pop-up hell


  • This topic is locked
4 replies to this topic

#1 dailymark

Posted 06 April 2005 - 09:49 PM

I am computing in adware hell. I have run Spybot and Ad-Aware SE.

Here are my HJT and Ad-Aware logs. Can anyone help?


Ad-Aware SE Build 1.05
Logfile Created on:Wednesday, April 06, 2005 9:36:35 PM
Using definitions file:SE1R36 01.04.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Ebates MoneyMaker(TAC index:4):7 total references
MRU List(TAC index:0):13 total references
Tracking Cookie(TAC index:3):6 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Ignore spanned files when scanning cab archives
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Block pop-ups aggressively
Set : Automatically select problematic objects in results lists
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Show splash screen
Set : Backup current definitions file before updating
Set : Play sound at scan completion if scan locates critical objects


4-6-2005 9:36:35 PM - Scan started. (Full System Scan)

MRU List Object Recognized!
Location: : S-1-5-21-2284308411-2865305535-977358603-1007\software\microsoft\windows\currentversion\explorer\runmru
Description : mru list for items opened in start | run


MRU List Object Recognized!
Location: : S-1-5-21-2284308411-2865305535-977358603-1007\software\microsoft\search assistant\acmru
Description : list of recent search terms used with the search assistant


MRU List Object Recognized!
Location: : S-1-5-21-2284308411-2865305535-977358603-1007\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru
Description : list of recently saved files, stored according to file extension


MRU List Object Recognized!
Location: : S-1-5-21-2284308411-2865305535-977358603-1007\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru
Description : list of recent programs opened


MRU List Object Recognized!
Location: : S-1-5-21-2284308411-2865305535-977358603-1007\software\microsoft\windows\currentversion\explorer\recentdocs
Description : list of recent documents opened


MRU List Object Recognized!
Location: : S-1-5-21-2284308411-2865305535-977358603-1007\software\microsoft\office\8.0\common\open find\microsoft word\settings\save as\file name mru
Description : list of recent documents saved by microsoft word


MRU List Object Recognized!
Location: : S-1-5-21-2284308411-2865305535-977358603-1007\software\microsoft\office\8.0\excel\recent file list
Description : list of recent files used by microsoft excel


MRU List Object Recognized!
Location: : software\microsoft\directdraw\mostrecentapplication
Description : most recent application to use microsoft directdraw


MRU List Object Recognized!
Location: : S-1-5-21-2284308411-2865305535-977358603-1007\software\microsoft\mediaplayer\preferences
Description : last playlist index loaded in microsoft windows media player


MRU List Object Recognized!
Location: : S-1-5-21-2284308411-2865305535-977358603-1007\software\microsoft\windows\currentversion\applets\regedit
Description : last key accessed using the microsoft registry editor


MRU List Object Recognized!
Location: : S-1-5-21-2284308411-2865305535-977358603-1007\software\microsoft\mediaplayer\preferences
Description : last playlist loaded in microsoft windows media player


MRU List Object Recognized!
Location: : S-1-5-21-2284308411-2865305535-977358603-1007\software\microsoft\windows media\wmsdk\general
Description : windows media sdk


MRU List Object Recognized!
Location: : C:\Documents and Settings\Mark Cantarella\recent
Description : list of recently opened documents


Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 568
ThreadCreationTime : 4-7-2005 12:24:24 AM
BasePriority : Normal


#:2 [csrss.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 632
ThreadCreationTime : 4-7-2005 12:24:25 AM
BasePriority : Normal


#:3 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 656
ThreadCreationTime : 4-7-2005 12:24:26 AM
BasePriority : High


#:4 [services.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 700
ThreadCreationTime : 4-7-2005 12:24:27 AM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : services.exe

#:5 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 712
ThreadCreationTime : 4-7-2005 12:24:27 AM
BasePriority : Normal
FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
ProductVersion : 5.1.2600.1106
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:6 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 892
ThreadCreationTime : 4-7-2005 12:24:27 AM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:7 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 976
ThreadCreationTime : 4-7-2005 12:24:27 AM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:8 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1084
ThreadCreationTime : 4-7-2005 12:24:28 AM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:9 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1108
ThreadCreationTime : 4-7-2005 12:24:28 AM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:10 [explorer.exe]
FilePath : C:\WINDOWS\
ProcessID : 1448
ThreadCreationTime : 4-7-2005 12:24:30 AM
BasePriority : Normal
FileVersion : 6.00.2800.1106 (xpsp1.020828-1920)
ProductVersion : 6.00.2800.1106
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : EXPLORER.EXE

#:11 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1464
ThreadCreationTime : 4-7-2005 12:24:30 AM
BasePriority : Normal
FileVersion : 5.1.2600.0 (XPClient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe

#:12 [hkcmd.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1664
ThreadCreationTime : 4-7-2005 12:24:35 AM
BasePriority : Normal
FileVersion : 3.0.0.3762
ProductVersion : 7.0.0.3762
ProductName : Intel® Common User Interface
CompanyName : Intel Corporation
FileDescription : hkcmd Module
InternalName : HKCMD
LegalCopyright : Copyright 1999-2002, Intel Corporation
OriginalFilename : HKCMD.EXE

#:13 [jusched.exe]
FilePath : C:\Program Files\Java\j2re1.4.2_03\bin\
ProcessID : 1672
ThreadCreationTime : 4-7-2005 12:24:35 AM
BasePriority : Normal


#:14 [pcmservice.exe]
FilePath : C:\Program Files\Dell\Media Experience\
ProcessID : 1680
ThreadCreationTime : 4-7-2005 12:24:35 AM
BasePriority : Normal
FileVersion : 1.0.1611
ProductVersion : 1.0.1611
ProductName : PCM2Launcher Application
CompanyName : CyberLink Corp.
FileDescription : PowerCinema Resident Program for Dell
InternalName : PowerCinema Resident Program for Dell
LegalCopyright : Copyright c 2003 CyberLink Corp.
OriginalFilename : PCM2Launcher.EXE

#:15 [tfswctrl.exe]
FilePath : C:\WINDOWS\system32\dla\
ProcessID : 1688
ThreadCreationTime : 4-7-2005 12:24:35 AM
BasePriority : Normal
FileVersion : 1.04.07b
CompanyName : Sonic Solutions
FileDescription : Drive Letter Access Component
LegalCopyright : Copyright © 2004 Sonic Solutions

#:16 [ccapp.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\
ProcessID : 1704
ThreadCreationTime : 4-7-2005 12:24:35 AM
BasePriority : Normal
FileVersion : 2.1.6.3
ProductVersion : 2.1.6.3
ProductName : Common Client
CompanyName : Symantec Corporation
FileDescription : Common Client User Session
InternalName : ccApp
LegalCopyright : Copyright © 2000-2003 Symantec Corporation. All rights reserved.
OriginalFilename : ccApp.exe

#:17 [mmtask.exe]
FilePath : C:\Program Files\MusicMatch\MusicMatch Jukebox\
ProcessID : 1720
ThreadCreationTime : 4-7-2005 12:24:35 AM
BasePriority : Normal
FileVersion : 1.0.0.1
ProductVersion : 1.0.0.1
ProductName : TODO: <Product name>
CompanyName : TODO: <Company name>
FileDescription : TODO: <File description>
InternalName : mmtask.exe
LegalCopyright : TODO: © <Company name>. All rights reserved.
OriginalFilename : mmtask.exe

#:18 [mm_tray.exe]
FilePath : C:\Program Files\MUSICMATCH\Musicmatch Jukebox\
ProcessID : 1728
ThreadCreationTime : 4-7-2005 12:24:35 AM
BasePriority : Normal
FileVersion : 8.20.2051
ProductVersion : 8.20.2051
ProductName : Musicmatch JUKEBOX
CompanyName : Musicmatch, Inc.
FileDescription : mm_tray
InternalName : mm_tray
LegalCopyright : Copyright © Musicmatch 1998-2004
LegalTrademarks :
OriginalFilename : mm_tray.exe

#:19 [support.exe]
FilePath : C:\Program Files\Common Files\Dell\EUSW\
ProcessID : 1736
ThreadCreationTime : 4-7-2005 12:24:35 AM
BasePriority : Normal
FileVersion : 2, 1, 1, 0
ProductVersion : 1, 0, 0, 1
ProductName : Dell Support
CompanyName : Dell
FileDescription : Support
InternalName : Support
LegalCopyright : Copyright © 2002
OriginalFilename : Support.exe

#:20 [realplay.exe]
FilePath : C:\Program Files\Real\RealPlayer\
ProcessID : 1744
ThreadCreationTime : 4-7-2005 12:24:35 AM
BasePriority : Normal
FileVersion : 6.0.9.584
ProductVersion : 6.0.9.584
ProductName : RealPlayer (32-bit)
CompanyName : RealNetworks, Inc.
FileDescription : RealPlayer
InternalName : REALPLAY
LegalCopyright : Copyright © RealNetworks, Inc. 1995-2000
LegalTrademarks : RealAudio™ is a trademark of RealNetworks, Inc.
OriginalFilename : REALPLAY.EXE

#:21 [qttask.exe]
FilePath : C:\Program Files\QuickTime\
ProcessID : 1752
ThreadCreationTime : 4-7-2005 12:24:35 AM
BasePriority : Normal
FileVersion : 6.5
ProductVersion : QuickTime 6.5
ProductName : QuickTime
CompanyName : Apple Computer, Inc.
InternalName : QuickTime Task
LegalCopyright : © Apple Computer, Inc. 2001-2004
OriginalFilename : QTTask.exe

#:22 [itouch.exe]
FilePath : C:\Program Files\Logitech\iTouch\
ProcessID : 1768
ThreadCreationTime : 4-7-2005 12:24:35 AM
BasePriority : Normal
FileVersion : 2.22.289
ProductVersion : 2.22.289
ProductName : iTouch
CompanyName : Logitech Inc.
FileDescription : iTouch Application
InternalName : iTouch
LegalCopyright : © 1998-2003 Logitech. All rights reserved.
LegalTrademarks : Logitech® and iTouch® are registered trademarks of Logitech Inc.
OriginalFilename : iTouch.exe
Comments : Created by the iTouch team

#:23 [aoldial.exe]
FilePath : C:\Program Files\Common Files\AOL\ACS\
ProcessID : 1776
ThreadCreationTime : 4-7-2005 12:24:35 AM
BasePriority : Normal
FileVersion : 3.0.0.1
ProductVersion : 3.0.0.1
ProductName : AOL Connectivity Service
CompanyName : America Online
FileDescription : AOL Connectivity Service Dialer
InternalName : AOLdial
LegalCopyright : Copyright © 2004 America Online
OriginalFilename : AOLdial.exe

#:24 [aolsp scheduler.exe]
FilePath : C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\
ProcessID : 1784
ThreadCreationTime : 4-7-2005 12:24:35 AM
BasePriority : Normal
FileVersion : 1, 0, 0, 78
ProductVersion : 1, 0, 0, 78
ProductName : AOLSP Scheduler
FileDescription : AOLSP Scheduler
InternalName : AOLSP Scheduler
LegalCopyright : Copyright © America Online, Inc. 2004
OriginalFilename : AOLSP Scheduler.exe

#:25 [?canregw.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1840
ThreadCreationTime : 4-7-2005 12:24:35 AM
BasePriority : Normal


#:26 [dlg.exe]
FilePath : C:\Program Files\Digital Line Detect\
ProcessID : 1884
ThreadCreationTime : 4-7-2005 12:24:36 AM
BasePriority : Normal
FileVersion : 1, 0, 0, 1
ProductVersion : 1, 0, 0, 1
ProductName : BVRP Software TestLine
CompanyName : BVRP Software
FileDescription : Digital Line Detection
InternalName : TestLine
LegalCopyright : Copyright © 2003
OriginalFilename : TestLine.exe

#:27 [hpotdd01.exe]
FilePath : C:\Program Files\Hewlett-Packard\Digital Imaging\bin\
ProcessID : 1896
ThreadCreationTime : 4-7-2005 12:24:36 AM
BasePriority : Normal
FileVersion : 1, 0, 0, 1
ProductVersion : 1, 0, 0, 1
ProductName : Hewlett-Packard hpotdd01
CompanyName : Hewlett-Packard
FileDescription : hpotdd01
InternalName : hpotdd01
LegalCopyright : Copyright © 2002
OriginalFilename : hpotdd01.exe

#:28 [osa.exe]
FilePath : C:\Program Files\Microsoft Office\Office\
ProcessID : 1940
ThreadCreationTime : 4-7-2005 12:24:36 AM
BasePriority : Normal


#:29 [hposol08.exe]
FilePath : C:\Program Files\Hewlett-Packard\Digital Imaging\bin\
ProcessID : 2016
ThreadCreationTime : 4-7-2005 12:24:38 AM
BasePriority : Normal
FileVersion : 4.2.0.021
ProductVersion : 2.4.1.021
ProductName : hp digital imaging - hp all-in-one series
CompanyName : Hewlett-Packard Co.
FileDescription : HP OfficeJet COM Device Objects
InternalName : HPOSOL08
LegalCopyright : Copyright © Hewlett-Packard Co. 1995-2001
OriginalFilename : HPOSOL08.EXE
Comments : HP OfficeJet <Solar> Series COM Device Objects

#:30 [notifyalert.exe]
FilePath : c:\Program Files\Dell\Support\Alert\bin\
ProcessID : 144
ThreadCreationTime : 4-7-2005 12:24:40 AM
BasePriority : Normal


#:31 [hotsync.exe]
FilePath : C:\Program Files\Sony Handheld\
ProcessID : 164
ThreadCreationTime : 4-7-2005 12:24:40 AM
BasePriority : Normal
FileVersion : 4.0.4
ProductVersion : 4.1.0
ProductName : HotSync® Manager, Palm Desktop
CompanyName : Palm, Inc.
FileDescription : HotSync® Manager Application
InternalName : HotSync®
LegalCopyright : Copyright © 1995-2001 Palm, Inc.
LegalTrademarks : HotSync® is a registered trademark of Palm, Inc.
OriginalFilename : Hotsync.exe

#:32 [aolhos~1.exe]
FilePath : C:\PROGRA~1\COMMON~1\AOL\110414~1\EE\
ProcessID : 428
ThreadCreationTime : 4-7-2005 12:24:46 AM
BasePriority : Normal
FileVersion : 1.0.0.6
ProductVersion : 1.0.0.6
ProductName : AOL Service Libraries
CompanyName : America Online, Inc.
FileDescription : AOLHostManager Service
InternalName : AOLHostManager
LegalCopyright : © 2004 America Online, Inc.
OriginalFilename : AOLHostManager.exe

#:33 [em_exec.exe]
FilePath : C:\Program Files\Logitech\MouseWare\system\
ProcessID : 464
ThreadCreationTime : 4-7-2005 12:24:47 AM
BasePriority : Normal
FileVersion : 9.79.025
ProductVersion : 9.79.025
ProductName : MouseWare
CompanyName : Logitech Inc.
FileDescription : Logitech Events Handler Application
InternalName : Em_Exec
LegalCopyright : © 1987-2003 Logitech. All rights reserved.
LegalTrademarks : Logitech® and MouseWare® are registered trademarks of Logitech Inc.
OriginalFilename : Em_Exec.exe
Comments : Created by the MouseWare team

#:34 [aolservicehost.exe]
FilePath : C:\PROGRA~1\COMMON~1\AOL\110414~1\EE\
ProcessID : 1956
ThreadCreationTime : 4-7-2005 12:24:52 AM
BasePriority : Normal
FileVersion : 1.0.0.6
ProductVersion : 1.0.0.6
ProductName : AOL Service Libraries
CompanyName : America Online, Inc.
FileDescription : AOLServiceHost Service
InternalName : AOLServiceHost
LegalCopyright : © 2004 America Online, Inc.
OriginalFilename : AOLServiceHost.exe

#:35 [aolacsd.exe]
FilePath : C:\Program Files\Common Files\AOL\ACS\
ProcessID : 1392
ThreadCreationTime : 4-7-2005 12:24:57 AM
BasePriority : Normal
FileVersion : 3.0.0.1
ProductVersion : 3.0.0.1
ProductName : AOL Connectivity Service
CompanyName : America Online
FileDescription : AOL Connectivity Service
InternalName : AOLacsd
LegalCopyright : Copyright © 2004 America Online
OriginalFilename : AOLacsd.exe

#:36 [hpoevm08.exe]
FilePath : C:\Program Files\Hewlett-Packard\Digital Imaging\bin\
ProcessID : 2136
ThreadCreationTime : 4-7-2005 12:25:01 AM
BasePriority : Normal
FileVersion : 4.2.0.021
ProductVersion : 2.4.1.021
ProductName : hp digital imaging - hp all-in-one series
CompanyName : Hewlett-Packard Co.
FileDescription : HP OfficeJet COM Event Manager
InternalName : HPOEVM08
LegalCopyright : Copyright © Hewlett-Packard Co. 1995-2001
OriginalFilename : HPOEVM08.EXE
Comments : HP OfficeJet COM Event Manager

#:37 [aoltsmon.exe]
FilePath : C:\Program Files\Common Files\AOL\TopSpeed\2.0\
ProcessID : 2804
ThreadCreationTime : 4-7-2005 12:25:39 AM
BasePriority : Normal
FileVersion : 2, 0, 0, 0
ProductVersion : 2, 0, 0, 0
ProductName : AOL TopSpeed™ Monitor
CompanyName : America Online, Inc
FileDescription : AOL TopSpeed™ Monitor
InternalName : AOL TopSpeed™ Monitor
LegalCopyright : Copyright © 2004 America Online, Inc.
OriginalFilename : aoltsmon.exe

#:38 [ccproxy.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\
ProcessID : 2824
ThreadCreationTime : 4-7-2005 12:25:40 AM
BasePriority : Normal
FileVersion : 2.1.6.3
ProductVersion : 2.1.6.3
ProductName : Common Client
CompanyName : Symantec Corporation
FileDescription : Common Client Network Proxy Service
InternalName : ccProxy
LegalCopyright : Copyright © 2000-2003 Symantec Corporation. All rights reserved.
OriginalFilename : ccProxy.exe

#:39 [aoltpspd.exe]
FilePath : C:\Program Files\Common Files\AOL\TopSpeed\2.0\
ProcessID : 2832
ThreadCreationTime : 4-7-2005 12:25:40 AM
BasePriority : Normal
FileVersion : 2, 0, 0, 0
ProductVersion : 2, 0, 0, 0
ProductName : AOL TopSpeed™
CompanyName : America Online Inc
FileDescription : AOL TopSpeed™
InternalName : AOL TopSpeed™ Loader
LegalCopyright : Copyright © 2003-2004
LegalTrademarks : AOL TopSpeed™
OriginalFilename : aoltpspd.exe

#:40 [ccsetmgr.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\
ProcessID : 2848
ThreadCreationTime : 4-7-2005 12:25:40 AM
BasePriority : Normal
FileVersion : 2.1.6.3
ProductVersion : 2.1.6.3
ProductName : Common Client
CompanyName : Symantec Corporation
FileDescription : Common Client Settings Manager Service
InternalName : ccSetMgr
LegalCopyright : Copyright © 2000-2003 Symantec Corporation. All rights reserved.
OriginalFilename : ccSetMgr.exe

#:41 [navapsvc.exe]
FilePath : C:\Program Files\Norton Internet Security\Norton AntiVirus\
ProcessID : 2892
ThreadCreationTime : 4-7-2005 12:25:40 AM
BasePriority : Normal
FileVersion : 10.00.2
ProductVersion : 10.00.2
ProductName : Norton AntiVirus
CompanyName : Symantec Corporation
FileDescription : Norton AntiVirus Auto-Protect Service
InternalName : NAVAPSVC
LegalCopyright : Norton AntiVirus 2004 for Windows 98/ME/2000/XP Copyright © 2003 Symantec Corporation. All rights reserved.
OriginalFilename : NAVAPSVC.EXE

#:42 [riomsc.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 2952
ThreadCreationTime : 4-7-2005 12:25:41 AM
BasePriority : Normal
FileVersion : 2.90 build 15
ProductVersion : 2.90 build 15
ProductName : Rio Mass Storage Class Device Manager
CompanyName : Digital Networks North America, Inc.
FileDescription : Rio Mass Storage Class Device Manager
InternalName : RioMSC
LegalCopyright : © 2003-2004 Digital Networks North America, Inc.
OriginalFilename : RioMSC.EXE
Comments : http://www.rioaudio.com/

#:43 [sndsrvc.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\
ProcessID : 3160
ThreadCreationTime : 4-7-2005 12:25:45 AM
BasePriority : Normal
FileVersion : 5.4.4.17
ProductVersion : 5.4
ProductName : Symantec Security Drivers
CompanyName : Symantec Corporation
FileDescription : Network Driver Service
InternalName : SndSrvc
LegalCopyright : Copyright 2002, 2003, 2004 Symantec Corporation
OriginalFilename : SndSrvc.exe

#:44 [wdfmgr.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 3216
ThreadCreationTime : 4-7-2005 12:25:45 AM
BasePriority : Normal
FileVersion : 5.2.3790.1230 built by: dnsrv(bld4act)
ProductVersion : 5.2.3790.1230
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows User Mode Driver Manager
InternalName : WdfMgr
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : WdfMgr.exe

#:45 [ccevtmgr.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\
ProcessID : 3312
ThreadCreationTime : 4-7-2005 12:25:46 AM
BasePriority : Normal
FileVersion : 2.1.6.3
ProductVersion : 2.1.6.3
ProductName : Common Client
CompanyName : Symantec Corporation
FileDescription : Common Client Event Manager Service
InternalName : ccEvtMgr
LegalCopyright : Copyright © 2000-2003 Symantec Corporation. All rights reserved.
OriginalFilename : ccEvtMgr.exe

#:46 [hposts08.exe]
FilePath : C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\
ProcessID : 600
ThreadCreationTime : 4-7-2005 12:25:59 AM
BasePriority : Normal
FileVersion : 4.2.0.021
ProductVersion : 2.4.1.021
ProductName : hp digital imaging - hp all-in-one series
CompanyName : Hewlett-Packard Co.
FileDescription : HP OfficeJet Status
InternalName : HPOSTS08
LegalCopyright : Copyright © Hewlett-Packard Co. 1995-2001
OriginalFilename : HPOSTS08.EXE
Comments : HP OfficeJet Status

#:47 [wmiprvse.exe]
FilePath : C:\WINDOWS\System32\wbem\
ProcessID : 2496
ThreadCreationTime : 4-7-2005 12:26:07 AM
BasePriority : Normal
FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
ProductVersion : 5.1.2600.1106
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : WMI
InternalName : Wmiprvse.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : Wmiprvse.exe

#:48 [tmp5c.tmp]
FilePath : C:\DOCUME~1\MARKCA~1\LOCALS~1\Temp\
ProcessID : 2080
ThreadCreationTime : 4-7-2005 12:27:14 AM
BasePriority : Normal


#:49 [open32.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 2616
ThreadCreationTime : 4-7-2005 12:27:19 AM
BasePriority : Normal


#:50 [winsvc.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 2680
ThreadCreationTime : 4-7-2005 12:27:43 AM
BasePriority : Normal


#:51 [waol.exe]
FilePath : C:\Program Files\America Online 9.0a\
ProcessID : 1040
ThreadCreationTime : 4-7-2005 1:35:47 AM
BasePriority : Idle


#:52 [shellmon.exe]
FilePath : C:\Program Files\America Online 9.0a\
ProcessID : 1616
ThreadCreationTime : 4-7-2005 1:35:54 AM
BasePriority : Idle


#:53 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Plus\
ProcessID : 604
ThreadCreationTime : 4-7-2005 1:36:27 AM
BasePriority : Normal
FileVersion : 6.2.0.207
ProductVersion : VI.Second Edition
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 13


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ebates MoneyMaker Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment : "AC"
Rootkey : HKEY_USERS
Object : S-1-5-21-2284308411-2865305535-977358603-1007\software\lq
Value : AC

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 1
Objects found so far: 14


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 14


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking Cookie Object Recognized!
Type : IECache Entry
Data : mark cantarella@revenue[2].txt
Category : Data Miner
Comment : Hits:23
Value : Cookie:mark cantarella@revenue.net/
Expires : 6-10-2022 1:05:42 AM
LastSync : Hits:23
UseCount : 0
Hits : 23

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : mark cantarella@2o7[2].txt
Category : Data Miner
Comment : Hits:10
Value : Cookie:mark cantarella@2o7.net/
Expires : 4-5-2010 9:33:12 PM
LastSync : Hits:10
UseCount : 0
Hits : 10

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : mark cantarella@z1.adserver[1].txt
Category : Data Miner
Comment : Hits:3
Value : Cookie:mark cantarella@z1.adserver.com/
Expires : 4-6-2006 9:06:18 PM
LastSync : Hits:3
UseCount : 0
Hits : 3

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : mark cantarella@tribalfusion[2].txt
Category : Data Miner
Comment : Hits:2
Value : Cookie:mark cantarella@tribalfusion.com/
Expires : 12-31-2037 8:00:00 PM
LastSync : Hits:2
UseCount : 0
Hits : 2

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : mark cantarella@as-eu.falkag[1].txt
Category : Data Miner
Comment : Hits:7
Value : Cookie:mark cantarella@as-eu.falkag.net/
Expires : 4-6-2006 9:15:00 PM
LastSync : Hits:7
UseCount : 0
Hits : 7

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : mark cantarella@zedo[2].txt
Category : Data Miner
Comment : Hits:6
Value : Cookie:mark cantarella@zedo.com/
Expires : 4-4-2015 9:17:16 PM
LastSync : Hits:6
UseCount : 0
Hits : 6

Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 6
Objects found so far: 20



Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 20


Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
1 entries scanned.
New critical objects:0
Objects found so far: 20




Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ebates MoneyMaker Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq

Ebates MoneyMaker Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : TM

Ebates MoneyMaker Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : AD

Ebates MoneyMaker Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : AC

Ebates MoneyMaker Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : AM

Ebates MoneyMaker Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : AT

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 6
Objects found so far: 26

9:44:07 PM Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:07:32.703
Objects scanned:123696
Objects identified:13
Objects ignored:0
New critical objects:13

Logfile of HijackThis v1.99.1
Scan saved at 9:36:02 PM, on 4/6/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\WINDOWS\System32\?canregw.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
c:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\PROGRA~1\COMMON~1\AOL\110414~1\EE\AOLHOS~1.EXE
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\PROGRA~1\COMMON~1\AOL\110414~1\EE\AOLServiceHost.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\RioMSC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\DOCUME~1\MARKCA~1\LOCALS~1\Temp\tmp5C.tmp
C:\WINDOWS\System32\open32.exe
C:\WINDOWS\System32\winsvc.exe
C:\Desktop\HijackThis.exe
C:\Program Files\America Online 9.0a\waol.exe
C:\Program Files\America Online 9.0a\shellmon.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\MARKCA~1\LOCALS~1\Temp\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://visualtracking.symantec.com/default...=83.213.136.191
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - _{8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {7384CA03-23B1-0F63-C579-0E150612E09A} - C:\WINDOWS\System32\eejed.dll
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [DwlClient] c:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1104143061\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [Shell] open32.exe
O4 - HKLM\..\Run: [ap9h4qmo] C:\WINDOWS\System32\ap9h4qmo.exe
O4 - HKLM\..\Run: [s3rk3me] lmrstore.exe
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKLM\..\Run: [fujup] C:\WINDOWS\fujup.exe
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\elitezxn32.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Bas] C:\WINDOWS\System32\Kqu.exe
O4 - HKLM\..\Run: [Hdr] C:\WINDOWS\System32\Amq.exe
O4 - HKLM\..\Run: [Pho] C:\WINDOWS\Cqt.exe
O4 - HKLM\..\Run: [Fvu] C:\WINDOWS\System32\Vgg.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aida] C:\WINDOWS\System32\eetu.exe
O4 - HKCU\..\Run: [Yewsvfwp] C:\WINDOWS\System32\?canregw.exe
O4 - HKCU\..\Run: [Ejl] C:\WINDOWS\Ajj.exe
O4 - HKCU\..\Run: [d00qRgK8e] kdcnls.exe
O4 - HKCU\..\Run: [Aen] C:\WINDOWS\Iag.exe
O4 - HKCU\..\Run: [Dlq] C:\WINDOWS\Ves.exe
O4 - HKCU\..\Run: [Gef] C:\WINDOWS\Eri.exe
O4 - HKCU\..\Run: [Cen] C:\WINDOWS\System32\Keg.exe
O4 - HKCU\..\Run: [Qeh] C:\WINDOWS\System32\Fam.exe
O4 - HKCU\..\Run: [Ggk] C:\WINDOWS\System32\Qgq.exe
O4 - HKCU\..\Run: [Qnl] C:\WINDOWS\System32\Nns.exe
O4 - HKCU\..\Run: [Pdq] C:\WINDOWS\Vsh.exe
O4 - HKCU\..\Run: [Hma] C:\WINDOWS\System32\Tou.exe
O4 - HKCU\..\Run: [Nsd] C:\WINDOWS\Vdf.exe
O4 - HKCU\..\Run: [Sdm] C:\WINDOWS\Nfo.exe
O4 - HKCU\..\Run: [Ihn] C:\WINDOWS\Ipp.exe
O4 - HKCU\..\Run: [Ult] C:\WINDOWS\System32\Ucb.exe
O4 - HKCU\..\Run: [Tms] C:\WINDOWS\Nsb.exe
O4 - HKCU\..\Run: [Cla] C:\WINDOWS\System32\Fhj.exe
O4 - HKCU\..\Run: [Ess] C:\WINDOWS\Btn.exe
O4 - HKCU\..\Run: [Qal] C:\WINDOWS\System32\Icc.exe
O4 - HKCU\..\Run: [Sup] C:\WINDOWS\System32\Prt.exe
O4 - HKCU\..\Run: [Drm] C:\WINDOWS\Ruj.exe
O4 - HKCU\..\Run: [Nvi] C:\WINDOWS\Lsc.exe
O4 - HKCU\..\Run: [Ngj] C:\WINDOWS\Npc.exe
O4 - HKCU\..\Run: [Oqm] C:\WINDOWS\System32\Ibi.exe
O4 - HKCU\..\Run: [Hbe] C:\WINDOWS\System32\Dvp.exe
O4 - HKCU\..\Run: [Jkh] C:\WINDOWS\System32\Jrk.exe
O4 - HKCU\..\Run: [Ova] C:\WINDOWS\System32\Rbk.exe
O4 - HKCU\..\Run: [Drl] C:\WINDOWS\Vod.exe
O4 - HKCU\..\Run: [Udb] C:\WINDOWS\System32\Kpt.exe
O4 - HKCU\..\Run: [Bld] C:\WINDOWS\System32\Fgg.exe
O4 - HKCU\..\Run: [Fbq] C:\WINDOWS\Ujn.exe
O4 - HKCU\..\Run: [Tjs] C:\WINDOWS\System32\Hak.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0a\AOL.EXE" -b
O4 - HKCU\..\Run: [Bas] C:\WINDOWS\System32\Kqu.exe
O4 - HKCU\..\Run: [Hdr] C:\WINDOWS\System32\Amq.exe
O4 - HKCU\..\Run: [Pho] C:\WINDOWS\Cqt.exe
O4 - HKCU\..\Run: [Fvu] C:\WINDOWS\System32\Vgg.exe
O4 - Startup: datBED1.tmp
O4 - Startup: datBED2.tmp
O4 - Startup: datBED3.tmp
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Startup: winupdate25074547[1].exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: officejet 6100.lnk = ?
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Microsoft AntiSpyware helper - {6BDEE097-DBAB-4F24-BD3B-293370D21BCF} - C:\WINDOWS\System32\wldr.dll
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {6BDEE097-DBAB-4F24-BD3B-293370D21BCF} - C:\WINDOWS\System32\wldr.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Microsoft AntiSpyware helper - {6BDEE097-DBAB-4F24-BD3B-293370D21BCF} - C:\WINDOWS\System32\wldr.dll (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {6BDEE097-DBAB-4F24-BD3B-293370D21BCF} - C:\WINDOWS\System32\wldr.dll (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {CA07C74F-1788-45C2-8323-678635629972} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {CA07C74F-1788-45C2-8323-678635629972} - (no file) (HKCU)
O15 - Trusted Zone: *.horse-active.net
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O15 - Trusted Zone: *.horse-active.net (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted IP range: 64.62.171.156
O15 - Trusted IP range: 64.62.171.156 (HKLM)
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/6247971C.../bridge-c18.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} - http://horse-active.net/ang/loader2.ocx
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotion...ctor/WebAAS.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {D1ACD2D8-7312-4D06-BECD-90EB094D2277} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O20 - Winlogon Notify: drct16 - drct16.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O21 - SSODL: NTDBGTOOL - {F4CCA6DF-48F8-49AB-8701-2511440E6898} - C:\WINDOWS\System32\sbeitdde.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\System32\RioMSC.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Windows update Service (updater) - Unknown owner - C:\WINDOWS\System32\winsvc.exe

#2 ddeerrff (Retired, Malware Response Team)

Posted 07 April 2005 - 02:36 PM

Hello dailymark and welcome to BleepingComputer.

I am computing in adware hell.

I can believe that :thumbsup:

You have a lot going on here - it will take a bit of work to get you cleaned out. Let's see if we can start to get it under control.


Open Control Panel then Add/Remove Programs. Look for the following and uninstall them if found:
Media Access

Configure Windows to enable viewing of Hidden and System files.

Download LQfix.zip
- Unzip it to your desktop, don't use it yet!!

Download the following file and save it to your desktop: http://www.mvps.org/winhelp2002/DelDomains.inf
- Don't use it yet.

Download HSFix from here
-After it is downloaded, create a new folder on your desktop called "HSFix" and extract all the files into the newly created folder.

Boot into safe mode: Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Locate the HSFix folder on your desktop, open it, and double-click "hsfix.bat"
A log will be produced which you can close out of for now.


Start HJT and click on the SCAN button. Put a check mark in front of the following lines if they still show:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\MARKCA~1\LOCALS~1\Temp\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - _{8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O2 - BHO: (no name) - {7384CA03-23B1-0F63-C579-0E150612E09A} - C:\WINDOWS\System32\eejed.dll
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)

O4 - HKLM\..\Run: [etbrun] C:\windows\system32\elitezxn32.exe

O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/6247971C.../bridge-c18.cab
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} - http://horse-active.net/ang/loader2.ocx

With ALL OTHER WINDOWS CLOSED, click on Fix Checked. Close HJT.


Double-click on LQFix.bat. A DOS window will open and close again; that is normal.

Right-click on the deldomains.inf file and select 'Install'.


Reboot back into normal mode.

Locate the HSFix log which should be C:\hslog.txt. Open this text file, and copy the contents into your next post.
Rescan and post a new HijackThis log as well. There will be more to do.
Derfram
~~~~~~
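A way to make the triage ddeerrff does above repeatable, as an added example in Python and not anything posted in this thread or shipped with HijackThis: it parses lines in HijackThis v1.99 log format and flags the patterns that mark this infection in the logs above (bare filenames in Run keys such as open32.exe, the ? that HijackThis prints for a character it cannot display, the pseudo-random three-letter names like Kqu.exe, anything loading from a Temp folder, every Trusted Zone or Trusted IP range addition, ActiveX downloads with no friendly name, and services with no publisher). It also maps each O15 line to the ZoneMap registry key it lives in, which is what the deldomains fix clears. The sample lines are constructed from the posted logs; the heuristics and the two-label registrable-domain rule are my assumptions, not HijackThis scoring.

```python
import re

# Constructed sample in HijackThis v1.99 log format, modelled on the logs posted
# in this thread: benign Symantec/Dell entries mixed with the infection's.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Shell] open32.exe
O4 - HKLM\..\Run: [Bas] C:\WINDOWS\System32\Kqu.exe
O4 - HKCU\..\Run: [Yewsvfwp] C:\WINDOWS\System32\?canregw.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\MARKCA~1\LOCALS~1\Temp\se.dll/sp.html
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted IP range: 64.62.171.156 (HKLM)
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} - http://horse-active.net/ang/loader2.ocx
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Windows update Service (updater) - Unknown owner - C:\WINDOWS\System32\winsvc.exe
"""

RUN_RE = re.compile(r'^O4 - HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
ZONE_RE = re.compile(r'^O15 - Trusted (?P<kind>Zone|IP range): (?P<target>\S+)(?: \((?P<hive>HKLM)\))?$')
DPF_RE = re.compile(r'^O16 - DPF: \{[0-9A-Fa-f-]+\}(?P<friendly> \([^)]*\))? - (?P<url>\S+)$')
SERVICE_RE = re.compile(r'^O23 - Service: .+? - (?P<owner>.+?) - (?P<path>.+)$')
# Heuristic (my assumption, not a HijackThis rule): the infection's Run entries
# use capitalised pseudo-random three-letter names such as Kqu.exe or Amq.exe.
RANDOM_NAME_RE = re.compile(r'^[A-Z][a-z]{2}\.exe$')
ZONEMAP = r'Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'


def run_image(cmd):
    """Executable path from a Run value: text up to and including the first
    '.exe', leading quote dropped; falls back to the first token."""
    m = re.match(r'"?(?P<path>.*?\.exe)', cmd, re.IGNORECASE)
    return m.group('path') if m else cmd.split()[0].strip('"')


def triage_line(line):
    """Reasons one HijackThis line deserves a second look; [] if none."""
    reasons = []
    m = RUN_RE.match(line)
    if m:
        image = run_image(m.group('cmd'))
        base = image.rsplit('\\', 1)[-1]
        if '\\' not in image:
            reasons.append('bare filename: found through the search path, no fixed location')
        if '?' in image:
            reasons.append('character HijackThis cannot display in the path (shown as ?)')
        if RANDOM_NAME_RE.match(base):
            reasons.append('three-letter pseudo-random executable name')
    if re.search(r'\\Temp\\', line, re.IGNORECASE):
        reasons.append('loads from a Temp directory')
    if ZONE_RE.match(line):
        reasons.append('Trusted Zone addition: IE runs this site with relaxed security')
    m = DPF_RE.match(line)
    if m and not m.group('friendly'):
        reasons.append('downloaded ActiveX control with no friendly name')
    m = SERVICE_RE.match(line)
    if m and m.group('owner') == 'Unknown owner':
        reasons.append('service with no identifiable publisher')
    return reasons


def triage(log):
    """(line, reasons) for every flagged line, in log order."""
    flagged = []
    for line in log.splitlines():
        line = line.strip()
        reasons = triage_line(line) if line else []
        if reasons:
            flagged.append((line, reasons))
    return flagged


def zone_map_keys(log):
    r"""Registry keys behind each O15 line. Domains sit under ZoneMap\Domains as
    <registrable domain>[\<host prefix>]; IP ranges live in numbered subkeys of
    ZoneMap\Ranges, so only that parent key is returned for them."""
    keys = []
    for line in log.splitlines():
        m = ZONE_RE.match(line.strip())
        if not m:
            continue
        hive = 'HKEY_LOCAL_MACHINE' if m.group('hive') else 'HKEY_CURRENT_USER'
        if m.group('kind') == 'Zone':
            host = re.sub(r'^(?:\*\.|https?://)', '', m.group('target'))
            labels = host.split('.')
            # Registrable domain taken as the last two labels (multi-part TLDs
            # such as co.uk are not handled by this simplification).
            key = f'{hive}\\{ZONEMAP}\\Domains\\{".".join(labels[-2:])}'
            if len(labels) > 2:
                key += '\\' + '.'.join(labels[:-2])
            keys.append(key)
        else:
            keys.append(f'{hive}\\{ZONEMAP}\\Ranges')
    return keys


if __name__ == '__main__':
    for line, reasons in triage(SAMPLE_LOG):
        print(line)
        for reason in reasons:
            print('    ->', reason)
    print('\nZoneMap keys to inspect or delete:')
    for key in zone_map_keys(SAMPLE_LOG):
        print('   ', key)
```

Run as a script it prints each flagged line with its reasons; on a real log, replace SAMPLE_LOG with the file contents. A line that is not flagged is not thereby clean (nothing here recognises the eejed.dll BHO or the drct16 Winlogon Notify entry from the first log), so use it to reorder a long log for reading, not as a verdict.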

#3 dailymark (Topic Starter)

Posted 07 April 2005 - 09:53 PM

thanks.

Here are the logs. But I have another problem that I was unaware of. I cannot right-click on the desktop or in Explorer, so I was not able to install the deldomains file.

Here are the logs anyway.

Logfile of HijackThis v1.99.1
Scan saved at 10:49:24 PM, on 4/7/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\WINDOWS\System32\?canregw.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\Program Files\America Online 9.0a\waol.exe
c:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\PROGRA~1\COMMON~1\AOL\110414~1\EE\AOLHOS~1.EXE
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\PROGRA~1\COMMON~1\AOL\110414~1\EE\AOLServiceHost.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\RioMSC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\winsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\America Online 9.0a\shellmon.exe
C:\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://visualtracking.symantec.com/default...=83.213.136.191
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - _{8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [DwlClient] c:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1104143061\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [ap9h4qmo] C:\WINDOWS\System32\ap9h4qmo.exe
O4 - HKLM\..\Run: [s3rk3me] lmrstore.exe
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKLM\..\Run: [fujup] C:\WINDOWS\fujup.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Bas] C:\WINDOWS\System32\Kqu.exe
O4 - HKLM\..\Run: [Hdr] C:\WINDOWS\System32\Amq.exe
O4 - HKLM\..\Run: [Pho] C:\WINDOWS\Cqt.exe
O4 - HKLM\..\Run: [Fvu] C:\WINDOWS\System32\Vgg.exe
O4 - HKLM\..\Run: [Cbb] C:\WINDOWS\Eaa.exe
O4 - HKLM\..\Run: [Fuq] C:\WINDOWS\System32\Mct.exe
O4 - HKLM\..\Run: [Rmr] C:\WINDOWS\System32\Mrh.exe
O4 - HKLM\..\Run: [Ddq] C:\WINDOWS\System32\Qtp.exe
O4 - HKLM\..\Run: [Mcp] C:\WINDOWS\System32\Tdr.exe
O4 - HKLM\..\Run: [Pjl] C:\WINDOWS\Sfh.exe
O4 - HKLM\..\Run: [Kti] C:\WINDOWS\System32\Koc.exe
O4 - HKLM\..\Run: [Vcq] C:\WINDOWS\Gsi.exe
O4 - HKLM\..\Run: [Cld] C:\WINDOWS\System32\Mmb.exe
O4 - HKLM\..\Run: [Lpc] C:\WINDOWS\System32\Mmd.exe
O4 - HKLM\..\Run: [Ett] C:\WINDOWS\System32\Ikv.exe
O4 - HKLM\..\Run: [Mai] C:\WINDOWS\System32\Bkd.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aida] C:\WINDOWS\System32\eetu.exe
O4 - HKCU\..\Run: [Yewsvfwp] C:\WINDOWS\System32\?canregw.exe
O4 - HKCU\..\Run: [Ejl] C:\WINDOWS\Ajj.exe
O4 - HKCU\..\Run: [d00qRgK8e] kdcnls.exe
O4 - HKCU\..\Run: [Aen] C:\WINDOWS\Iag.exe
O4 - HKCU\..\Run: [Dlq] C:\WINDOWS\Ves.exe
O4 - HKCU\..\Run: [Gef] C:\WINDOWS\Eri.exe
O4 - HKCU\..\Run: [Cen] C:\WINDOWS\System32\Keg.exe
O4 - HKCU\..\Run: [Qeh] C:\WINDOWS\System32\Fam.exe
O4 - HKCU\..\Run: [Ggk] C:\WINDOWS\System32\Qgq.exe
O4 - HKCU\..\Run: [Qnl] C:\WINDOWS\System32\Nns.exe
O4 - HKCU\..\Run: [Pdq] C:\WINDOWS\Vsh.exe
O4 - HKCU\..\Run: [Hma] C:\WINDOWS\System32\Tou.exe
O4 - HKCU\..\Run: [Nsd] C:\WINDOWS\Vdf.exe
O4 - HKCU\..\Run: [Sdm] C:\WINDOWS\Nfo.exe
O4 - HKCU\..\Run: [Ihn] C:\WINDOWS\Ipp.exe
O4 - HKCU\..\Run: [Ult] C:\WINDOWS\System32\Ucb.exe
O4 - HKCU\..\Run: [Tms] C:\WINDOWS\Nsb.exe
O4 - HKCU\..\Run: [Cla] C:\WINDOWS\System32\Fhj.exe
O4 - HKCU\..\Run: [Ess] C:\WINDOWS\Btn.exe
O4 - HKCU\..\Run: [Qal] C:\WINDOWS\System32\Icc.exe
O4 - HKCU\..\Run: [Sup] C:\WINDOWS\System32\Prt.exe
O4 - HKCU\..\Run: [Drm] C:\WINDOWS\Ruj.exe
O4 - HKCU\..\Run: [Nvi] C:\WINDOWS\Lsc.exe
O4 - HKCU\..\Run: [Ngj] C:\WINDOWS\Npc.exe
O4 - HKCU\..\Run: [Oqm] C:\WINDOWS\System32\Ibi.exe
O4 - HKCU\..\Run: [Hbe] C:\WINDOWS\System32\Dvp.exe
O4 - HKCU\..\Run: [Jkh] C:\WINDOWS\System32\Jrk.exe
O4 - HKCU\..\Run: [Ova] C:\WINDOWS\System32\Rbk.exe
O4 - HKCU\..\Run: [Drl] C:\WINDOWS\Vod.exe
O4 - HKCU\..\Run: [Udb] C:\WINDOWS\System32\Kpt.exe
O4 - HKCU\..\Run: [Bld] C:\WINDOWS\System32\Fgg.exe
O4 - HKCU\..\Run: [Fbq] C:\WINDOWS\Ujn.exe
O4 - HKCU\..\Run: [Tjs] C:\WINDOWS\System32\Hak.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0a\AOL.EXE" -b
O4 - HKCU\..\Run: [Bas] C:\WINDOWS\System32\Kqu.exe
O4 - HKCU\..\Run: [Hdr] C:\WINDOWS\System32\Amq.exe
O4 - HKCU\..\Run: [Pho] C:\WINDOWS\Cqt.exe
O4 - HKCU\..\Run: [Fvu] C:\WINDOWS\System32\Vgg.exe
O4 - HKCU\..\Run: [Cbb] C:\WINDOWS\Eaa.exe
O4 - HKCU\..\Run: [Fuq] C:\WINDOWS\System32\Mct.exe
O4 - HKCU\..\Run: [Rmr] C:\WINDOWS\System32\Mrh.exe
O4 - HKCU\..\Run: [Ddq] C:\WINDOWS\System32\Qtp.exe
O4 - HKCU\..\Run: [Mcp] C:\WINDOWS\System32\Tdr.exe
O4 - HKCU\..\Run: [Pjl] C:\WINDOWS\Sfh.exe
O4 - HKCU\..\Run: [Kti] C:\WINDOWS\System32\Koc.exe
O4 - HKCU\..\Run: [Vcq] C:\WINDOWS\Gsi.exe
O4 - HKCU\..\Run: [Cld] C:\WINDOWS\System32\Mmb.exe
O4 - HKCU\..\Run: [Lpc] C:\WINDOWS\System32\Mmd.exe
O4 - HKCU\..\Run: [Ett] C:\WINDOWS\System32\Ikv.exe
O4 - HKCU\..\Run: [Mai] C:\WINDOWS\System32\Bkd.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: officejet 6100.lnk = ?
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Microsoft AntiSpyware helper - {6BDEE097-DBAB-4F24-BD3B-293370D21BCF} - C:\WINDOWS\System32\wldr.dll
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {6BDEE097-DBAB-4F24-BD3B-293370D21BCF} - C:\WINDOWS\System32\wldr.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Microsoft AntiSpyware helper - {6BDEE097-DBAB-4F24-BD3B-293370D21BCF} - C:\WINDOWS\System32\wldr.dll (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {6BDEE097-DBAB-4F24-BD3B-293370D21BCF} - C:\WINDOWS\System32\wldr.dll (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {CA07C74F-1788-45C2-8323-678635629972} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {CA07C74F-1788-45C2-8323-678635629972} - (no file) (HKCU)
O15 - Trusted Zone: *.horse-active.net
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O15 - Trusted Zone: *.horse-active.net (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted IP range: 64.62.171.156
O15 - Trusted IP range: 64.62.171.156 (HKLM)
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotion...ctor/WebAAS.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {D1ACD2D8-7312-4D06-BECD-90EB094D2277} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O21 - SSODL: NTDBGTOOL - {F4CCA6DF-48F8-49AB-8701-2511440E6898} - C:\WINDOWS\System32\sbeitdde.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\System32\RioMSC.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Windows update Service (updater) - Unknown owner - C:\WINDOWS\System32\winsvc.exe

Horseserver Removal Tool v1.05
by Atri
-
-
1. Registry Fix Started
-
Registry fix complete
-
2. Deleted Services
-
vdnt32
[SC] OpenService FAILED 1060:

The specified service does not exist as an installed service.

klo5
[SC] OpenService FAILED 1060:

The specified service does not exist as an installed service.

-
3. Finding files Located on system
-
klogini.dll
p2.ini
ps.a3d
vdnt32.sys
klo5.sys
w32tm.exe
open32.exe
-
4. Deleting files that were found.
-
-
5. Checking for and Removing Winupdate
-
-
-
where to next?

#4 ddeerrff (Retired, Malware Response Team)

Posted 08 April 2005 - 12:21 AM

Configure Windows to enable viewing of Hidden and System files.


Open Notepad (Start button, click on Run, type in Notepad, and click OK) and copy and paste the following block of text into it.

REGEDIT4

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]

Click on 'File', then 'Save as'.
Select 'Save as type:' as All Files.
Save the file to the desktop as deldomains.reg. Close Notepad.


Reopen Notepad (Start button, click on Run, type in Notepad, and click OK) and copy and paste the following block of text into it.

del /f C:\WINDOWS\System32\ap9h4qmo.exe
del /f C:\WINDOWS\lmrstore.exe
del /f C:\WINDOWS\System32\lmrstore.exe
del /f C:\WINDOWS\fujup.exe
del /f C:\WINDOWS\System32\Kqu.exe
del /f C:\WINDOWS\System32\Amq.exe
del /f C:\WINDOWS\Cqt.exe
del /f C:\WINDOWS\System32\Vgg.exe
del /f C:\WINDOWS\Eaa.exe
del /f C:\WINDOWS\System32\Mct.exe
del /f C:\WINDOWS\System32\Mrh.exe
del /f C:\WINDOWS\System32\Qtp.exe
del /f C:\WINDOWS\System32\Tdr.exe
del /f C:\WINDOWS\Sfh.exe
del /f C:\WINDOWS\System32\Koc.exe
del /f C:\WINDOWS\Gsi.exe
del /f C:\WINDOWS\System32\Mmb.exe
del /f C:\WINDOWS\System32\Mmd.exe
del /f C:\WINDOWS\System32\Ikv.exe
del /f C:\WINDOWS\System32\Bkd.exe
del /f C:\WINDOWS\System32\eetu.exe
del /f C:\WINDOWS\Ajj.exe
del /f C:\WINDOWS\kdcnls.exe
del /f C:\WINDOWS\System32\kdcnls.exe
del /f C:\WINDOWS\Iag.exe
del /f C:\WINDOWS\Ves.exe
del /f C:\WINDOWS\Eri.exe
del /f C:\WINDOWS\System32\Keg.exe
del /f C:\WINDOWS\System32\Fam.exe
del /f C:\WINDOWS\System32\Qgq.exe
del /f C:\WINDOWS\System32\Nns.exe
del /f C:\WINDOWS\Vsh.exe
del /f C:\WINDOWS\System32\Tou.exe
del /f C:\WINDOWS\Vdf.exe
del /f C:\WINDOWS\Nfo.exe
del /f C:\WINDOWS\Ipp.exe
del /f C:\WINDOWS\System32\Ucb.exe
del /f C:\WINDOWS\Nsb.exe
del /f C:\WINDOWS\System32\Fhj.exe
del /f C:\WINDOWS\Btn.exe
del /f C:\WINDOWS\System32\Icc.exe
del /f C:\WINDOWS\System32\Prt.exe
del /f C:\WINDOWS\Ruj.exe
del /f C:\WINDOWS\Lsc.exe
del /f C:\WINDOWS\Npc.exe
del /f C:\WINDOWS\System32\Ibi.exe
del /f C:\WINDOWS\System32\Dvp.exe
del /f C:\WINDOWS\System32\Jrk.exe
del /f C:\WINDOWS\System32\Rbk.exe
del /f C:\WINDOWS\Vod.exe
del /f C:\WINDOWS\System32\Kpt.exe
del /f C:\WINDOWS\System32\Fgg.exe
del /f C:\WINDOWS\Ujn.exe
del /f C:\WINDOWS\System32\Hak.exe
del /f C:\WINDOWS\System32\Kqu.exe
del /f C:\WINDOWS\System32\Amq.exe
del /f C:\WINDOWS\Cqt.exe
del /f C:\WINDOWS\System32\Vgg.exe
del /f C:\WINDOWS\Eaa.exe
del /f C:\WINDOWS\System32\Mct.exe
del /f C:\WINDOWS\System32\Mrh.exe
del /f C:\WINDOWS\System32\Qtp.exe
del /f C:\WINDOWS\System32\Tdr.exe
del /f C:\WINDOWS\Sfh.exe
del /f C:\WINDOWS\System32\Koc.exe
del /f C:\WINDOWS\Gsi.exe
del /f C:\WINDOWS\System32\Mmb.exe
del /f C:\WINDOWS\System32\Mmd.exe
del /f C:\WINDOWS\System32\Ikv.exe
del /f C:\WINDOWS\System32\Bkd.exe
del /f C:\WINDOWS\System32\wldr.dll
del /f C:\WINDOWS\System32\sbeitdde.dll
del /f C:\WINDOWS\System32\winsvc.exe
rd /s /q "C:\Program Files\Media Access"
rd /s /q "C:\Program Files\Security iGuard"

Click on 'File', then 'Save as'
Select 'Save as type:' as All Files,
Save the file to the desktop as delfiles.bat. Close Notepad.


Reboot into Safe Mode

Find on your desktop and double-click on the deldomains.reg file. When it prompts whether you would like to import/merge the data, press the Yes button.


Start HJT and click on the SCAN button. Put a check mark in front of the following lines if they still show:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - _{8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [ap9h4qmo] C:\WINDOWS\System32\ap9h4qmo.exe
O4 - HKLM\..\Run: [s3rk3me] lmrstore.exe
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKLM\..\Run: [fujup] C:\WINDOWS\fujup.exe
O4 - HKLM\..\Run: [Bas] C:\WINDOWS\System32\Kqu.exe
O4 - HKLM\..\Run: [Hdr] C:\WINDOWS\System32\Amq.exe
O4 - HKLM\..\Run: [Pho] C:\WINDOWS\Cqt.exe
O4 - HKLM\..\Run: [Fvu] C:\WINDOWS\System32\Vgg.exe
O4 - HKLM\..\Run: [Cbb] C:\WINDOWS\Eaa.exe
O4 - HKLM\..\Run: [Fuq] C:\WINDOWS\System32\Mct.exe
O4 - HKLM\..\Run: [Rmr] C:\WINDOWS\System32\Mrh.exe
O4 - HKLM\..\Run: [Ddq] C:\WINDOWS\System32\Qtp.exe
O4 - HKLM\..\Run: [Mcp] C:\WINDOWS\System32\Tdr.exe
O4 - HKLM\..\Run: [Pjl] C:\WINDOWS\Sfh.exe
O4 - HKLM\..\Run: [Kti] C:\WINDOWS\System32\Koc.exe
O4 - HKLM\..\Run: [Vcq] C:\WINDOWS\Gsi.exe
O4 - HKLM\..\Run: [Cld] C:\WINDOWS\System32\Mmb.exe
O4 - HKLM\..\Run: [Lpc] C:\WINDOWS\System32\Mmd.exe
O4 - HKLM\..\Run: [Ett] C:\WINDOWS\System32\Ikv.exe
O4 - HKLM\..\Run: [Mai] C:\WINDOWS\System32\Bkd.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Aida] C:\WINDOWS\System32\eetu.exe
O4 - HKCU\..\Run: [Yewsvfwp] C:\WINDOWS\System32\?canregw.exe
O4 - HKCU\..\Run: [Ejl] C:\WINDOWS\Ajj.exe
O4 - HKCU\..\Run: [d00qRgK8e] kdcnls.exe
O4 - HKCU\..\Run: [Aen] C:\WINDOWS\Iag.exe
O4 - HKCU\..\Run: [Dlq] C:\WINDOWS\Ves.exe
O4 - HKCU\..\Run: [Gef] C:\WINDOWS\Eri.exe
O4 - HKCU\..\Run: [Cen] C:\WINDOWS\System32\Keg.exe
O4 - HKCU\..\Run: [Qeh] C:\WINDOWS\System32\Fam.exe
O4 - HKCU\..\Run: [Ggk] C:\WINDOWS\System32\Qgq.exe
O4 - HKCU\..\Run: [Qnl] C:\WINDOWS\System32\Nns.exe
O4 - HKCU\..\Run: [Pdq] C:\WINDOWS\Vsh.exe
O4 - HKCU\..\Run: [Hma] C:\WINDOWS\System32\Tou.exe
O4 - HKCU\..\Run: [Nsd] C:\WINDOWS\Vdf.exe
O4 - HKCU\..\Run: [Sdm] C:\WINDOWS\Nfo.exe
O4 - HKCU\..\Run: [Ihn] C:\WINDOWS\Ipp.exe
O4 - HKCU\..\Run: [Ult] C:\WINDOWS\System32\Ucb.exe
O4 - HKCU\..\Run: [Tms] C:\WINDOWS\Nsb.exe
O4 - HKCU\..\Run: [Cla] C:\WINDOWS\System32\Fhj.exe
O4 - HKCU\..\Run: [Ess] C:\WINDOWS\Btn.exe
O4 - HKCU\..\Run: [Qal] C:\WINDOWS\System32\Icc.exe
O4 - HKCU\..\Run: [Sup] C:\WINDOWS\System32\Prt.exe
O4 - HKCU\..\Run: [Drm] C:\WINDOWS\Ruj.exe
O4 - HKCU\..\Run: [Nvi] C:\WINDOWS\Lsc.exe
O4 - HKCU\..\Run: [Ngj] C:\WINDOWS\Npc.exe
O4 - HKCU\..\Run: [Oqm] C:\WINDOWS\System32\Ibi.exe
O4 - HKCU\..\Run: [Hbe] C:\WINDOWS\System32\Dvp.exe
O4 - HKCU\..\Run: [Jkh] C:\WINDOWS\System32\Jrk.exe
O4 - HKCU\..\Run: [Ova] C:\WINDOWS\System32\Rbk.exe
O4 - HKCU\..\Run: [Drl] C:\WINDOWS\Vod.exe
O4 - HKCU\..\Run: [Udb] C:\WINDOWS\System32\Kpt.exe
O4 - HKCU\..\Run: [Bld] C:\WINDOWS\System32\Fgg.exe
O4 - HKCU\..\Run: [Fbq] C:\WINDOWS\Ujn.exe
O4 - HKCU\..\Run: [Tjs] C:\WINDOWS\System32\Hak.exe
O4 - HKCU\..\Run: [Bas] C:\WINDOWS\System32\Kqu.exe
O4 - HKCU\..\Run: [Hdr] C:\WINDOWS\System32\Amq.exe
O4 - HKCU\..\Run: [Pho] C:\WINDOWS\Cqt.exe
O4 - HKCU\..\Run: [Fvu] C:\WINDOWS\System32\Vgg.exe
O4 - HKCU\..\Run: [Cbb] C:\WINDOWS\Eaa.exe
O4 - HKCU\..\Run: [Fuq] C:\WINDOWS\System32\Mct.exe
O4 - HKCU\..\Run: [Rmr] C:\WINDOWS\System32\Mrh.exe
O4 - HKCU\..\Run: [Ddq] C:\WINDOWS\System32\Qtp.exe
O4 - HKCU\..\Run: [Mcp] C:\WINDOWS\System32\Tdr.exe
O4 - HKCU\..\Run: [Pjl] C:\WINDOWS\Sfh.exe
O4 - HKCU\..\Run: [Kti] C:\WINDOWS\System32\Koc.exe
O4 - HKCU\..\Run: [Vcq] C:\WINDOWS\Gsi.exe
O4 - HKCU\..\Run: [Cld] C:\WINDOWS\System32\Mmb.exe
O4 - HKCU\..\Run: [Lpc] C:\WINDOWS\System32\Mmd.exe
O4 - HKCU\..\Run: [Ett] C:\WINDOWS\System32\Ikv.exe
O4 - HKCU\..\Run: [Mai] C:\WINDOWS\System32\Bkd.exe

O9 - Extra button: Microsoft AntiSpyware helper - {6BDEE097-DBAB-4F24-BD3B-293370D21BCF} - C:\WINDOWS\System32\wldr.dll
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {6BDEE097-DBAB-4F24-BD3B-293370D21BCF} - C:\WINDOWS\System32\wldr.dll
O9 - Extra button: Microsoft AntiSpyware helper - {6BDEE097-DBAB-4F24-BD3B-293370D21BCF} - C:\WINDOWS\System32\wldr.dll (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {6BDEE097-DBAB-4F24-BD3B-293370D21BCF} - C:\WINDOWS\System32\wldr.dll (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {CA07C74F-1788-45C2-8323-678635629972} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {CA07C74F-1788-45C2-8323-678635629972} - (no file) (HKCU)

O15 - Trusted Zone: *.horse-active.net
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O15 - Trusted Zone: *.horse-active.net (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted IP range: 64.62.171.156
O15 - Trusted IP range: 64.62.171.156 (HKLM)

O21 - SSODL: NTDBGTOOL - {F4CCA6DF-48F8-49AB-8701-2511440E6898} - C:\WINDOWS\System32\sbeitdde.dll

O23 - Service: Windows update Service (updater) - Unknown owner - C:\WINDOWS\System32\winsvc.exe

With ALL OTHER WINDOWS CLOSED, click on Fix Checked. Close HJT.


Find on your desktop and double-click on the delfiles.bat file.


After it finishes, reboot normally and post a new HJT log. Let me know if your ability to right-click returns.

Edited by ddeerrff, 08 April 2005 - 09:16 AM.

Derfram
~~~~~~
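As an added example (not from the original post, and not a HijackThis feature), the following Python script encodes the selection rules behind the fix list above: Trusted Zone additions (O15), three-letter random-named executables dropped in the Windows directories and startup entries with no path (O4), orphaned browser buttons (O9), ShellServiceObjectDelayLoad autostarts (O21) and services with no registered owner (O23). It runs those rules over lines copied from the log quoted in the post. The section prefixes and line formats are HijackThis's; the heuristics, the `Finding` type and the `SYSTEM_DIRS` set are the example's own assumptions.

```python
"""HijackThis-log triage helper.

Added example for this thread; not part of the original post and not a
HijackThis feature. It reads HJT-style lines and flags the patterns the
helper told the poster to fix, so a responder can see why a line was
selected. SAMPLE_LOG is a constructed excerpt copied from the post's log.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import Optional

SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [Bas] C:\WINDOWS\System32\Kqu.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [d00qRgK8e] kdcnls.exe
O4 - HKCU\..\Run: [Ejl] C:\WINDOWS\Ajj.exe
O9 - Extra button: Microsoft AntiSpyware helper - {CA07C74F-1788-45C2-8323-678635629972} - (no file) (HKCU)
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O15 - Trusted IP range: 64.62.171.156 (HKLM)
O21 - SSODL: NTDBGTOOL - {F4CCA6DF-48F8-49AB-8701-2511440E6898} - C:\WINDOWS\System32\sbeitdde.dll
O23 - Service: Windows update Service (updater) - Unknown owner - C:\WINDOWS\System32\winsvc.exe
"""

# Assumed heuristic: a bare three-letter .exe sitting directly in one of these
# directories matches the random-name dropper pattern seen in this thread
# (Kqu.exe, Amq.exe, Ajj.exe, ...). Compared case-insensitively.
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32"}

O4_RE = re.compile(r"O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)")


@dataclass(frozen=True)
class Finding:
    section: str   # HJT section prefix: O4, O9, O15, O21, O23
    reason: str
    line: str


def executable_of(cmd: str) -> str:
    """Return the program part of a Run-key command with its arguments stripped."""
    m = re.match(r"(?i)(.*?\.exe)(\s|$)", cmd)
    return m.group(1) if m else cmd.split()[0]


def check_run_entry(cmd: str) -> Optional[str]:
    """Reason string if an O4 command looks suspicious, else None."""
    exe = executable_of(cmd)
    directory = ntpath.dirname(exe).lower()
    stem, _ext = ntpath.splitext(ntpath.basename(exe))
    if directory == "":
        return "startup program given without a path (resolved via search path)"
    if directory in SYSTEM_DIRS and re.fullmatch(r"[A-Za-z]{3}", stem):
        return "three-letter random-looking executable in a system directory"
    return None


def triage(log_text: str) -> list[Finding]:
    """Apply the per-section rules to every non-empty HJT line."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        section = line.split(" ", 1)[0]
        reason: Optional[str] = None
        if section == "O4":
            m = O4_RE.match(line)
            reason = check_run_entry(m.group("cmd")) if m else None
        elif section == "O9" and "(no file)" in line:
            reason = "IE button/menu item whose target file is missing"
        elif section == "O15":
            # Sites in the Trusted zone get relaxed IE security settings; the
            # post treats every O15 line on this machine as malware-added.
            reason = "site or IP range added to the IE Trusted zone"
        elif section == "O21":
            reason = "ShellServiceObjectDelayLoad autostart (rarely legitimate, review)"
        elif section == "O23" and "Unknown owner" in line:
            reason = "service with no registered owner"
        if reason:
            findings.append(Finding(section, reason, line))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per HJT section."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.section] = counts.get(f.section, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.line}")
```

Run against the sample, the script flags the three random-named or path-less O4 entries while leaving `KernelFaultCheck` (a stock Windows entry) and the `Media Access` entry alone; the latter is adware but does not match these particular heuristics, which is the usual reason a human still reviews the full log rather than trusting an automated selection.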

#5 ddeerrff

ddeerrff

    Retired


  • Malware Response Team
  • 2,741 posts
  • Gender:Male
  • Location:Upper Midwest, US

Posted 22 April 2005 - 03:55 PM

Due to inactivity, this thread will now be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.
Derfram
~~~~~~
