hidden files :-

* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.


Then boot up in SAFE MODE


navigate to and delete these files :-

C:\WINDOWS\System32\spoolsrv32.exe << This file
C:\WINDOWS\system32\ipjc.exe << This file
C:\WINDOWS\d3ba32.exe << This file


reboot normally


Click Start > Run > type services.msc, then click OK
Scroll down and right click on 'Network Security Service'
Select 'Properties' and set the "Service Status" option to "Stop"
Set "Startup type" to "Disabled", click Apply, then OK.



then reboot and post a fresh Hijackthis log.
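
The link between the ticked HijackThis entries and the files deleted afterwards, as an added example that is not part of the original post: a small parser for the O4 and O23 line formats seen in the logs on this page, which checks that every file in the delete list is referenced by a ticked entry and the reverse. The function names and regular expressions are assumptions of this example, not HijackThis code.

```python
import re

# The four entries ticked in the post above, copied from the 15 March log.
TICKED = r"""
O4 - HKLM\..\Run: [ipjc.exe] C:\WINDOWS\system32\ipjc.exe
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O23 - Service: Workstation NetLogon Service ( 6Q'8) - Unknown owner - C:\WINDOWS\d3ba32.exe" /s (file missing)
""".strip().splitlines()

# The files the post says to delete in Safe Mode.
DELETE_LIST = [
    r"C:\WINDOWS\System32\spoolsrv32.exe",
    r"C:\WINDOWS\system32\ipjc.exe",
    r"C:\WINDOWS\d3ba32.exe",
]

# An untouched entry from the same log: quoted path followed by an argument.
QUOTED = r'O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime'

# O4: registry autostart value -> hive, key (Run/RunOnce), value name, command.
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[(.*?)\] (.*)$")
# O23: service -> display name, owner, command line.
O23_RE = re.compile(r"^O23 - Service: (.*) - (.*?) - (.*)$")
# Image path: everything up to the first .exe/.dll/.ocx, optional leading quote.
IMAGE_RE = re.compile(r'^"?(.+?\.(?:exe|dll|ocx))\b', re.IGNORECASE)


def image_path(command):
    """Return the executable part of a command line, without quotes or arguments."""
    m = IMAGE_RE.match(command.strip())
    return m.group(1) if m else None


def parse_entry(line):
    """Parse one O4 or O23 log line into a dict; return None for other lines."""
    line = line.strip()
    m = O4_RE.match(line)
    if m:
        hive, key, name, command = m.groups()
        return {"section": "O4", "location": hive + "\\" + key, "name": name,
                "image": image_path(command), "file_missing": False}
    m = O23_RE.match(line)
    if m:
        name, owner, command = m.groups()
        return {"section": "O23", "location": "service", "name": name,
                "owner": owner, "image": image_path(command),
                # HijackThis appends this marker when the file was not found.
                "file_missing": command.rstrip().endswith("(file missing)")}
    return None


def referenced_files(lines):
    """Unique image paths referenced by the entries, lower-cased, in log order."""
    seen = []
    for line in lines:
        entry = parse_entry(line)
        if entry and entry["image"]:
            path = entry["image"].lower()  # Windows paths are case-insensitive
            if path not in seen:
                seen.append(path)
    return seen


def coverage(lines, delete_list):
    """Return (referenced but not deleted, deleted but not referenced)."""
    referenced = referenced_files(lines)
    deleted = [p.lower() for p in delete_list]
    not_deleted = [p for p in referenced if p not in deleted]
    not_referenced = [p for p in deleted if p not in referenced]
    return not_deleted, not_referenced


if __name__ == "__main__":
    for line in TICKED:
        e = parse_entry(line)
        print(e["section"], e["location"], repr(e["name"]), "->", e["image"],
              "(file missing)" if e["file_missing"] else "")
    print("gaps:", coverage(TICKED, DELETE_LIST))
```

Two of the four ticked entries point at the same file, which is why four registry and service references map to three files on disk.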

#8 chucker07

Posted 19 March 2005 - 08:49 PM

Logfile of HijackThis v1.99.1
Scan saved at 8:47:33 PM, on 3/19/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\system32\ieqe.exe
C:\WINDOWS\atlgp32.exe
C:\Documents and Settings\Charles Butler\Desktop\Downloads\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\yrlne.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\yrlne.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\yrlne.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\yrlne.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\yrlne.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\yrlne.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\yrlne.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {BA5E08BD-E47C-5D05-ADCC-79F69B02D7DB} - C:\WINDOWS\system32\appbb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ieqe.exe] C:\WINDOWS\system32\ieqe.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: ChatSpace Full Java Client 4.0.0.301 - http://chat.goarmy.com:8563/Java/cfs40301.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {2B1AA38D-2D12-11D5-AAD0-00C04FA03D78} (LocalExec Control) - http://portal.uga.edu/nps/portal/gadgets/c...t/LocalExec.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-18.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by12fd.bay12.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1100405361531
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O23 - Service: Network Security Service (NSS) ( 11F#`I) - Unknown owner - C:\WINDOWS\atlgp32.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe

#9 bricat


Posted 20 March 2005 - 02:00 PM

Download About:Buster from either of the following locations.

http://www.atribune.org/downloads/AboutBuster.zip
or
http://tools.zerosrealm.com/AboutBuster.zip

Make sure you close ALL Internet Explorer windows. This is a very important step!!

Run AboutBuster.exe, click OK, then Start, then OK. This will scan your computer for the files responsible for hijacking your home and/or search settings/page.

ABOUT BUSTER TUTORIAL


Download and install APM from here:
http://www.diamondcs.com.au/index.php?page=apm
(Don't run it yet; we will get to that in a minute.)


Put a checkmark next to the following entries in HijackThis.


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\yrlne.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\yrlne.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\yrlne.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\yrlne.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\yrlne.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\yrlne.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\yrlne.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [ieqe.exe] C:\WINDOWS\system32\ieqe.exe
O23 - Service: Network Security Service (NSS) ( 11F#`I) - Unknown owner - C:\WINDOWS\atlgp32.exe


Make sure all windows and browsers are closed before clicking on Fix Checked.


Now, start APM.
In the upper window select explorer.exe
In the lower window find and right-click C:\WINDOWS\System32\appbb.dll

It is the O2 BHO entry with no description, in case it has changed names. It is not tied to any program you recognize.

Currently it is: O2 - BHO: (no name) - {BA5E08BD-E47C-5D05-ADCC-79F69B02D7DB} - C:\WINDOWS\system32\appbb.dll

Select Unload DLL, and click OK on the prompts that follow.



Click Start > Run > type services.msc, then click OK
Scroll down and right click on 'Network Security Service'
Select 'Properties' and set the "Service Status" option to "Stop"
Set "Startup type" to "Disabled", click Apply, then OK.


Then boot up in SAFE MODE

Then go to C:\WINDOWS\system32\ and delete ieqe.exe

Then go to C:\WINDOWS\ and delete atlgp32.exe



Then reboot and post a fresh HijackThis log.

Edited by bricat, 20 March 2005 - 02:01 PM.


#10 chucker07


Posted 20 March 2005 - 02:43 PM

Logfile of HijackThis v1.99.1
Scan saved at 2:41:54 PM, on 3/20/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\mfclb32.exe
C:\WINDOWS\msbj.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Documents and Settings\Charles Butler\Desktop\Downloads\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {BA5E08BD-E47C-5D05-ADCC-79F69B02D7DB} - C:\WINDOWS\system32\appbb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [msbj.exe] C:\WINDOWS\msbj.exe
O4 - HKLM\..\RunOnce: [mfclb32.exe] C:\WINDOWS\mfclb32.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: ChatSpace Full Java Client 4.0.0.301 - http://chat.goarmy.com:8563/Java/cfs40301.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {2B1AA38D-2D12-11D5-AAD0-00C04FA03D78} (LocalExec Control) - http://portal.uga.edu/nps/portal/gadgets/c...t/LocalExec.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-18.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by12fd.bay12.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1100405361531
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O23 - Service: Network Security Service (NSS) ( 11F#`I) - Unknown owner - C:\WINDOWS\atlgp32.exe (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
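
An added example, not part of any post in this thread: a short Python script that compares the HijackThis log taken before the fix with the fresh log above, to check which flagged entries were removed, which persist, and which are new. The triage rules and function names are assumptions modelled on the entries flagged in post #9, not HijackThis's own logic.

```python
import re

# Constructed samples: lines copied from the two HijackThis logs in this thread.
BEFORE = r"""R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\yrlne.dll/sp.html#28129
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {BA5E08BD-E47C-5D05-ADCC-79F69B02D7DB} - C:\WINDOWS\system32\appbb.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ieqe.exe] C:\WINDOWS\system32\ieqe.exe
O23 - Service: Network Security Service (NSS) ( 11F#`I) - Unknown owner - C:\WINDOWS\atlgp32.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe"""
AFTER = r"""O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {BA5E08BD-E47C-5D05-ADCC-79F69B02D7DB} - C:\WINDOWS\system32\appbb.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [msbj.exe] C:\WINDOWS\msbj.exe
O4 - HKLM\..\RunOnce: [mfclb32.exe] C:\WINDOWS\mfclb32.exe
O23 - Service: Network Security Service (NSS) ( 11F#`I) - Unknown owner - C:\WINDOWS\atlgp32.exe (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe"""

# Hypothetical triage rules (section codes, pattern, reason); heuristics for review, not verdicts.
RULES = [
    (("R0", "R1"), re.compile(r"= res://C:\\WINDOWS\\(system32\\)?[^\\/]+\.dll/", re.I),
     "IE search setting served from a DLL in the Windows directory"),
    (("O2",), re.compile(r"BHO: \(no name\)"), "unnamed BHO"),
    (("O4",), re.compile(r"\[([^\]]+\.exe)\] C:\\WINDOWS\\(system32\\)?\1$", re.I),
     "autorun value named after its own file"),
    (("O23",), re.compile(r"Unknown owner - C:\\WINDOWS\\[^\\]+\.exe", re.I),
     "unknown-owner service binary in the Windows root"),
]

def flag(line):
    """Return the reason a log line matches a triage rule, or None."""
    section = line.split(" - ", 1)[0]
    for sections, pattern, reason in RULES:
        if section in sections and pattern.search(line):
            return reason
    return None

def compare(before, after):
    """Split flagged entries into removed, persisting and newly appeared."""
    def flagged(log):
        # HijackThis appends "(file missing)" when the target is gone; strip it so entries match.
        lines = (l.strip().replace(" (file missing)", "") for l in log.splitlines())
        return {l for l in lines if flag(l)}
    old, new = flagged(before), flagged(after)
    return {"removed": old - new, "persisting": old & new, "new": new - old}

if __name__ == "__main__":
    for status, entries in compare(BEFORE, AFTER).items():
        for entry in sorted(entries):
            print(f"{status:10} {flag(entry):62} {entry}")
```

On these two logs it reports the R1 and ieqe.exe entries as removed, the unnamed BHO and the Network Security Service registration as persisting, and the msbj.exe and mfclb32.exe autoruns as new.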

#11 bricat


Posted 20 March 2005 - 02:48 PM

Follow this link to download ServiceFilter:

ServiceFilter download

Unzip the content to a folder, such as c:\ServiceFilter.

Navigate to c:\ServiceFilter folder and (double)click the ServiceFilter.vbs file.

If you have a script blocking program you will get a warning asking if you want to allow ServiceFilter.vbs to run. Allow the script to run.

Follow the instructions on the screen and WordPad will open.

In WordPad click
Edit menu --> Select All
then
Edit menu --> Copy

Right click in the message area and click on the paste option to paste the log into your next post.

#12 chucker07


Posted 14 May 2005 - 01:59 PM

Sorry for the delay. I've been extremely busy lately. My brother-in-law was in town and helped to get my computer back in form. Thanks for all the help.



