
My log, and does this fix as.adwave?


15 replies to this topic

#1 janie_a16

Posted 08 July 2005 - 01:08 PM

Hi, my name is Jane and I am having a nightmare of a time with these popup ads that keep coming up on my Internet Explorer (I have Windows XP). They all begin with http://as.adwave etc., so I am assuming they are all from the same place. I tried a million other services and run Ad-Aware and Spybot and Norton AntiVirus on a regular basis; how do I get rid of this thing? Does it have anything to do with HuntBar? (My scans keep finding it but can't get rid of it.)

I ran HijackThis and this was the log I came up with:

Logfile of HijackThis v1.99.1
Scan saved at 10:11:41 PM, on 7/7/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\ScsiAccess.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\atiptaxx.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\D4\D4.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\default\Desktop\everything\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = dynhost.inetcam.com;register.inetcam.com;;localhost;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {8DA5457F-A8AA-4CCF-A842-70E6FD274094} - C:\PROGRA~1\COMMON~1\WinTools\WToolsT.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Dimension4] C:\Program Files\D4\D4.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Uninstall_WinTools] C:\WINDOWS\Temp\WTuninst.exe /remove
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .cdx: C:\Program Files\Internet Explorer\plugins\Npcdn32.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security1.norton.com/SSC/SharedCont...bin/AvSniff.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200203...meInstaller.exe
O16 - DPF: {47F591A2-8783-11D2-8343-00A0C945A819} (RFXPlayer Class) - http://download.richfx.com/player/mediaver...st/twophase.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/26459da4bad57f0ef920/...ip/RdxIE601.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security1.norton.com/SSC/SharedCont...c/bin/cabsa.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{538996C2-E9E4-46DC-93D2-B497173C6D92}: NameServer = 128.122.253.92,128.122.253.37
O17 - HKLM\System\CCS\Services\Tcpip\..\{F125CC5A-3399-40A4-877B-AF97ABDE03EB}: Domain = wm.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = wm.edu
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = wm.edu
O20 - AppInit_DLLs: GWMHOOK.DLL
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: wineyes - C:\WINDOWS\SYSTEM32\welogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: Window-Eyes Professional (windoweyes) - Unknown owner - C:\WINEYES\WESERV.EXE

Please let me know if you see anything I need to remove, and also, if this is not how I get rid of this adwave garbage, does anyone know how?

thanks,
jane
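An added example, not code from the thread or from HijackThis itself: a small Python triage pass over lines copied from the log above. The rules it applies (an AppInit_DLLs entry, a Run entry launched from a Temp folder, an ActiveX download served from a bare IP address, a Winlogon Notify DLL outside an assumed Windows XP baseline, a BHO with no display name) mark lines for review rather than give verdicts; the function names and the baseline set are my assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed sample: lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {8DA5457F-A8AA-4CCF-A842-70E6FD274094} - C:\PROGRA~1\COMMON~1\WinTools\WToolsT.dll
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Uninstall_WinTools] C:\WINDOWS\Temp\WTuninst.exe /remove
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/26459da4bad57f0ef920/...ip/RdxIE601.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security1.norton.com/SSC/SharedCont...bin/AvSniff.cab
O20 - AppInit_DLLs: GWMHOOK.DLL
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: wineyes - C:\WINDOWS\SYSTEM32\welogon.dll
O23 - Service: Window-Eyes Professional (windoweyes) - Unknown owner - C:\WINEYES\WESERV.EXE
"""

# Assumed baseline: the Winlogon Notify DLLs a stock Windows XP SP2 install
# registers (the set visible in the l2mfix export later in this thread).
XP_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "wlnotify.dll", "sclgntfy.dll"}

LINE_RE = re.compile(r"^(?P<kind>[OR]\d+) - (?P<body>.*)$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _check(kind, body):
    """Return (severity, reason) for one log line, or None if nothing stands out."""
    if kind == "O2" and body.startswith("BHO: (no name)"):
        return "review", "BHO registered without a display name"
    if kind == "O4" and "] " in body:
        command = body.split("] ", 1)[1]          # text after "[EntryName] "
        if "\\temp\\" in command.lower():
            return "high", "Run entry launches a program from a Temp folder"
    if kind == "O16" and " - " in body:
        host = urlparse(body.rsplit(" - ", 1)[1]).hostname or ""
        if IPV4_RE.match(host):
            return "high", "DPF (ActiveX download) served from a bare IP address: " + host
    if kind == "O20" and body.startswith("AppInit_DLLs:"):
        dll = body.split(":", 1)[1].strip()
        if dll:
            return "high", "AppInit_DLLs loads into every process that uses user32.dll: " + dll
    if kind == "O20" and body.startswith("Winlogon Notify:"):
        name, _, dll = body[len("Winlogon Notify:"):].strip().partition(" - ")
        if _basename(dll) not in XP_NOTIFY_DLLS:
            return "review", "Winlogon Notify package '%s' outside the XP baseline: %s" % (name, dll)
    return None


def triage(log_text):
    """Walk a HijackThis log and collect the lines worth a second look."""
    findings = []
    for line in log_text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header, running-process list or blank line
        result = _check(m.group("kind"), m.group("body"))
        if result:
            severity, reason = result
            findings.append({"kind": m.group("kind"), "severity": severity,
                             "reason": reason, "line": line.strip()})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("[%s] %s\n    %s" % (f["severity"].upper(), f["reason"], f["line"]))
```

Both Winlogon Notify hits above are only "review" entries: the O23 line in the same log names a Window-Eyes service, so the wineyes package has a plausible owner, and NavLogon sits under the Norton path, which is why a baseline miss is a prompt to verify rather than something to delete.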


#2 Guest_Cretemonster_*


Posted 09 July 2005 - 04:04 PM

Hiya Janie and welcome to the Bleeping Computer!


I have an idea that this is the l2m infection, so download the l2m fix from here:

http://www.atribune.org/downloads/l2mfix.exe
or
http://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe.

Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop.

Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log.

Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until I ask you to.


If you receive any error messages for CMD or Autoexec.bat while running the l2mfix, select option 5 from the l2mfix and, once at the site, click on the link that applies to your operating system!

Double-click the file it downloads and extract the files to its predetermined System32 folder and try running the tool again!

#3 janie_a16


Posted 13 July 2005 - 12:49 PM

Sorry for taking so long, I've been out of town. Here is my log from the program you suggested:

L2MFIX find log 1.03
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
"DllName"="C:\\WINDOWS\\System32\\NavLogon.dll"
"Logoff"="NavLogoffEvent"
"StartShell"="NavStartShellEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wineyes]
"Logoff"="NotifyLogoff"
"DllName"="welogon.dll"
"Logon"="NotifyLogon"
"Unlock"="NotifyUnlock"
"Lock"="NotifyLock"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{950FF917-7A57-46BC-8017-59D9BF474000}"="Shell Extension for CDRW"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"

**********************************************************************************
HKEY ROOT CLASSIDS:
**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
browseui.dll Mon May 2 2005 4:52:34p A.... 1,019,904 996.00 K
cdfview.dll Mon May 2 2005 4:52:34p A.... 151,040 147.50 K
cdm.dll Thu May 26 2005 4:16:24a A.... 75,544 73.77 K
hhsetup.dll Thu May 26 2005 10:04:28p A.... 41,472 40.50 K
icm32.dll Tue Jun 28 2005 9:46:00p A.... 254,976 249.00 K
iepeers.dll Mon May 2 2005 4:52:34p A.... 250,880 245.00 K
inseng.dll Mon May 2 2005 4:52:34p A.... 96,256 94.00 K
itircl.dll Thu May 26 2005 10:04:28p A.... 155,136 151.50 K
itss.dll Thu May 26 2005 10:04:28p A.... 137,216 134.00 K
iuengine.dll Thu May 26 2005 4:16:24a A.... 198,424 193.77 K
mshtml.dll Mon May 2 2005 4:52:36p A.... 3,012,608 2.87 M
mshtmled.dll Mon May 2 2005 4:52:36p A.... 448,512 438.00 K
msi.dll Wed May 4 2005 2:45:32p A.... 2,890,240 2.75 M
msrating.dll Mon May 2 2005 4:52:36p A.... 146,432 143.00 K
pngfilt.dll Mon May 2 2005 4:52:36p A.... 39,424 38.50 K
shdocvw.dll Mon May 2 2005 4:52:36p A.... 1,483,776 1.41 M
shlwapi.dll Mon May 2 2005 4:52:36p A.... 473,600 462.50 K
urlmon.dll Mon May 2 2005 4:52:36p A.... 607,744 593.50 K
wininet.dll Mon May 2 2005 4:52:36p A.... 657,920 642.50 K
wuapi.dll Thu May 26 2005 4:16:30a A.... 465,176 454.27 K
wuaueng.dll Thu May 26 2005 4:16:30a A.... 1,343,768 1.28 M
wuaueng1.dll Thu May 26 2005 4:16:30a A.... 194,328 189.77 K
wucltui.dll Thu May 26 2005 4:16:30a A.... 127,256 124.27 K
wups.dll Thu May 26 2005 4:16:30a A.... 41,240 40.27 K
wups2.dll Thu May 26 2005 4:16:30a A.... 18,200 17.77 K
wuweb.dll Thu May 26 2005 4:16:30a A.... 173,536 169.47 K
xpsp3res.dll Mon May 16 2005 8:25:36p ..... 15,360 15.00 K

27 items found: 27 files, 0 directories.
Total of file sizes: 14,519,968 bytes 13.84 M
Locate .tmp files:

C:\WINDOWS\SYSTEM32\
set10e.tmp Tue Jun 28 2005 9:46:00p A.... 74,240 72.50 K

1 item found: 1 file, 0 directories.
Total of file sizes: 74,240 bytes 72.50 K
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is 6C3D-8A49

Directory of C:\WINDOWS\System32

06/24/2005 01:00 AM <DIR> dllcache
01/11/2002 10:05 PM <DIR> Microsoft
0 File(s) 0 bytes
2 Dir(s) 13,957,066,752 bytes free


Thank you so much in advance; I am SOOOO grateful. I am a poor med student and paying someone 100/hr to fix this is just not an option. Sincerely, Jane
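An added example, not part of the thread or of l2mfix: a Python parser for the Winlogon\Notify export above (regedit's "Version 5.00" format, including the hex(2) UTF-16LE values that regedit wraps with a trailing backslash). It lists each package's DLL and the logon events it hooks and compares the DLL against an assumed Windows XP baseline; the sample is an excerpt of that export, and the function names and baseline set are mine.

```python
import re

# Assumed baseline: the Notify DLLs a stock Windows XP SP2 install registers.
XP_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "wlnotify.dll", "sclgntfy.dll"}
EVENT_NAMES = {"logon", "logoff", "lock", "unlock", "startup", "shutdown", "startshell", "postshell",
               "screensaver", "startscreensaver", "stopscreensaver", "disconnect", "reconnect"}

# Constructed sample: an excerpt of the Winlogon\Notify export posted above.
SAMPLE_REG = r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
"DllName"="C:\\WINDOWS\\System32\\NavLogon.dll"
"Logoff"="NavLogoffEvent"
"StartShell"="NavStartShellEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wineyes]
"Logoff"="NotifyLogoff"
"DllName"="welogon.dll"
"Logon"="NotifyLogon"
"Unlock"="NotifyUnlock"
"Lock"="NotifyLock"
"""

VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')
HEX_RE = re.compile(r"^hex(?:\((?P<type>[0-9a-fA-F]+)\))?:(?P<bytes>.*)$")


def _join_continuations(lines):
    """Glue lines that end in a backslash (regedit wraps long hex values that way)."""
    out, pending = [], ""
    for raw in lines:
        line = raw.rstrip()
        if pending:
            line = pending + line.lstrip()
            pending = ""
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        out.append(line)
    return out


def _decode(data):
    """Turn the textual value of a .reg line into a Python value."""
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        return re.sub(r"\\(.)", r"\1", data[1:-1])   # un-escape \\ and \"
    if data.startswith("dword:"):
        return int(data[len("dword:"):], 16)
    m = HEX_RE.match(data)
    if m:
        raw = bytes(int(b, 16) for b in m.group("bytes").split(",") if b.strip())
        if m.group("type") in ("2", "7"):  # REG_EXPAND_SZ / REG_MULTI_SZ: UTF-16LE text
            return raw.decode("utf-16-le").rstrip("\x00")
        return raw                          # plain hex: REG_BINARY
    return data


def parse_notify_export(text):
    """Map each Winlogon\\Notify package name to its values (value names lower-cased)."""
    packages, current = {}, None
    for line in _join_continuations(text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            parts = line[1:-1].split("\\")
            current = parts[-1] if len(parts) > 1 and parts[-2].lower() == "notify" else None
            if current is not None:
                packages[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            packages[current][m.group("name").lower()] = _decode(m.group("data"))
    return packages


def review(packages):
    """For each package: its DLL, the Winlogon events it hooks, and whether the DLL is baseline."""
    rows = []
    for name, values in packages.items():
        dll = str(values.get("dllname", ""))
        rows.append({"package": name, "dll": dll,
                     "events": sorted(k for k in values if k in EVENT_NAMES),
                     "baseline": dll.rsplit("\\", 1)[-1].lower() in XP_NOTIFY_DLLS})
    return rows


def non_baseline(text):
    """Package names whose DLL is not part of the assumed XP baseline."""
    return [r["package"] for r in review(parse_notify_export(text)) if not r["baseline"]]


if __name__ == "__main__":
    for r in review(parse_notify_export(SAMPLE_REG)):
        flag = "baseline" if r["baseline"] else "REVIEW"
        print("%-14s %-36s %-8s hooks: %s" % (r["package"], r["dll"], flag, ", ".join(r["events"])))
```

On the full export above, the same check returns NavLogon and wineyes; the wineyes package name matches the Window-Eyes service in the O23 line of the first HijackThis log, so a non-baseline hit is a prompt to verify the DLL's owner, not a verdict.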

#4 Guest_Cretemonster_*


Posted 13 July 2005 - 12:53 PM

OK, do me a huge favor!!

The l2mfix has been updated as of yesterday, I believe!

Remove the copy you have and any folders it created and use the same link and download and run just as instructed before!

Let's see the new log.

#5 janie_a16


Posted 14 July 2005 - 12:17 AM

I downloaded the program and ran the log on 7/13 (same day as the above post). Should I try to redo it tomorrow? Or is the above log OK? I totally don't mind redoing it, but from what you're saying it sounds like mine is the updated one.

thanks, jane

#6 Guest_Cretemonster_*


Posted 14 July 2005 - 07:49 AM

That is the later version, but I really don't see the point in trying to find the new one now!

Let's continue with what we have, and I apologize for the delay!


Close any programs you have open since this step requires a reboot.


From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer.

After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log.

Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder until you are asked to do so!



Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!

Download and Install
CleanUp!
Don't use it yet!

Reboot into SAFE MODE(Tap F8 when restarting)
Here is a link on how to boot into Safe Mode:
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

Run Cleanup; when prompted to log off >> Select No

Scan the PC with Ewido just as described in the link; make sure to Save the Report

Scan the System with Ad-Aware, remove everything it finds and delete all quarantine files!

Run MSCONFIG and enable everything in the startup area. To get to MSCONFIG, click on Start -> Run -> type in MSCONFIG -> click OK!

Under the "General" Tab
Make Sure Normal Startup is Checked!!

Click Apply>>OK>>Follow the Prompts to Restart!!

Restart Normal and have the PC Scanned here:
Kaspersky

You will need to be using Internet Explorer for the Scan to work!

Save the Report it generates


Download the Hoster from here:
http://www.funkytoad.com/download/hoster.zip
Press "Restore Original Hosts" and press "OK"!
Exit Program!


Post back with a fresh HijackThis log and the reports from Ewido and Kaspersky!

#7 janie_a16


Posted 15 July 2005 - 12:32 PM

So I am halfway through your instructions. I am stuck on the download "Cleanup!" step since the link on the page you posted is not allowing me to download the program. I tried googling the program but since it is such a generic name I got a million results and I didn't know which one to select. Could you please find another link for that program? (Sorry.)

Here are the first logs you requested (l2mfix log for Run Fix and HijackThis log). I have downloaded and updated both Ewido and Ad-Aware SE 1.06 and haven't run either, so I'll hold off until I hear back from you on the CleanUp!

HERE IS MY l2mfix.bat LOG:

L2Mfix 1.03a

Running From:
C:\Documents and Settings\default\Desktop\l2mfix



RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting registry permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Denying C(CI) access for predefined group "Administrators"
- adding new ACCESS DENY entry


Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- BUILTIN\Administrators
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting up for Reboot


Starting Reboot!

C:\Documents and Settings\default\Desktop\l2mfix
System Rebooted!

Running From:
C:\Documents and Settings\default\Desktop\l2mfix

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 2296 'explorer.exe'
Killing PID 2296 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Error, Cannot find a process with an image name of rundll32.exe

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!

Zipping up files for submission:
adding: clear.reg (164 bytes security) (deflated 2%)
adding: echo.reg (164 bytes security) (deflated 9%)
adding: 12mfixlog.txt (164 bytes security) (deflated 72%)
adding: direct.txt (164 bytes security) (stored 0%)
adding: lo2.txt (164 bytes security) (deflated 70%)
adding: readme.txt (164 bytes security) (deflated 49%)
adding: report.txt (164 bytes security) (deflated 72%)
adding: test.txt (164 bytes security) (stored 0%)
adding: test2.txt (164 bytes security) (stored 0%)
adding: test3.txt (164 bytes security) (stored 0%)
adding: test5.txt (164 bytes security) (stored 0%)
adding: backregs/shell.reg (164 bytes security) (deflated 61%)

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!


Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful


The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
"DllName"="C:\\WINDOWS\\System32\\NavLogon.dll"
"Logoff"="NavLogoffEvent"
"StartShell"="NavStartShellEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wineyes]
"Logoff"="NotifyLogoff"
"DllName"="welogon.dll"
"Logon"="NotifyLogon"
"Unlock"="NotifyUnlock"
"Lock"="NotifyLock"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


The following are the files found:
****************************************************************************

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************

AND HERE IS MY HijackThis LOG:


Logfile of HijackThis v1.99.1
Scan saved at 12:47:27 PM, on 7/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\ScsiAccess.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\atiptaxx.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\D4\D4.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\default\Desktop\everything\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = dynhost.inetcam.com;register.inetcam.com;;localhost;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {8DA5457F-A8AA-4CCF-A842-70E6FD274094} - C:\PROGRA~1\COMMON~1\WinTools\WToolsT.dll (file missing)
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Dimension4] C:\Program Files\D4\D4.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .cdx: C:\Program Files\Internet Explorer\plugins\Npcdn32.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security1.norton.com/SSC/SharedCont...bin/AvSniff.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200203...meInstaller.exe
O16 - DPF: {47F591A2-8783-11D2-8343-00A0C945A819} (RFXPlayer Class) - http://download.richfx.com/player/mediaver...st/twophase.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/26459da4bad57f0ef920/...ip/RdxIE601.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security1.norton.com/SSC/SharedCont...c/bin/cabsa.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{538996C2-E9E4-46DC-93D2-B497173C6D92}: NameServer = 128.122.253.92,128.122.253.37
O17 - HKLM\System\CCS\Services\Tcpip\..\{F125CC5A-3399-40A4-877B-AF97ABDE03EB}: Domain = wm.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = wm.edu
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = wm.edu
O20 - AppInit_DLLs: GWMHOOK.DLL
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: wineyes - C:\WINDOWS\SYSTEM32\welogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: Window-Eyes Professional (windoweyes) - Unknown owner - C:\WINEYES\WESERV.EXE



THANKS AGAIN! -Jane
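
The log above is the kind of thing helpers in this forum read by eye. As an added example that is not part of the thread and not code from HijackThis or BleepingComputer, the script below parses HijackThis-style `Oxx - ...` lines and produces a review list: orphaned entries whose target file is gone, `AppInit_DLLs` and `Winlogon Notify` DLLs, services with no publisher, custom `NameServer` settings, and autoruns given without a full path. The sample input is a constructed subset of the lines from the log posted above; the section names and reason strings are my own choices. The output is a list of items to verify, not a verdict: the `wineyes` Winlogon Notify entry, for instance, sits beside a Window-Eyes screen-reader service in the same log and is very likely legitimate.

```python
import re
from dataclasses import dataclass

# Constructed sample: a subset of the HijackThis lines posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {8DA5457F-A8AA-4CCF-A842-70E6FD274094} - C:\PROGRA~1\COMMON~1\WinTools\WToolsT.dll (file missing)
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O17 - HKLM\System\CCS\Services\Tcpip\..\{538996C2-E9E4-46DC-93D2-B497173C6D92}: NameServer = 128.122.253.92,128.122.253.37
O20 - AppInit_DLLs: GWMHOOK.DLL
O20 - Winlogon Notify: wineyes - C:\WINDOWS\SYSTEM32\welogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
"""

# Every HijackThis entry starts with a section code (R0, R1, O2, O23, ...)
# followed by " - " and the entry body.
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")
DRIVE_PATH_RE = re.compile(r"[A-Za-z]:\\")


@dataclass
class Finding:
    section: str
    line: str
    reason: str


def parse_entries(log_text):
    """Return (section, body, full_line) for every well-formed entry line."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("section"), m.group("body"), line))
    return entries


def triage(log_text):
    """Apply simple review rules (my own, not HijackThis's) to each entry."""
    findings = []
    for section, body, line in parse_entries(log_text):
        if "(file missing)" in body or "(no file)" in body:
            reason = "orphaned reference: target file is gone, safe to clean up"
        elif section == "O20" and body.startswith("AppInit_DLLs:"):
            reason = "AppInit_DLLs is loaded into every user-mode process; verify the DLL"
        elif section == "O20" and body.startswith("Winlogon Notify:"):
            reason = "Winlogon Notify DLL runs at logon; verify the vendor"
        elif section == "O23" and "Unknown owner" in body:
            reason = "service with no publisher information; confirm what installed it"
        elif section == "O17" and "NameServer" in body:
            reason = "custom DNS servers; confirm they belong to the expected provider"
        elif section == "O4" and not DRIVE_PATH_RE.search(body.split("]", 1)[-1]):
            reason = "autorun without a full path; resolved through the search path"
        else:
            continue
        findings.append(Finding(section, line, reason))
    return findings


def summarize(findings):
    """Count findings per HijackThis section code."""
    counts = {}
    for f in findings:
        counts[f.section] = counts.get(f.section, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.section}] {f.reason}\n    {f.line}")
    print("per section:", summarize(results))
```

Entries that match no rule (the Acrobat BHO, the InCD autorun, the Symantec service) are left out of the list, so the helper only has to look at the handful of lines that need a decision.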

#8 Guest_Cretemonster_*

  • Guests

Posted 15 July 2005 - 02:06 PM

Sorry about that, here is a link that works
CleanUp! 4.0:
http://downloads.stevengould.org/cleanup/CleanUp40.exe


I also need to get another Scan of the System, please!

Download WinPFind:
http://www.bleepingcomputer.com/files/winpfind.php

Right Click the Zip Folder and Select "Extract All"

Don't use it yet!

Restart in Safe Mode

Doubleclick WinPFind.exe and Click "Start Scan"

It will scan the entire System, so please be patient!

Once the Scan is Complete-> Locate WinPFind.txt back in the WinPFind Folder!



Post those Results once complete!

#9 janie_a16

  • Topic Starter
  • Members
  • 15 posts

Posted 15 July 2005 - 04:26 PM

OK, so now I have CleanUp and I downloaded WinPFind; next I'm going to do all the scans in safe mode. But I wanted to ask what order you want WinPFind done in? You gave me the following steps previously:

1. reboot in safe mode
2. run cleanup
3. run Ewido and save report
4. run adaware and remove all and delete quarantined files
5. msconfig and enable everything in the startup
6. restart normal
7. install and scan with kaspersky and save report
8. download hoster.
9. post back hijackthis log and ewido and kaspersky reports.

when should i do winPfind?

Thanks, Jane

#10 Guest_Cretemonster_*

  • Guests

Posted 15 July 2005 - 06:23 PM

Ahhh....I see I am just full of brain farts today!

My apologies again! :thumbsup:

Run WinPFind Right After Ad Aware please!

Thanks so much for catching that!

#11 janie_a16

  • Topic Starter
  • Members
  • 15 posts

Posted 18 July 2005 - 11:40 AM

So I think I did everything. The logs and reports are posted below, but I wanted to tell you that when I started up normally after doing things in safe mode my computer gave me the following error:

RUNDLL:

Error loading C:\PROGRA~1\NEWDOT~\NEWDOT~1.DLL

The specified module could not be found.

Also, a couple of registration things came up and my system tray (not sure if that's the right term, in the lower right-hand corner of the screen) was completely filled with icons for Corel, etc. which weren't there before. Is that normal?

OK, moving on, here is the ewido report, the WinPFind report, the Kaspersky scan, and the new HijackThis log:



---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 10:15:48 PM, 7/17/2005
+ Report-Checksum: AF03B08

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{8DA5457F-A8AA-4CCF-A842-70E6FD274094} -> Spyware.HuntBar : Cleaned without backup
HKLM\SOFTWARE\Classes\Interface\{4438A5DC-E00B-41A0-B0E6-B63FD3B86EEE} -> Spyware.NetworkEssentials : Cleaned without backup
HKLM\SOFTWARE\Classes\PROTOCOLS\Name-Space Handler\res -> Spyware.WebSearch : Cleaned without backup
HKLM\SOFTWARE\Classes\TypeLib\{4767C447-EF15-42F2-8809-68ADB7FA76F1} -> Spyware.NetworkEssentials : Cleaned without backup
HKLM\SOFTWARE\DelFin -> Spyware.Delfin : Cleaned without backup
HKLM\SOFTWARE\DelFin\PromulGate -> Spyware.Delfin : Cleaned without backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8DA5457F-A8AA-4CCF-A842-70E6FD274094} -> Spyware.HuntBar : Cleaned without backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\AUI -> Spyware.WebSearch : Cleaned without backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\STO -> Spyware.WebSearch : Cleaned without backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DelFin Media Viewer -> Spyware.Delfin : Cleaned without backup
HKLM\SOFTWARE\Toolbar -> Spyware.WebSearch : Cleaned without backup
HKLM\SOFTWARE\Toolbar\PlugIns -> Spyware.WebSearch : Cleaned without backup
HKLM\SOFTWARE\Toolbar\PlugIns\COMMON -> Spyware.WebSearch : Cleaned without backup
HKLM\SOFTWARE\WinTools -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\WinTools\nlibx4m -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\WinTools\nlibx4m\1q -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\WinTools\nlibx4m\et -> Spyware.WebSearch : Error during cleaning
:mozilla.286:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned without backup
:mozilla.287:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned without backup
:mozilla.288:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.289:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned without backup
:mozilla.290:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned without backup
:mozilla.298:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned without backup
:mozilla.304:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.Questionmarket : Cleaned without backup
:mozilla.314:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned without backup
:mozilla.315:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned without backup
:mozilla.316:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned without backup
:mozilla.317:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned without backup
:mozilla.318:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned without backup
:mozilla.319:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned without backup
:mozilla.320:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned without backup
:mozilla.321:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned without backup
:mozilla.322:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned without backup
:mozilla.323:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned without backup
:mozilla.324:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned without backup
:mozilla.325:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned without backup
:mozilla.326:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned without backup
:mozilla.327:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned without backup
:mozilla.328:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned without backup
:mozilla.329:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned without backup
:mozilla.330:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned without backup
:mozilla.331:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned without backup
:mozilla.332:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned without backup
:mozilla.333:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned without backup
:mozilla.334:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned without backup
:mozilla.335:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned without backup
:mozilla.336:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned without backup
:mozilla.337:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned without backup
:mozilla.338:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned without backup
:mozilla.339:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned without backup
:mozilla.340:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned without backup
:mozilla.341:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned without backup
:mozilla.342:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned without backup
:mozilla.343:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned without backup
:mozilla.344:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned without backup
:mozilla.345:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned without backup
:mozilla.346:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned without backup
:mozilla.347:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned without backup
:mozilla.348:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned without backup
:mozilla.349:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned without backup
:mozilla.350:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned without backup
:mozilla.351:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned without backup
:mozilla.352:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned without backup
:mozilla.353:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned without backup
:mozilla.354:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned without backup
:mozilla.355:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned without backup
:mozilla.356:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned without backup
:mozilla.357:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned without backup
:mozilla.360:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned without backup
:mozilla.361:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned without backup
:mozilla.362:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned without backup
:mozilla.363:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned without backup
:mozilla.364:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned without backup
:mozilla.365:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned without backup
:mozilla.366:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned without backup
:mozilla.367:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned without backup
:mozilla.368:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned without backup
:mozilla.369:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned without backup
:mozilla.370:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned without backup
:mozilla.371:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned without backup
:mozilla.372:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned without backup
:mozilla.373:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned without backup
:mozilla.374:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned without backup
:mozilla.375:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.376:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned without backup
:mozilla.377:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned without backup
:mozilla.378:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned without backup
:mozilla.379:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned without backup
:mozilla.380:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned without backup
:mozilla.381:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned without backup
:mozilla.382:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned without backup
:mozilla.383:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned without backup
:mozilla.384:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned without backup
:mozilla.385:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned without backup
:mozilla.386:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned without backup
:mozilla.387:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned without backup
:mozilla.388:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned without backup
:mozilla.389:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned without backup
:mozilla.390:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned without backup
:mozilla.391:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned without backup
:mozilla.392:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned without backup
:mozilla.393:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned without backup
:mozilla.394:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned without backup
:mozilla.395:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned without backup
:mozilla.396:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned without backup
:mozilla.397:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned without backup
:mozilla.398:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned without backup
:mozilla.399:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned without backup
:mozilla.400:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned without backup
:mozilla.401:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned without backup
:mozilla.402:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned without backup
:mozilla.403:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned without backup
:mozilla.404:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned without backup
:mozilla.405:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned without backup
:mozilla.406:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned without backup
:mozilla.407:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned without backup
:mozilla.408:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned without backup
:mozilla.409:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned without backup
:mozilla.410:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned without backup
:mozilla.411:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.Centrport : Cleaned without backup
:mozilla.412:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.Centrport : Cleaned without backup
:mozilla.413:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.Centrport : Cleaned without backup
:mozilla.414:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.Centrport : Cleaned without backup
:mozilla.422:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.Overture : Cleaned without backup
:mozilla.423:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.Overture : Cleaned without backup
:mozilla.430:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.Bluestreak : Cleaned without backup
:mozilla.444:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned without backup
:mozilla.445:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned without backup
:mozilla.446:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned without backup
:mozilla.447:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned without backup
:mozilla.448:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned without backup
:mozilla.462:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned without backup
:mozilla.463:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned without backup
:mozilla.464:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned without backup
:mozilla.476:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned without backup
:mozilla.477:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned without backup
:mozilla.478:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned without backup
:mozilla.479:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned without backup
:mozilla.480:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.Coremetrics : Cleaned without backup
:mozilla.481:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.Hitslink : Cleaned without backup
:mozilla.482:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.Hitslink : Cleaned without backup
:mozilla.483:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.Hitslink : Cleaned without backup
:mozilla.484:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.Hitslink : Cleaned without backup
:mozilla.485:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.Hitslink : Cleaned without backup
:mozilla.486:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.Hitslink : Cleaned without backup
:mozilla.487:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.Hitslink : Cleaned without backup
:mozilla.488:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.Hitslink : Cleaned without backup
:mozilla.495:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.Overture : Cleaned without backup
:mozilla.507:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.Linksynergy : Cleaned without backup
:mozilla.508:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.Linksynergy : Cleaned without backup
:mozilla.528:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.Bridgetrack : Cleaned without backup
:mozilla.559:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.Bfast : Cleaned without backup
:mozilla.565:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned without backup
:mozilla.574:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned without backup
:mozilla.576:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned without backup
:mozilla.596:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.247realmedia : Cleaned without backup
:mozilla.599:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned without backup
:mozilla.603:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.Coremetrics : Cleaned without backup
:mozilla.618:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned without backup
:mozilla.644:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned without backup
:mozilla.673:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned without backup
:mozilla.709:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned without backup
:mozilla.712:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned without backup
:mozilla.755:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned without backup
:mozilla.756:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned without backup
:mozilla.757:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned without backup
:mozilla.762:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.Commission-junction : Cleaned without backup
:mozilla.763:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.Commission-junction : Cleaned without backup
:mozilla.790:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned without backup
:mozilla.803:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned without backup
:mozilla.804:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned without backup
:mozilla.806:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned without backup
:mozilla.809:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned without backup
:mozilla.813:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned without backup
:mozilla.814:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned without backup
:mozilla.815:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned without backup
:mozilla.846:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned without backup
:mozilla.847:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned without backup
:mozilla.919:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.Targetnet : Cleaned without backup
:mozilla.923:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.Valuead : Cleaned without backup
:mozilla.924:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.Valuead : Cleaned without backup
:mozilla.929:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned without backup
:mozilla.931:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned without backup
:mozilla.935:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\xyj99ig5.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned without backup
C:\Documents and Settings\default\Desktop\everything\SMS-Stadt.exe -> Dialer.Generic : Cleaned without backup
C:\Program Files\MediaLoads\v1\ML.exe -> Spyware.DownloadWare : Cleaned without backup
C:\WINDOWS\fmpmfgfc.dll -> TrojanDownloader.Lemmy.u : Cleaned without backup
C:\WINDOWS\NDNuninstall4_50.exe -> Spyware.NewDotNet : Cleaned without backup
C:\WINDOWS\NDNuninstall4_80.exe -> Spyware.NewDotNet : Cleaned without backup
C:\WINDOWS\NDNuninstall5_20.exe -> Spyware.NewDotNet : Cleaned without backup
C:\WINDOWS\NDNuninstall5_64.exe -> Spyware.NewDotNet : Cleaned without backup
C:\WINDOWS\NDNuninstall6_10.exe -> Spyware.NewDotNet : Cleaned without backup
C:\WINDOWS\NDNuninstall6_22.exe -> Spyware.NewDotNet : Cleaned without backup


::Report End
WinPFind report:

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "not responding" you can ignore it. Windows is throwing this message up even though the program is still running. As long as the hard disk is working then the program is running.

Files found

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
aspack C:\WINDOWS\01_P5.scr
aspack C:\WINDOWS\flashax.exe

Checking %System% folder...
PEC2 C:\WINDOWS\system32\dfrg.msc
aspack C:\WINDOWS\system32\jesterss.dll
PECompact2 C:\WINDOWS\system32\MRT.exe
aspack C:\WINDOWS\system32\MRT.exe
aspack C:\WINDOWS\system32\ntdll.dll
Umonitor C:\WINDOWS\system32\rasdlg.dll

Checking %System%\Drivers folder and sub-folders...
PTech C:\WINDOWS\system32\drivers\mtlstrm.sys

Checking the Windows folder for system and hidden files within the last 60 days...
6/23/2005 C:\WINDOWS\inf\oem38.inf
6/5/2005 C:\WINDOWS\Minidump\Mini060505-01.dmp
6/24/2005 C:\WINDOWS\Minidump\Mini062405-01.dmp
6/28/2005 C:\WINDOWS\Minidump\Mini062805-01.dmp
7/17/2005 C:\WINDOWS\system32\config\default.LOG
7/17/2005 C:\WINDOWS\system32\config\SAM.LOG
7/17/2005 C:\WINDOWS\system32\config\SECURITY.LOG
7/17/2005 C:\WINDOWS\system32\config\software.LOG
7/17/2005 C:\WINDOWS\system32\config\system.LOG
7/13/2005 C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT.LOG
7/14/2005 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\76f35669-2f0c-4959-aedd-2d8f8032956f
7/14/2005 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
7/17/2005 C:\WINDOWS\Tasks\SA.DAT

Checking Global Startup

Checking %ALLUSERSPROFILE%\Startup folder...

Checking %ALLUSERSPROFILE%\Application Data folder...

Checking %USERPROFILE%\Startup folder...

Checking %USERPROFILE%\Application Data folder...

Registry Entries Found

*\shellex\ContextMenuHandlers
*\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Documents and Settings\default\Desktop\everything\security suite\context.dll
*\shellex\ContextMenuHandlers\LDVPMenu
{BDA77241-42F6-11d0-85E2-00AA001FE28C} = C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll
*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin =
*\shellex\ContextMenuHandlers\{B95057E0-44DB-11CE-A5D1-00608C83BD3F}
=

SOFTWARE\Classes\Folder\shellex\ColumnHandlers
SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ATIModeChange Ati2mdxx.exe
AtiPTA atiptaxx.exe
InCD C:\Program Files\Ahead\InCD\InCD.exe
Dimension4 C:\Program Files\D4\D4.exe
TkBellExe "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
QD FastAndSafe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
MSMSGS "C:\Program Files\Messenger\msmsgs.exe" /background

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon
= C:\WINDOWS\System32\NavLogon.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wineyes
= welogon.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\PostBootReminder
{7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\WebCheck
{E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysTray
{35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\CDBurn
{fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\apitrap.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ASSTE.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVSTE.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Cleanup.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cqw32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\divx.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\divxdec.ax
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DJSMAR00.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DRMINST.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\enc98.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EncodeDivXExt.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EncryptPatchVer.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\f32main.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\front.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fullsoft.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GBROWSER.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\htmlmarq.ocx
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\htmlmm.ocx
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ishscan.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ISSTE.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\javai.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\jvm.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\jvm_g.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\main123w.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mngreg32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msci_uno.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mscoree.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mscorsvr.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mscorwks.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msjava.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mso.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVOPTRF.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NeVideoFX.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NPMLIC.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NSWSTE.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\photohse.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PMSTE.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ppw32hlp.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\printhse.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\prwin8.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ps80.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\psdmt.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qfinder.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qpw.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Salwrap.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sevinst.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\symlcnet.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tcore_ebook.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TFDTCTT8.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ua80.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\udtapi.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ums.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vb40032.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vbe6.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wpwin8.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xlmlEN.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xwsetup.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_INSTPGM.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
UserInit C:\WINDOWS\system32\userinit.exe,
Shell Explorer.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs GWMHOOK.DLL

Scan Complete
WinPFind v1.0.0.8 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Kaspersky scan:

-------------------------------------------------------------------------------
KASPERSKY ANTI-VIRUS WEB SCANNER REPORT
Monday, July 18, 2005 12:23:04
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Anti-Virus Web Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 18/07/2005
Kaspersky Anti-Virus database records: 130889
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 53238
Number of viruses found: 2
Number of infected objects: 3
Number of suspicious objects: 0
Duration of the scan process: 3705 sec

Infected Object Name - Virus Name
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\09680000.VBN Infected: Exploit.HTML.Mht
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\09680001.VBN Infected: Exploit.HTML.Mht
C:\System Volume Information\_restore{C82027D2-CED2-45AE-84A3-B921DBC12390}\RP227\A0044767.dll Infected: Trojan-Downloader.Win32.Lemmy.u

Scan process completed.

And the new HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 12:26:25 PM, on 7/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\NavNT\defwatch.exe
C:\Documents and Settings\default\Desktop\everything\security suite\ewidoctrl.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\ScsiAccess.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\atiptaxx.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\D4\D4.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\NavNT\vptray.exe
C:\toshiba\sysstability\tsyssmon.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\EXSHOW95.EXE
C:\WINDOWS\System32\CePMTray.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\default\Desktop\everything\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = dynhost.inetcam.com;register.inetcam.com;;localhost;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Dimension4] C:\Program Files\D4\D4.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QD FastAndSafe] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [webHancer Survey Companion] C:\Program Files\whInstall\WhSurvey.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TSysSMon] c:\toshiba\sysstability\tsyssmon.exe /detect
O4 - HKLM\..\

#12 Guest_Cretemonster_*

  • Guests

Posted 18 July 2005 - 03:47 PM

Well, half of the post got cut off, so we will work with what I can see and deal with anything else in the next post!

Configure Windows to Show All Hidden Files and Folders
Here is a link to help with that:
http://www.bleepingcomputer.com/forums/ind...showtutorial=62

Go to Add\Remove Programs and Remove these if they exist there

WinTools
Webhancer
Locate and Delete

C:\WINDOWS\kaztvdtq.exe<< File

C:\Program Files\whInstall<< Folder

C:\Program Files\Common Files\WinTools<< Folder

C:\Program Files\NEWDOTNET<< Folder
Open HijackThis and put a check next to these

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = dynhost.inetcam.com;register.inetcam.com;;localhost;<local>

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - Default URLSearchHook is missing

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [QD FastAndSafe] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe

O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe

O4 - HKLM\..\Run: [webHancer Survey Companion] C:\Program Files\whInstall\WhSurvey.exe

O4 - HKLM\..\Run: [qdvlijjq] C:\WINDOWS\kaztvdtq.exe

O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s

Make sure all Windows and Browsers are Closed and Click "Fix Checked"!!

Post back with a fresh HijackThis log!
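For the "Fix checked" step above, here is an added example (my own, not HijackThis code and not the posters'): it parses the O4 Run lines of a HijackThis log, diffs a before and an after log to show which autostart entries the fix removed, and flags any remaining entry that still points into the folders named for deletion. The two log excerpts inside it are constructed from lines quoted in this thread.

```python
r"""Compare two HijackThis logs and triage their O4 Run entries.

Added example for this thread, not code from HijackThis or from the
posters. It reads 'O4 - HKLM\..\Run: [name] command' lines from a
'before' log and an 'after' log, reports which autostart entries the
'Fix checked' step removed, and flags entries whose command still
references a folder or file the helper asked to delete by hand.
"""
import re

# Constructed excerpt of the log posted before the fix (12:26 PM, 7/18/2005),
# plus the two entries from the cut-off part the helper quoted in the reply.
BEFORE_LOG = r"""
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QD FastAndSafe] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [webHancer Survey Companion] C:\Program Files\whInstall\WhSurvey.exe
O4 - HKLM\..\Run: [qdvlijjq] C:\WINDOWS\kaztvdtq.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
"""

# Constructed excerpt of the log posted after the fix (5:21 PM, 7/18/2005).
AFTER_LOG = r"""
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
"""

# Folder and file names the helper asked to delete. Matching is
# case-insensitive on the final path component so that 8.3 short names
# (PROGRA~1\COMMON~1\WinTools, NEWDOT~1) are still caught.
SUSPECT_MARKERS = ("\\wintools\\", "\\whinstall\\", "\\newdot", "kaztvdtq.exe")

# One O4 Run line: hive, key (Run, RunOnce, ...), value name, command.
O4_RUN = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): "
    r"\[(?P<name>[^\]]+)\] ?(?P<cmd>.*)$"
)


def parse_run_entries(log):
    """Return {(hive, key, name): command} for every O4 Run line in a log."""
    entries = {}
    for line in log.splitlines():
        m = O4_RUN.match(line.strip())
        if m:
            entries[(m["hive"], m["key"], m["name"])] = m["cmd"]
    return entries


def diff_run_entries(before_log, after_log):
    """Return (removed, added): sorted (hive, key, name) keys that changed."""
    before = parse_run_entries(before_log)
    after = parse_run_entries(after_log)
    removed = sorted(k for k in before if k not in after)
    added = sorted(k for k in after if k not in before)
    return removed, added


def flag_suspect_entries(log, markers=SUSPECT_MARKERS):
    """Sorted names of O4 Run entries whose command references a suspect path."""
    flagged = []
    for (_hive, _key, name), cmd in parse_run_entries(log).items():
        lowered = cmd.lower()
        if any(marker in lowered for marker in markers):
            flagged.append(name)
    return sorted(flagged)


if __name__ == "__main__":
    removed, added = diff_run_entries(BEFORE_LOG, AFTER_LOG)
    print("Removed by the fix:", [k[2] for k in removed])
    print("New since the fix :", [k[2] for k in added])
    print("Still suspect     :", flag_suspect_entries(AFTER_LOG) or "none")
```

An entry that shows up as "new since the fix" (here the QuickTime Task line) is not automatically bad; it is simply one to look up before the next round.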

#13 janie_a16 (Topic Starter)

  • Members
  • 15 posts

Posted 18 July 2005 - 04:27 PM

I couldn't find WinTools and Webhancer. Also, I went into My Computer to show hidden files and I did find NewDotNet, but I couldn't find the following:

C:\WINDOWS\kaztvdtq.exe<< File

C:\Program Files\whInstall<< Folder

C:\Program Files\Common Files\WinTools<< Folder

Here is my new hijack this log:

Logfile of HijackThis v1.99.1
Scan saved at 5:21:03 PM, on 7/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\NavNT\defwatch.exe
C:\Documents and Settings\default\Desktop\everything\security suite\ewidoctrl.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\ScsiAccess.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\atiptaxx.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\D4\D4.exe
C:\Program Files\NavNT\vptray.exe
C:\toshiba\sysstability\tsyssmon.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\EXSHOW95.EXE
C:\WINDOWS\System32\CePMTray.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Documents and Settings\default\Desktop\everything\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Dimension4] C:\Program Files\D4\D4.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TSysSMon] c:\toshiba\sysstability\tsyssmon.exe /detect
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pinger] C:\Toshiba\ivp\ISM\pinger.exe /run
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [EXSHOW95.EXE] EXSHOW95.EXE
O4 - HKLM\..\Run: [CPATR10] C:\PROGRA~1\EzButton\CPATR10.EXE
O4 - HKLM\..\Run: [CeEPOWER] C:\WINDOWS\System32\CePMTray.exe
O4 - HKLM\..\Run: [CeEKey.exe] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - Startup: Corel Registration.lnk = C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Corel Registration.lnk = C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
O4 - Global Startup: CorelCENTRAL 9.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\ccwin9.exe
O4 - Global Startup: CorelCENTRAL Alarms.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\alarm.exe
O4 - Global Startup: Desktop Application Director 9.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\dad9.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\6.1.4.37-7288971L\Program\runner.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .cdx: C:\Program Files\Internet Explorer\plugins\Npcdn32.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kav...can_unicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security1.norton.com/SSC/SharedCont...bin/AvSniff.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200203...meInstaller.exe
O16 - DPF: {47F591A2-8783-11D2-8343-00A0C945A819} (RFXPlayer Class) - http://download.richfx.com/player/mediaver...st/twophase.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/26459da4bad57f0ef920/...ip/RdxIE601.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security1.norton.com/SSC/SharedCont...c/bin/cabsa.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{538996C2-E9E4-46DC-93D2-B497173C6D92}: NameServer = 128.122.253.92,128.122.253.37
O17 - HKLM\System\CCS\Services\Tcpip\..\{F125CC5A-3399-40A4-877B-AF97ABDE03EB}: Domain = wm.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = wm.edu
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = wm.edu
O20 - AppInit_DLLs: GWMHOOK.DLL
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: wineyes - C:\WINDOWS\SYSTEM32\welogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Documents and Settings\default\Desktop\everything\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Documents and Settings\default\Desktop\everything\security suite\ewidoguard.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: Window-Eyes Professional (windoweyes) - Unknown owner - C:\WINEYES\WESERV.EXE

#14 Guest_Cretemonster_*

  • Guests

Posted 21 July 2005 - 06:28 AM

I am so sorry about this delay!

Some health issues came up and to be honest I lost track of everything!

That last HijackThis log looks good!

Is the PC acting any better and have you noticed any issues you can tell me about?

#15 janie_a16 (Topic Starter)

  • Members
  • 15 posts

Posted 21 July 2005 - 10:29 AM

Oh my gosh, I'm so sorry to hear that; I hope things are better now? Anyway, I haven't had any trouble at all, but I wanted to ask a quick question. I went through all of this and obviously had you invest a lot of your time; what can I do in the future (as far as maintenance scans etc., which ones and how often) to prevent this stuff from occurring again? I have Norton AntiVirus; should I buy a firewall?

Also, I just installed software for my new MP3 player (Creative Labs). Is it possible that that included new spyware? (I already deleted all the AOL links and offers they put in, but I wouldn't know what else to look for.)

Thanks so much, and I hope you are feeling much, much better. Maybe four years from now, when I am quasi-knowledgeable, I can help you with health advice in return for your invaluable computer skills, lol. :thumbsup:

Best wishes and thanks again,
Jane
