
Hijack This Log File


21 replies to this topic

#1 Darkstar765

Posted 05 December 2005 - 07:03 PM

I have noticed that my computer has gotten slower over the past few months and now my computer will randomly freeze, which has never happened before. I have McAfee virus scan and firewall and that doesn't seem to fix the problem. I keep getting this WinFix pop-up also, and it is the only one I get. Thank you in advance with this problem.
Sincerely, Darkstar

Logfile of HijackThis v1.99.1
Scan saved at 3:41:50 PM, on 12/5/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSComp.exe
C:\Program Files\Ares\Ares.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\Program Files\Linksys\WMP11 Config Utility\WMP11Cfg.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O1 - Hosts: comments (such as these) may be inserted on individual
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\PROGRA~1\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
O2 - BHO: Popup Killer - {4A3A071E-F913-4eee-AE15-AEFFA16FB6BC} - C:\PROGRA~1\Webroot\POP-UP~1\VAPopupKiller.dll
O2 - BHO: QuickSearch Search Bar - {82315A18-6CFB-44a7-BDFD-90E36537C252} - C:\Program Files\QuickSearch\QuickSearchBar1_27.dll
O2 - BHO: MSEvents Object - {CE70731D-F28D-4D81-9D61-C8EE60378401} - C:\WINDOWS\system32\awtqq.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll (file missing)
O3 - Toolbar: QuickSearch Search Bar - {82315A18-6CFB-44a7-BDFD-90E36537C252} - C:\Program Files\QuickSearch\QuickSearchBar1_27.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [PopUpStopperCompanion] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSComp.exe"
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Wireless PCI Card Configuration Utility.lnk = C:\Program Files\Linksys\WMP11 Config Utility\WMP11Cfg.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://supportsoft.adelphia.net/sdccommon/...ad/tgctlins.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...74/mcinsctl.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/1186b9534b8c60...ip/RdxIE601.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - https://www.gamespyid.com/alaunch.cab
O16 - DPF: {A7ECD556-D6F6-4F41-8C6B-14AB246801A0} (Secure Delivery) - http://kdx.kontiki.com/kdx/Client403/kdx.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundl...ArcadeRdxIE.cab
O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} - http://216.65.38.226/crack.CAB
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O20 - Winlogon Notify: awtqq - C:\WINDOWS\system32\awtqq.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
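Added example for this thread (not code from HijackThis, Webroot or anyone in the thread): a small Python triage script that parses HijackThis v1.99-style entries like the R0/O2/O16/O20/O23 lines above and flags the ones a log helper would question first. The heuristics are the example author's own assumptions, not a verdict on any file: an O16 ActiveX package fetched from a bare IP address, a Winlogon Notify DLL (O20) whose file name is also registered as a browser helper object (O2), and entries whose target file is missing. The sample input is a handful of lines excerpted from the log posted above; the names `parse_hjt`, `target_of`, `basename` and `triage` are the example's own. The O2/O20 cross-reference is the one worth noting: later in this thread the SpySweeper session log quarantines "Virtumonde" under the msevents ProgID, and "MSEvents Object" is exactly the class name the O2 line shows for awtqq.dll.

```python
"""Triage helper for HijackThis v1.99-style log lines.

Added example for this thread; it is not HijackThis or Webroot code.
The heuristics below are the example author's own assumptions about which
entries a log helper asks about first; they are not a verdict on any file.
"""
import re

# Constructed sample: a handful of lines excerpted from the log posted above.
SAMPLE_LOG = r"""
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: MSEvents Object - {CE70731D-F28D-4D81-9D61-C8EE60378401} - C:\WINDOWS\system32\awtqq.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll (file missing)
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - https://www.gamespyid.com/alaunch.cab
O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} - http://216.65.38.226/crack.CAB
O20 - Winlogon Notify: awtqq - C:\WINDOWS\system32\awtqq.dll
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# HijackThis section codes: R0-R3, F0-F3, N1-N4, O1-O24.
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.*)$")
# A URL whose host is a bare dotted-quad rather than a hostname.
IP_HOST_RE = re.compile(r"^https?://(\d{1,3}(?:\.\d{1,3}){3})(?:[:/]|$)", re.IGNORECASE)


def parse_hjt(text):
    """Split a log into (section, body) tuples; header and process lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def target_of(body):
    """File path or URL an entry points at: the last ' - ' field, or the text after the label."""
    field = body.rsplit(" - ", 1)[-1] if " - " in body else body.split(": ", 1)[-1]
    return field.replace("(file missing)", "").strip()


def basename(path):
    """Case-folded file name, accepting either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(entries):
    """Return (severity, section, note) findings for the entries a helper would question first."""
    findings = []
    # Pass 1: index every BHO DLL by file name so later sections can cross-reference it.
    bho_dlls = {basename(p): p for p in (target_of(b) for s, b in entries if s == "O2")}
    # Pass 2: apply the heuristics (assumptions of this example, see module docstring).
    for sec, body in entries:
        if "(file missing)" in body:
            findings.append(("low", sec, "orphaned entry, target file is missing: " + target_of(body)))
        elif sec == "R3" and "is missing" in body:
            findings.append(("low", sec, body))
        elif sec == "O10":
            findings.append(("info", sec, "Winsock LSP module to verify: " + target_of(body)))
        elif sec == "O16":
            url = target_of(body)
            m = IP_HOST_RE.match(url)
            if m:
                findings.append(("high", sec, f"ActiveX package fetched from bare IP {m.group(1)}: {url}"))
        elif sec == "O20":
            name = basename(target_of(body))
            if name in bho_dlls:
                findings.append(("high", sec,
                                 f"Winlogon Notify DLL {name} is also loaded by the browser as a BHO (O2)"))
    return findings


if __name__ == "__main__":
    for severity, section, note in triage(parse_hjt(SAMPLE_LOG)):
        print(f"[{severity:4}] {section:3} {note}")
```

Run against the full log pasted above, the script produces two "high" findings (the crack.CAB download from 216.65.38.226 and the awtqq.dll O2/O20 pair) and a short list of orphaned or informational entries; the orphaned MSN toolbar and Java entries are the kind of leftover a helper would simply have fixed in HijackThis rather than treat as an infection.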


#2 -David-

Posted 06 December 2005 - 12:10 PM

Please download WebRoot SpySweeper from HERE (it's a 2-week trial):
  • Click the Free Trial link for "SpySweeper" to download the program. NOTE: DO NOT click the Free Spyware Scan link.
  • Install it.
  • Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
  • Once the definitions are installed, click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply.
Then reboot your computer - IMPORTANT.
Then post a new HJT log.
David

#3 Darkstar765 (Topic Starter)

Posted 06 December 2005 - 06:01 PM

02:43 PM: Removal process initiated
02:43 PM: Quarantining: 360i Cookie
02:43 PM: Cookie: c:\documents and settings\jerry carollo\cookies\jerry carollo@ct.360i[2].txt
02:43 PM: Quarantining: 888 Cookie
02:43 PM: Cookie: c:\documents and settings\jerry carollo\cookies\jerry carollo@888[1].txt
02:43 PM: Quarantining: About Cookie
02:43 PM: Cookie: c:\documents and settings\jerry carollo\cookies\jerry carollo@about[2].txt
02:43 PM: Cookie: c:\documents and settings\jerry carollo\cookies\jerry carollo@archaeology.about[1].txt
02:43 PM: Cookie: c:\documents and settings\jerry carollo\cookies\jerry carollo@forums.about[1].txt
02:43 PM: Cookie: c:\documents and settings\jerry carollo\cookies\jerry carollo@gogreece.about[1].txt
02:43 PM: Cookie: c:\documents and settings\jerry carollo\cookies\jerry carollo@search.about[1].txt
02:43 PM: Quarantining: Adecn Cookie
02:43 PM: Cookie: c:\documents and settings\jerry carollo\cookies\jerry carollo@adecn[2].txt
02:43 PM: Quarantining: Adjuggler Cookie
02:43 PM: Cookie: c:\documents and settings\jerry carollo\cookies\jerry carollo@rotator.adjuggler[2].txt
02:43 PM: Quarantining: AdKnowledge Cookie
02:43 PM: Cookie: c:\documents and settings\jerry carollo\cookies\jerry carollo@adknowledge[2].txt
02:43 PM: Quarantining: Adlegend Cookie
02:43 PM: Cookie: c:\documents and settings\jerry carollo\cookies\jerry carollo@adlegend[1].txt
02:43 PM: Quarantining: Adrevolver Cookie
02:43 PM: Cookie: c:\documents and settings\jerry carollo\cookies\jerry carollo@adrevolver[1].txt
02:43 PM: Cookie: c:\documents and settings\jerry carollo\cookies\jerry carollo@adrevolver[3].txt
02:43 PM: Quarantining: Adultfriendfinder Cookie
02:43 PM: Cookie: c:\documents and settings\jerry carollo\cookies\jerry carollo@adultfriendfinder[1].txt
02:43 PM: Quarantining: Ask Cookie
02:43 PM: Cookie: c:\documents and settings\jerry carollo\cookies\jerry carollo@ask[1].txt
02:43 PM: Quarantining: Atwola Cookie
02:43 PM: Cookie: c:\documents and settings\jerry carollo\cookies\jerry carollo@atwola[1].txt
02:43 PM: Quarantining: Azjmp Cookie
02:43 PM: Cookie: c:\documents and settings\jerry carollo\cookies\jerry carollo@azjmp[2].txt
02:43 PM: Quarantining: Banner Cookie
02:43 PM: Cookie: c:\documents and settings\jerry carollo\cookies\jerry carollo@banner[2].txt
02:43 PM: Quarantining: BannerSpace Cookie
02:43 PM: Cookie: c:\documents and settings\jerry carollo\cookies\jerry carollo@bannerspace[2].txt
02:43 PM: Quarantining: Belnk Cookie
02:43 PM: Cookie: c:\documents and settings\jerry carollo\cookies\jerry carollo@belnk[1].txt
02:43 PM: Cookie: c:\documents and settings\jerry carollo\cookies\jerry carollo@ath.belnk[2].txt
02:43 PM: Cookie: c:\documents and settings\jerry carollo\cookies\jerry carollo@dist.belnk[1].txt
02:43 PM: Quarantining: Bizrate Cookie
02:43 PM: Cookie: c:\documents and settings\jerry carollo\cookies\jerry carollo@bizrate[2].txt
02:43 PM: Quarantining: BurstBeacon Cookie
02:43 PM: Cookie: c:\documents and settings\jerry carollo\cookies\jerry carollo@www.burstbeacon[2].txt
02:43 PM: Quarantining: BurstNet Cookie
02:43 PM: Cookie: c:\documents and settings\jerry carollo\cookies\jerry carollo@burstnet[1].txt
02:43 PM: Quarantining: Casalemedia Cookie
02:43 PM: Cookie: c:\documents and settings\jerry carollo\cookies\jerry carollo@casalemedia[2].txt
02:43 PM: Quarantining: Cc214142 Cookie
02:43 PM: Cookie: c:\documents and settings\jerry carollo\cookies\jerry carollo@ads.cc214142[1].txt
02:43 PM: Quarantining: Ccbill Cookie
02:43 PM: Cookie: c:\documents and settings\jerry carollo\cookies\jerry carollo@ccbill[1].txt
02:43 PM: Quarantining: Clickandtrack Cookie
02:43 PM: Cookie: c:\documents and settings\jerry carollo\cookies\jerry carollo@hits.clickandtrack[1].txt
02:43 PM: Quarantining: Clickbank Cookie
02:43 PM: Cookie: c:\documents and settings\jerry carollo\cookies\jerry carollo@clickbank[1].txt
02:43 PM: Quarantining: Clicktracks Cookie
02:43 PM: Cookie: c:\documents and settings\jerry carollo\cookies\jerry carollo@stats1.clicktracks[2].txt
02:43 PM: Quarantining: Clickzs Cookie
02:43 PM: Cookie: c:\documents and settings\jerry carollo\cookies\jerry carollo@cz5.clickzs[2].txt
02:43 PM: Cookie: c:\documents and settings\jerry carollo\cookies\jerry carollo@vip.clickzs[2].txt
02:43 PM: Cookie: c:\documents and settings\jerry carollo\cookies\jerry carollo@vip2.clickzs[2].txt
02:43 PM: Quarantining: www.club-nikki Cookie
02:43 PM: Cookie: c:\documents and settings\jerry carollo\cookies\jerry carollo@www.club-nikki[1].txt
02:43 PM: Quarantining: Dealtime Cookie
02:43 PM: Cookie: c:\documents and settings\jerry carollo\cookies\jerry carollo@dealtime[2].txt
02:43 PM: Quarantining: Did-it Cookie
02:43 PM: Cookie: c:\documents and settings\jerry carollo\cookies\jerry carollo@did-it[1].txt
02:43 PM: Quarantining: DirectTrack Cookie
02:43 PM: Cookie: c:\documents and settings\jerry carollo\cookies\jerry carollo@rapidresponse.directtrack[2].txt
02:43 PM: Cookie: c:\documents and settings\jerry carollo\cookies\jerry carollo@ridemg.directtrack[2].txt
02:43 PM: Quarantining: Enhance Cookie
02:43 PM: Cookie: c:\documents and settings\jerry carollo\cookies\jerry carollo@c.enhance[1].txt
02:43 PM: Quarantining: ExitExchange Cookie
02:43 PM: Cookie: c:\documents and settings\jerry carollo\cookies\jerry carollo@exitexchange[1].txt
02:43 PM: Quarantining: Falkag Cookie
02:43 PM: Cookie: c:\documents and settings\jerry carollo\cookies\jerry carollo@as-us.falkag[2].txt
02:43 PM: Quarantining: HBMediaPro Cookie
02:43 PM: Cookie: c:\documents and settings\jerry carollo\cookies\jerry carollo@adopt.hbmediapro[2].txt
02:43 PM: Quarantining: Maxserving Cookie
02:43 PM: Cookie: c:\documents and settings\jerry carollo\cookies\jerry carollo@maxserving[2].txt
02:43 PM: Quarantining: onestat.com Cookie
02:43 PM: Cookie: c:\documents and settings\jerry carollo\cookies\jerry carollo@stat.onestat[2].txt
02:43 PM: Quarantining: Outster Cookie
02:43 PM: Cookie: c:\documents and settings\jerry carollo\cookies\jerry carollo@outster[2].txt
02:43 PM: Quarantining: Realmedia Cookie
02:43 PM: Cookie: c:\documents and settings\jerry carollo\cookies\jerry carollo@realmedia[1].txt
02:43 PM: Quarantining: ReliableStats Cookie
02:43 PM: Cookie: c:\documents and settings\jerry carollo\cookies\jerry carollo@stats1.reliablestats[1].txt
02:43 PM: Quarantining: Reunion Cookie
02:43 PM: Cookie: c:\documents and settings\jerry carollo\cookies\jerry carollo@reunion[2].txt
02:43 PM: Quarantining: revenue.net Cookie
02:43 PM: Cookie: c:\documents and settings\jerry carollo\cookies\jerry carollo@revenue[1].txt
02:43 PM: Quarantining: Rn11 Cookie
02:43 PM: Cookie: c:\documents and settings\jerry carollo\cookies\jerry carollo@rn11[2].txt
02:43 PM: Quarantining: Seeq Cookie
02:43 PM: Cookie: c:\documents and settings\jerry carollo\cookies\jerry carollo@seeq[2].txt
02:43 PM: Cookie: c:\documents and settings\jerry carollo\cookies\jerry carollo@www.seeq[1].txt
02:43 PM: Cookie: c:\documents and settings\jerry carollo\cookies\jerry carollo@www48.seeq[1].txt
02:43 PM: Quarantining: Server.iad.Liveperson Cookie
02:43 PM: Cookie: c:\documents and settings\jerry carollo\cookies\jerry carollo@server.iad.liveperson[2].txt
02:43 PM: Quarantining: Serving-sys Cookie
02:43 PM: Cookie: c:\documents and settings\jerry carollo\cookies\jerry carollo@serving-sys[1].txt
02:43 PM: Quarantining: specificclick.com Cookie
02:43 PM: Cookie: c:\documents and settings\jerry carollo\cookies\jerry carollo@adopt.specificclick[2].txt
02:43 PM: Quarantining: Statcounter Cookie
02:43 PM: Cookie: c:\documents and settings\jerry carollo\cookies\jerry carollo@statcounter[1].txt
02:43 PM: Quarantining: Toplist Cookie
02:43 PM: Cookie: c:\documents and settings\jerry carollo\cookies\jerry carollo@toplist[1].txt
02:43 PM: Quarantining: Tripod Cookie
02:43 PM: Cookie: c:\documents and settings\jerry carollo\cookies\jerry carollo@tripod[1].txt
02:43 PM: Quarantining: Web-Stat Cookie
02:43 PM: Cookie: c:\documents and settings\jerry carollo\cookies\jerry carollo@www.web-stat[2].txt
02:43 PM: Quarantining: WebSponsors Cookie
02:43 PM: Cookie: c:\documents and settings\jerry carollo\cookies\jerry carollo@a.websponsors[1].txt
02:43 PM: Quarantining: Xren_cj Cookie
02:43 PM: Cookie: c:\documents and settings\jerry carollo\cookies\jerry carollo@xren_cj[1].txt
02:43 PM: Quarantining: Yadro Cookie
02:43 PM: Cookie: c:\documents and settings\jerry carollo\cookies\jerry carollo@yadro[2].txt
02:43 PM: Quarantining: Partypoker Cookie
02:43 PM: Cookie: c:\documents and settings\jerry carollo\cookies\jerry carollo@partypoker[2].txt
02:43 PM: Quarantining: Empnads Cookie
02:43 PM: Cookie: c:\documents and settings\jerry carollo\cookies\jerry carollo@empnads[2].txt
02:43 PM: Quarantining: Nextag Cookie
02:43 PM: Cookie: c:\documents and settings\jerry carollo\cookies\jerry carollo@nextag[1].txt
02:43 PM: Quarantining: Virtumonde
02:43 PM: Registry: HKEY_CLASSES_ROOT\msevents.msevents
02:43 PM: Registry: HKEY_CLASSES_ROOT\msevents.msevents.1
02:43 PM: Registry: HKEY_LOCAL_MACHINE\software\classes\msevents.msevents
02:43 PM: Registry: HKEY_LOCAL_MACHINE\software\classes\msevents.msevents.1
02:43 PM: Registry: HKEY_LOCAL_MACHINE\software\classes\msevents.msevents.1\clsid
02:43 PM: Registry: HKEY_LOCAL_MACHINE\software\classes\msevents.msevents.1||(-default-)
02:43 PM: Registry: HKEY_LOCAL_MACHINE\software\classes\msevents.msevents.1\clsid||(-default-)
02:43 PM: Registry: HKEY_LOCAL_MACHINE\software\classes\msevents.msevents\clsid
02:43 PM: Registry: HKEY_LOCAL_MACHINE\software\classes\msevents.msevents\curver
02:43 PM: Registry: HKEY_LOCAL_MACHINE\software\classes\msevents.msevents||(-default-)
02:43 PM: Registry: HKEY_LOCAL_MACHINE\software\classes\msevents.msevents\clsid||(-default-)
02:43 PM: Registry: HKEY_LOCAL_MACHINE\software\classes\msevents.msevents\curver||(-default-)
02:43 PM: Registry: HKEY_CLASSES_ROOT\msevents.msevents.1\clsid
02:43 PM: Registry: HKEY_CLASSES_ROOT\msevents.msevents.1||(-default-)
02:43 PM: Registry: HKEY_CLASSES_ROOT\msevents.msevents.1\clsid||(-default-)
02:43 PM: Registry: HKEY_CLASSES_ROOT\msevents.msevents\clsid
02:43 PM: Registry: HKEY_CLASSES_ROOT\msevents.msevents\curver
02:43 PM: Registry: HKEY_CLASSES_ROOT\msevents.msevents||(-default-)
02:43 PM: Registry: HKEY_CLASSES_ROOT\msevents.msevents\clsid||(-default-)
02:43 PM: Registry: HKEY_CLASSES_ROOT\msevents.msevents\curver||(-default-)
02:43 PM: Quarantining: WinAntiSpyware 2005
02:43 PM: Registry: HKEY_CLASSES_ROOT\uwfxpcheck.uwfxpcheck.1
02:43 PM: Registry: HKEY_CLASSES_ROOT\uwfxpcheck.uwfxpcheck
02:43 PM: Registry: HKEY_CLASSES_ROOT\clsid\{6e53e70c-9089-494a-9f51-abc499636dae}
02:43 PM: Registry: HKEY_CLASSES_ROOT\typelib\{c2ae9e5b-3ebd-49fd-9ab4-36c1a1e4af39}
02:43 PM: Registry: HKEY_LOCAL_MACHINE\software\classes\uwfxpcheck.uwfxpcheck.1
02:43 PM: Registry: HKEY_LOCAL_MACHINE\software\classes\uwfxpcheck.uwfxpcheck
02:43 PM: Registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{6e53e70c-9089-494a-9f51-abc499636dae}
02:43 PM: Registry: HKEY_LOCAL_MACHINE\software\classes\typelib\{c2ae9e5b-3ebd-49fd-9ab4-36c1a1e4af39}
02:43 PM: Registry: HKEY_LOCAL_MACHINE\software\classes\typelib\{c2ae9e5b-3ebd-49fd-9ab4-36c1a1e4af39}\1.0
02:43 PM: Registry: HKEY_LOCAL_MACHINE\software\classes\typelib\{c2ae9e5b-3ebd-49fd-9ab4-36c1a1e4af39}\1.0\0
02:43 PM: Registry: HKEY_LOCAL_MACHINE\software\classes\typelib\{c2ae9e5b-3ebd-49fd-9ab4-36c1a1e4af39}\1.0\flags
02:43 PM: Registry: HKEY_LOCAL_MACHINE\software\classes\typelib\{c2ae9e5b-3ebd-49fd-9ab4-36c1a1e4af39}\1.0\helpdir
02:43 PM: Registry: HKEY_LOCAL_MACHINE\software\classes\typelib\{c2ae9e5b-3ebd-49fd-9ab4-36c1a1e4af39}\1.0\0\win32
02:43 PM: Registry: HKEY_LOCAL_MACHINE\software\classes\typelib\{c2ae9e5b-3ebd-49fd-9ab4-36c1a1e4af39}\1.0||(-default-)
02:43 PM: Registry: HKEY_LOCAL_MACHINE\software\classes\typelib\{c2ae9e5b-3ebd-49fd-9ab4-36c1a1e4af39}\1.0\flags||(-default-)
02:43 PM: Registry: HKEY_LOCAL_MACHINE\software\classes\typelib\{c2ae9e5b-3ebd-49fd-9ab4-36c1a1e4af39}\1.0\helpdir||(-default-)
02:43 PM: Registry: HKEY_LOCAL_MACHINE\software\classes\typelib\{c2ae9e5b-3ebd-49fd-9ab4-36c1a1e4af39}\1.0\0\win32||(-default-)
02:43 PM: Registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{6e53e70c-9089-494a-9f51-abc499636dae}\implemented categories
02:43 PM: Registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{6e53e70c-9089-494a-9f51-abc499636dae}\inprocserver32
02:43 PM: Registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{6e53e70c-9089-494a-9f51-abc499636dae}\progid
02:43 PM: Registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{6e53e70c-9089-494a-9f51-abc499636dae}\programmable
02:43 PM: Registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{6e53e70c-9089-494a-9f51-abc499636dae}\typelib
02:43 PM: Registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{6e53e70c-9089-494a-9f51-abc499636dae}\versionindependentprogid
02:43 PM: Registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{6e53e70c-9089-494a-9f51-abc499636dae}\implemented categories\{7dd95801-9882-11cf-9fa9-00aa006c42c4}
02:43 PM: Registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{6e53e70c-9089-494a-9f51-abc499636dae}\implemented categories\{7dd95802-9882-11cf-9fa9-00aa006c42c4}
02:43 PM: Registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{6e53e70c-9089-494a-9f51-abc499636dae}||(-default-)
02:43 PM: Registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{6e53e70c-9089-494a-9f51-abc499636dae}\inprocserver32||(-default-)
02:43 PM: Registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{6e53e70c-9089-494a-9f51-abc499636dae}\inprocserver32||threadingmodel
02:43 PM: Registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{6e53e70c-9089-494a-9f51-abc499636dae}\progid||(-default-)
02:43 PM: Registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{6e53e70c-9089-494a-9f51-abc499636dae}\typelib||(-default-)
02:43 PM: Registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{6e53e70c-9089-494a-9f51-abc499636dae}\versionindependentprogid||(-default-)
02:43 PM: Registry: HKEY_LOCAL_MACHINE\software\classes\uwfxpcheck.uwfxpcheck\clsid
02:43 PM: Registry: HKEY_LOCAL_MACHINE\software\classes\uwfxpcheck.uwfxpcheck\curver
02:43 PM: Registry: HKEY_LOCAL_MACHINE\software\classes\uwfxpcheck.uwfxpcheck||(-default-)
02:43 PM: Registry: HKEY_LOCAL_MACHINE\software\classes\uwfxpcheck.uwfxpcheck\clsid||(-default-)
02:43 PM: Registry: HKEY_LOCAL_MACHINE\software\classes\uwfxpcheck.uwfxpcheck\curver||(-default-)
02:43 PM: Registry: HKEY_LOCAL_MACHINE\software\classes\uwfxpcheck.uwfxpcheck.1\clsid
02:43 PM: Registry: HKEY_LOCAL_MACHINE\software\classes\uwfxpcheck.uwfxpcheck.1||(-default-)
02:43 PM: Registry: HKEY_LOCAL_MACHINE\software\classes\uwfxpcheck.uwfxpcheck.1\clsid||(-default-)
02:43 PM: Registry: HKEY_CLASSES_ROOT\typelib\{c2ae9e5b-3ebd-49fd-9ab4-36c1a1e4af39}\1.0
02:43 PM: Registry: HKEY_CLASSES_ROOT\typelib\{c2ae9e5b-3ebd-49fd-9ab4-36c1a1e4af39}\1.0\0
02:43 PM: Registry: HKEY_CLASSES_ROOT\typelib\{c2ae9e5b-3ebd-49fd-9ab4-36c1a1e4af39}\1.0\flags
02:43 PM: Registry: HKEY_CLASSES_ROOT\typelib\{c2ae9e5b-3ebd-49fd-9ab4-36c1a1e4af39}\1.0\helpdir
02:43 PM: Registry: HKEY_CLASSES_ROOT\typelib\{c2ae9e5b-3ebd-49fd-9ab4-36c1a1e4af39}\1.0\0\win32
02:43 PM: Registry: HKEY_CLASSES_ROOT\typelib\{c2ae9e5b-3ebd-49fd-9ab4-36c1a1e4af39}\1.0||(-default-)
02:43 PM: Registry: HKEY_CLASSES_ROOT\typelib\{c2ae9e5b-3ebd-49fd-9ab4-36c1a1e4af39}\1.0\flags||(-default-)
02:43 PM: Registry: HKEY_CLASSES_ROOT\typelib\{c2ae9e5b-3ebd-49fd-9ab4-36c1a1e4af39}\1.0\helpdir||(-default-)
02:43 PM: Registry: HKEY_CLASSES_ROOT\typelib\{c2ae9e5b-3ebd-49fd-9ab4-36c1a1e4af39}\1.0\0\win32||(-default-)
02:43 PM: Registry: HKEY_CLASSES_ROOT\clsid\{6e53e70c-9089-494a-9f51-abc499636dae}\implemented categories
02:43 PM: Registry: HKEY_CLASSES_ROOT\clsid\{6e53e70c-9089-494a-9f51-abc499636dae}\inprocserver32
02:43 PM: Registry: HKEY_CLASSES_ROOT\clsid\{6e53e70c-9089-494a-9f51-abc499636dae}\progid
02:43 PM: Registry: HKEY_CLASSES_ROOT\clsid\{6e53e70c-9089-494a-9f51-abc499636dae}\programmable
02:43 PM: Registry: HKEY_CLASSES_ROOT\clsid\{6e53e70c-9089-494a-9f51-abc499636dae}\typelib
02:43 PM: Registry: HKEY_CLASSES_ROOT\clsid\{6e53e70c-9089-494a-9f51-abc499636dae}\versionindependentprogid
02:43 PM: Registry: HKEY_CLASSES_ROOT\clsid\{6e53e70c-9089-494a-9f51-abc499636dae}\implemented categories\{7dd95801-9882-11cf-9fa9-00aa006c42c4}
02:43 PM: Registry: HKEY_CLASSES_ROOT\clsid\{6e53e70c-9089-494a-9f51-abc499636dae}\implemented categories\{7dd95802-9882-11cf-9fa9-00aa006c42c4}
02:43 PM: Registry: HKEY_CLASSES_ROOT\clsid\{6e53e70c-9089-494a-9f51-abc499636dae}||(-default-)
02:43 PM: Registry: HKEY_CLASSES_ROOT\clsid\{6e53e70c-9089-494a-9f51-abc499636dae}\inprocserver32||(-default-)
02:43 PM: Registry: HKEY_CLASSES_ROOT\clsid\{6e53e70c-9089-494a-9f51-abc499636dae}\inprocserver32||threadingmodel
02:43 PM: Registry: HKEY_CLASSES_ROOT\clsid\{6e53e70c-9089-494a-9f51-abc499636dae}\progid||(-default-)
02:43 PM: Registry: HKEY_CLASSES_ROOT\clsid\{6e53e70c-9089-494a-9f51-abc499636dae}\typelib||(-default-)
02:43 PM: Registry: HKEY_CLASSES_ROOT\clsid\{6e53e70c-9089-494a-9f51-abc499636dae}\versionindependentprogid||(-default-)
02:43 PM: Registry: HKEY_CLASSES_ROOT\uwfxpcheck.uwfxpcheck\clsid
02:43 PM: Registry: HKEY_CLASSES_ROOT\uwfxpcheck.uwfxpcheck\curver
02:43 PM: Registry: HKEY_CLASSES_ROOT\uwfxpcheck.uwfxpcheck||(-default-)
02:43 PM: Registry: HKEY_CLASSES_ROOT\uwfxpcheck.uwfxpcheck\clsid||(-default-)
02:43 PM: Registry: HKEY_CLASSES_ROOT\uwfxpcheck.uwfxpcheck\curver||(-default-)
02:43 PM: Registry: HKEY_CLASSES_ROOT\uwfxpcheck.uwfxpcheck.1\clsid
02:43 PM: Registry: HKEY_CLASSES_ROOT\uwfxpcheck.uwfxpcheck.1||(-default-)
02:43 PM: Registry: HKEY_CLASSES_ROOT\uwfxpcheck.uwfxpcheck.1\clsid||(-default-)
02:43 PM: File: c:\documents and settings\jerry carollo\local settings\temp\ni.uwfx5_0001_n56m0311\setup.exe
02:43 PM: File: c:\documents and settings\jerry carollo\local settings\temp\winfixer2005setup.exe
02:43 PM: File: c:\windows\system32\drivers\dfdr.sys
02:43 PM: File: c:\program files\common files\winsoftware\fcrxml.dll
02:43 PM: File: c:\program files\common files\winsoftware\prcheck.dll
02:43 PM: Folder: c:\program files\common files\winsoftware
02:43 PM: Quarantining: WebSearch Toolbar
02:43 PM: Registry: HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_wintoolssvc
02:43 PM: Registry: HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_wintoolssvc\0000
02:43 PM: Quarantining: CAS
02:43 PM: Registry: HKEY_CURRENT_USER\software\cmapp
02:43 PM: Quarantining: Safeguard Protect
02:43 PM: Registry: HKEY_CURRENT_USER\software\safeguard protect
02:43 PM: Registry: HKEY_LOCAL_MACHINE\software\safeguard protect
02:43 PM: Registry: HKEY_LOCAL_MACHINE\software\safeguard protect\pcshield
02:43 PM: Registry: HKEY_LOCAL_MACHINE\software\safeguard protect\pcshield||03a4f8d7a3d23da262
02:43 PM: Registry: HKEY_LOCAL_MACHINE\software\safeguard protect\pcshield||0x4679538955478456
02:43 PM: Registry: HKEY_LOCAL_MACHINE\software\safeguard protect\pcshield||ced86005d8cd6a4c2898
02:43 PM: Registry: HKEY_CURRENT_USER\software\safeguard protect\pcshield
02:43 PM: Registry: HKEY_CURRENT_USER\software\safeguard protect\pcshield\0x5f3xd235dvse43x
02:43 PM: Registry: HKEY_CURRENT_USER\software\safeguard protect\pcshield\0xa7c5f35b890d23c7
02:43 PM: Registry: HKEY_CURRENT_USER\software\safeguard protect\pcshield||03a4f8d7a3d23da262
02:43 PM: Registry: HKEY_CURRENT_USER\software\safeguard protect\pcshield||0x4679538955478456
02:43 PM: Registry: HKEY_CURRENT_USER\software\safeguard protect\pcshield||ced86005d8cd6a4c2898
02:43 PM: Registry: HKEY_CURRENT_USER\software\safeguard protect\pcshield||0x6e3a67c6343923acdd
02:43 PM: Registry: HKEY_CURRENT_USER\software\safeguard protect\pcshield\0x5f3xd235dvse43x||e7db7208a3de6140
02:43 PM: Registry: HKEY_CURRENT_USER\software\safeguard protect\pcshield\0xa7c5f35b890d23c7||e1d86102e9d47c483f89714a930b
02:43 PM: Registry: HKEY_CURRENT_USER\software\safeguard protect\pcshield\0xa7c5f35b890d23c7||e7c16314e9d46f033f9232
02:43 PM: Registry: HKEY_CURRENT_USER\software\safeguard protect\pcshield\0xa7c5f35b890d23c7||e0d67c1affdc695e729e3044
02:43 PM: Registry: HKEY_CURRENT_USER\software\safeguard protect\pcshield\0xa7c5f35b890d23c7||e3dd661df9db7c4439933b4f95080da7f097701ee0
02:43 PM: Registry: HKEY_CURRENT_USER\software\safeguard protect\pcshield\0xa7c5f35b890d23c7||e3c9631de8936d4231
02:43 PM: Registry: HKEY_CURRENT_USER\software\safeguard protect\pcshield\0xa7c5f35b890d23c7||f7db7a15a3de6140
02:43 PM: Registry: HKEY_CURRENT_USER\software\safeguard protect\pcshield\0xa7c5f35b890d23c7||e3d4720be2d3204e3390
02:43 PM: Registry: HKEY_CURRENT_USER\software\safeguard protect\pcshield\0xa7c5f35b890d23c7||e1d07d16f8d16f5f729e3044
02:43 PM: Registry: HKEY_CURRENT_USER\software\safeguard protect\pcshield\0xa7c5f35b890d23c7||efd86712e5936d4231
02:43 PM: Registry: HKEY_CURRENT_USER\software\safeguard protect\pcshield\0xa7c5f35b890d23c7||e3d5675feed263
02:43 PM: Registry: HKEY_CURRENT_USER\software\safeguard protect\pcshield\0xa7c5f35b890d23c7||e3d57f01e2ce7a482e8e714a930b
02:43 PM: Registry: HKEY_CURRENT_USER\software\safeguard protect\pcshield\0xa7c5f35b890d23c7||e7db7208a3de6140
02:43 PM: Registry: HKEY_CURRENT_USER\software\safeguard protect\pcshield\0xa7c5f35b890d23c7||e3cb675feed263
02:43 PM: Registry: HKEY_CURRENT_USER\software\safeguard protect\pcshield\0xa7c5f35b890d23c7||eed66414ffd0774f3591335ad20506af
02:43 PM: Registry: HKEY_CURRENT_USER\software\safeguard protect\pcshield\0xa7c5f35b890d23c7||e0dc6005efc877033f9232
02:43 PM: Registry: HKEY_CURRENT_USER\software\safeguard protect\pcshield\0xa7c5f35b890d23c7||f0dc661fe4d260033f9232
02:43 PM: File: c:\windows\system32\sfg_3546.dll
02:43 PM: File: c:\windows\system32\sfg.dll
02:43 PM: Quarantining: YieldManager Cookie
02:43 PM: Cookie: c:\documents and settings\jerry carollo\cookies\jerry carollo@yieldmanager[2].txt
02:43 PM: Cookie: c:\documents and settings\jerry carollo\cookies\jerry carollo@ad.yieldmanager[1].txt
02:43 PM: Cleaning Traces
02:43 PM: Removing registry: HKEY_CLASSES_ROOT\uwfxpcheck.uwfxpcheck\curver
02:43 PM: Removing registry: HKEY_CLASSES_ROOT\uwfxpcheck.uwfxpcheck\clsid
02:43 PM: Removing registry: HKEY_CLASSES_ROOT\uwfxpcheck.uwfxpcheck.1\clsid
02:43 PM: Removing registry: HKEY_CLASSES_ROOT\uwfxpcheck.uwfxpcheck.1
02:43 PM: Removing registry: HKEY_CLASSES_ROOT\uwfxpcheck.uwfxpcheck
02:43 PM: Removing registry: HKEY_CLASSES_ROOT\typelib\{c2ae9e5b-3ebd-49fd-9ab4-36c1a1e4af39}\1.0\helpdir
02:43 PM: Removing registry: HKEY_CLASSES_ROOT\typelib\{c2ae9e5b-3ebd-49fd-9ab4-36c1a1e4af39}\1.0\flags
02:43 PM: Removing registry: HKEY_CLASSES_ROOT\typelib\{c2ae9e5b-3ebd-49fd-9ab4-36c1a1e4af39}\1.0\0\win32
02:43 PM: Removing registry: HKEY_CLASSES_ROOT\typelib\{c2ae9e5b-3ebd-49fd-9ab4-36c1a1e4af39}\1.0\0
02:43 PM: Removing registry: HKEY_CLASSES_ROOT\typelib\{c2ae9e5b-3ebd-49fd-9ab4-36c1a1e4af39}\1.0
02:43 PM: Removing registry: HKEY_CLASSES_ROOT\typelib\{c2ae9e5b-3ebd-49fd-9ab4-36c1a1e4af39}
02:43 PM: Removing registry: HKEY_CLASSES_ROOT\msevents.msevents\curver
02:43 PM: Removing registry: HKEY_CLASSES_ROOT\msevents.msevents\clsid
02:43 PM: Removing registry: HKEY_CLASSES_ROOT\msevents.msevents.1\clsid
02:43 PM: Removing registry: HKEY_CLASSES_ROOT\msevents.msevents.1
02:43 PM: Removing registry: HKEY_CLASSES_ROOT\msevents.msevents
02:43 PM: Removing registry: HKEY_CLASSES_ROOT\clsid\{6e53e70c-9089-494a-9f51-abc499636dae}\versionindependentprogid
02:43 PM: Removing registry: HKEY_CLASSES_ROOT\clsid\{6e53e70c-9089-494a-9f51-abc499636dae}\typelib
02:43 PM: Removing registry: HKEY_CLASSES_ROOT\clsid\{6e53e70c-9089-494a-9f51-abc499636dae}\programmable
02:43 PM: Removing registry: HKEY_CLASSES_ROOT\clsid\{6e53e70c-9089-494a-9f51-abc499636dae}\progid
02:43 PM: Removing registry: HKEY_CLASSES_ROOT\clsid\{6e53e70c-9089-494a-9f51-abc499636dae}\inprocserver32|| (threadingmodel)
02:43 PM: Removing registry: HKEY_CLASSES_ROOT\clsid\{6e53e70c-9089-494a-9f51-abc499636dae}\inprocserver32
02:43 PM: Removing registry: HKEY_CLASSES_ROOT\clsid\{6e53e70c-9089-494a-9f51-abc499636dae}\implemented categories\{7dd95802-9882-11cf-9fa9-00aa006c42c4}
02:43 PM: Removing registry: HKEY_CLASSES_ROOT\clsid\{6e53e70c-9089-494a-9f51-abc499636dae}\implemented categories\{7dd95801-9882-11cf-9fa9-00aa006c42c4}
02:43 PM: Removing registry: HKEY_CLASSES_ROOT\clsid\{6e53e70c-9089-494a-9f51-abc499636dae}\implemented categories
02:43 PM: Removing registry: HKEY_CLASSES_ROOT\clsid\{6e53e70c-9089-494a-9f51-abc499636dae}
02:43 PM: Removing registry: HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_wintoolssvc
02:43 PM: Removing registry: HKEY_LOCAL_MACHINE\software\safeguard protect\pcshield|| (ced86005d8cd6a4c2898)
02:43 PM: Removing registry: HKEY_LOCAL_MACHINE\software\safeguard protect\pcshield|| (0x4679538955478456)
02:43 PM: Removing registry: HKEY_LOCAL_MACHINE\software\safeguard protect\pcshield|| (03a4f8d7a3d23da262)
02:43 PM: Removing registry: HKEY_LOCAL_MACHINE\software\safeguard protect\pcshield
02:43 PM: Removing registry: HKEY_LOCAL_MACHINE\software\safeguard protect
02:43 PM: Removing registry: HKEY_LOCAL_MACHINE\software\classes\uwfxpcheck.uwfxpcheck\curver
02:43 PM: Removing registry: HKEY_LOCAL_MACHINE\software\classes\uwfxpcheck.uwfxpcheck\clsid
02:43 PM: Removing registry: HKEY_LOCAL_MACHINE\software\classes\uwfxpcheck.uwfxpcheck.1\clsid
02:43 PM: Removing registry: HKEY_LOCAL_MACHINE\software\classes\uwfxpcheck.uwfxpcheck.1
02:43 PM: Removing registry: HKEY_LOCAL_MACHINE\software\classes\uwfxpcheck.uwfxpcheck
02:43 PM: Removing registry: HKEY_LOCAL_MACHINE\software\classes\typelib\{c2ae9e5b-3ebd-49fd-9ab4-36c1a1e4af39}\1.0\helpdir
02:43 PM: Removing registry: HKEY_LOCAL_MACHINE\software\classes\typelib\{c2ae9e5b-3ebd-49fd-9ab4-36c1a1e4af39}\1.0\flags
02:43 PM: Removing registry: HKEY_LOCAL_MACHINE\software\classes\typelib\{c2ae9e5b-3ebd-49fd-9ab4-36c1a1e4af39}\1.0\0\win32
02:43 PM: Removing registry: HKEY_LOCAL_MACHINE\software\classes\typelib\{c2ae9e5b-3ebd-49fd-9ab4-36c1a1e4af39}\1.0\0
02:43 PM: Removing registry: HKEY_LOCAL_MACHINE\software\classes\typelib\{c2ae9e5b-3ebd-49fd-9ab4-36c1a1e4af39}\1.0
02:43 PM: Removing registry: HKEY_LOCAL_MACHINE\software\classes\typelib\{c2ae9e5b-3ebd-49fd-9ab4-36c1a1e4af39}
02:43 PM: Removing registry: HKEY_LOCAL_MACHINE\software\classes\msevents.msevents\curver
02:43 PM: Removing registry: HKEY_LOCAL_MACHINE\software\classes\msevents.msevents\clsid
02:43 PM: Removing registry: HKEY_LOCAL_MACHINE\software\classes\msevents.msevents.1\clsid
02:43 PM: Removing registry: HKEY_LOCAL_MACHINE\software\classes\msevents.msevents.1
02:43 PM: Removing registry: HKEY_LOCAL_MACHINE\software\classes\msevents.msevents
02:43 PM: Removing registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{6e53e70c-9089-494a-9f51-abc499636dae}\versionindependentprogid
02:43 PM: Removing registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{6e53e70c-9089-494a-9f51-abc499636dae}\typelib
02:43 PM: Removing registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{6e53e70c-9089-494a-9f51-abc499636dae}\programmable
02:43 PM: Removing registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{6e53e70c-9089-494a-9f51-abc499636dae}\progid
02:43 PM: Removing registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{6e53e70c-9089-494a-9f51-abc499636dae}\inprocserver32|| (threadingmodel)
02:43 PM: Removing registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{6e53e70c-9089-494a-9f51-abc499636dae}\inprocserver32
02:43 PM: Removing registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{6e53e70c-9089-494a-9f51-abc499636dae}\implemented categories\{7dd95802-9882-11cf-9fa9-00aa006c42c4}
02:43 PM: Removing registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{6e53e70c-9089-494a-9f51-abc499636dae}\implemented categories\{7dd95801-9882-11cf-9fa9-00aa006c42c4}
02:43 PM: Removing registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{6e53e70c-9089-494a-9f51-abc499636dae}\implemented categories
02:43 PM: Removing registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{6e53e70c-9089-494a-9f51-abc499636dae}
02:43 PM: Removing registry: HKEY_CURRENT_USER\software\safeguard protect\pcshield\0xa7c5f35b890d23c7|| (f7db7a15a3de6140)
02:43 PM: Removing registry: HKEY_CURRENT_USER\software\safeguard protect\pcshield\0xa7c5f35b890d23c7|| (f0dc661fe4d260033f9232)
02:43 PM: Removing registry: HKEY_CURRENT_USER\software\safeguard protect\pcshield\0xa7c5f35b890d23c7|| (efd86712e5936d4231)
02:43 PM: Removing registry: HKEY_CURRENT_USER\software\safeguard protect\pcshield\0xa7c5f35b890d23c7|| (eed66414ffd0774f3591335ad20506af)
02:43 PM: Removing registry: HKEY_CURRENT_USER\software\safeguard protect\pcshield\0xa7c5f35b890d23c7|| (e7db7208a3de6140)
02:43 PM: Removing registry: HKEY_CURRENT_USER\software\safeguard protect\pcshield\0xa7c5f35b890d23c7|| (e7c16314e9d46f033f9232)
02:43 PM: Removing registry: HKEY_CURRENT_USER\software\safeguard protect\pcshield\0xa7c5f35b890d23c7|| (e3dd661df9db7c4439933b4f95080da7f097701ee0)
02:43 PM: Removing registry: HKEY_CURRENT_USER\software\safeguard protect\pcshield\0xa7c5f35b890d23c7|| (e3d57f01e2ce7a482e8e714a930b)
02:43 PM: Removing registry: HKEY_CURRENT_USER\software\safeguard protect\pcshield\0xa7c5f35b890d23c7|| (e3d5675feed263)
02:43 PM: Removing registry: HKEY_CURRENT_USER\software\safeguard protect\pcshield\0xa7c5f35b890d23c7|| (e3d4720be2d3204e3390)
02:43 PM: Removing registry: HKEY_CURRENT_USER\software\safeguard protect\pcshield\0xa7c5f35b890d23c7|| (e3cb675feed263)
02:43 PM: Removing registry: HKEY_CURRENT_USER\software\safeguard protect\pcshield\0xa7c5f35b890d23c7|| (e3c9631de8936d4231)
02:43 PM: Removing registry: HKEY_CURRENT_USER\software\safeguard protect\pcshield\0xa7c5f35b890d23c7|| (e1d86102e9d47c483f89714a930b)
02:43 PM: Removing registry: HKEY_CURRENT_USER\software\safeguard protect\pcshield\0xa7c5f35b890d23c7|| (e1d07d16f8d16f5f729e3044)
02:43 PM: Removing registry: HKEY_CURRENT_USER\software\safeguard protect\pcshield\0xa7c5f35b890d23c7|| (e0dc6005efc877033f9232)
02:43 PM: Removing registry: HKEY_CURRENT_USER\software\safeguard protect\pcshield\0xa7c5f35b890d23c7|| (e0d67c1affdc695e729e3044)
02:43 PM: Removing registry: HKEY_CURRENT_USER\software\safeguard protect\pcshield\0xa7c5f35b890d23c7
02:43 PM: Removing registry: HKEY_CURRENT_USER\software\safeguard protect\pcshield\0x5f3xd235dvse43x|| (e7db7208a3de6140)
02:43 PM: Removing registry: HKEY_CURRENT_USER\software\safeguard protect\pcshield\0x5f3xd235dvse43x
02:43 PM: Removing registry: HKEY_CURRENT_USER\software\safeguard protect\pcshield|| (ced86005d8cd6a4c2898)
02:43 PM: Removing registry: HKEY_CURRENT_USER\software\safeguard protect\pcshield|| (0x6e3a67c6343923acdd)
02:43 PM: Removing registry: HKEY_CURRENT_USER\software\safeguard protect\pcshield|| (0x4679538955478456)
02:43 PM: Removing registry: HKEY_CURRENT_USER\software\safeguard protect\pcshield|| (03a4f8d7a3d23da262)
02:43 PM: Removing registry: HKEY_CURRENT_USER\software\safeguard protect\pcshield
02:43 PM: Removing registry: HKEY_CURRENT_USER\software\safeguard protect
02:43 PM: Removing registry: HKEY_CURRENT_USER\software\cmapp
02:43 PM: Removing file: c:\windows\system32\sfg.dll
02:43 PM: Removing file: c:\windows\system32\sfg_3546.dll
02:43 PM: Removing file: c:\program files\common files\winsoftware\prcheck.dll
02:43 PM: Removing file: c:\program files\common files\winsoftware\fcrxml.dll
02:43 PM: Removing file: c:\windows\system32\drivers\dfdr.sys
02:43 PM: Removing file: c:\documents and settings\jerry carollo\local settings\temp\winfixer2005setup.exe
02:43 PM: Removing file: c:\documents and settings\jerry carollo\local settings\temp\ni.uwfx5_0001_n56m0311\setup.exe
02:43 PM: Folder: c:\program files\common files\winsoftware
02:43 PM: Removal process completed. Elapsed time 00:00:22
61 items (199 traces) quarantined.
Logfile of HijackThis v1.99.1
Scan saved at 2:55:08 PM, on 12/6/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSComp.exe
C:\Program Files\Ares\Ares.exe
c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Linksys\WMP11 Config Utility\WMP11Cfg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O1 - Hosts: comments (such as these) may be inserted on individual
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\PROGRA~1\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
O2 - BHO: Popup Killer - {4A3A071E-F913-4eee-AE15-AEFFA16FB6BC} - C:\PROGRA~1\Webroot\POP-UP~1\VAPopupKiller.dll
O2 - BHO: QuickSearch Search Bar - {82315A18-6CFB-44a7-BDFD-90E36537C252} - C:\Program Files\QuickSearch\QuickSearchBar1_27.dll
O2 - BHO: MSEvents Object - {CE70731D-F28D-4D81-9D61-C8EE60378401} - C:\WINDOWS\system32\awtqq.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll (file missing)
O3 - Toolbar: QuickSearch Search Bar - {82315A18-6CFB-44a7-BDFD-90E36537C252} - C:\Program Files\QuickSearch\QuickSearchBar1_27.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [PopUpStopperCompanion] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSComp.exe"
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Wireless PCI Card Configuration Utility.lnk = C:\Program Files\Linksys\WMP11 Config Utility\WMP11Cfg.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://supportsoft.adelphia.net/sdccommon/...ad/tgctlins.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...74/mcinsctl.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/1186b9534b8c60...ip/RdxIE601.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - https://www.gamespyid.com/alaunch.cab
O16 - DPF: {A7ECD556-D6F6-4F41-8C6B-14AB246801A0} (Secure Delivery) - http://kdx.kontiki.com/kdx/Client403/kdx.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundl...ArcadeRdxIE.cab
O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} - http://216.65.38.226/crack.CAB
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O20 - Winlogon Notify: awtqq - C:\WINDOWS\system32\awtqq.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe

Thank you for answering back so promptly. Sincerely, Jerry

#4 -David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 07 December 2005 - 12:21 PM

Please print these instructions out for use in Safe Mode.

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to extract the files
  • This will create a VundoFix folder on your desktop.
  • After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
  • Once in safe mode open the VundoFix folder and doubleclick on KillVundo.bat
  • You will first be presented with a warning.
    It should look like this

    VundoFix V2.15 by Atri
    By using VundoFix you agree that you are doing so at your own risk
    Press enter to continue....

  • At this point press enter one time.
  • Next you will see:

    Please Type in the filepath as instructed by the forum staff
    and then press enter:

  • At this point please type the following file path (make sure to enter it exactly as below!):
    • C:\WINDOWS\system32\awtqq.dll
  • Press Enter to continue with the fix.
  • Next you will see:

    Please type in the second filepath as instructed by the forum
    staff then press enter:

  • At this point please type the following file path (make sure to enter it exactly as below!):
    • C:\WINDOWS\system32\qqtwa.*
    This will be the Vundo filename spelt backwards. For example, if the Vundo dll was vundo.dll you would have the user enter odnuv.*
  • Press Enter to continue with the fix.
  • The fix will run then HijackThis will open, if it does not open automatically please open it manually.
  • In HiJackThis, please place a check next to the following items and click FIX CHECKED:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - Default URLSearchHook is missing
    O1 - Hosts: comments (such as these) may be inserted on individual
    O2 - BHO: QuickSearch Search Bar - {82315A18-6CFB-44a7-BDFD-90E36537C252} - C:\Program Files\QuickSearch\QuickSearchBar1_27.dll
    O2 - BHO: MSEvents Object - {CE70731D-F28D-4D81-9D61-C8EE60378401} - C:\WINDOWS\system32\awtqq.dll
    O3 - Toolbar: QuickSearch Search Bar - {82315A18-6CFB-44a7-BDFD-90E36537C252} - C:\Program Files\QuickSearch\QuickSearchBar1_27.dll
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/1186b9534b8c60...ip/RdxIE601.cab
    O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} - http://216.65.38.226/crack.CAB
    O20 - Winlogon Notify: awtqq - C:\WINDOWS\system32\awtqq.dll
  • After you have fixed these items, close Hijackthis.
  • Press enter to exit the program then manually reboot your computer.
  • Once your machine reboots please continue with the instructions below.
Download CCleaner from here to clean temp files from your computer.
  • Double click on the file to start the installation of the program.
  • Select your language and click OK, then next.
  • Read the license agreement and click I Agree.
  • Click next to use the default install location. Click Install then finish to complete installation.
  • Double click the CCleaner shortcut on the desktop to start the program.
  • On the "Windows" tab, under "Internet Explorer," uncheck "Cookies" if you do not want them deleted. (If deleted, you will likely need to reenter your passwords at all sites where a cookie is used to recognize you when you visit).
  • If you use either the Firefox or Mozilla browsers, the box to uncheck for "Cookies" is on the Applications tab, under Firefox/Mozilla.
  • Click Run Cleaner to run the program.
  • Caution: It is not recommended that you use the "Issues" feature unless you are very familiar with the registry as it has been known to find legitimate items.
  • After CCleaner has completed its process, click Exit.
Then, please run this online virus scan: ActiveScan

Copy the results of the ActiveScan and paste them here along with a new HiJackThis log and the vundofix.txt file from the vundofix folder into this topic.

David
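As an added example (not code from HijackThis, VundoFix, or anyone in this thread), the following Python pulls the O2, O3 and O20 entries out of a HijackThis log, finds the DLL that is registered both as a BHO and as a Winlogon Notify handler, and derives the reversed-name second filepath that the instructions above describe. The sample log lines are copied from the log posted earlier in this thread; the class and function names (HjtEntry, parse_hjt, vundofix_second_path, second_path_matches) are assumptions of this example, not part of either tool.

```python
"""Added example: parse HijackThis O2/O3/O20 lines and derive the VundoFix
second filepath (the DLL's base name spelled backwards, as the post describes).
Not code from HijackThis, VundoFix or BleepingComputer; names are invented here."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a handful of lines copied from the HijackThis log in this thread.
SAMPLE_LOG = """\
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 7.0\\ActiveX\\AcroIEHelper.dll
O2 - BHO: MSEvents Object - {CE70731D-F28D-4D81-9D61-C8EE60378401} - C:\\WINDOWS\\system32\\awtqq.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\\Program Files\\MSN Apps\\MSN Toolbar\\01.02.3000.1001\\en-us\\msntb.dll (file missing)
O3 - Toolbar: QuickSearch Search Bar - {82315A18-6CFB-44a7-BDFD-90E36537C252} - C:\\Program Files\\QuickSearch\\QuickSearchBar1_27.dll
O20 - Winlogon Notify: awtqq - C:\\WINDOWS\\system32\\awtqq.dll
"""


@dataclass
class HjtEntry:
    section: str            # "O2", "O3" or "O20"
    name: str               # display name HijackThis prints for the item
    clsid: Optional[str]    # CLSID for O2/O3 items, None for O20
    path: str               # file path the entry points at
    missing: bool = False   # True when HijackThis appended "(file missing)"


# O2 (BHO) and O3 (Toolbar) lines: "<section> - <kind>: <name> - {CLSID} - <path> [(file missing)]"
O2_O3_RE = re.compile(
    r"^(O[23]) - (?:BHO|Toolbar): (.+?) - (\{[0-9A-Fa-f-]{36}\}) - (.+?)( \(file missing\))?$"
)
# O20 Winlogon Notify lines: "O20 - Winlogon Notify: <subkey> - <path>"
O20_RE = re.compile(r"^(O20) - Winlogon Notify: (\S+) - (.+)$")


def parse_hjt(text: str) -> List[HjtEntry]:
    """Return structured entries for every O2/O3/O20 line; other sections are skipped."""
    entries: List[HjtEntry] = []
    for line in text.splitlines():
        m = O2_O3_RE.match(line)
        if m:
            entries.append(HjtEntry(m.group(1), m.group(2), m.group(3), m.group(4), bool(m.group(5))))
            continue
        m = O20_RE.match(line)
        if m:
            entries.append(HjtEntry(m.group(1), m.group(2), None, m.group(3)))
    return entries


def winlogon_notify_dlls(entries: List[HjtEntry]) -> List[str]:
    """DLLs that appear both as a BHO (O2) and as a Winlogon Notify handler (O20):
    the combination the helper singles out for VundoFix in this thread."""
    o20_paths = {e.path.lower() for e in entries if e.section == "O20"}
    return sorted({e.path for e in entries if e.section == "O2" and e.path.lower() in o20_paths})


def vundofix_second_path(dll_path: str) -> str:
    """Second VundoFix filepath: same directory, base name reversed, '.*' extension."""
    directory, sep, filename = dll_path.rpartition("\\")
    base = filename.rsplit(".", 1)[0]
    reversed_name = base[::-1] + ".*"
    return f"{directory}{sep}{reversed_name}" if directory else reversed_name


def second_path_matches(entered: str, dll_path: str) -> bool:
    """Check a typed second filepath against the expected one (case-insensitive,
    as Windows paths are). Typing the example name from the instructions fails here."""
    return entered.strip().lower() == vundofix_second_path(dll_path).lower()


if __name__ == "__main__":
    found = parse_hjt(SAMPLE_LOG)
    for dll in winlogon_notify_dlls(found):
        print(f"first filepath : {dll}")
        print(f"second filepath: {vundofix_second_path(dll)}")
```

Run as-is it prints the two filepaths to type into VundoFix for the DLL in this log; second_path_matches can be used to sanity-check what was typed before pressing Enter, since a path ending in the example name odnuv rather than the reversed real name returns False.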

#5 Darkstar765
  • Topic Starter

  • Members
  • 19 posts

Posted 08 December 2005 - 01:12 AM

Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Guest\Local Settings\Temp\~761236.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\C9M7KX6B\WinTA[1].cab[WToolsA.exe]
Adware:Adware/QuickSearch Not disinfected C:\Documents and Settings\Jerry Carollo\Desktop\HijackThis\backups\backup-20051207-182526-535.dll
Adware:Adware/QuickSearch Not disinfected C:\Program Files\QuickSearch\QuickSearchBar1_27.dll
Adware:Adware/Startpage.ACY Not disinfected C:\Program Files\Support.com\adelphia\scripts\IEconfig.vbs
Adware:Adware/SAHAgent Not disinfected C:\WINDOWS\INF\biH.inf
Adware:adware/ncase Not disinfected C:\WINDOWS\msbbau.dat
Spyware:Spyware/New.net Not disinfected C:\WINDOWS\NDNuninstall5_64.exe
Spyware:Spyware/New.net Not disinfected C:\WINDOWS\NDNuninstall6_38.exe
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\geedd.dll
Adware:adware/talkstocks Not disinfected C:\WINDOWS\SYSTEM32\mstbl.ocx

Logfile of HijackThis v1.99.1
Scan saved at 10:08:31 PM, on 12/7/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSComp.exe
C:\Program Files\Ares\Ares.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Linksys\WMP11 Config Utility\WMP11Cfg.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Documents and Settings\Jerry Carollo\Desktop\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\PROGRA~1\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
O2 - BHO: Popup Killer - {4A3A071E-F913-4eee-AE15-AEFFA16FB6BC} - C:\PROGRA~1\Webroot\POP-UP~1\VAPopupKiller.dll
O2 - BHO: MSEvents Object - {CE70731D-F28D-4D81-9D61-C8EE60378401} - C:\WINDOWS\system32\awtqq.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll (file missing)
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [PopUpStopperCompanion] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSComp.exe"
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Wireless PCI Card Configuration Utility.lnk = C:\Program Files\Linksys\WMP11 Config Utility\WMP11Cfg.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://supportsoft.adelphia.net/sdccommon/...ad/tgctlins.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...74/mcinsctl.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - https://www.gamespyid.com/alaunch.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A7ECD556-D6F6-4F41-8C6B-14AB246801A0} (Secure Delivery) - http://kdx.kontiki.com/kdx/Client403/kdx.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundl...ArcadeRdxIE.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O20 - Winlogon Notify: awtqq - C:\WINDOWS\system32\awtqq.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe

VundoFix V2.15 by Atri
--------------------------------------------------------------------------------------

Listing files contained in the vundofix folder.
--------------------------------------------------------------------------------------

killvundo.bat
process.exe
ReadMe.txt
vundo.reg
vundofix.txt

--------------------------------------------------------------------------------------

Filepaths entered
--------------------------------------------------------------------------------------

The filepath entered was C:\WINDOWS\system32\awtqq.dll

The second filepath entered was C:\WINDOWS\system32\odnuv

--------------------------------------------------------------------------------------

Log from Process
--------------------------------------------------------------------------------------


Killing PID 764 'smss.exe'
Error 0x6 : The handle is invalid.


Killing PID 280 'explorer.exe'
Killing PID 280 'explorer.exe'


Killing PID 840 'winlogon.exe'
Error 0x6 : The handle is invalid.

--------------------------------------------------------------------------------------

Could not delete C:\WINDOWS\system32\awtqq.dll.
C:\WINDOWS\system32\odnuv Deleted sucessfully.

Fixing Registry
--------------------------------------------------------------------------------------

#6 -David-

-David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London
  • Local time:02:49 AM

Posted 08 December 2005 - 12:14 PM

Sorry, you will need to do it again - you entered the second filepath as the example :thumbsup: - please try again!

Please print these instructions out for use in Safe Mode.

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to extract the files
  • This will create a VundoFix folder on your desktop.
  • After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
  • Once in safe mode open the VundoFix folder and doubleclick on KillVundo.bat
  • You will first be presented with a warning.
    It should look like this

    VundoFix V2.15 by Atri
    By using VundoFix you agree that you are doing so at your own risk
    Press enter to continue....



  • At this point press enter one time.


  • Next you will see:

    Please Type in the filepath as instructed by the forum staff
    and then press enter:



  • At this point please type the following file path (make sure to enter it exactly as below!):
    • C:\WINDOWS\system32\awtqq.dll
  • Press Enter to continue with the fix.


  • Next you will see:

    Please type in the second filepath as instructed by the forum
    staff then press enter:

  • At this point please type the following file path (make sure to enter it exactly as below!):
    • C:\WINDOWS\system32\qqtwa.*
  • Press Enter to continue with the fix.
  • The fix will run then HijackThis will open, if it does not open automatically please open it manually.
  • In HiJackThis, please place a check next to the following items and click FIX CHECKED:
    O2 - BHO: MSEvents Object - {CE70731D-F28D-4D81-9D61-C8EE60378401} - C:\WINDOWS\system32\awtqq.dll
    O20 - Winlogon Notify: awtqq - C:\WINDOWS\system32\awtqq.dll
  • After you have fixed these items, close Hijackthis.
  • Press enter to exit the program then manually reboot your computer.
Please post a new HiJackThis log and the vundofix.txt file from the vundofix folder into this topic.

David

Edited by D-Trojanator, 12 December 2005 - 06:55 PM.
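As an added example (not code from this thread, from VundoFix or from HijackThis): a small Python triage script that parses the O2 and O20 lines of a HijackThis log, reports any DLL registered both as a browser helper object and as a Winlogon Notify handler (the combination in the two lines the instructions above ask to fix), and derives the reversed-name companion pattern, awtqq.dll to qqtwa.*, that the second VundoFix filepath targets. The sample lines are copied from the logs posted in this thread; the function names are my own.

```python
"""Added example (not from the thread, VundoFix or HijackThis): triage
HijackThis O2/O20 lines and derive the reversed-name companion pattern
that the second VundoFix filepath in this thread points at."""
import re
from pathlib import PureWindowsPath

# Constructed sample: the relevant lines as they appear in the logs posted
# in this thread, plus one benign O2 and one O23 line for contrast.
SAMPLE_HJT_LOG = """\
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 7.0\\ActiveX\\AcroIEHelper.dll
O2 - BHO: MSEvents Object - {CE70731D-F28D-4D81-9D61-C8EE60378401} - C:\\WINDOWS\\system32\\awtqq.dll
O20 - Winlogon Notify: awtqq - C:\\WINDOWS\\system32\\awtqq.dll
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\\Program Files\\Bonjour\\mDNSResponder.exe
"""

O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$"
)
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+)$")


def parse_hjt(text):
    """Collect O2 (BHO) and O20 (Winlogon Notify) entries from HijackThis output."""
    bhos, notify = [], []
    for line in text.splitlines():
        m = O2_RE.match(line)
        if m:
            bhos.append(m.groupdict())
            continue
        m = O20_RE.match(line)
        if m:
            notify.append(m.groupdict())
    return bhos, notify


def reversed_companion_glob(dll_path):
    """awtqq.dll -> C:\\WINDOWS\\system32\\qqtwa.*

    The companion data files carry the DLL's base name spelled backwards,
    which is why the second VundoFix path is a wildcard on the reversed stem.
    """
    p = PureWindowsPath(dll_path)
    return str(p.parent / (p.stem[::-1] + ".*"))


def find_dual_registered(text):
    """A DLL loaded both by the browser (O2) and by winlogon (O20) is the
    pattern this thread deals with; report each one with its companion glob."""
    bhos, notify = parse_hjt(text)
    bho_paths = {b["path"].strip().lower() for b in bhos}
    findings = []
    for n in notify:
        path = n["path"].strip()
        if path.lower() in bho_paths:
            findings.append({
                "key": n["key"],
                "dll": path,
                "companion_glob": reversed_companion_glob(path),
            })
    return findings


if __name__ == "__main__":
    for f in find_dual_registered(SAMPLE_HJT_LOG):
        print(f"{f['key']}: {f['dll']} -> second VundoFix path {f['companion_glob']}")
```

Run it as-is to see the awtqq entry reported with `C:\WINDOWS\system32\qqtwa.*`; to use it on a real log, replace `SAMPLE_HJT_LOG` with the file contents. Only the dual-registered case is flagged, so a vendor BHO such as the Acrobat helper in the sample stays quiet.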


#7 Darkstar765

Darkstar765
  • Topic Starter

  • Members
  • 19 posts
  • Local time:08:49 PM

Posted 10 December 2005 - 09:32 PM

VundoFix V2.15 by Atri
--------------------------------------------------------------------------------------

Listing files contained in the vundofix folder.
--------------------------------------------------------------------------------------

killvundo.bat
process.exe
ReadMe.txt
vundo.reg
vundofix.txt

--------------------------------------------------------------------------------------

Filepaths entered
--------------------------------------------------------------------------------------

The filepath entered was C:\WINDOWS\system32\awtqq.dll

The second filepath entered was C:\WINDOWS\system32\qqtwa.*

--------------------------------------------------------------------------------------

Log from Process
--------------------------------------------------------------------------------------


Killing PID 764 'smss.exe'
Error 0x6 : The handle is invalid.


Killing PID 324 'explorer.exe'
Killing PID 324 'explorer.exe'
Killing PID 324 'explorer.exe'


Killing PID 840 'winlogon.exe'
Error 0x6 : The handle is invalid.

--------------------------------------------------------------------------------------

Could not delete C:\WINDOWS\system32\awtqq.dll.
C:\WINDOWS\system32\qqtwa.* Deleted sucessfully.

Fixing Registry
--------------------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 6:28:47 PM, on 12/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSComp.exe
C:\Program Files\Ares\Ares.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Linksys\WMP11 Config Utility\WMP11Cfg.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\System32\svchost.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jerry Carollo\Desktop\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\PROGRA~1\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
O2 - BHO: Popup Killer - {4A3A071E-F913-4eee-AE15-AEFFA16FB6BC} - C:\PROGRA~1\Webroot\POP-UP~1\VAPopupKiller.dll
O2 - BHO: MSEvents Object - {CE70731D-F28D-4D81-9D61-C8EE60378401} - C:\WINDOWS\system32\awtqq.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll (file missing)
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [PopUpStopperCompanion] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSComp.exe"
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Wireless PCI Card Configuration Utility.lnk = C:\Program Files\Linksys\WMP11 Config Utility\WMP11Cfg.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://supportsoft.adelphia.net/sdccommon/...ad/tgctlins.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...74/mcinsctl.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - https://www.gamespyid.com/alaunch.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A7ECD556-D6F6-4F41-8C6B-14AB246801A0} (Secure Delivery) - http://kdx.kontiki.com/kdx/Client403/kdx.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundl...ArcadeRdxIE.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O20 - Winlogon Notify: awtqq - C:\WINDOWS\system32\awtqq.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe

I'm sorry but I don't think I got rid of it again. I'm not totally sure what I'm doing wrong. Thank You

#8 -David-

-David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London
  • Local time:02:49 AM

Posted 11 December 2005 - 09:16 AM

Please go here:
http://securityresponse.symantec.com/avcen...moval.tool.html

and download and run the free removal tool.

Please post a new HJT log at the end

David :thumbsup:

#9 Darkstar765

Darkstar765
  • Topic Starter

  • Members
  • 19 posts
  • Local time:08:49 PM

Posted 11 December 2005 - 01:25 PM

Symantec Trojan.Vundo Removal Tool 1.5.0
The process "iexplore.exe" might be affected by the threat. It has been suspended.
The process "explorer.exe" contained a viral thread (00000450). The thread was terminated.
The process "explorer.exe" contained a viral thread (0000045C). The thread was terminated.
The process "iexplore.exe" might be affected by the threat. It has been terminated.

C:\a3fcd884e234aea2abc57e75\sp2: (not scanned)
C:\Documents and Settings\Jerry Carollo\My Documents\My Music\1\The Hives - Tyrannosaurus Hives-2004-Punk-Rock\The Hives - Tyrannosaurus Hives (2004) Pop [www.torrentazos.com]By FEFE2003\www.torrentazos.com!! La mejor web de .torrents musicales! The best web of .torrents music! ).url (WARNING: not scanned, path to long)
registry: HKEY_CLASSES_ROOT\MSEvents.MSEvents (key deleted)
registry: HKEY_CLASSES_ROOT\MSEvents.MSEvents.1 (key deleted)


Trojan.Vundo has been successfully removed from your computer!

Here is the report:

The total number of the scanned files: 120601
The number of deleted files: 0
The number of viral processes terminated: 1
The number of viral processes suspended: 1
The number of viral threads terminated: 2
The number of registry entries fixed: 2


Logfile of HijackThis v1.99.1
Scan saved at 10:21:57 AM, on 12/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSComp.exe
C:\Program Files\Ares\Ares.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Linksys\WMP11 Config Utility\WMP11Cfg.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
C:\WINDOWS\System32\svchost.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jerry Carollo\Desktop\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\PROGRA~1\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
O2 - BHO: Popup Killer - {4A3A071E-F913-4eee-AE15-AEFFA16FB6BC} - C:\PROGRA~1\Webroot\POP-UP~1\VAPopupKiller.dll
O2 - BHO: MSEvents Object - {CE70731D-F28D-4D81-9D61-C8EE60378401} - C:\WINDOWS\system32\awtqq.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll (file missing)
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [PopUpStopperCompanion] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSComp.exe"
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Wireless PCI Card Configuration Utility.lnk = C:\Program Files\Linksys\WMP11 Config Utility\WMP11Cfg.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://supportsoft.adelphia.net/sdccommon/...ad/tgctlins.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...74/mcinsctl.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - https://www.gamespyid.com/alaunch.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A7ECD556-D6F6-4F41-8C6B-14AB246801A0} (Secure Delivery) - http://kdx.kontiki.com/kdx/Client403/kdx.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundl...ArcadeRdxIE.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O20 - Winlogon Notify: awtqq - C:\WINDOWS\system32\awtqq.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe

Thank You :thumbsup:

#10 -David-

-David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London
  • Local time:02:49 AM

Posted 12 December 2005 - 01:58 PM

Download the following file:

http://www.thatcomputerguy.us/downloads/finditnt2000xp.zip

and unzip the contents to a folder. When it has unzipped, open that folder and double click on Find.bat. It will run for a while, so be patient, and then produce a log (ignore any File not found messages on the screen, it should continue anyway).

Please copy and paste that log here.

David

#11 Darkstar765

Darkstar765
  • Topic Starter

  • Members
  • 19 posts
  • Local time:08:49 PM

Posted 12 December 2005 - 05:11 PM

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Documents and Settings\Jerry Carollo\Desktop\Find It NT-2K-XP

------- System Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is FC4F-6D45

Directory of C:\WINDOWS\System32

12/12/2005 01:18 PM 378,516 qqtwa.ini2
12/12/2005 12:51 PM <DIR> DLLCACHE
12/12/2005 12:51 PM 378,386 qqtwa.tmp
12/12/2005 12:00 AM 378,716 qqtwa.ini
12/11/2005 07:57 PM 378,303 qqtwa.bak2
12/08/2005 07:56 PM 344,840 qqtwa.bak1
11/17/2005 05:13 PM 27,661 geedd.dll
08/20/2004 01:06 PM 56 3621D010C7.sys
12/09/2003 08:31 AM <DIR> Microsoft
7 File(s) 1,886,478 bytes
2 Dir(s) 55,406,833,664 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is FC4F-6D45

Directory of C:\WINDOWS\System32

12/12/2005 01:18 PM 378,516 qqtwa.ini2
12/12/2005 12:51 PM <DIR> DLLCACHE
12/12/2005 12:51 PM 378,386 qqtwa.tmp
12/12/2005 12:00 AM 378,716 qqtwa.ini
12/11/2005 07:57 PM 378,303 qqtwa.bak2
12/08/2005 07:56 PM 344,840 qqtwa.bak1
11/17/2005 05:13 PM 27,661 geedd.dll
08/20/2004 01:06 PM 56 3621D010C7.sys
09/03/2002 11:33 AM 488 logonui.exe.manifest
09/03/2002 11:33 AM 488 WindowsLogon.manifest
09/03/2002 11:33 AM 749 cdplayer.exe.manifest
09/03/2002 11:33 AM 749 sapi.cpl.manifest
09/03/2002 11:33 AM 749 ncpa.cpl.manifest
09/03/2002 11:33 AM 749 wuaucpl.cpl.manifest
09/03/2002 11:33 AM 749 nwc.cpl.manifest
14 File(s) 1,891,199 bytes
1 Dir(s) 55,406,829,568 bytes free

------------ Files Named "Guard" ---------------

Volume in drive C has no label.
Volume Serial Number is FC4F-6D45

Directory of C:\WINDOWS\System32


------ Temp Files in System32 Directory ------

Volume in drive C has no label.
Volume Serial Number is FC4F-6D45

Directory of C:\WINDOWS\System32

12/12/2005 12:51 PM 378,386 qqtwa.tmp
12/05/2005 10:29 PM 143 mcrh.tmp
08/25/2005 10:45 AM 2,950 tmpmpt1.tmp
01/28/2005 12:44 PM 5,525,504 setb7.tmp
08/29/2002 06:14 AM 62,976 SET161.tmp
08/29/2002 06:14 AM 91,136 SET15D.tmp
08/29/2002 06:14 AM 98,816 SET15B.tmp
08/29/2002 03:00 AM 2,577 CONFIG.TMP
8 File(s) 6,162,488 bytes
0 Dir(s) 55,406,829,568 bytes free

------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{143E8811-9454-45CF-8648-986021C095EB}"=""


------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\awtqq]
"Asynchronous"=dword:00000001
"DllName"="C:\\WINDOWS\\system32\\awtqq.dll"
"Impersonate"=dword:00000000
"Startup"="SysLogon"
"Logoff"="SysLogoff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


------------- Locate.com Results -------------

-------- Strings.exe Qoologic Results --------


--------- Strings.exe Aspack Results ---------

C:\WINDOWS\SYSTEM32\MRT.exe: (ASPack)
C:\WINDOWS\SYSTEM32\MRT.exe: (AsPack2k)
C:\WINDOWS\SYSTEM32\MRT.exe: (ASPack 1.00b)
C:\WINDOWS\SYSTEM32\MRT.exe: (ASPack 2.1)
C:\WINDOWS\SYSTEM32\MRT.exe: (ASPack 2.12)
C:\WINDOWS\SYSTEM32\MRT.exe: (ASPack 2.11)
C:\WINDOWS\SYSTEM32\MRT.exe: (ASPack 2.000)
C:\WINDOWS\SYSTEM32\MRT.exe: (ASPack 2.001)
C:\WINDOWS\SYSTEM32\MRT.exe: (ASPack 2.11x)
C:\WINDOWS\SYSTEM32\MRT.exe: ASPack2000
C:\WINDOWS\SYSTEM32\MRT.exe: ASPack 1.61
C:\WINDOWS\SYSTEM32\MRT.exe: ASPack 1.084
C:\WINDOWS\SYSTEM32\MRT.exe: ASPack 1.083
C:\WINDOWS\SYSTEM32\MRT.exe: ASPack 1.08.02b
C:\WINDOWS\SYSTEM32\MRT.exe: ASPack 1.07b
C:\WINDOWS\SYSTEM32\MRT.exe: ASPack 1.05b
C:\WINDOWS\SYSTEM32\MRT.exe: ASPack 1.02
C:\WINDOWS\SYSTEM32\MRT.exe: ASPACK
C:\WINDOWS\SYSTEM32\MRT.exe: aspACK
C:\WINDOWS\SYSTEM32\MRT.exe: aspACK
C:\WINDOWS\SYSTEM32\MRT.exe: aspACK
C:\WINDOWS\SYSTEM32\MRT.exe: aspACK
C:\WINDOWS\SYSTEM32\MRT.exe: aspACK
C:\WINDOWS\SYSTEM32\MRT.exe: aspACK
C:\WINDOWS\SYSTEM32\MRT.exe: aspACK
C:\WINDOWS\SYSTEM32\ntdll.dll: .aspack

-------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"MCUpdateExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcupdate.exe"
"VSOCheckTask"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcmnhdlr.exe\" /checktask"
"VirusScan Online"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcvsshld.exe\""
"MCAgentExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"




#12 -David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 12 December 2005 - 05:49 PM

Hi again! :thumbsup:

http://www10.brinkster.com/expl0iter/freeatlast/NTrights.zip

Please download the .zip file from above and extract the file onto somewhere convenient like the desktop.

Double click on the Debug.bat file to run it and follow any prompts it gives.

Please reboot your computer and run the Debug.bat file again.

It will create a log.

Please post that log here.

Thanks

David

Edited by D-Trojanator, 12 December 2005 - 06:27 PM.


#13 Darkstar765

  • Topic Starter
  • Members
  • 19 posts

Posted 12 December 2005 - 06:14 PM

For some reason I couldn't get to the link; it kept coming up with this:

You are not authorized to view this page
You might not have permission to view this directory or page using the credentials you supplied.

--------------------------------------------------------------------------------

If you believe you should be able to view this directory or page, please try to contact the Web site by using any e-mail address or phone number that may be listed on the www10.brinkster.com home page.

You can click Search to look for information on the Internet.

HTTP Error 403 - Forbidden
Internet Explorer

#14 Darkstar765

  • Topic Starter
  • Members
  • 19 posts

Posted 12 December 2005 - 06:52 PM

I got it!!!!!!!!!!


Granting SeDebugPrivilege to Administrators ... successful

Mon Dec 12 15:43:41 2005 -- done

#15 -David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 12 December 2005 - 06:57 PM

Well done

Please reboot your computer and run the Debug.bat file again.

It will create a log.

Please post that log here.

Thanks

David

Edited by D-Trojanator, 12 December 2005 - 06:58 PM.




