Pop-ups, Startup item, viruses


24 replies to this topic

#1 jupiter

jupiter

  • Members
  • 70 posts
  • OFFLINE
  •  
  • Local time:12:59 PM

Posted 13 May 2005 - 05:53 PM

Hello. I seem to have a variety of problems and I'm stumped as to what to do about them. First, I have 5 viruses and a hacktool that Norton AV 2005 detects but can't seem to do anything with. They are:

Trojan.Dropper in the compressed file gamma.exe located in C:\MSDOS.EXE
IRC Trojan in the compressed file ght.dll also located in C:\MSDOS.EXE
IRC Trojan in the compressed file kaspar.idiet.cab also located in
C:\MSDOS.EXE
IRC Trojan in the compressed file nocx.ocx also located in C:\MSDOS.EXE
Backdoor.IRC.Flood in the file prx.exe within C:\MSDOS.EXE
Hacktool threat in the file calc32.exe within C:\MSDOS.EXE

I tried following Symantec's instructions on removal but it didn't work. Maybe I did something wrong but I tried to do what they suggested.

Then I keep getting bombarded with a Startup Item that my Spy Sweeper keeps catching called "Online Start". This comes up constantly.

Next it seems that every time I click on something to get a new window (regardless of the Internet site), I get hit with a pop-up. I have Pop-up Hitman, and MS SP2 which, I thought, has a pop-up killer, but they seem to have been quieted down in their protection activities. Don't know if this is related to the stuff Norton AV found.

Additionally, when I reboot or restart, I get a window that tells me:
"ccRegVfy.exe - Unable to locate. This application failed to start because
SYMSTORE.dll was not found."

Now that's a list of stuff. I've run my HJT and don't see anything suspicious there, but I'm not the expert you guys are. I've run Adaware and SpyBot and they don't show anything either. So I thought I'd better talk to you before anything serious happens. If it helps, my latest HJT log is posted below. Thanks for looking at this.

Logfile of HijackThis v1.99.0
Scan saved at 6:06:52 PM, on 5/13/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\wfxsnt40.exe
C:\Program Files\Prolific Publishing, Inc\PopUp Hitman\PopUp Hitman.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Caere\PageKeeper30\system\PKJobs.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Norton Utilities\SYSDOC32.EXE
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Nikon\NkView5\NkvMon.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Symantec\WinFax\WFXCTL32.EXE
C:\Program Files\Caere\PageKeeper30\SYSTEM\PKSlapi.exe
C:\Program Files\Caere\PageKeeper30\SYSTEM\PKTOPASS.EXE
C:\Program Files\Symantec\WinFax\WFXMOD32.EXE
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Adobe\Acrobat 4.0\Reader\AcroRd32.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.suscombroadband.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.suscombroadband.com
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [PopUp Hitman] C:\Program Files\Prolific Publishing, Inc\PopUp Hitman\PopUp Hitman.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [hpppta] C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hpppta.exe /ICON
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB002" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: PopUp Hitman.lnk = C:\Program Files\Prolific Publishing, Inc\PopUp Hitman\PopUp Hitman.exe
O4 - Global Startup: PageKeeper Jobs.lnk = C:\Program Files\Caere\PageKeeper30\system\PKJobs.exe
O4 - Global Startup: Norton System Doctor.lnk = C:\Program Files\Norton Utilities\SYSDOC32.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView5\NkvMon.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Controller.LNK = C:\Program Files\Symantec\WinFax\WFXCTL32.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/ac...ta/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...367/mcfscan.cab
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\Program Files\Speed Disk\nopdb.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


#2 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,593 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:12:59 PM

Posted 14 May 2005 - 10:58 AM

You will probably have to reinstall Symantec antivirus to fix that error on startup.

Also boot into safe mode and see if you can delete c:\msdos.exe

Then come back and do the following:

Download http://www.bleepingcomputer.com/files/grinler/pfind-new.zip

Extract pfind.zip to your c:\ folder.

Reboot your computer into Safe Mode

Then open c:\pfind and double-click on pfind.bat. When it is done, reboot and post the contents of c:\pfind.txt as a reply to this topic.

#3 jupiter


Posted 17 May 2005 - 08:12 PM

OK. I did what you suggested. I uninstalled and reinstalled Norton AV 2005 and updated it. I'm still getting the startup error not being able to locate "SYMSTORE.DLL". I downloaded pfind-new.zip and executed that. While in Safe Mode, I deleted C:\MDOS.EXE. I then ran pfind.bat. It ran for about 3 hours and kept giving me readouts that said I was out of available space (although I should not be out of space.) I don't know if I missed something but it asked me if I wanted to create the file pfind.txt so I clicked "yes". However, when it was all done, that file was empty. Should I run it again? or, did I do something wrong? Anyway, so far nothing else has changed. Still keep getting that Online Startup program picked up by Spy Sweeper and I'm still getting popups. I assume that I got rid of the viruses by deleting the mdos.exe program, but I'm not sure what they were doing in the first place. If I don't hear from you before I go to bed tonite, I'll run pfind.bat again and see if I can get something in the txt file for you for tomorrow. Thanks.

#4 Grinler


Posted 18 May 2005 - 09:35 PM

There was a problem with the file. Delete the pfind directory and redownload it as I corrected the problem.

Also when you have a chance (link is not working now) check out this link on how to fully uninstall Norton AV 2005. Follow the instructions there as well as running their uninstall tool and then try to reinstall.

http://service1.symantec.com/SUPPORT/nav.n...nav&svy=&csm=no

#5 jupiter


Posted 20 May 2005 - 08:28 AM

I ran the pfind.bat program again last night and this time I got a text file on the results. The contents of that file are as follows:

Files found with this application may be legitimate.
Only remove files that you know are malware related.


Checking the C: folder



Checking the C:\Program Files folder



Checking the C:\WINDOWS folder

C:\WINDOWS\flashax.exe: .aspack
C:\WINDOWS\vsapi32.dll: UPX!t4
C:\WINDOWS\tsc.exe: UPX!
C:\WINDOWS\eFaxview.exe: .aspack
C:\WINDOWS\ssk.exe: UPX!


Checking the C:\WINDOWS\SYSTEM32 folder

C:\WINDOWS\SYSTEM32\appsys.exe: .aspack
C:\WINDOWS\SYSTEM32\pav.sig: .aspack
C:\WINDOWS\SYSTEM32\pav.sig: :.aspackze
C:\WINDOWS\SYSTEM32\pav.sig: .aspack.text
C:\WINDOWS\SYSTEM32\pav.sig: H.aspack.text
C:\WINDOWS\SYSTEM32\pav.sig: .aspack.text
C:\WINDOWS\SYSTEM32\pav.sig: 4.aspack
C:\WINDOWS\SYSTEM32\pav.sig: F<SW.aspack
C:\WINDOWS\SYSTEM32\pav.sig: [.aspack
C:\WINDOWS\SYSTEM32\pav.sig: UPX!
C:\WINDOWS\SYSTEM32\pav.sig: .aspack0
C:\WINDOWS\SYSTEM32\pav.sig: .aspack
C:\WINDOWS\SYSTEM32\pav.sig: .aspack
C:\WINDOWS\SYSTEM32\pav.sig: H@.aspack.text
C:\WINDOWS\SYSTEM32\pav.sig: SAHAgent
C:\WINDOWS\SYSTEM32\ntdll.dll: .aspack
C:\WINDOWS\SYSTEM32\eFaxview.exe: .aspack


Checking all directories under the C:\WINDOWS\SYSTEM32\drivers folder



Checking the C:\Documents and Settings\All Users\Start Menu\programs\Startup\ folder




Checking the C:\Documents and Settings\All Users\Application Data folder




Checking the C:\Documents and Settings\Administrator.MYCOMPUTER\Start Menu\programs\Startup\ folder




Checking the C:\Documents and Settings\Administrator.MYCOMPUTER\Application Data folder




Checking the Windows folder for system and hidden files within the last 60 days


C:\WINDOWS\
bootstat.dat Thu May 19 2005 10:32:32p A.S.. 2,048 2.00 K
qtfont.qfn Mon May 16 2005 11:00:32p A..H. 54,156 52.89 K
ndnuni~1.exe Fri Mar 25 2005 3:09:54p A.S.. 50,688 49.50 K

C:\WINDOWS\TASKS\
sa.dat Thu May 19 2005 10:31:08p A..H. 6 0.00 K
afea84~1.job Thu May 19 2005 10:00:02p A..H. 296 0.29 K

C:\WINDOWS\SYSTEM32\CONFIG\
system.log Thu May 19 2005 10:31:26p A..H. 966,656 944.00 K
software.log Thu May 19 2005 10:31:26p A..H. 86,016 84.00 K
default.log Thu May 19 2005 10:31:26p A..H. 8,192 8.00 K
sam.log Thu May 19 2005 10:32:44p A..H. 1,024 1.00 K
security.log Thu May 19 2005 10:32:34p A..H. 12,288 12.00 K

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\
ntuser~1.log Thu May 12 2005 3:01:00a A..H. 1,024 1.00 K

C:\WINDOWS\SYSTEM32\CATROOT\{F750E~1\
kb8938~1.cat Mon Mar 21 2005 3:00:24p ..S.. 29,491 28.80 K
kb8938~2.cat Wed May 4 2005 2:45:46p ..S.. 29,493 28.80 K

13 items found: 13 files, 0 directories.
Total of file sizes: 1,241,378 bytes 1.18 M



! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
WinFaxAppPortStarter REG_SZ wfxsnt40.exe
SystemTray REG_SZ SysTray.Exe
PopUp Hitman REG_SZ C:\Program Files\Prolific Publishing, Inc\PopUp Hitman\PopUp Hitman.exe
POINTER REG_SZ point32.exe
hpppta REG_SZ C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hpppta.exe /ICON
ccRegVfy REG_SZ "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
NvCplDaemon REG_SZ RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
EPSON Stylus Photo R300 Series REG_SZ C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB002" /M "Stylus Photo R300"
mswspl REG_SZ
QuickTime Task REG_SZ "C:\Program Files\QuickTime\qttask.exe" -atboottime
RoxioDragToDisc REG_SZ "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
RemoteControl REG_SZ "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
ccApp REG_SZ "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
Symantec NetDriver Monitor REG_SZ C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents


! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce


! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx




! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
NvMediaCenter REG_SZ RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit


! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
StartMS REG_SZ "C:\Program Files\Creative\Shared Files\Media Sniffer\StartMS.exe" /s
CMSRegOW.exe REG_SZ "C:\Program Files\InstallShield Installation Information\{56F3E1FF-54FE-4384-A153-6CCABA097814}\CMSRegOW.exe" /r
Inetreg REG_SZ C:\Program Files\InstallShield Installation Information\{E2D27B84-6365-11D6-9BAF-0090271AF8A4}\Setup.exe /i_again -s




! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Network

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system


! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon


! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
PostBootReminder REG_SZ {7849596a-48ea-486e-8937-a2a3009f31a9}
CDBurn REG_SZ {fbeb8a05-beee-4442-804e-409d6c4515e9}
WebCheck REG_SZ {E6FB5E20-DE35-11CF-9C87-00AA005127ED}
SysTray REG_SZ {35CEC8A3-2BE6-11D2-8773-92E220524153}


! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\apitrap.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ASSTE.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVSTE.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Cleanup.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cqw32.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\divx.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\divxdec.ax

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DJSMAR00.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DRMINST.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\enc98.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EncodeDivXExt.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EncryptPatchVer.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\front.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fullsoft.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GBROWSER.DLL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\htmlmarq.ocx

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\htmlmm.ocx

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ishscan.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ISSTE.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\javai.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\jvm.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\jvm_g.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\main123w.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mngreg32.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msci_uno.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mscoree.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mscorsvr.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mscorwks.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msjava.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mso.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVOPTRF.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NeVideoFX.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NPMLIC.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NSWSTE.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\photohse.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PMSTE.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ppw32hlp.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\printhse.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\prwin8.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ps80.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\psdmt.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qfinder.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qpw.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Salwrap.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sevinst.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\symlcnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tcore_ebook.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TFDTCTT8.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ua80.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\udtapi.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ums.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vb40032.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vbe6.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wpwin8.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xlmlEN.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xwsetup.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_INSTPGM.EXE


! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit REG_SZ C:\WINDOWS\system32\userinit.exe,



! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell REG_SZ Explorer.exe



! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs REG_SZ APITRAP.DLL

Hope this is helpful. I haven't reinstalled NortonAV yet. I'll probably do that this afternoon. I'll keep you posted on the results. Thanks again for your help.

#6 Grinler


Posted 20 May 2005 - 11:54 AM

Download this program:

submit files packer

Highlight the files listed below in bold, then right-click and select copy.


C:\WINDOWS\flashax.exe
C:\WINDOWS\ssk.exe
C:\WINDOWS\SYSTEM32\appsys.exe
C:\WINDOWS\SYSTEM32\eFaxview.exe


Then start the file packer program and right click in the white box and select paste to paste the copied file names in the field.

Then press the Continue button.

I will create an archive with these files and a small log on your Desktop that starts with a name like requested-file[date].cab.

Rename this file to yourmembername.cab (for example grinler.cab).

Then go to:
http://www.bleepingcomputer.com/submit-malware.php
and fill in the required fields and browse to this file on your desktop. Finally click on the Send File button.
Submit this .cab file at http://www.bleepingcomputer.com/

#7 jupiter


Posted 20 May 2005 - 03:47 PM

Hey, Grinler. Just letting you know I submitted the .cab file you requested. I'm carrying on with the rest of your instructions now. Will let you know when I'm done. Thanks, again.

#8 Grinler


Posted 20 May 2005 - 03:58 PM

Ignore those instructions :thumbsup: They were meant for another user. Gonna go check your submitted files now.

#9 Grinler


Posted 20 May 2005 - 04:09 PM

Go into add/remove programs in your control panel and uninstall surfsidekick 2 if it's there.

Then reboot into safe mode and delete the following files:

C:\WINDOWS\flashax.exe
C:\WINDOWS\ssk.exe
C:\WINDOWS\SYSTEM32\appsys.exe

Reboot and tell me if you're better and post a new hijackthis log along with a log from this:

Please follow these steps in order to clean your computer of Malware which can include Viruses, Trojans, Worms, Spyware, Hijackers and Dialers.

Step 1:
Download Spybot and Adaware from the following locations and install them. You should run both programs and clean up what it finds. This is to guarantee that you find the most malware you can installed on your computer.

Before running the scans on both programs, it is mandatory that you update the programs. There are update options in each program when you run them.

Spybot

Ad-aware

If you would like to learn more about how to use these two programs with the proper settings you can read the tutorials below:

Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer.

Using Spybot - Search & Destroy to remove Spyware, Malware, & Hijackers from Your Computer.


When you scan with both programs, fix everything that it finds.

When you are done with the scan and fixing the items, please continue with the next step.

Step 2:

It is important that you run Spybot and Adaware before you proceed with this step. Fixing entries with Hijackthis may leave behind unwanted files on your computer if the previous step was not done first.

Create a directory on your hard drive to save HijackThis.exe. A directory like c:\hijackthis. If you do not do this, you will not be able to use the backup/restore features.

Download HijackThis from:

HijackThis Download Site

Save this file into the directory you made previously and then run the program. Click on the Scan button and when it is finished click on the Save Log button. A Notepad window will open with the contents of this log. Click on Edit then click on Select all. Then click on Edit and then Click on Copy.

Create a reply to this post here, and right click in message area and select paste to paste the log into the post.

Someone will reply to you after reading this post. DO NOT fix any entries unless you understand what you are doing.

To see a tutorial on using HijackThis you can click on the link below:

Using HijackThis to Remove Spyware, Browser Hijackers, and Dialers

#10 jupiter


Posted 20 May 2005 - 05:12 PM

Wow!! You gave me a bit of a scare there with all those HJT entries to delete and the files in the F:\ drive. I thought I'd really screwed something up. Once I thought about it, I suspected that may be intended for another user. Glad it was. Anyway, back to my problems. Still getting pop-ups. Not much change that I can see yet, but I'll have to wait to see if that "Online start" thing comes up again in Spy Sweeper. Meanwhile, I did delete the 3 files you suggested. I will run Spybot and Adaware again. When they're done, I'll let you know the results. Thanks, again.

#11 Grinler


Posted 20 May 2005 - 05:58 PM

Also do this:
1. Download: "StartDreck" from:

http://www.niksoft.at/download/startdreck.htm

2. Extract the file into c:\startdreck.

3. Navigate to c:\startdreck and double-click on Startdreck.exe

4. When the program opens click on the Config button.

5. Then click on the mark all button.

6. Press the OK button.

7. Press the Save button. Type in the location you want to save the log to, or use the defaults which will save the log into the directory you are running the program from. If you choose the defaults the filename for the log will be StartDreck.log.

8. Post a copy of the log as a reply to this post.

#12 jupiter


Posted 21 May 2005 - 07:59 PM

I followed your additional instructions using startdreck.exe. The log is below. Hope it's helpful.


StartDreck (build 2.1.7 public stable) - 2005-05-21 @ 20:50:47 (GMT -04:00)
Platform: Windows XP (Win NT 5.1.2600 Service Pack 2)
Internet Explorer: 6.0.2900.2180
Logged in as Preferred Customer at MYCOMPUTER

»Registry
»Run Keys
»Current User
»Run
*SpySweeper="C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
*OnlineStart=C:\DOCUME~1\PREFER~1\APPLIC~1\COALME~1\heartwait.exe
»RunOnce
»Default User
»Run
»RunOnce
»Local Machine
»Run
*WinFaxAppPortStarter=wfxsnt40.exe
*SystemTray=SysTray.Exe
*PopUp Hitman=C:\Program Files\Prolific Publishing, Inc\PopUp Hitman\PopUp Hitman.exe
*POINTER=point32.exe
*hpppta=C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hpppta.exe /ICON
*ccRegVfy="C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
*NvCplDaemon=RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
*EPSON Stylus Photo R300 Series=C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB002" /M "Stylus Photo R300"
*mswspl=
*QuickTime Task="C:\Program Files\QuickTime\qttask.exe" -atboottime
*RoxioDragToDisc="C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
*RemoteControl="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
*ccApp="C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
*Symantec NetDriver Monitor=C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
+OptionalComponents
+MSFS
*Installed=1
+MAPI
*NoChange=1
*Installed=1
+MAPI
*NoChange=1
*Installed=1
»RunOnce
»RunServices
»RunServicesOnce
»RunOnceEx
»RunServicesOnceEx
»File Associations (CR)
+.bat
*batfile="%1" %*
+.com
*comfile="%1" %*
+.disabled
*SpybotSD.DisabledFile="C:\Program Files\Spybot - Search & Destroy\blindman.exe" %1
+.exe
*exefile="%1" %*
+.hta
*htafile=C:\WINDOWS\System32\mshta.exe "%1" %*
+.htm
*htmlfile="C:\Program Files\Internet Explorer\iexplore.exe" -nohome
+.html
*htmlfile="C:\Program Files\Internet Explorer\iexplore.exe" -nohome
+.js
*JSFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.jse
*JSEFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.pif
*piffile="%1" %*
+.reg
*regfile=regedit.exe "%1"
+.scr
*scrfile="%1" /S
+.txt
*txtfile=%SystemRoot%\system32\NOTEPAD.EXE %1
+.vbs
*VBSFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.vbe
*VBEFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.wsh
*WSHFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.wsf
*WSFFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.lnk
`lnkfile= [key or value does not exist]
»Active Setup (LM)
+Internet Explorer/>{26923b43-4d38-484f-9b9e-de460746276c}
*StubPath=%systemroot%\system32\shmgrate.exe OCInstallUserConfigIE
+Browser Customizations/>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS
*StubPath=RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
+Outlook Express/>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}
*StubPath=%systemroot%\system32\shmgrate.exe OCInstallUserConfigOE
+Themes Setup/{2C7339CF-2B09-4501-B3F3-F3508C9228ED}
*StubPath=%SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
+Microsoft Outlook Express 6/{44BBA840-CC51-11CF-AAFA-00AA00B6015C}
*StubPath="%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
+NetMeeting 3.01/{44BBA842-CC51-11CF-AAFA-00AA00B6015B}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
+Internet Explorer/{4b218e3e-bc98-4770-93d3-2731b9329278}
*StubPath=%SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf
+Windows Messenger 4.7/{5945c046-1e7d-11d1-bc44-00c04fd912be}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
+Microsoft Windows Media Player/{6BF52A52-394A-11d3-B153-00C04F79FAA6}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp10.inf,PerUserStub
+Address Book 6/{7790769C-0471-11d2-AF11-00C04FA35D02}
*StubPath="%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
+Windows Desktop Update/{89820200-ECBD-11cf-8B85-00AA005B4340}
*StubPath=regsvr32.exe /s /n /i:U shell32.dll
+Internet Explorer 6/{89820200-ECBD-11cf-8B85-00AA005B4383}
*StubPath=%SystemRoot%\system32\ie4uinit.exe
+Fax/{8b15971b-5355-4c82-8c07-7e181ea07608}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.Install.PerUser
+CRLUpdate/{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}
*StubPath=C:\WINDOWS\SYSTEM32\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl
+Power Policy Settings/{CA0A4247-44BE-11d1-A005-00805F8ABE06}
*StubPath=RunDLL setupx.dll,InstallHinfSection PowerCfg.user 0 powercfg.inf
»Browser Helper Objects (LM)
*Navbho.CNavExtBho.1/{BDF3E430-B101-42AD-A544-FADC6B084872}
`InprocServer32=C:\Program Files\Norton AntiVirus\NavShExt.dll
»Internet Explorer
»Current User
*Local Page=C:\WINDOWS\SYSTEM32\blank.htm
*Search Bar=
*Search Page=
*Start Page=http://www.suscombroadband.com
+SearchUrl
*Provider=
»Default User
*Default_Page_URL=http://www.search-center.com
*Default_Search_URL=http://search-center.com/search
*Local Page=C:\WINDOWS\SYSTEM\blank.htm
*Search Bar=
*Search Page=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
*Start Page=http://www.suscombroadband.com/
*Window Title=Microsoft Internet Explorer provided by @Home
*CustomizeSearch=http://www.childpaysite.com
*SearchAssistant=http://www.childpaysite.com
+SearchUrl
*Provider=EXCI
»Local Machine
*Default_Page_URL=
*Default_Search_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
*Local Page=C:\WINDOWS\SYSTEM32\blank.htm
*Search Page=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
*Start Page=http://www.suscombroadband.com
*CustomizeSearch=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
*SearchAssistant=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
+SearchUrl
*=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
»ShellServiceObjectDelayLoad (LM)
*PostBootReminder={7849596a-48ea-486e-8937-a2a3009f31a9}
`InprocServer32=%SystemRoot%\system32\SHELL32.dll
*CDBurn={fbeb8a05-beee-4442-804e-409d6c4515e9}
`InprocServer32=%SystemRoot%\system32\SHELL32.dll
*WebCheck={E6FB5E20-DE35-11CF-9C87-00AA005127ED}
`InprocServer32=%SystemRoot%\System32\webcheck.dll
*SysTray={35CEC8A3-2BE6-11D2-8773-92E220524153}
`InprocServer32=C:\WINDOWS\System32\stobject.dll
»Special NT Values
»Current User
*Load=
*Run=
*Programs=com exe bat pif cmd
*SHELL=
»Default User
*Load=
*Run=
*Programs=com exe bat pif cmd
*SHELL=
»Local Machine
*AppInit_DLLs=APITRAP.DLL
*SHELL=Explorer.exe
*Userinit=C:\WINDOWS\system32\userinit.exe,
»Files
»Autostart Folders
»Current User
*C:\Documents and Settings\Preferred Customer\Start Menu\Programs\Startup\desktop.ini
»Default User
*C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\desktop.ini
»Local Machine
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\PopUp Hitman.lnk
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\PageKeeper Jobs.lnk
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Norton System Doctor.lnk
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NkvMon.exe.lnk
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Controller.LNK
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
»INI-Files
»WIN.INI\[windows]
*LOAD=
*RUN=
»SYSTEM.INI\[boot]
*SHELL=Explorer.exe
»Text Files
*C:\boot.ini
`[boot loader]
`timeout = 30
`default = multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
`[operating systems]
`multi(0)disk(0)rdisk(0)partition(1)\WINDOWS = "Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
*C:\msdos.sys
`[Paths]
`WinDir=C:\WINDOWS
`WinBootDir=C:\WINDOWS
`HostWinBootDrv=C
`[Options]
`BootMulti=1
`BootGUI=1
`DoubleBuffer=1
`AutoScan=1
`WinVer=4.10.2222
`;
`;The following lines are required for compatibility with other programs.
`;Do not remove them (MSDOS.SYS needs to be >1024 bytes).
*C:\config.sys
`DEVICE=C:\WINDOWS\HIMEM.SYS
`DEVICE=C:\WINDOWS\EMM386.EXE
*C:\WINDOWS\system32\config.nt
`dos=high, umb
`device=%SystemRoot%\system32\himem.sys
`files=40
*C:\WINDOWS\system32\autoexec.nt
`@echo off
`lh %SystemRoot%\system32\mscdexnt.exe
`lh %SystemRoot%\system32\redir
`lh %SystemRoot%\system32\dosx
`SET BLASTER=A220 I5 D1 P330 T3
*C:\WINDOWS\wininit.ini
`[rename]
`C:\WINDOWS\System32\windec32.dll=C:\DOCUME~1\PREFER~1\LOCALS~1\Temp\WIN66.tmp
`NUL= ī|8‘|’’’’2‘|« ‘|ė ‘|
*C:\WINDOWS\wininit.bak
`[Rename]
`NUL=C:\WINDOWS\TEMP\WINNT32.EXE
`C:\WINDOWS\SYSTEM\SHDOCVW.DLL=C:\WINDOWS\SYSTEM\SETE353.TMP
`NUL=C:\WINDOWS\SYSTEM\URLMON.DLL
`C:\WINDOWS\SYSTEM\URLMON.DLL=C:\WINDOWS\SYSTEM\SETE360.TMP
`NUL=C:\WINDOWS\SYSTEM\MSHTML.DLL
`C:\WINDOWS\SYSTEM\MSHTML.DLL=C:\WINDOWS\SYSTEM\SETE362.TMP
`C:\WINDOWS\SYSTEM\jscript.dll=C:\WINDOWS\SYSTEM\jscript.001
*C:\WINDOWS\dosstart.bat
`C:\PROGRA~1\CREATIVE\SBLIVE\DOSDRV\SBEINIT.COM
`C:\PROGRA~1\MOUSEW~1\MOUSE.EXE
*C:\WINDOWS\system32\drivers\etc\hosts
`127.0.0.1 localhost
»Program Files
*C:\ntldr
*C:\ntdetect.com
*C:\io.sys
*C:\WINDOWS\system32\win.com
*C:\WINDOWS\explorer.exe
»%PATH% Companion Files
+C:\WINDOWS\system32\taskman.exe
*C:\WINDOWS\TASKMAN.EXE
+C:\WINDOWS\system32\winhlp32.exe
*C:\WINDOWS\winhlp32.exe
+C:\WINDOWS\system32\notepad.exe
*C:\WINDOWS\notepad.exe
+C:\WINDOWS\system32\eFaxview.exe
*C:\WINDOWS\eFaxview.exe
+C:\WINDOWS\system32\slrundll.exe
*C:\WINDOWS\slrundll.exe
»System/Drivers
»Running Processes
+0=<idle>
+4=<system>
+324=\SystemRoot\System32\smss.exe
*C:\WINDOWS\system32\ntdll.dll
+372=\??\C:\WINDOWS\system32\csrss.exe
*C:\WINDOWS\system32\ntdll.dll
*C:\WINDOWS\system32\CSRSRV.dll
*C:\WINDOWS\system32\basesrv.dll
*C:\WINDOWS\system32\winsrv.dll
*C:\WINDOWS\system32\GDI32.dll
*C:\WINDOWS\system32\KERNEL32.dll
*C:\WINDOWS\system32\USER32.dll
*C:\WINDOWS\system32\Apphelp.dll
*C:\WINDOWS\system32\VERSION.dll
*C:\WINDOWS\system32\sxs.dll
*C:\WINDOWS\system32\ADVAPI32.dll
*C:\WINDOWS\system32\RPCRT4.dll
*C:\Program Files\Webroot\Spy Sweeper\sis.dll
*C:\WINDOWS\system32\oleaut32.dll
*C:\WINDOWS\system32\msvcrt.dll
*C:\WINDOWS\system32\ole32.dll
+396=\??\C:\WINDOWS\system32\winlogon.exe
*C:\WINDOWS\system32\ntdll.dll
*C:\WINDOWS\system32\kernel32.dll
*C:\WINDOWS\system32\ADVAPI32.dll
*C:\WINDOWS\system32\RPCRT4.dll
*C:\WINDOWS\system32\AUTHZ.dll
*C:\WINDOWS\system32\msvcrt.dll
*C:\WINDOWS\system32\CRYPT32.dll
*C:\WINDOWS\system32\USER32.dll
*C:\WINDOWS\system32\GDI32.dll
*C:\WINDOWS\system32\MSASN1.dll
*C:\WINDOWS\system32\NDdeApi.dll
*C:\WINDOWS\system32\PROFMAP.dll
*C:\WINDOWS\system32\NETAPI32.dll
*C:\WINDOWS\system32\USERENV.dll
*C:\WINDOWS\system32\PSAPI.DLL
*C:\WINDOWS\system32\REGAPI.dll
*C:\WINDOWS\system32\Secur32.dll
*C:\WINDOWS\system32\SETUPAPI.dll
*C:\WINDOWS\system32\VERSION.dll
*C:\WINDOWS\system32\WINSTA.dll
*C:\WINDOWS\system32\WINTRUST.dll
*C:\WINDOWS\system32\IMAGEHLP.dll
*C:\WINDOWS\system32\WS2_32.dll
*C:\WINDOWS\system32\WS2HELP.dll
*C:\WINDOWS\system32\APITRAP.DLL
*C:\WINDOWS\system32\MSGINA.dll
*C:\WINDOWS\system32\SHELL32.dll
*C:\WINDOWS\system32\SHLWAPI.dll
*C:\WINDOWS\system32\COMCTL32.dll
*C:\WINDOWS\system32\ODBC32.dll
*C:\WINDOWS\system32\comdlg32.dll
*C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll
*C:\WINDOWS\system32\odbcint.dll
*C:\WINDOWS\system32\SHSVCS.dll
*C:\WINDOWS\system32\sfc.dll
*C:\WINDOWS\system32\sfc_os.dll
*C:\WINDOWS\system32\ole32.dll
*C:\WINDOWS\system32\Apphelp.dll
*C:\WINDOWS\system32\WINSCARD.DLL
*C:\WINDOWS\system32\WTSAPI32.dll
*C:\WINDOWS\system32\uxtheme.dll
*C:\WINDOWS\system32\WINMM.dll
*C:\WINDOWS\system32\cscdll.dll
*C:\WINDOWS\system32\WlNotify.dll
*C:\WINDOWS\system32\WINSPOOL.DRV
*C:\WINDOWS\system32\MPR.dll
*C:\WINDOWS\system32\rsaenh.dll
*C:\WINDOWS\system32\SAMLIB.dll
*C:\WINDOWS\system32\cscui.dll
*C:\WINDOWS\system32\MPRAPI.dll
*C:\WINDOWS\system32\ACTIVEDS.dll
*C:\WINDOWS\system32\adsldpc.dll
*C:\WINDOWS\system32\WLDAP32.dll
*C:\WINDOWS\system32\ATL.DLL
*C:\WINDOWS\system32\OLEAUT32.dll
*C:\WINDOWS\system32\rtutils.dll
*C:\WINDOWS\system32\xpsp2res.dll
*C:\WINDOWS\system32\NTMARTA.DLL
*C:\WINDOWS\system32\msv1_0.dll
*C:\WINDOWS\system32\iphlpapi.dll
*C:\WINDOWS\system32\sxs.dll
*C:\WINDOWS\system32\wdmaud.drv
*C:\WINDOWS\system32\msacm32.drv
*C:\WINDOWS\system32\MSACM32.dll
*C:\WINDOWS\system32\midimap.dll
*C:\WINDOWS\system32\COMRes.dll
*C:\WINDOWS\system32\CLBCATQ.DLL
*C:\Program Files\Webroot\Spy Sweeper\sis.dll
+440=C:\WINDOWS\system32\services.exe
*C:\WINDOWS\system32\ntdll.dll
*C:\WINDOWS\system32\kernel32.dll
*C:\WINDOWS\system32\msvcrt.dll
*C:\WINDOWS\system32\ADVAPI32.dll
*C:\WINDOWS\system32\RPCRT4.dll
*C:\WINDOWS\system32\USER32.dll
*C:\WINDOWS\system32\GDI32.dll
*C:\WINDOWS\system32\USERENV.dll
*C:\WINDOWS\system32\SCESRV.dll
*C:\WINDOWS\system32\AUTHZ.dll
*C:\WINDOWS\system32\umpnpmgr.dll
*C:\WINDOWS\system32\WINSTA.dll
*C:\WINDOWS\system32\NETAPI32.dll
*C:\WINDOWS\system32\NCObjAPI.DLL
*C:\WINDOWS\system32\MSVCP60.dll
*C:\WINDOWS\system32\ShimEng.dll
*C:\WINDOWS\AppPatch\AcGenral.DLL
*C:\WINDOWS\system32\WINMM.dll
*C:\WINDOWS\system32\ole32.dll
*C:\WINDOWS\system32\OLEAUT32.dll
*C:\WINDOWS\system32\MSACM32.dll
*C:\WINDOWS\system32\VERSION.dll
*C:\WINDOWS\system32\SHELL32.dll
*C:\WINDOWS\system32\SHLWAPI.dll
*C:\WINDOWS\system32\UxTheme.dll
*C:\WINDOWS\system32\APITRAP.DLL
*C:\WINDOWS\system32\psapi.dll
*C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll
*C:\WINDOWS\system32\comctl32.dll
*C:\WINDOWS\system32\secur32.dll
*C:\WINDOWS\system32\Apphelp.dll
*C:\WINDOWS\system32\eventlog.dll
*C:\WINDOWS\system32\WS2_32.dll
*C:\WINDOWS\system32\WS2HELP.dll
*C:\WINDOWS\system32\wtsapi32.dll
*C:\Program Files\Webroot\Spy Sweeper\sis.dll
+452=C:\WINDOWS\system32\lsass.exe
*C:\WINDOWS\system32\ntdll.dll
*C:\WINDOWS\system32\kernel32.dll
*C:\WINDOWS\system32\ADVAPI32.dll
*C:\WINDOWS\system32\RPCRT4.dll
*C:\WINDOWS\system32\LSASRV.dll
*C:\WINDOWS\system32\MPR.dll
*C:\WINDOWS\system32\USER32.dll
*C:\WINDOWS\system32\GDI32.dll
*C:\WINDOWS\system32\MSASN1.dll
*C:\WINDOWS\system32\msvcrt.dll
*C:\WINDOWS\system32\NETAPI32.dll
*C:\WINDOWS\system32\NTDSAPI.dll
*C:\WINDOWS\system32\DNSAPI.dll
*C:\WINDOWS\system32\WS2_32.dll
*C:\WINDOWS\system32\WS2HELP.dll
*C:\WINDOWS\system32\WLDAP32.dll
*C:\WINDOWS\system32\Secur32.dll
*C:\WINDOWS\system32\SAMLIB.dll
*C:\WINDOWS\system32\SAMSRV.dll
*C:\WINDOWS\system32\cryptdll.dll
*C:\WINDOWS\system32\ShimEng.dll
*C:\WINDOWS\AppPatch\AcGenral.DLL
*C:\WINDOWS\system32\WINMM.dll
*C:\WINDOWS\system32\ole32.dll
*C:\WINDOWS\system32\OLEAUT32.dll
*C:\WINDOWS\system32\MSACM32.dll
*C:\WINDOWS\system32\VERSION.dll
*C:\WINDOWS\system32\SHELL32.dll
*C:\WINDOWS\system32\SHLWAPI.dll
*C:\WINDOWS\system32\USERENV.dll
*C:\WINDOWS\system32\UxTheme.dll
*C:\WINDOWS\system32\APITRAP.DLL
*C:\WINDOWS\system32\psapi.dll
*C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll
*C:\WINDOWS\system32\comctl32.dll
*C:\WINDOWS\system32\msprivs.dll
*C:\WINDOWS\system32\kerberos.dll
*C:\WINDOWS\system32\msv1_0.dll
*C:\WINDOWS\system32\iphlpapi.dll
*C:\WINDOWS\system32\netlogon.dll
*C:\WINDOWS\system32\w32time.dll
*C:\WINDOWS\system32\MSVCP60.dll
*C:\WINDOWS\system32\schannel.dll
*C:\WINDOWS\system32\CRYPT32.dll
*C:\WINDOWS\system32\wdigest.dll
*C:\WINDOWS\system32\rsaenh.dll
*C:\WINDOWS\system32\scecli.dll
*C:\WINDOWS\system32\SETUPAPI.dll
*C:\WINDOWS\system32\ipsecsvc.dll
*C:\WINDOWS\system32\AUTHZ.dll
*C:\WINDOWS\system32\oakley.DLL
*C:\WINDOWS\system32\WINIPSEC.DLL
*C:\WINDOWS\system32\pstorsvc.dll
*C:\WINDOWS\system32\mswsock.dll
*C:\WINDOWS\system32\hnetcfg.dll
*C:\WINDOWS\System32\wshtcpip.dll
*C:\WINDOWS\system32\psbase.dll
*C:\WINDOWS\system32\dssenh.dll
*C:\Program Files\Webroot\Spy Sweeper\sis.dll
+596=C:\WINDOWS\system32\svchost.exe
*C:\WINDOWS\system32\ntdll.dll
*C:\WINDOWS\system32\kernel32.dll
*C:\WINDOWS\system32\ADVAPI32.dll
*C:\WINDOWS\system32\RPCRT4.dll
*C:\WINDOWS\system32\ShimEng.dll
*C:\WINDOWS\AppPatch\AcGenral.DLL
*C:\WINDOWS\system32\USER32.dll
*C:\WINDOWS\system32\GDI32.dll
*C:\WINDOWS\system32\WINMM.dll
*C:\WINDOWS\system32\ole32.dll
*C:\WINDOWS\system32\msvcrt.dll
*C:\WINDOWS\system32\OLEAUT32.dll
*C:\WINDOWS\system32\MSACM32.dll
*C:\WINDOWS\system32\VERSION.dll
*C:\WINDOWS\system32\SHELL32.dll
*C:\WINDOWS\system32\SHLWAPI.dll
*C:\WINDOWS\system32\USERENV.dll
*C:\WINDOWS\system32\UxTheme.dll
*C:\WINDOWS\system32\APITRAP.DLL
*C:\WINDOWS\system32\psapi.dll
*C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll
*C:\WINDOWS\system32\comctl32.dll
*C:\WINDOWS\system32\NTMARTA.DLL
*C:\WINDOWS\system32\WLDAP32.dll
*C:\WINDOWS\system32\SAMLIB.dll
*c:\windows\system32\rpcss.dll
*c:\windows\system32\Secur32.dll
*c:\windows\system32\WS2_32.dll
*c:\windows\system32\WS2HELP.dll
*C:\WINDOWS\system32\xpsp2res.dll
*C:\WINDOWS\system32\CLBCATQ.DLL
*C:\WINDOWS\system32\COMRes.dll
*C:\WINDOWS\system32\Apphelp.dll
*C:\Program Files\Webroot\Spy Sweeper\sis.dll
*C:\WINDOWS\system32\WTSAPI32.dll
*C:\WINDOWS\system32\WINSTA.dll
*C:\WINDOWS\system32\NETAPI32.dll
*C:\WINDOWS\system32\msv1_0.dll
*C:\WINDOWS\system32\iphlpapi.dll
*c:\windows\system32\termsrv.dll
*c:\windows\system32\ICAAPI.dll
*c:\windows\system32\SETUPAPI.dll
*C:\WINDOWS\system32\WINTRUST.dll
*C:\WINDOWS\system32\CRYPT32.dll
*C:\WINDOWS\system32\MSASN1.dll
*C:\WINDOWS\system32\IMAGEHLP.dll
*c:\windows\system32\AUTHZ.dll
*c:\windows\system32\mstlsapi.dll
*c:\windows\system32\ACTIVEDS.dll
*c:\windows\system32\adsldpc.dll
*c:\windows\system32\ATL.DLL
*C:\WINDOWS\system32\REGAPI.dll
*C:\WINDOWS\system32\rsaenh.dll
+644=C:\WINDOWS\system32\svchost.exe
*C:\WINDOWS\system32\ntdll.dll
*C:\WINDOWS\system32\kernel32.dll
*C:\WINDOWS\system32\ADVAPI32.dll
*C:\WINDOWS\system32\RPCRT4.dll
*C:\WINDOWS\system32\ShimEng.dll
*C:\WINDOWS\AppPatch\AcGenral.DLL
*C:\WINDOWS\system32\USER32.dll
*C:\WINDOWS\system32\GDI32.dll
*C:\WINDOWS\system32\WINMM.dll
*C:\WINDOWS\system32\ole32.dll
*C:\WINDOWS\system32\msvcrt.dll
*C:\WINDOWS\system32\OLEAUT32.dll
*C:\WINDOWS\system32\MSACM32.dll
*C:\WINDOWS\system32\VERSION.dll
*C:\WINDOWS\system32\SHELL32.dll
*C:\WINDOWS\system32\SHLWAPI.dll
*C:\WINDOWS\system32\USERENV.dll
*C:\WINDOWS\system32\UxTheme.dll
*C:\WINDOWS\system32\APITRAP.DLL
*C:\WINDOWS\system32\psapi.dll
*C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll
*C:\WINDOWS\system32\comctl32.dll
*c:\windows\system32\rpcss.dll
*c:\windows\system32\Secur32.dll
*c:\windows\system32\WS2_32.dll
*c:\windows\system32\WS2HELP.dll
*C:\WINDOWS\system32\xpsp2res.dll
*C:\WINDOWS\system32\rsaenh.dll
*C:\WINDOWS\system32\mswsock.dll
*C:\WINDOWS\system32\hnetcfg.dll
*C:\WINDOWS\System32\wshtcpip.dll
*C:\WINDOWS\system32\DNSAPI.dll
*C:\WINDOWS\system32\iphlpapi.dll
*C:\WINDOWS\System32\winrnr.dll
*C:\WINDOWS\system32\WLDAP32.dll
*C:\WINDOWS\system32\rasadhlp.dll
*C:\WINDOWS\system32\CLBCATQ.DLL
*C:\WINDOWS\system32\COMRes.dll
*C:\Program Files\Webroot\Spy Sweeper\sis.dll
*C:\WINDOWS\system32\msi.dll
+684=C:\WINDOWS\System32\svchost.exe
*C:\WINDOWS\system32\ntdll.dll
*C:\WINDOWS\system32\kernel32.dll
*C:\WINDOWS\system32\ADVAPI32.dll
*C:\WINDOWS\system32\RPCRT4.dll
*C:\WINDOWS\System32\ShimEng.dll
*C:\WINDOWS\AppPatch\AcGenral.DLL
*C:\WINDOWS\system32\USER32.dll
*C:\WINDOWS\system32\GDI32.dll
*C:\WINDOWS\System32\WINMM.dll
*C:\WINDOWS\system32\ole32.dll
*C:\WINDOWS\system32\msvcrt.dll
*C:\WINDOWS\system32\OLEAUT32.dll
*C:\WINDOWS\System32\MSACM32.dll
*C:\WINDOWS\system32\VERSION.dll
*C:\WINDOWS\system32\SHELL32.dll
*C:\WINDOWS\system32\SHLWAPI.dll
*C:\WINDOWS\system32\USERENV.dll
*C:\WINDOWS\System32\UxTheme.dll
*C:\WINDOWS\System32\APITRAP.DLL
*C:\WINDOWS\System32\psapi.dll
*C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll
*C:\WINDOWS\system32\comctl32.dll
*C:\WINDOWS\System32\NTMARTA.DLL
*C:\WINDOWS\system32\WLDAP32.dll
*C:\WINDOWS\System32\SAMLIB.dll
*C:\WINDOWS\System32\xpsp2res.dll
*c:\windows\system32\shsvcs.dll
*C:\WINDOWS\System32\WINSTA.dll
*C:\WINDOWS\system32\NETAPI32.dll
*c:\windows\system32\dhcpcsvc.dll
*c:\windows\system32\DNSAPI.dll
*c:\windows\system32\WS2_32.dll
*c:\windows\system32\WS2HELP.dll
*c:\windows\system32\iphlpapi.dll
*c:\windows\system32\Secur32.dll
*C:\WINDOWS\System32\rsaenh.dll
*C:\WINDOWS\system32\mswsock.dll
*C:\WINDOWS\System32\hnetcfg.dll
*C:\WINDOWS\System32\wshtcpip.dll
*c:\windows\system32\wzcsvc.dll
*c:\windows\system32\rtutils.dll
*c:\windows\system32\WMI.dll
*C:\WINDOWS\system32\CRYPT32.dll
*C:\WINDOWS\system32\MSASN1.dll
*c:\windows\system32\WTSAPI32.dll
*c:\windows\system32\ESENT.dll
*c:\windows\system32\ATL.DLL
*C:\WINDOWS\System32\rastls.dll
*C:\WINDOWS\system32\CRYPTUI.dll
*C:\WINDOWS\system32\WINTRUST.dll
*C:\WINDOWS\system32\IMAGEHLP.dll
*C:\WINDOWS\system32\WININET.dll
*C:\WINDOWS\System32\MPRAPI.dll
*C:\WINDOWS\System32\ACTIVEDS.dll
*C:\WINDOWS\System32\adsldpc.dll
*C:\WINDOWS\System32\SETUPAPI.dll
*C:\WINDOWS\System32\RASAPI32.dll
*C:\WINDOWS\System32\rasman.dll
*C:\WINDOWS\System32\TAPI32.dll
*C:\WINDOWS\System32\SCHANNEL.dll
*C:\WINDOWS\System32\WinSCard.dll
*C:\WINDOWS\System32\raschap.dll
*C:\WINDOWS\system32\msv1_0.dll
*C:\WINDOWS\System32\CLBCATQ.DLL
*C:\WINDOWS\System32\COMRes.dll
*c:\windows\system32\schedsvc.dll
*c:\windows\system32\NTDSAPI.dll
*C:\WINDOWS\System32\MSIDLE.DLL
*c:\windows\system32\audiosrv.dll
*c:\windows\system32\wkssvc.dll
*c:\windows\system32\cryptsvc.dll
*c:\windows\system32\certcli.dll
*c:\windows\system32\ersvc.dll
*c:\windows\system32\es.dll
*c:\windows\pchealth\helpctr\binaries\pchsvc.dll
*c:\windows\system32\srvsvc.dll
*C:\WINDOWS\System32\winspool.drv
*c:\windows\system32\netman.dll
*c:\windows\system32\netshell.dll
*c:\windows\system32\credui.dll
*c:\windows\system32\WZCSAPI.DLL
*C:\WINDOWS\System32\upnp.dll
*C:\WINDOWS\System32\WINHTTP.dll
*C:\WINDOWS\System32\SSDPAPI.dll
*c:\windows\system32\seclogon.dll
*c:\windows\system32\sens.dll
*C:\WINDOWS\System32\wbem\wbemcomn.dll
*c:\windows\system32\srsvc.dll
*c:\windows\system32\POWRPROF.dll
*C:\WINDOWS\System32\netcfgx.dll
*C:\WINDOWS\System32\CLUSAPI.dll
*C:\WINDOWS\System32\SXS.DLL
*C:\WINDOWS\System32\rasmans.dll
*C:\WINDOWS\System32\WINIPSEC.DLL
*c:\windows\system32\trkwks.dll
*c:\windows\system32\tapisrv.dll
*c:\windows\system32\w32time.dll
*c:\windows\system32\MSVCP60.dll
*c:\windows\system32\wbem\wmisvc.dll
*C:\WINDOWS\system32\VSSAPI.DLL
*c:\windows\system32\wuauserv.dll
*c:\windows\system32\browser.dll
*C:\WINDOWS\system32\wuaueng.dll
*C:\WINDOWS\System32\ADVPACK.dll
*C:\WINDOWS\System32\SHFOLDER.dll
*C:\WINDOWS\System32\Cabinet.dll
*C:\WINDOWS\System32\mspatcha.dll
*C:\WINDOWS\System32\sfc.dll
*C:\WINDOWS\System32\sfc_os.dll
*c:\windows\system32\ipnathlp.dll
*c:\windows\system32\AUTHZ.dll
*c:\windows\system32\wscsvc.dll
*c:\windows\system32\msi.dll
*C:\WINDOWS\system32\comsvcs.dll
*C:\WINDOWS\system32\MTXCLU.DLL
*C:\WINDOWS\system32\WSOCK32.dll
*C:\WINDOWS\system32\colbact.DLL
*C:\WINDOWS\System32\RESUTILS.D

#13 Grinler

Grinler

    Lawrence Abrams


  • Admin

Posted 21 May 2005 - 10:00 PM

Ok, you're definitely infected.

You are using an outdated version of HijackThis.

Please download the newer version from the following link:

HijackThis Download Site

Once it is downloaded, extract the zip file to c:\hjt and navigate to the c:\hjt folder. Now double-click on hijackthis.exe and when the window opens, put a checkmark in the box at the bottom that states Don't show this frame again when I start HijackThis.

Then click on the button labeled None of the above, just start the program. You will now be presented with the main HJT screen.

Press the Scan button and then when it is done, the Save Log button. Save this log in c:\hjt, and then copy and paste the contents of the notepad it opens as a reply to this post.

#14 jupiter

jupiter
  • Topic Starter

  • Members

Posted 23 May 2005 - 07:11 AM

I blew out my old version of HJT and installed the new one. Ran the program and the log is posted below.

Logfile of HijackThis v1.99.1
Scan saved at 8:06:45 AM, on 5/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\wfxsnt40.exe
C:\Program Files\Prolific Publishing, Inc\PopUp Hitman\PopUp Hitman.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Caere\PageKeeper30\system\PKJobs.exe
C:\Program Files\Norton Utilities\SYSDOC32.EXE
C:\Program Files\Nikon\NkView5\NkvMon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Symantec\WinFax\WFXCTL32.EXE
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Caere\PageKeeper30\SYSTEM\PKSlapi.exe
C:\Program Files\Caere\PageKeeper30\SYSTEM\PKTOPASS.EXE
C:\Program Files\Symantec\WinFax\WFXMOD32.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\progra~1\intern~1\iexplore.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.suscombroadband.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.suscombroadband.com
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [PopUp Hitman] C:\Program Files\Prolific Publishing, Inc\PopUp Hitman\PopUp Hitman.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [hpppta] C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hpppta.exe /ICON
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB002" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [OnlineStart] C:\DOCUME~1\PREFER~1\APPLIC~1\COALME~1\heartwait.exe
O4 - Global Startup: PopUp Hitman.lnk = C:\Program Files\Prolific Publishing, Inc\PopUp Hitman\PopUp Hitman.exe
O4 - Global Startup: PageKeeper Jobs.lnk = C:\Program Files\Caere\PageKeeper30\system\PKJobs.exe
O4 - Global Startup: Norton System Doctor.lnk = C:\Program Files\Norton Utilities\SYSDOC32.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView5\NkvMon.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Controller.LNK = C:\Program Files\Symantec\WinFax\WFXCTL32.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/ac...ta/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...367/mcfscan.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\Program Files\Speed Disk\nopdb.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Hope this helps you. Thanks, again.

#15 Grinler

Grinler

    Lawrence Abrams


  • Admin

Posted 23 May 2005 - 05:20 PM

Print out these instructions and then close all windows including Internet Explorer.

Then I want you to fix some of those entries. Please do the following:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Run HijackThis again, click Scan, and put a checkmark next to each of these. Then click the Fix button:

O4 - HKCU\..\Run: [OnlineStart] C:\DOCUME~1\PREFER~1\APPLIC~1\COALME~1\heartwait.exe

Reboot your computer into Safe Mode

Then delete these files or directories (Do not be concerned if they do not exist)

C:\DOCUME~1\PREFER~1\APPLIC~1\COALME~1\heartwait.exe <-- Search for this file and delete it and the directory it is in.

Reboot your computer to go back to normal mode and post a new log and tell me if it's better.
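
Added example, not part of the original posts and not HijackThis's own code: a Python parser for the O4 (autorun) lines of a log in the format posted above, listing entries whose executable sits under a per-user profile directory, as the OnlineStart entry selected for fixing does. The profile-path heuristic and every function name here are assumptions of this example; a hit marks an entry for review, nothing more.

```python
import re
from typing import List, NamedTuple

# Sample O4 lines taken from the HijackThis v1.99.1 log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [OnlineStart] C:\DOCUME~1\PREFER~1\APPLIC~1\COALME~1\heartwait.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
"""


class Autorun(NamedTuple):
    source: str   # registry hive and key, or the startup folder label
    name: str     # registry value name or shortcut file name
    command: str  # command line exactly as logged
    image: str    # executable path extracted from the command line


# "O4 - HKxx\..\<key>: [<value name>] <command line>"
REG_RE = re.compile(r'^O4 - (HK\w+)\\\.\.\\([^:]+): \[([^\]]*)\] (.+)$')
# "O4 - Startup: <shortcut> = <target>" or "O4 - Global Startup: ..."
LNK_RE = re.compile(r'^O4 - ((?:Global )?Startup): (.+?) = (.+)$')
# Unquoted commands may contain spaces, so cut at the first executable extension.
EXE_RE = re.compile(r'(.+?\.(?:exe|com|bat|cmd|scr|pif))(?=\s|$)', re.I)
# Assumption of this example: Windows XP profile root, long or 8.3 short form.
PROFILE_RE = re.compile(r'^[a-z]:\\(?:documents and settings|docume~\d)\\', re.I)


def image_path(command: str) -> str:
    """Return the executable part of a logged command line."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    match = EXE_RE.match(command)
    return match.group(1) if match else command


def parse_o4(log: str) -> List[Autorun]:
    """Parse registry Run-key and startup-folder O4 lines; skip everything else."""
    entries = []
    for line in log.splitlines():
        line = line.strip()
        match = REG_RE.match(line)
        if match:
            hive, key, name, cmd = match.groups()
            entries.append(Autorun(f"{hive}\\{key}", name, cmd, image_path(cmd)))
            continue
        match = LNK_RE.match(line)
        if match:
            where, name, target = match.groups()
            entries.append(Autorun(where, name, target, image_path(target)))
    return entries


def user_profile_autoruns(log: str) -> List[Autorun]:
    """Autoruns whose executable lives under a per-user profile directory."""
    return [a for a in parse_o4(log) if PROFILE_RE.match(a.image)]


if __name__ == "__main__":
    for entry in user_profile_autoruns(SAMPLE_LOG):
        print(f"review: {entry.source} [{entry.name}] -> {entry.image}")
```
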



