Pop-ups, Slow Computer, Bg Image Gone


  • This topic is locked
20 replies to this topic

#1 xtinakay

xtinakay

  • Members
  • 10 posts
  • OFFLINE
  • Local time:02:15 PM

Posted 31 May 2006 - 12:24 AM

In all honesty, I have no clue what happened to my computer. It's just that all of a sudden my Windows doesn't start right, I am getting non-stop pop-up ads, the background of my computer suddenly disappeared, and a whole slew of other problems. I ran the Lavasoft program and the Spybot detect & removal in regular/safe mode, but it doesn't seem to have stopped it completely. This happened once before and I reformatted my computer, but I don't want to go through that again because there are drivers that I need in here. Please help. This is my HJT log:
=================================

Logfile of HijackThis v1.99.1
Scan saved at 1:08:20 AM, on 5/31/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\PurgeIE\PurgeIE_Service.exe
C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Tablet.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\inet20026\winlogon.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\System32\WDBtnMgr.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\kernels8.exe
C:\WINDOWS\System32\kerneld16.exe
C:\WINDOWS\System32\6792247d.exe
C:\WINDOWS\System32\spoolsvv.exe
C:\WINDOWS\System32\0mcamcap.exe
C:\WINDOWS\System32\dxvwhggi.exe
C:\WINDOWS\smss.exe
C:\Program Files\nkkk.exe
C:\WINDOWS\System32\89278229.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\per.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\winstall.exe
C:\WINDOWS\System32\services.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
C:\WINDOWS\system32\Wtablet\TabUserW.exe
C:\WINDOWS\System32\dlh9jkdq1.exe
C:\WINDOWS\System32\dlh9jkdq2.exe
C:\WINDOWS\inet20026\mm5.exe
C:\DOCUME~1\CHRIST~1\LOCALS~1\Temp\explorer.exe
C:\WINDOWS\System32\dxvworll.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\1052.exe
C:\WINDOWS\System32\vxgamet1.exe
C:\WINDOWS\System32\vxgamet4.exe
C:\WINDOWS\System32\vxgamet4.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\inet20026\select.exe
C:\WINDOWS\inet20026\socks.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\TEMP\49FA.tmp
C:\WINDOWS\System32\dllcache\IExplore.exe
C:\WINDOWS\System32\dllcache\IExplore.exe
C:\WINDOWS\System32\dllcache\IExplore.exe
C:\WINDOWS\System32\dllcache\IExplore.exe
C:\Documents and Settings\Christina\Desktop\hijackthis\HijackThis.exe
C:\WINDOWS\System32\svchost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://spywaresoftstop.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://spywaresoftstop.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://spywaresoftstop.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://spywaresoftstop.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
F3 - REG:win.ini: run=C:\WINDOWS\inet20026\winlogon.exe
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\tyczo.dll
O2 - BHO: (no name) - {196B9CB5-4C83-46F7-9B06-9672ECD9D99B} - C:\WINDOWS\system32\winbrume.dll
O2 - BHO: ib.CBrowserHelper - {1E6CE4CD-161B-4847-B8BF-E2EF72299D69} - C:\WINDOWS\System32\ib14.dll
O2 - BHO: HBO Class - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - C:\WINDOWS\inet20026\3.03.00.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {78364D99-A240-4dff-B11A-67E448373045} - C:\WINDOWS\System32\ipv4mons.dll
O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\tyczo.dll
O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\tyczo.dll
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [imjpmig] C:\IME\IMJP\imjpmig.exe /RemAdvDef /AIMEREG /Migration /SetPreload
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [EPSON Stylus CX5400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE /P19 "EPSON Stylus CX5400" /O6 "USB001" /M "Stylus CX5400"
O4 - HKLM\..\Run: [imekrmig] E:\IME\IMKR\imekrmig.exe
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [defender] C:\\defender24.exe
O4 - HKLM\..\Run: [vbcfgjrA] C:\WINDOWS\vbcfgjrA.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\rwinpqez.exe GID003
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels8.exe
O4 - HKLM\..\Run: [Systems] C:\WINDOWS\System32\kerneld16.exe
O4 - HKLM\..\Run: [6792247d.exe] C:\WINDOWS\System32\6792247d.exe
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\System32\kernels8.exe
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\System32\kernels8.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [6792247d.exe] C:\Documents and Settings\Christina\Local Settings\Application Data\6792247d.exe
O4 - HKCU\..\Run: [WinMedia] C:\WINDOWS\System32\qvxgamet2.exe3072.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [0mcamcap] C:\WINDOWS\System32\0mcamcap.exe
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inet20026\winlogon.exe
O4 - HKCU\..\Run: [shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [89278229.exe] C:\Documents and Settings\Christina\Local Settings\Application Data\89278229.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [KillAndClean] "C:\Program Files\KillAndClean\KillAndClean.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\rwinpqez.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NETGEAR WG311v2 Smart Configuration.lnk = C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\Wtablet\TabUserW.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Start spyware remover - {BF69DF00-2734-477F-8257-27CD04F88779} - C:\Program Files\KillAndClean\KillAndClean.exe (HKCU)
O9 - Extra 'Tools' menuitem: Start spyware remover - {BF69DF00-2734-477F-8257-27CD04F88779} - C:\Program Files\KillAndClean\KillAndClean.exe (HKCU)
O15 - Trusted Zone: *.adgate.info
O15 - Trusted Zone: *.dollarrevenue.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.matcash.com
O15 - Trusted Zone: *.media-motor.com
O15 - Trusted Zone: *.mediatickets.net
O15 - Trusted Zone: *.snipernet.biz
O15 - Trusted Zone: *.snipernet.us
O15 - Trusted Zone: *.systemdoctor.com
O15 - Trusted Zone: *.winantivirus.com
O15 - Trusted Zone: *.adgate.info (HKLM)
O15 - Trusted Zone: *.dollarrevenue.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.matcash.com (HKLM)
O15 - Trusted Zone: *.media-motor.com (HKLM)
O15 - Trusted Zone: *.mediatickets.net (HKLM)
O15 - Trusted Zone: *.snipernet.biz (HKLM)
O15 - Trusted Zone: *.snipernet.us (HKLM)
O15 - Trusted Zone: *.systemdoctor.com (HKLM)
O15 - Trusted Zone: *.winantivirus.com (HKLM)
O16 - DPF: {04E7BADF-F3B9-420D-B82D-8D8CADEFE4F9} (CyImage2Ctl Class) - http://cyimg6.cyworld.nate.com/ImageUpload...mageUpload2.cab
O16 - DPF: {072039AB-2117-4ED5-A85F-9B9EB903E021} (NowStarter Control) - http://www.clubbox.co.kr/neo.fld/NowStarter.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {B0A02AAB-94AB-4190-92E2-429B5AC75F50} (SayClub Tachy Download Control) - http://dl.sayclub.com/tachy/dltachy.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {D62C6763-3AF7-481A-B31D-02BB6BE1D2EE} (ToonsXYahooKorea Control) - http://comicw2.yahoo.co.kr/download/ToonsXYahooKorea.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2B46B078-CDDD-4E4E-A718-D8619D104C00}: NameServer = 85.255.116.139,85.255.112.7
O17 - HKLM\System\CCS\Services\Tcpip\..\{53430CBE-0D2A-49AC-87D9-E6D4293DCCFD}: NameServer = 85.255.116.139,85.255.112.7
O17 - HKLM\System\CCS\Services\Tcpip\..\{FF0F83A9-B807-4D81-A0CD-B09C947C2196}: NameServer = 85.255.116.139,85.255.112.7
O17 - HKLM\System\CS1\Services\Tcpip\..\{2B46B078-CDDD-4E4E-A718-D8619D104C00}: NameServer = 85.255.116.139,85.255.112.7
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: SensSrv - C:\WINDOWS\SYSTEM32\senssrv.dll
O21 - SSODL: DCOM Server - {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - C:\DOCUME~1\CHRIST~1\LOCALS~1\Temp\explorer.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: PurgeIE XP Service (PurgeIEservice) - Assistance & Resources for Computing, Inc. - C:\Program Files\PurgeIE\PurgeIE_Service.exe
O23 - Service: Retrospect WD Service (RetroWDSvc) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe

================================

Thank you so much if you can help me.

Edited by xtinakay, 31 May 2006 - 12:26 AM.


#2 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:09:15 PM

Posted 31 May 2006 - 01:50 PM

Welcome aboard... :thumbsup:

You've got a really infected PC there.

==

Please print these instructions out, or save them to a notepad file, as you can't read them during the fix.

Please get the free version of AVG.

Download & install it, configure it how you wish, update it. Next, run a scan with it (set it to scan everything it can). Remove/quarantine everything found. Reboot.

==

Please download the trial version of Ewido Anti-malware here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

==

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.


==

Please run a scan with Ewido:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • You will be prompted to clean the first infection.
  • Select "Perform action on all infections", then proceed.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop or a location where you can find it easily. (Maybe Desktop)
  • Close Ewido Anti-Malware.
==

Now, reboot back into Normal mode.

Please download SmitfraudFix © S!Ri
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply with the Report.txt file from Ewido as well as a fresh HijackThis log by using AddReply. :flowers:

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm
Hi there, stranger!

#3 xtinakay

xtinakay
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:02:15 PM

Posted 01 June 2006 - 12:17 AM

I can't believe my PC is so infected! There were like 100's of infections. How in the world did that happen? It's not like my siblings and I go on bad sites or anything. . . . @__@
And I know this sounds shallow, but in all honesty, if I could marry you I would. You're at the top of my 'favorite people' list right now. . .

My SmitfraudFix file:
========================================================

SmitFraudFix v2.53

Scan done at 1:08:16.09, Thu 06/01/2006
Run from C:\Documents and Settings\Christina\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode

C:\

C:\exit FOUND !
C:\secure32.html FOUND !
C:\uniq FOUND !

C:\WINDOWS

C:\WINDOWS\sysvx_.exe FOUND !

C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32

C:\WINDOWS\system32\a.exe FOUND !
C:\WINDOWS\system32\comdlg64.dll FOUND !
C:\WINDOWS\system32\dlh9jkdq?.exe FOUND !
C:\WINDOWS\system32\qvxgamet?.exe FOUND !
C:\WINDOWS\system32\sysvx.exe FOUND !
C:\WINDOWS\system32\taskdir.exe FOUND !
C:\WINDOWS\system32\taskdir~.exe FOUND !
C:\WINDOWS\system32\vxgame?.exe FOUND !
C:\WINDOWS\system32\zlbw.dll FOUND !

C:\Documents and Settings\Christina\Application Data

C:\Documents and Settings\Christina\Application Data\Install.dat FOUND !

Start Menu


C:\WINDOWS\System32\vxsite


Desktop

C:\DOCUME~1\CHRIST~1\Desktop\asfds FOUND !
C:\DOCUME~1\CHRIST~1\Desktop\sdfdsf FOUND !

C:\Program Files

C:\Program Files\secure32.html FOUND !

Corrupted keys


Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="C:\\Program Files\\Windows NT\\qupegif.html"
"SubscribedURL"=""
"FriendlyName"=""

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{3F143C3A-1457-6CCA-03A7-7AA23B61E40F}"="OLE Automation Module"

[HKEY_CLASSES_ROOT\CLSID\{3F143C3A-1457-6CCA-03A7-7AA23B61E40F}\InProcServer32]
@="C:\WINDOWS\System32\mscdaux.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{3F143C3A-1457-6CCA-03A7-7AA23B61E40F}\InProcServer32]
@="C:\WINDOWS\System32\mscdaux.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{2C1CD3D7-86AC-4068-93BC-A02304BB8C34}"="DCOM Server"


Scanning wininet.dll infection


End
========================================================
My ewido.txt thing:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 1:00:16 AM, 6/1/2006
+ Report-Checksum: A9546F64

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{1E6CE4CD-161B-4847-B8BF-E2EF72299D69} -> Logger.Sters : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{2C1CD3D7-86AC-4068-93BC-A02304BB8C34} -> Trojan.Small : Cleaned with backup
HKLM\SOFTWARE\Classes\Replace.HBO -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\Replace.HBO\CLSID -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\Replace.HBO\CurVer -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\Replace.HBO.1 -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\ToolBand.ToolBandObj -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\ToolBand.ToolBandObj\CLSID -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\ToolBand.ToolBandObj\CurVer -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\ToolBand.ToolBandObj.1 -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1E6CE4CD-161B-4847-B8BF-E2EF72299D69} -> Logger.Sters : Cleaned with backup
HKU\S-1-5-21-1078081533-1614895754-682003330-1003\Software\Microsoft\Internet Explorer\Keywords -> Adware.CoolWebSearch : Cleaned with backup
[708] C:\DOCUME~1\CHRIST~1\LOCALS~1\Temp\explorer.exe -> Trojan.Spambot : Cleaned with backup
:mozilla.26:C:\Documents and Settings\Christina\Application Data\Mozilla\Firefox\Profiles\de73pink.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup
:mozilla.27:C:\Documents and Settings\Christina\Application Data\Mozilla\Firefox\Profiles\de73pink.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.28:C:\Documents and Settings\Christina\Application Data\Mozilla\Firefox\Profiles\de73pink.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.29:C:\Documents and Settings\Christina\Application Data\Mozilla\Firefox\Profiles\de73pink.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.30:C:\Documents and Settings\Christina\Application Data\Mozilla\Firefox\Profiles\de73pink.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.32:C:\Documents and Settings\Christina\Application Data\Mozilla\Firefox\Profiles\de73pink.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.33:C:\Documents and Settings\Christina\Application Data\Mozilla\Firefox\Profiles\de73pink.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.34:C:\Documents and Settings\Christina\Application Data\Mozilla\Firefox\Profiles\de73pink.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.35:C:\Documents and Settings\Christina\Application Data\Mozilla\Firefox\Profiles\de73pink.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.53:C:\Documents and Settings\Christina\Application Data\Mozilla\Firefox\Profiles\de73pink.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned with backup
:mozilla.54:C:\Documents and Settings\Christina\Application Data\Mozilla\Firefox\Profiles\de73pink.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup
:mozilla.55:C:\Documents and Settings\Christina\Application Data\Mozilla\Firefox\Profiles\de73pink.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup
:mozilla.76:C:\Documents and Settings\Christina\Application Data\Mozilla\Firefox\Profiles\de73pink.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned with backup
:mozilla.77:C:\Documents and Settings\Christina\Application Data\Mozilla\Firefox\Profiles\de73pink.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned with backup
:mozilla.78:C:\Documents and Settings\Christina\Application Data\Mozilla\Firefox\Profiles\de73pink.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned with backup
:mozilla.84:C:\Documents and Settings\Christina\Application Data\Mozilla\Firefox\Profiles\de73pink.default\cookies.txt -> TrackingCookie.Com : Cleaned with backup
:mozilla.100:C:\Documents and Settings\Christina\Application Data\Mozilla\Firefox\Profiles\de73pink.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.127:C:\Documents and Settings\Christina\Application Data\Mozilla\Firefox\Profiles\de73pink.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.167:C:\Documents and Settings\Christina\Application Data\Mozilla\Firefox\Profiles\de73pink.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup
:mozilla.168:C:\Documents and Settings\Christina\Application Data\Mozilla\Firefox\Profiles\de73pink.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup
:mozilla.188:C:\Documents and Settings\Christina\Application Data\Mozilla\Firefox\Profiles\de73pink.default\cookies.txt -> TrackingCookie.Revenue : Cleaned with backup
:mozilla.206:C:\Documents and Settings\Christina\Application Data\Mozilla\Firefox\Profiles\de73pink.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned with backup
:mozilla.207:C:\Documents and Settings\Christina\Application Data\Mozilla\Firefox\Profiles\de73pink.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned with backup
:mozilla.329:C:\Documents and Settings\Christina\Application Data\Mozilla\Firefox\Profiles\de73pink.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.358:C:\Documents and Settings\Christina\Application Data\Mozilla\Firefox\Profiles\de73pink.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
:mozilla.359:C:\Documents and Settings\Christina\Application Data\Mozilla\Firefox\Profiles\de73pink.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
:mozilla.360:C:\Documents and Settings\Christina\Application Data\Mozilla\Firefox\Profiles\de73pink.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
:mozilla.361:C:\Documents and Settings\Christina\Application Data\Mozilla\Firefox\Profiles\de73pink.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
:mozilla.394:C:\Documents and Settings\Christina\Application Data\Mozilla\Firefox\Profiles\de73pink.default\cookies.txt -> TrackingCookie.Onestat : Cleaned with backup
:mozilla.395:C:\Documents and Settings\Christina\Application Data\Mozilla\Firefox\Profiles\de73pink.default\cookies.txt -> TrackingCookie.Onestat : Cleaned with backup
:mozilla.396:C:\Documents and Settings\Christina\Application Data\Mozilla\Firefox\Profiles\de73pink.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.397:C:\Documents and Settings\Christina\Application Data\Mozilla\Firefox\Profiles\de73pink.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.398:C:\Documents and Settings\Christina\Application Data\Mozilla\Firefox\Profiles\de73pink.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.399:C:\Documents and Settings\Christina\Application Data\Mozilla\Firefox\Profiles\de73pink.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.400:C:\Documents and Settings\Christina\Application Data\Mozilla\Firefox\Profiles\de73pink.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.401:C:\Documents and Settings\Christina\Application Data\Mozilla\Firefox\Profiles\de73pink.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.402:C:\Documents and Settings\Christina\Application Data\Mozilla\Firefox\Profiles\de73pink.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.403:C:\Documents and Settings\Christina\Application Data\Mozilla\Firefox\Profiles\de73pink.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.404:C:\Documents and Settings\Christina\Application Data\Mozilla\Firefox\Profiles\de73pink.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.405:C:\Documents and Settings\Christina\Application Data\Mozilla\Firefox\Profiles\de73pink.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.406:C:\Documents and Settings\Christina\Application Data\Mozilla\Firefox\Profiles\de73pink.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.427:C:\Documents and Settings\Christina\Application Data\Mozilla\Firefox\Profiles\de73pink.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.428:C:\Documents and Settings\Christina\Application Data\Mozilla\Firefox\Profiles\de73pink.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.478:C:\Documents and Settings\Christina\Application Data\Mozilla\Firefox\Profiles\de73pink.default\cookies.txt -> TrackingCookie.Tradedoubler : Cleaned with backup
:mozilla.479:C:\Documents and Settings\Christina\Application Data\Mozilla\Firefox\Profiles\de73pink.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.480:C:\Documents and Settings\Christina\Application Data\Mozilla\Firefox\Profiles\de73pink.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.481:C:\Documents and Settings\Christina\Application Data\Mozilla\Firefox\Profiles\de73pink.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.482:C:\Documents and Settings\Christina\Application Data\Mozilla\Firefox\Profiles\de73pink.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.483:C:\Documents and Settings\Christina\Application Data\Mozilla\Firefox\Profiles\de73pink.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.484:C:\Documents and Settings\Christina\Application Data\Mozilla\Firefox\Profiles\de73pink.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.619:C:\Documents and Settings\Christina\Application Data\Mozilla\Firefox\Profiles\de73pink.default\cookies.txt -> TrackingCookie.Burstbeacon : Cleaned with backup
:mozilla.851:C:\Documents and Settings\Christina\Application Data\Mozilla\Firefox\Profiles\de73pink.default\cookies.txt -> TrackingCookie.Yadro : Cleaned with backup
:mozilla.852:C:\Documents and Settings\Christina\Application Data\Mozilla\Firefox\Profiles\de73pink.default\cookies.txt -> TrackingCookie.Yadro : Cleaned with backup
:mozilla.866:C:\Documents and Settings\Christina\Application Data\Mozilla\Firefox\Profiles\de73pink.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.867:C:\Documents and Settings\Christina\Application Data\Mozilla\Firefox\Profiles\de73pink.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.873:C:\Documents and Settings\Christina\Application Data\Mozilla\Firefox\Profiles\de73pink.default\cookies.txt -> TrackingCookie.Adserver : Cleaned with backup
:mozilla.874:C:\Documents and Settings\Christina\Application Data\Mozilla\Firefox\Profiles\de73pink.default\cookies.txt -> TrackingCookie.Adserver : Cleaned with backup
:mozilla.875:C:\Documents and Settings\Christina\Application Data\Mozilla\Firefox\Profiles\de73pink.default\cookies.txt -> TrackingCookie.Adserver : Cleaned with backup
:mozilla.876:C:\Documents and Settings\Christina\Application Data\Mozilla\Firefox\Profiles\de73pink.default\cookies.txt -> TrackingCookie.Adserver : Cleaned with backup
:mozilla.877:C:\Documents and Settings\Christina\Application Data\Mozilla\Firefox\Profiles\de73pink.default\cookies.txt -> TrackingCookie.Adserver : Cleaned with backup
:mozilla.878:C:\Documents and Settings\Christina\Application Data\Mozilla\Firefox\Profiles\de73pink.default\cookies.txt -> TrackingCookie.Adserver : Cleaned with backup
:mozilla.883:C:\Documents and Settings\Christina\Application Data\Mozilla\Firefox\Profiles\de73pink.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.884:C:\Documents and Settings\Christina\Application Data\Mozilla\Firefox\Profiles\de73pink.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.887:C:\Documents and Settings\Christina\Application Data\Mozilla\Firefox\Profiles\de73pink.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.888:C:\Documents and Settings\Christina\Application Data\Mozilla\Firefox\Profiles\de73pink.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.889:C:\Documents and Settings\Christina\Application Data\Mozilla\Firefox\Profiles\de73pink.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.890:C:\Documents and Settings\Christina\Application Data\Mozilla\Firefox\Profiles\de73pink.default\cookies.txt -> TrackingCookie.Clickhype : Cleaned with backup
:mozilla.908:C:\Documents and Settings\Christina\Application Data\Mozilla\Firefox\Profiles\de73pink.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.909:C:\Documents and Settings\Christina\Application Data\Mozilla\Firefox\Profiles\de73pink.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.910:C:\Documents and Settings\Christina\Application Data\Mozilla\Firefox\Profiles\de73pink.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.911:C:\Documents and Settings\Christina\Application Data\Mozilla\Firefox\Profiles\de73pink.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.921:C:\Documents and Settings\Christina\Application Data\Mozilla\Firefox\Profiles\de73pink.default\cookies.txt -> TrackingCookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\Christina\Local Settings\Temp\1.dlb -> Trojan.Small : Cleaned with backup
C:\Documents and Settings\Christina\Local Settings\Temp\3B.tmp -> Backdoor.Small : Cleaned with backup
C:\Documents and Settings\Christina\Local Settings\Temp\3E.tmp -> Backdoor.Small : Cleaned with backup
C:\Documents and Settings\Christina\Local Settings\Temp\41.tmp -> Backdoor.Small : Cleaned with backup
C:\Documents and Settings\Christina\Local Settings\Temp\42.tmp -> Proxy.Agent.hs : Cleaned with backup
C:\Documents and Settings\Christina\Local Settings\Temp\43.tmp -> Proxy.Agent.hs : Cleaned with backup
C:\Documents and Settings\Christina\Local Settings\Temp\44.tmp -> Downloader.Agent.afl : Cleaned with backup
C:\Documents and Settings\Christina\Local Settings\Temp\45.tmp -> Downloader.Agent.afl : Cleaned with backup
C:\Documents and Settings\Christina\Local Settings\Temp\46.tmp -> Proxy.Agent.hs : Cleaned with backup
C:\Documents and Settings\Christina\Local Settings\Temp\explorer.exe -> Trojan.Spambot : Cleaned with backup
C:\Documents and Settings\Christina\Local Settings\Temp\i187.tmp -> Adware.SurfSide : Cleaned with backup
C:\Documents and Settings\Christina\Local Settings\Temp\NN_18B.tmp -> Adware.NewDotNet : Cleaned with backup
C:\Documents and Settings\Christina\Local Settings\Temp\pol93D5.tmp -> Proxy.Xorpix.v : Cleaned with backup
C:\Documents and Settings\Christina\Local Settings\Temp\pol9957.tmp -> Proxy.Xorpix.v : Cleaned with backup
C:\Documents and Settings\Christina\Local Settings\Temp\pol9C02.tmp -> Proxy.Xorpix.v : Cleaned with backup
C:\Documents and Settings\Christina\Local Settings\Temp\qvxt2.game -> Proxy.Agent.hs : Cleaned with backup
C:\Documents and Settings\Christina\Local Settings\Temporary Internet Files\Content.IE5\GQXYJ9PB\xxx[1].jpg -> Downloader.Agent.tc : Cleaned with backup
C:\lo612535047.exe -> Trojan.Small : Cleaned with backup
C:\Program Files\Internet Explorer\update.exe -> Adware.BHO : Cleaned with backup
C:\Program Files\SpySheriff -> Adware.SpySheriff : Cleaned with backup
C:\Program Files\SpySheriff\base.avd -> Adware.SpySheriff : Cleaned with backup
C:\Program Files\SpySheriff\base001.avd -> Adware.SpySheriff : Cleaned with backup
C:\Program Files\SpySheriff\base002.avd -> Adware.SpySheriff : Cleaned with backup
C:\Program Files\SpySheriff\found.wav -> Adware.SpySheriff : Cleaned with backup
C:\Program Files\SpySheriff\heur001.dll -> Adware.SpySheriff : Cleaned with backup
C:\Program Files\SpySheriff\notfound.wav -> Adware.SpySheriff : Cleaned with backup
C:\Program Files\SpySheriff\removed.wav -> Adware.SpySheriff : Cleaned with backup
C:\Program Files\SpySheriff\SpySheriff.dvm -> Adware.SpySheriff : Cleaned with backup
C:\Program Files\SpySheriff\SpySheriff.exe -> Adware.SpySheriff : Cleaned with backup
C:\Program Files\SpySheriff\Uninstall.exe -> Adware.SpySheriff : Cleaned with backup
C:\qdjfej.exe -> Trojan.Sinowal.v : Cleaned with backup
C:\t.inx -> Trojan.Small : Cleaned with backup
C:\WINDOWS\inet20026\3.03.00.dll -> Adware.Ihbo : Cleaned with backup
C:\WINDOWS\inet20026\select.exe -> Proxy.Small.em : Cleaned with backup
C:\WINDOWS\inet20026\select.exe.bak -> Proxy.Small.em : Cleaned with backup
C:\WINDOWS\system32\dlh9jkdq1.exe -> Trojan.Small : Cleaned with backup
C:\WINDOWS\system32\dmdri.exe -> Trojan.Pakes : Cleaned with backup
C:\WINDOWS\system32\dmghy.exe -> Trojan.Pakes : Cleaned with backup
C:\WINDOWS\system32\gp6sl3j71.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\howiper.exe -> Trojan.Hoster : Cleaned with backup
C:\WINDOWS\system32\ib14.dll -> Trojan.Bancos.237 : Cleaned with backup
C:\WINDOWS\system32\kerneld16.exe -> Trojan.Small : Cleaned with backup
C:\WINDOWS\system32\kernels8.exe -> Trojan.Small : Cleaned with backup
C:\WINDOWS\system32\podsregp.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINDOWS\system32\pppcgm.exe -> Adware.Msnagent : Cleaned with backup
C:\WINDOWS\system32\qvxgamet2.exe -> Proxy.Agent.hs : Cleaned with backup
C:\WINDOWS\system32\rwinpqez.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINDOWS\system32\senssrv.dll -> Downloader.Agent.afl : Cleaned with backup
C:\WINDOWS\system32\tyczo.dll -> Adware.SBSoft : Cleaned with backup
C:\WINDOWS\system32\vxgame6.exe3072.exe -> Downloader.Tiny.cp : Cleaned with backup
C:\WINDOWS\system32\winbrume.dll -> Adware.BHO : Cleaned with backup


::Report End

========================================================

my HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 1:12:09 AM, on 6/1/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\PurgeIE\PurgeIE_Service.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Tablet.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\System32\WDBtnMgr.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\6792247d.exe
C:\WINDOWS\smss.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\ieredir.exe
C:\WINDOWS\System32\msiexec.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
C:\WINDOWS\system32\Wtablet\TabUserW.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Christina\Desktop\hijackthis\HijackThis.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://spywaresoftstop.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://spywaresoftstop.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://spywaresoftstop.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://spywaresoftstop.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R3 - URLSearchHook: (no name) - {15613241-5DDD-3435-39D6-FCBC548D741A} - prgsys0984.dll (file missing)
R3 - URLSearchHook: (no name) - {15613241-5DDD-3435-39D6-FCBC548D741A} - prgsys0984.dll (file missing)
F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
F3 - REG:win.ini: run=C:\WINDOWS\inet20026\winlogon.exe
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\tyczo.dll (file missing)
O2 - BHO: (no name) - {196B9CB5-4C83-46F7-9B06-9672ECD9D99B} - C:\WINDOWS\system32\winbrume.dll (file missing)
O2 - BHO: HBO Class - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - C:\WINDOWS\inet20026\3.03.00.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {78364D99-A240-4dff-B11A-67E448373045} - C:\WINDOWS\System32\ipv4mons.dll
O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\tyczo.dll (file missing)
O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\tyczo.dll (file missing)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [imjpmig] C:\IME\IMJP\imjpmig.exe /RemAdvDef /AIMEREG /Migration /SetPreload
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [EPSON Stylus CX5400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE /P19 "EPSON Stylus CX5400" /O6 "USB001" /M "Stylus CX5400"
O4 - HKLM\..\Run: [imekrmig] E:\IME\IMKR\imekrmig.exe
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [defender] C:\\defender24.exe
O4 - HKLM\..\Run: [vbcfgjrA] C:\WINDOWS\vbcfgjrA.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe
O4 - HKLM\..\Run: [6792247d.exe] C:\WINDOWS\System32\6792247d.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [6792247d.exe] C:\Documents and Settings\Christina\Local Settings\Application Data\6792247d.exe
O4 - HKCU\..\Run: [shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKCU\..\Run: [KillAndClean] "C:\Program Files\KillAndClean\KillAndClean.exe"
O4 - HKCU\..\Run: [RtlFindVal] SysSupport.exe
O4 - HKCU\..\Run: [Kargo] ParisM.exe
O4 - HKCU\..\Run: [DTOURS] gabber.exe
O4 - HKCU\..\Run: [0mcamcap] C:\WINDOWS\System32\0mcamcap.exe
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inet20026\winlogon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\rwinpqez.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NETGEAR WG311v2 Smart Configuration.lnk = C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\Wtablet\TabUserW.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: *.adgate.info
O15 - Trusted Zone: *.dollarrevenue.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.matcash.com
O15 - Trusted Zone: *.media-motor.com
O15 - Trusted Zone: *.mediatickets.net
O15 - Trusted Zone: *.snipernet.biz
O15 - Trusted Zone: *.snipernet.us
O15 - Trusted Zone: *.systemdoctor.com
O15 - Trusted Zone: *.winantivirus.com
O15 - Trusted Zone: *.adgate.info (HKLM)
O15 - Trusted Zone: *.dollarrevenue.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.matcash.com (HKLM)
O15 - Trusted Zone: *.media-motor.com (HKLM)
O15 - Trusted Zone: *.mediatickets.net (HKLM)
O15 - Trusted Zone: *.snipernet.biz (HKLM)
O15 - Trusted Zone: *.snipernet.us (HKLM)
O15 - Trusted Zone: *.systemdoctor.com (HKLM)
O15 - Trusted Zone: *.winantivirus.com (HKLM)
O16 - DPF: {04E7BADF-F3B9-420D-B82D-8D8CADEFE4F9} (CyImage2Ctl Class) - http://cyimg6.cyworld.nate.com/ImageUpload...mageUpload2.cab
O16 - DPF: {072039AB-2117-4ED5-A85F-9B9EB903E021} (NowStarter Control) - http://www.clubbox.co.kr/neo.fld/NowStarter.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {B0A02AAB-94AB-4190-92E2-429B5AC75F50} (SayClub Tachy Download Control) - http://dl.sayclub.com/tachy/dltachy.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {D62C6763-3AF7-481A-B31D-02BB6BE1D2EE} (ToonsXYahooKorea Control) - http://comicw2.yahoo.co.kr/download/ToonsXYahooKorea.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2B46B078-CDDD-4E4E-A718-D8619D104C00}: NameServer = 85.255.116.139,85.255.112.7
O17 - HKLM\System\CCS\Services\Tcpip\..\{53430CBE-0D2A-49AC-87D9-E6D4293DCCFD}: NameServer = 85.255.116.139,85.255.112.7
O17 - HKLM\System\CS1\Services\Tcpip\..\{2B46B078-CDDD-4E4E-A718-D8619D104C00}: NameServer = 85.255.116.139,85.255.112.7
O17 - HKLM\System\CS2\Services\Tcpip\..\{2B46B078-CDDD-4E4E-A718-D8619D104C00}: NameServer = 85.255.116.139,85.255.112.7
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: prwsks - prwsks.dll (file missing)
O20 - Winlogon Notify: SensSrv - senssrv.dll (file missing)
O21 - SSODL: DCOM Server - {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - (no file)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: PurgeIE XP Service (PurgeIEservice) - Assistance & Resources for Computing, Inc. - C:\Program Files\PurgeIE\PurgeIE_Service.exe
O23 - Service: Retrospect WD Service (RetroWDSvc) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe


========================================================

Thank you SO much. If I ever get a credit card this site will be the first site I donate to.

#4 Rawe

  • Members
  • 2,363 posts
  • Gender:Male
  • Location:Finland

Posted 01 June 2006 - 12:49 AM

Next..

==

Please print these instructions out, or write them down, as you can't read them during the fix.

1. Please download Brute Force Uninstaller to your desktop.
  • Right-click the BFU folder on your desktop, and choose Extract All
  • Click "Next"
  • In the box to choose where to extract the files to,
  • Click "Browse"
  • Click on the + sign next to "My Computer"
  • Click on "Local Disk (C:) or whatever your primary drive is
  • Click "Make New Folder"
  • Type in BFU
  • Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
2. RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.
Save it in the same folder you made earlier (c:\BFU).

Do not do anything with these yet!

==

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.


==

3. Then, please go to Start > My Computer and navigate to the C:\BFU folder.
  • Start the Brute Force Uninstaller by double-clicking BFU.exe
  • Behind the scriptline to execute field, click the folder icon and select alcanshorty.bfu
  • Press Execute and let it do its job. (You ought to see a progress bar if you did this correctly.)
  • Wait for the Complete script execution box to pop up and hit OK.
  • Press Exit to terminate the BFU program.
==

Next, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted: "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply. :thumbsup:
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning: running option #2 on a non-infected computer will remove your Desktop background.
Hi there, stranger!

#5 xtinakay

  • Topic Starter
  • Members
  • 10 posts

Posted 01 June 2006 - 06:33 PM

SmitFraudFix v2.53

Scan done at 19:19:13.98, Thu 06/01/2006
Run from C:\Documents and Settings\Christina\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in safe mode

Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{3F143C3A-1457-6CCA-03A7-7AA23B61E40F}"="OLE Automation Module"

[HKEY_CLASSES_ROOT\CLSID\{3F143C3A-1457-6CCA-03A7-7AA23B61E40F}\InProcServer32]
@="C:\WINDOWS\System32\mscdaux.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{3F143C3A-1457-6CCA-03A7-7AA23B61E40F}\InProcServer32]
@="C:\WINDOWS\System32\mscdaux.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{2C1CD3D7-86AC-4068-93BC-A02304BB8C34}"="DCOM Server"


Killing process


Deleting infected files

C:\exit Deleted
C:\secure32.html Deleted
C:\uniq Deleted
C:\WINDOWS\system32\a.exe Deleted
C:\WINDOWS\system32\dlh9jkdq?.exe Deleted
C:\WINDOWS\system32\qvxgamet?.exe Deleted
C:\WINDOWS\system32\taskdir.exe Deleted
C:\WINDOWS\system32\taskdir~.exe Deleted
C:\WINDOWS\system32\zlbw.dll Deleted
C:\Documents and Settings\Christina\Application Data\Install.dat Deleted
C:\DOCUME~1\CHRIST~1\Desktop\asfds Deleted
C:\DOCUME~1\CHRIST~1\Desktop\sdfdsf Deleted
C:\Program Files\secure32.html Deleted

Generic Renos Fix

GenericRenosFix by S!Ri


Deleting Temp Files


Registry Cleaning

Registry Cleaning done.

After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{3F143C3A-1457-6CCA-03A7-7AA23B61E40F}"="OLE Automation Module"

[HKEY_CLASSES_ROOT\CLSID\{3F143C3A-1457-6CCA-03A7-7AA23B61E40F}\InProcServer32]
@="C:\WINDOWS\System32\mscdaux.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{3F143C3A-1457-6CCA-03A7-7AA23B61E40F}\InProcServer32]
@="C:\WINDOWS\System32\mscdaux.dll"



End



Utterly amazing... thank you so much for your help.

#6 Rawe

  • Members
  • 2,363 posts
  • Gender:Male
  • Location:Finland

Posted 02 June 2006 - 04:08 AM

Go ahead and delete SmitFraudFix.

Can you please post a fresh HijackThis log, thank you. :thumbsup:

You've still got an incredible amount of rubbish there.
Hi there, stranger!

#7 xtinakay

  • Topic Starter
  • Members
  • 10 posts

Posted 02 June 2006 - 03:48 PM

Man, what the freak happened to my PC?!

=====================================

Logfile of HijackThis v1.99.1
Scan saved at 4:45:01 PM, on 6/2/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\PurgeIE\PurgeIE_Service.exe
C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Tablet.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\System32\WDBtnMgr.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\6792247d.exe
C:\WINDOWS\smss.exe
C:\WINDOWS\ieredir.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
C:\WINDOWS\system32\Wtablet\TabUserW.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Ares\Ares.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Winamp\Winamp.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Christina\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...B_PVER}&ar=home
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R3 - URLSearchHook: (no name) - {15613241-5DDD-3435-39D6-FCBC548D741A} - prgsys0984.dll (file missing)
F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\tyczo.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {78364D99-A240-4dff-B11A-67E448373045} - C:\WINDOWS\System32\ipv4mons.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\tyczo.dll (file missing)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [imjpmig] C:\IME\IMJP\imjpmig.exe /RemAdvDef /AIMEREG /Migration /SetPreload
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [EPSON Stylus CX5400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE /P19 "EPSON Stylus CX5400" /O6 "USB001" /M "Stylus CX5400"
O4 - HKLM\..\Run: [imekrmig] E:\IME\IMKR\imekrmig.exe
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [vbcfgjrA] C:\WINDOWS\vbcfgjrA.exe
O4 - HKLM\..\Run: [6792247d.exe] C:\WINDOWS\System32\6792247d.exe
O4 - HKLM\..\Run: [spoolsvv] C:\WINDOWS\System32\spoolsvv.exe
O4 - HKLM\..\Run: [DCOM Server] C:\WINDOWS\System32\dxvwrhbq.exe
O4 - HKLM\..\Run: [Microsoft Windows Session Manager Subsystem] C:\WINDOWS\smss.exe
O4 - HKLM\..\Run: [Microsoft Windows Logon Process] C:\WINDOWS\winlogon.exe
O4 - HKLM\..\Run: [89278229.exe] C:\WINDOWS\System32\89278229.exe
O4 - HKLM\..\Run: [win32hp] C:\WINDOWS\System32\win32hlp.exe
O4 - HKLM\..\Run: [IE Redir] C:\WINDOWS\ieredir.exe
O4 - HKLM\..\Run: [ABCXYZ] SetupExeDll.exe
O4 - HKLM\..\Run: [br0ken] BoundRec.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [6792247d.exe] C:\Documents and Settings\Christina\Local Settings\Application Data\6792247d.exe
O4 - HKCU\..\Run: [KillAndClean] "C:\Program Files\KillAndClean\KillAndClean.exe"
O4 - HKCU\..\Run: [RtlFindVal] SysSupport.exe
O4 - HKCU\..\Run: [Kargo] ParisM.exe
O4 - HKCU\..\Run: [DTOURS] gabber.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NETGEAR WG311v2 Smart Configuration.lnk = C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\Wtablet\TabUserW.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: *.adgate.info
O15 - Trusted Zone: *.dollarrevenue.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.matcash.com
O15 - Trusted Zone: *.media-motor.com
O15 - Trusted Zone: *.mediatickets.net
O15 - Trusted Zone: *.snipernet.biz
O15 - Trusted Zone: *.snipernet.us
O15 - Trusted Zone: *.systemdoctor.com
O15 - Trusted Zone: *.winantivirus.com
O15 - Trusted Zone: *.adgate.info (HKLM)
O15 - Trusted Zone: *.dollarrevenue.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.matcash.com (HKLM)
O15 - Trusted Zone: *.media-motor.com (HKLM)
O15 - Trusted Zone: *.mediatickets.net (HKLM)
O15 - Trusted Zone: *.snipernet.biz (HKLM)
O15 - Trusted Zone: *.snipernet.us (HKLM)
O15 - Trusted Zone: *.systemdoctor.com (HKLM)
O15 - Trusted Zone: *.winantivirus.com (HKLM)
O16 - DPF: {04E7BADF-F3B9-420D-B82D-8D8CADEFE4F9} (CyImage2Ctl Class) - http://cyimg6.cyworld.nate.com/ImageUpload...mageUpload2.cab
O16 - DPF: {072039AB-2117-4ED5-A85F-9B9EB903E021} (NowStarter Control) - http://www.clubbox.co.kr/neo.fld/NowStarter.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {B0A02AAB-94AB-4190-92E2-429B5AC75F50} (SayClub Tachy Download Control) - http://dl.sayclub.com/tachy/dltachy.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {D62C6763-3AF7-481A-B31D-02BB6BE1D2EE} (ToonsXYahooKorea Control) - http://comicw2.yahoo.co.kr/download/ToonsXYahooKorea.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2B46B078-CDDD-4E4E-A718-D8619D104C00}: NameServer = 85.255.116.139,85.255.112.7
O17 - HKLM\System\CCS\Services\Tcpip\..\{53430CBE-0D2A-49AC-87D9-E6D4293DCCFD}: NameServer = 85.255.116.139,85.255.112.7
O17 - HKLM\System\CS1\Services\Tcpip\..\{2B46B078-CDDD-4E4E-A718-D8619D104C00}: NameServer = 85.255.116.139,85.255.112.7
O17 - HKLM\System\CS2\Services\Tcpip\..\{2B46B078-CDDD-4E4E-A718-D8619D104C00}: NameServer = 85.255.116.139,85.255.112.7
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: prwsks - prwsks.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: PurgeIE XP Service (PurgeIEservice) - Assistance & Resources for Computing, Inc. - C:\Program Files\PurgeIE\PurgeIE_Service.exe
O23 - Service: Retrospect WD Service (RetroWDSvc) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe

#8 Rawe

Rawe

  • Members
  • 2,363 posts
  • Gender:Male
  • Location:Finland
  • Local time:09:15 PM

Posted 03 June 2006 - 02:02 AM

Please print these instructions out, or write them down, as you can't read them during the fix.

Please download FixWareout from one of these sites: Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

Once the desktop loads, do the following (please post the text that will open, report.txt, within your next reply).

Please download WebRoot SpySweeper from HERE (It's a 2 week trial):
  • Click Download Now to download the program.
  • Install it. Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
  • Once the definitions are installed, click Options on the left side.
  • Click the Sweep Options tab.
  • Under What to Sweep please put a check next to the following:
    • Sweep Memory
    • Sweep Registry
    • Sweep Cookies
    • Sweep All User Accounts
    • Enable Direct Disk Sweeping
    • Sweep Contents of Compressed Files
    • Sweep for Rootkits
    • Please UNCHECK Do not Sweep System Restore Folder.
  • Click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply along with the FixWareOut results. :thumbsup:

Hi there, stranger!

#9 xtinakay

xtinakay
  • Topic Starter

  • Members
  • 10 posts
  • Local time:02:15 PM

Posted 04 June 2006 - 04:34 PM

================================================

Fixwareout ver 1.003
Last edited 04/26/2006
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\xedocne
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\repiwoh
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\23plhps
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\mgcppp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\tesvaf
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\nlcalik
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\yhgmd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\xedocne
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\gib_ogol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\repiwoh
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\nlcalik
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\23plhps
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\mgcppp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\tesvaf
...

Microsoft ® Windows Script Host Version 5.6
Random Runs removed from HKLM
...

PLEASE NOTE, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Example ipsec6.exe is lagitamate

Search by size and names...

Misc files

Checking for older varients covered by the Rem3 tool


Search five digit cs, dm and jb files
This WILL/CAN also list Legit Files, Submit them at Virustotal

==========================================================

********
3:37 PM: | Start of Session, Sunday, June 04, 2006 |
3:37 PM: Spy Sweeper started
3:37 PM: Sweep initiated using definitions version 691
3:37 PM: Found Trojan Horse: trojan-backdoor-keylog-sters
3:37 PM: HKLM\software\microsoft\windows\currentversion\run\ || microsoft windows session manager subsystem (ID = 1174927)
3:37 PM: smss.exe (ID = 1174927)
3:37 PM: Found Trojan Horse: trojan-phisher-rebery
3:37 PM: HKLM\software\microsoft\windows\currentversion\run\ || ie redir (ID = 1326393)
3:37 PM: ieredir.exe (ID = 1326393)
3:37 PM: Starting Memory Sweep
3:41 PM: Memory Sweep Complete, Elapsed Time: 00:04:01
3:41 PM: Starting Registry Sweep
3:41 PM: Found Trojan Horse: childoleauto
3:41 PM: HKCR\clsid\{3f143c3a-1457-6cca-03a7-7aa23b61e40f}\ (3 subtraces) (ID = 105493)
3:41 PM: HKLM\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler\ || {3f143c3a-1457-6cca-03a7-7aa23b61e40f} (ID = 105495)
3:41 PM: Found Adware: zenosearchassistant
3:41 PM: HKLM\software\microsoft\windows\currentversion\app management\arpcache\enhanced ads by zeno\ (2 subtraces) (ID = 147931)
3:41 PM: HKCR\typelib\{14a5f3e7-b235-4d98-9264-5c67d2657bc4}\ (9 subtraces) (ID = 891252)
3:41 PM: HKLM\software\classes\typelib\{14a5f3e7-b235-4d98-9264-5c67d2657bc4}\ (9 subtraces) (ID = 891274)
3:41 PM: Found Adware: enbrowser
3:41 PM: HKLM\software\system\sysold\ (ID = 926808)
3:41 PM: Found Adware: command
3:41 PM: HKLM\system\currentcontrolset\services\cmdservice\ (5 subtraces) (ID = 958670)
3:41 PM: HKLM\system\currentcontrolset\enum\root\legacy_cmdservice\0000\ (6 subtraces) (ID = 1016064)
3:41 PM: HKLM\system\currentcontrolset\enum\root\legacy_cmdservice\ (8 subtraces) (ID = 1016072)
3:41 PM: HKLM\software\microsoft\windows\currentversion\run\ || microsoft windows logon process (ID = 1125378)
3:41 PM: HKLM\software\microsoft\windows\currentversion\run\ || microsoft windows session manager subsystem (ID = 1138287)
3:41 PM: Found Trojan Horse: trojan-phisher-metafisher
3:41 PM: HKLM\software\microsoft\windows\currentversion\control panel\load\ (14 subtraces) (ID = 1150937)
3:41 PM: Found Trojan Horse: trojan-backdoor-5sec
3:41 PM: HKLM\software\microsoft\windows\currentversion\run\ || spoolsvv (ID = 1187919)
3:41 PM: HKCR\ib.cbrowserhelper\ (3 subtraces) (ID = 1199329)
3:41 PM: HKLM\software\classes\ib.cbrowserhelper\ (3 subtraces) (ID = 1199331)
3:41 PM: HKLM\software\microsoft\windows\currentversion\run\ || ie redir (ID = 1248863)
3:41 PM: Found Trojan Horse: trojan-phisher-bzub
3:41 PM: HKCR\appid\{78364d99-a240-4dff-b11a-67e448373045}\ (ID = 1373503)
3:41 PM: HKCR\clsid\{78364d99-a240-4dff-b11a-67e448373045}\ (3 subtraces) (ID = 1373504)
3:41 PM: HKLM\software\classes\appid\{78364d99-a240-4dff-b11a-67e448373045}\ (ID = 1373508)
3:41 PM: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{78364d99-a240-4dff-b11a-67e448373045}\ (ID = 1373513)
3:41 PM: Found Trojan Horse: trojan-backdoor-us15info
3:41 PM: HKLM\software\microsoft\windows nt\currentversion\winlogon\ || Shell (ID = 1375272)
3:41 PM: Found Trojan Horse: trojan-downloader-forlink.biz
3:41 PM: HKLM\software\microsoft\windows\currentversion\run\ || win32hp (ID = 1376778)
3:41 PM: Found Adware: coolwebsearch (cws)
3:41 PM: HKU\S-1-5-21-1078081533-1614895754-682003330-1003\software\microsoft\internet explorer\sites\ (5 subtraces) (ID = 109822)
3:41 PM: Found Trojan Horse: trojan-downloader-alureonb
3:41 PM: HKU\S-1-5-21-1078081533-1614895754-682003330-1003\software\microsoft\windows\currentversion\run\ || dtours (ID = 144311)
3:41 PM: Found Trojan Horse: trojan-downloader-wareout
3:41 PM: HKU\S-1-5-21-1078081533-1614895754-682003330-1003\software\microsoft\internet explorer\extensions\cmdmapping\ || {bf69df00-2734-477f-8257-27cd04f88779} (ID = 144839)
3:41 PM: HKU\S-1-5-21-1078081533-1614895754-682003330-1003\software\microsoft\windows\currentversion\run\ || rtlfindval (ID = 144853)
3:41 PM: HKU\S-1-5-21-1078081533-1614895754-682003330-1003\software\system\sysuid\ (1 subtraces) (ID = 731748)
3:41 PM: Registry Sweep Complete, Elapsed Time:00:00:14
3:41 PM: Starting Cookie Sweep
3:41 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
3:41 PM: Starting File Sweep
3:42 PM: Found Trojan Horse: trojan-downloader-terula
3:42 PM: a0030660.dll (ID = 284165)
3:42 PM: Found Adware: dollarrevenue
3:42 PM: a0028584.exe (ID = 302224)
3:42 PM: a0028581.exe (ID = 300281)
3:42 PM: a0032785.dll (ID = 288202)
3:43 PM: Found Adware: targetsaver
3:43 PM: a0028607.dll (ID = 195129)
3:44 PM: a0032779.exe (ID = 293)
3:44 PM: Found Trojan Horse: trojan-downloader-buhartes
3:44 PM: a0032769.dll (ID = 289777)
3:44 PM: Found Trojan Horse: trojan-downloader-ruin
3:44 PM: a0032772.exe (ID = 147)
3:44 PM: Warning: Failed to open file "c:\system volume information\_restore{9a2f2500-d043-476d-87f0-0350428333d7}\rp288\a0029677.exe". Access is denied
3:45 PM: a0030682.exe (ID = 147)
3:45 PM: a0028585.exe (ID = 302226)
3:45 PM: a0032679.exe (ID = 147)
3:45 PM: a0032755.exe (ID = 147)
3:45 PM: Warning: Failed to open file "c:\system volume information\_restore{9a2f2500-d043-476d-87f0-0350428333d7}\rp289\a0029689.exe". Access is denied
3:46 PM: Warning: Failed to open file "c:\system volume information\_restore{9a2f2500-d043-476d-87f0-0350428333d7}\rp289\a0032689.exe". Access is denied
3:46 PM: a0032773.exe (ID = 147)
3:46 PM: a0028595.exe (ID = 244271)
3:49 PM: Found Adware: surfsidekick
3:49 PM: a0028601.exe (ID = 297346)
3:55 PM: a0028642.exe (ID = 293)
3:59 PM: a0028586.exe (ID = 302233)
4:00 PM: pf78.exe (ID = 244430)
4:00 PM: a0032780.exe (ID = 125496)
4:01 PM: Warning: Failed to open file "c:\system volume information\_restore{9a2f2500-d043-476d-87f0-0350428333d7}\rp289\a0030684.exe". Access is denied
4:06 PM: Found Adware: spysheriff
4:06 PM: a0032766.exe (ID = 253306)
4:07 PM: a0032764.exe (ID = 288204)
4:07 PM: a0029666.exe (ID = 301716)
4:07 PM: 3136.exe (ID = 301938)
4:07 PM: a0029668.exe (ID = 301716)
4:07 PM: 3132.exe (ID = 301938)
4:07 PM: a0030667.exe (ID = 301716)
4:07 PM: win32hlp.exe (ID = 301938)
4:07 PM: HKLM\Software\Microsoft\Windows\CurrentVersion\Run || win32hp (ID = 0)
4:08 PM: Found Adware: look2me
4:08 PM: a0032774.dll (ID = 159)
4:09 PM: bk.exe (ID = 296030)
4:10 PM: a0028604.dll (ID = 297348)
4:10 PM: Warning: Failed to open file "c:\system volume information\_restore{9a2f2500-d043-476d-87f0-0350428333d7}\rp288\a0029680.exe". Access is denied
4:10 PM: Found Trojan Horse: trojan-backdoor-adagoe
4:10 PM: a0029682.exe (ID = 302509)
4:10 PM: lock.exe (ID = 301716)
4:11 PM: Warning: Failed to open file "c:\system volume information\_restore{9a2f2500-d043-476d-87f0-0350428333d7}\rp289\a0032694.exe". Access is denied
4:11 PM: Warning: Failed to open file "c:\system volume information\_restore{9a2f2500-d043-476d-87f0-0350428333d7}\rp235\snapshot\". The system cannot find the path specified
4:11 PM: a0028603.dll (ID = 297347)
4:12 PM: a0028640.vbs (ID = 231442)
4:12 PM: a0032770.exe (ID = 301342)
4:13 PM: Found Trojan Horse: infected mushrooms
4:13 PM: a0033798.exe (ID = 302002)
4:13 PM: a0032696.exe (ID = 302509)
4:13 PM: a0032784.exe (ID = 302509)
4:14 PM: a0028587.exe (ID = 302225)
4:14 PM: a0028589.exe (ID = 302227)
4:15 PM: lock.exe (ID = 301716)
4:16 PM: nt68rrtc12.sys (ID = 220230)
4:17 PM: Found Adware: quicklink search toolbar
4:17 PM: a0032783.dll (ID = 73422)
4:17 PM: Warning: Failed to open file "c:\system volume information\_restore{9a2f2500-d043-476d-87f0-0350428333d7}\rp289\a0030688.exe". Access is denied
4:19 PM: a0028644.cfg (ID = 91140)
4:19 PM: zxdnt3d.cfg (ID = 91140)
4:19 PM: kz1vurhxuqc1khqdvk.vbs (ID = 185675)
4:19 PM: a0028347.cfg (ID = 91140)
4:19 PM: Found System Monitor: potentially rootkit-masked files
4:19 PM: mr-02 copy.jpg (ID = 0)
4:19 PM: mr-22 copy.jpg (ID = 0)
4:19 PM: mr-11 copy.jpg (ID = 0)
4:19 PM: mr-16 copy.jpg (ID = 0)
4:19 PM: thumbs.db (ID = 0)
4:19 PM: mr-12 copy.jpg (ID = 0)
4:19 PM: mr-15 copy.jpg (ID = 0)
4:19 PM: mr-10 copy.jpg (ID = 0)
4:19 PM: mr-26 copy.jpg (ID = 0)
4:19 PM: mr-01 copy.jpg (ID = 0)
4:19 PM: mr-04 copy.jpg (ID = 0)
4:19 PM: mr-07 copy.jpg (ID = 0)
4:19 PM: mr-28.jpg (ID = 0)
4:19 PM: mr-25 copy.jpg (ID = 0)
4:19 PM: mr-03 copy.jpg (ID = 0)
4:19 PM: mr-06 copy.jpg (ID = 0)
4:19 PM: mr-23 copy.jpg (ID = 0)
4:19 PM: mr-19 copy.jpg (ID = 0)
4:19 PM: mr-14 copy.jpg (ID = 0)
4:19 PM: mr-09 copy.jpg (ID = 0)
4:19 PM: mr-00 copy.jpg (ID = 0)
4:19 PM: mr-27.jpg (ID = 0)
4:19 PM: mr-18 copy.jpg (ID = 0)
4:19 PM: mr-24 copy.jpg (ID = 0)
4:19 PM: mr-17 copy.jpg (ID = 0)
4:19 PM: mr-08 copy.jpg (ID = 0)
4:19 PM: mr-21 copy.jpg (ID = 0)
4:19 PM: mr-05 copy.jpg (ID = 0)
4:19 PM: mr-13 copy.jpg (ID = 0)
4:19 PM: mr-20 copy.jpg (ID = 0)
4:20 PM: Warning: Unhandled Archive Type
4:27 PM: Warning: Unhandled Archive Type
4:27 PM: Warning: Unhandled Archive Type
4:27 PM: Warning: Unhandled Archive Type
4:27 PM: Warning: Unhandled Archive Type
4:27 PM: Warning: Unhandled Archive Type
4:28 PM: File Sweep Complete, Elapsed Time: 00:46:29
4:28 PM: Full Sweep has completed. Elapsed time 00:50:51
4:28 PM: Traces Found: 180
5:24 PM: Removal process initiated
5:24 PM: Quarantining All Traces: infected mushrooms
5:24 PM: Quarantining All Traces: look2me
5:24 PM: Quarantining All Traces: potentially rootkit-masked files
5:25 PM: potentially rootkit-masked files is in use. It will be removed on reboot.
5:25 PM: mr-02 copy.jpg is in use. It will be removed on reboot.
5:25 PM: mr-22 copy.jpg is in use. It will be removed on reboot.
5:25 PM: mr-11 copy.jpg is in use. It will be removed on reboot.
5:25 PM: mr-16 copy.jpg is in use. It will be removed on reboot.
5:25 PM: thumbs.db is in use. It will be removed on reboot.
5:25 PM: mr-12 copy.jpg is in use. It will be removed on reboot.
5:25 PM: mr-15 copy.jpg is in use. It will be removed on reboot.
5:25 PM: mr-10 copy.jpg is in use. It will be removed on reboot.
5:25 PM: mr-26 copy.jpg is in use. It will be removed on reboot.
5:25 PM: mr-01 copy.jpg is in use. It will be removed on reboot.
5:25 PM: mr-04 copy.jpg is in use. It will be removed on reboot.
5:25 PM: mr-07 copy.jpg is in use. It will be removed on reboot.
5:25 PM: mr-28.jpg is in use. It will be removed on reboot.
5:25 PM: mr-25 copy.jpg is in use. It will be removed on reboot.
5:25 PM: mr-03 copy.jpg is in use. It will be removed on reboot.
5:25 PM: mr-06 copy.jpg is in use. It will be removed on reboot.
5:25 PM: mr-23 copy.jpg is in use. It will be removed on reboot.
5:25 PM: mr-19 copy.jpg is in use. It will be removed on reboot.
5:25 PM: mr-14 copy.jpg is in use. It will be removed on reboot.
5:25 PM: mr-09 copy.jpg is in use. It will be removed on reboot.
5:25 PM: mr-00 copy.jpg is in use. It will be removed on reboot.
5:25 PM: mr-27.jpg is in use. It will be removed on reboot.
5:25 PM: mr-18 copy.jpg is in use. It will be removed on reboot.
5:25 PM: mr-24 copy.jpg is in use. It will be removed on reboot.
5:25 PM: mr-17 copy.jpg is in use. It will be removed on reboot.
5:25 PM: mr-08 copy.jpg is in use. It will be removed on reboot.
5:25 PM: mr-21 copy.jpg is in use. It will be removed on reboot.
5:25 PM: mr-05 copy.jpg is in use. It will be removed on reboot.
5:25 PM: mr-13 copy.jpg is in use. It will be removed on reboot.
5:25 PM: mr-20 copy.jpg is in use. It will be removed on reboot.
5:25 PM: Quarantining All Traces: trojan-backdoor-5sec
5:25 PM: Quarantining All Traces: trojan-backdoor-keylog-sters
5:25 PM: trojan-backdoor-keylog-sters is in use. It will be removed on reboot.
5:25 PM: smss.exe is in use. It will be removed on reboot.
5:25 PM: Quarantining All Traces: trojan-backdoor-us15info
5:25 PM: Quarantining All Traces: trojan-downloader-forlink.biz
5:25 PM: Quarantining All Traces: trojan-downloader-ruin
5:25 PM: Quarantining All Traces: trojan-phisher-bzub
5:25 PM: Quarantining All Traces: childoleauto
5:25 PM: Quarantining All Traces: coolwebsearch (cws)
5:25 PM: Quarantining All Traces: dollarrevenue
5:25 PM: Quarantining All Traces: enbrowser
5:25 PM: Quarantining All Traces: quicklink search toolbar
5:25 PM: Quarantining All Traces: spysheriff
5:25 PM: Quarantining All Traces: surfsidekick
5:25 PM: Quarantining All Traces: trojan-backdoor-adagoe
5:25 PM: Quarantining All Traces: trojan-downloader-alureonb
5:25 PM: Quarantining All Traces: trojan-downloader-buhartes
5:25 PM: Quarantining All Traces: trojan-downloader-terula
5:25 PM: Quarantining All Traces: trojan-downloader-wareout
5:25 PM: Quarantining All Traces: trojan-phisher-metafisher
5:25 PM: Quarantining All Traces: trojan-phisher-rebery
5:25 PM: trojan-phisher-rebery is in use. It will be removed on reboot.
5:25 PM: ieredir.exe is in use. It will be removed on reboot.
5:25 PM: Quarantining All Traces: command
5:25 PM: Quarantining All Traces: targetsaver
5:25 PM: Quarantining All Traces: zenosearchassistant
5:26 PM: Preparing to restart your computer. Please wait...
5:26 PM: Removal process completed. Elapsed time 00:01:57
********
3:34 PM: | Start of Session, Sunday, June 04, 2006 |
3:34 PM: Spy Sweeper started
3:34 PM: Messenger service has been disabled.
3:35 PM: Your spyware definitions have been updated.
3:35 PM: The Spy Communication shield has blocked access to: panix.com
3:35 PM: The Spy Communication shield has blocked access to: panix.com
3:35 PM: The Spy Communication shield has blocked access to: panix.com
3:35 PM: The Spy Communication shield has blocked access to: panix.com
3:35 PM: The Spy Communication shield has blocked access to: panix.com
3:35 PM: The Spy Communication shield has blocked access to: panix.com
3:35 PM: The Spy Communication shield has blocked access to: panix.com
3:35 PM: The Spy Communication shield has blocked access to: panix.com
3:35 PM: The Spy Communication shield has blocked access to: panix.com
3:35 PM: The Spy Communication shield has blocked access to: panix.com
3:35 PM: The Spy Communication shield has blocked access to: panix.com
3:35 PM: The Spy Communication shield has blocked access to: panix.com
3:35 PM: The Spy Communication shield has blocked access to: panix.com
3:35 PM: The Spy Communication shield has blocked access to: panix.com
3:35 PM: The Spy Communication shield has blocked access to: panix.com
3:35 PM: The Spy Communication shield has blocked access to: panix.com
3:35 PM: The Spy Communication shield has blocked access to: panix.com
3:35 PM: The Spy Communication shield has blocked access to: panix.com
3:37 PM: | End of Session, Sunday, June 04, 2006 |

#10 Rawe

Rawe

  • Members
  • 2,363 posts
  • Gender:Male
  • Location:Finland
  • Local time:09:15 PM

Posted 04 June 2006 - 05:22 PM

Now post a fresh HijackThis log, please :thumbsup:
Hi there, stranger!

#11 xtinakay

xtinakay
  • Topic Starter

  • Members
  • 10 posts
  • Local time:02:15 PM

Posted 05 June 2006 - 01:42 PM

Logfile of HijackThis v1.99.1
Scan saved at 2:39:49 PM, on 6/5/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\PurgeIE\PurgeIE_Service.exe
C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\System32\WDBtnMgr.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\6792247d.exe
C:\WINDOWS\System32\Tablet.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
C:\WINDOWS\system32\Wtablet\TabUserW.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Christina\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...B_PVER}&ar=home
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R3 - URLSearchHook: (no name) - {15613241-5DDD-3435-39D6-FCBC548D741A} - prgsys0984.dll (file missing)
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [imjpmig] C:\IME\IMJP\imjpmig.exe /RemAdvDef /AIMEREG /Migration /SetPreload
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [EPSON Stylus CX5400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE /P19 "EPSON Stylus CX5400" /O6 "USB001" /M "Stylus CX5400"
O4 - HKLM\..\Run: [imekrmig] E:\IME\IMKR\imekrmig.exe
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [vbcfgjrA] C:\WINDOWS\vbcfgjrA.exe
O4 - HKLM\..\Run: [6792247d.exe] C:\WINDOWS\System32\6792247d.exe
O4 - HKLM\..\Run: [DCOM Server] C:\WINDOWS\System32\dxvwrhbq.exe
O4 - HKLM\..\Run: [89278229.exe] C:\WINDOWS\System32\89278229.exe
O4 - HKLM\..\Run: [ABCXYZ] SetupExeDll.exe
O4 - HKLM\..\Run: [br0ken] BoundRec.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [6792247d.exe] C:\Documents and Settings\Christina\Local Settings\Application Data\6792247d.exe
O4 - HKCU\..\Run: [KillAndClean] "C:\Program Files\KillAndClean\KillAndClean.exe"
O4 - HKCU\..\Run: [Kargo] ParisM.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NETGEAR WG311v2 Smart Configuration.lnk = C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\Wtablet\TabUserW.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: *.adgate.info
O15 - Trusted Zone: *.dollarrevenue.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.matcash.com
O15 - Trusted Zone: *.media-motor.com
O15 - Trusted Zone: *.mediatickets.net
O15 - Trusted Zone: *.snipernet.biz
O15 - Trusted Zone: *.snipernet.us
O15 - Trusted Zone: *.systemdoctor.com
O15 - Trusted Zone: *.winantivirus.com
O15 - Trusted Zone: *.adgate.info (HKLM)
O15 - Trusted Zone: *.dollarrevenue.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.matcash.com (HKLM)
O15 - Trusted Zone: *.media-motor.com (HKLM)
O15 - Trusted Zone: *.mediatickets.net (HKLM)
O15 - Trusted Zone: *.snipernet.biz (HKLM)
O15 - Trusted Zone: *.snipernet.us (HKLM)
O15 - Trusted Zone: *.systemdoctor.com (HKLM)
O15 - Trusted Zone: *.winantivirus.com (HKLM)
O16 - DPF: {04E7BADF-F3B9-420D-B82D-8D8CADEFE4F9} (CyImage2Ctl Class) - http://cyimg6.cyworld.nate.com/ImageUpload...mageUpload2.cab
O16 - DPF: {072039AB-2117-4ED5-A85F-9B9EB903E021} (NowStarter Control) - http://www.clubbox.co.kr/neo.fld/NowStarter.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {B0A02AAB-94AB-4190-92E2-429B5AC75F50} (SayClub Tachy Download Control) - http://dl.sayclub.com/tachy/dltachy.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {D62C6763-3AF7-481A-B31D-02BB6BE1D2EE} (ToonsXYahooKorea Control) - http://comicw2.yahoo.co.kr/download/ToonsXYahooKorea.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2B46B078-CDDD-4E4E-A718-D8619D104C00}: NameServer = 85.255.116.139,85.255.112.7
O17 - HKLM\System\CCS\Services\Tcpip\..\{53430CBE-0D2A-49AC-87D9-E6D4293DCCFD}: NameServer = 85.255.116.139,85.255.112.7
O17 - HKLM\System\CS1\Services\Tcpip\..\{2B46B078-CDDD-4E4E-A718-D8619D104C00}: NameServer = 85.255.116.139,85.255.112.7
O17 - HKLM\System\CS2\Services\Tcpip\..\{2B46B078-CDDD-4E4E-A718-D8619D104C00}: NameServer = 85.255.116.139,85.255.112.7
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: prwsks - prwsks.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: PurgeIE XP Service (PurgeIEservice) - Assistance & Resources for Computing, Inc. - C:\Program Files\PurgeIE\PurgeIE_Service.exe
O23 - Service: Retrospect WD Service (RetroWDSvc) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
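The log above carries the indicator classes a helper looks for first: O17 NameServer entries pointing at resolvers the user never configured, O15 Trusted Zone additions, an O20 Winlogon Notify DLL that is registered but missing on disk, and O4 autoruns with random-looking names or running from the user's profile. The script below is an added example of that triage, not code from the thread or from HijackThis. It parses HijackThis-style lines; the sample input is copied from the log above plus two constructed benign lines (a private-range resolver and a placeholder GUID) so the rules have something to pass. The resolver allowlist and the "suspicious filename" heuristics are assumptions an analyst would tune for their own network.

```python
"""Triage a HijackThis (v1.99-style) log for the indicator classes seen in this thread.

Added example, not part of the original thread or of HijackThis. The resolver
allowlist and the filename heuristics are assumptions, not vendor rules.
"""
import re
from dataclasses import dataclass

# Assumption: the resolvers this network legitimately hands out. Anything else in
# an O17 NameServer entry deserves a look.
ALLOWED_RESOLVERS = {"192.168.1.1"}

# Lines copied from the HijackThis log posted above, plus two constructed benign
# entries (the 192.168.1.1 resolver and the all-A GUID are placeholders).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [6792247d.exe] C:\WINDOWS\System32\6792247d.exe
O4 - HKLM\..\Run: [DCOM Server] C:\WINDOWS\System32\dxvwrhbq.exe
O4 - HKCU\..\Run: [6792247d.exe] C:\Documents and Settings\Christina\Local Settings\Application Data\6792247d.exe
O15 - Trusted Zone: *.dollarrevenue.com
O15 - Trusted Zone: *.dollarrevenue.com (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\..\{2B46B078-CDDD-4E4E-A718-D8619D104C00}: NameServer = 85.255.116.139,85.255.112.7
O17 - HKLM\System\CCS\Services\Tcpip\..\{AAAAAAAA-0000-0000-0000-000000000000}: NameServer = 192.168.1.1
O20 - Winlogon Notify: prwsks - prwsks.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
"""

O4_RE = re.compile(r"^O4 - .*?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<target>.*)$")
EXE_RE = re.compile(r'^"?(?P<path>.*?\.exe)', re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis section code, e.g. "O17"
    reason: str    # why the line was flagged
    line: str      # the offending log line


def _o4_reasons(cmd: str) -> list:
    """Heuristics (assumptions) for an O4 autorun command line."""
    m = EXE_RE.match(cmd)
    if not m:
        return []
    path = m.group("path")
    stem = path.replace("/", "\\").rsplit("\\", 1)[-1][:-4]   # filename without .exe
    reasons = []
    if re.fullmatch(r"[0-9a-f]{8}", stem, re.IGNORECASE):
        reasons.append("random-looking 8-hex-digit filename")
    elif len(stem) >= 6 and not re.search(r"[aeiouy]", stem, re.IGNORECASE):
        reasons.append("vowel-less filename")
    if "local settings\\application data" in path.lower():
        reasons.append("autorun from user profile data directory")
    return reasons


def triage(log_text: str) -> list:
    """Return one Finding per suspicious fact found in the log text."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m4 = O4_RE.match(line)
        if m4:
            for reason in _o4_reasons(m4.group("cmd")):
                findings.append(Finding("O4", reason, line))
            continue
        if line.startswith("O15 - Trusted Zone:"):
            findings.append(Finding("O15", "domain added to IE Trusted Zone; confirm the user added it", line))
            continue
        m17 = O17_RE.match(line)
        if m17:
            servers = [s.strip() for s in m17.group("servers").split(",")]
            unexpected = [s for s in servers if s not in ALLOWED_RESOLVERS]
            if unexpected:
                findings.append(Finding("O17", "NameServer not in allowlist: " + ", ".join(unexpected), line))
            continue
        m20 = O20_RE.match(line)
        if m20 and "(file missing)" in m20.group("target"):
            findings.append(Finding("O20", "Winlogon Notify DLL registered but missing on disk", line))
    return findings


def summary(findings: list) -> dict:
    """Count findings per HijackThis section."""
    counts = {}
    for f in findings:
        counts[f.section] = counts.get(f.section, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.line}")
    print(summary(triage(SAMPLE_LOG)))
```

On the sample the O17 rule is what matters most: a resolver outside the allowlist on every adapter GUID means the machine's DNS answers are controlled by someone else, which is why the helper started with FixWareout before any other cleanup. The O4 heuristics are deliberately coarse; an analyst would also check each flagged path against a file hash service, as the FixWareout report itself suggests.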

#12 Rawe

Rawe

  • Members
  • 2,363 posts
  • Gender:Male
  • Location:Finland
  • Local time:09:15 PM

Posted 05 June 2006 - 02:19 PM

Let's continue.. :thumbsup:

Go ahead and uninstall SpySweeper.

==

RIGHT-CLICK HERE and Save As (in IE it's "Save Target As") in order to download DelDomains.inf to your desktop.
To use: RIGHT-CLICK DelDomains.inf and select: Install (no need to restart)

==

Please download cureit:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

Run drweb - cureit
Double-click the "drweb-cureit.exe" and click "ok" in the prompt window that will open, asking "start the express scan now".
It will first make a quick scan of your system, let it clean what it finds, and when it says "done" in the lower left corner click on all your drives.
A red dot will mark the selected drive(s). Then hit the pedestrian who now has turned green.
Click on the green man in the right corner, it will scan ALL your drives, hit yes to all.

Reboot.

==

Finally:

Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report. :flowers:

Hi there, stranger!

#13 xtinakay

xtinakay
  • Topic Starter

  • Members
  • 10 posts
  • Local time:02:15 PM

Posted 06 June 2006 - 09:42 PM

Incident Status Location

Potentially unwanted tool:Application/SystemDoctor2006 Not disinfected c:\windows\system32\6792247d.exe
Adware:adware/adsmart Not disinfected c:\windows\system32\vx.tll
Adware:adware/vog Not disinfected c:\program files\internet explorer\winbrume.dat
Adware:adware/cws Not disinfected c:\documents and settings\all users\favorites\Download Free Spyware Remover.url
Adware:adware/cws.yexe Not disinfected c:\windows\inet20026
Adware:adware/sqwire Not disinfected Windows Registry
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Christina\Application Data\Mozilla\Firefox\Profiles\de73pink.default\cookies.txt[.go.com/]
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Christina\Application Data\Mozilla\Firefox\Profiles\de73pink.default\cookies.txt[.hitbox.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Christina\Application Data\Mozilla\Firefox\Profiles\de73pink.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Christina\Application Data\Mozilla\Firefox\Profiles\de73pink.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Christina\Application Data\Mozilla\Firefox\Profiles\de73pink.default\cookies.txt[.statcounter.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Christina\Application Data\Mozilla\Firefox\Profiles\de73pink.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Christina\Application Data\Mozilla\Firefox\Profiles\de73pink.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/QkSrv Not disinfected C:\Documents and Settings\Christina\Application Data\Mozilla\Firefox\Profiles\de73pink.default\cookies.txt[.qksrv.net/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Christina\Application Data\Mozilla\Firefox\Profiles\de73pink.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/QkSrv Not disinfected C:\Documents and Settings\Christina\Application Data\Mozilla\Firefox\Profiles\de73pink.default\cookies.txt[.qksrv.net/]
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Christina\Application Data\Mozilla\Firefox\Profiles\de73pink.default\cookies.txt[.apmebf.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Christina\Application Data\Mozilla\Firefox\Profiles\de73pink.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Christina\Application Data\Mozilla\Firefox\Profiles\de73pink.default\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Christina\Application Data\Mozilla\Firefox\Profiles\de73pink.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Christina\Application Data\Mozilla\Firefox\Profiles\de73pink.default\cookies.txt[.adrevolver.com/]
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Christina\Application Data\Mozilla\Firefox\Profiles\de73pink.default\cookies.txt[.belnk.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Christina\Application Data\Mozilla\Firefox\Profiles\de73pink.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Christina\Application Data\Mozilla\Firefox\Profiles\de73pink.default\cookies.txt[servedby.advertising.com/]
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Christina\Application Data\Mozilla\Firefox\Profiles\de73pink.default\cookies.txt[.maxserving.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Christina\Application Data\Mozilla\Firefox\Profiles\de73pink.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Christina\Application Data\Mozilla\Firefox\Profiles\de73pink.default\cookies.txt[.atwola.com/]
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\Christina\Application Data\Mozilla\Firefox\Profiles\de73pink.default\cookies.txt[.did-it.com/]
Spyware:Cookie/Peel Not disinfected C:\Documents and Settings\Christina\Application Data\Mozilla\Firefox\Profiles\de73pink.default\cookies.txt[.peel.com/]
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Christina\Application Data\Mozilla\Firefox\Profiles\de73pink.default\cookies.txt[.searchportal.information.com/]
Spyware:Cookie/Target Not disinfected C:\Documents and Settings\Christina\Application Data\Mozilla\Firefox\Profiles\de73pink.default\cookies.txt[.target.com/]
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\Christina\Application Data\Mozilla\Firefox\Profiles\de73pink.default\cookies.txt[.toplist.cz/]
Spyware:Cookie/Seeq Not disinfected C:\Documents and Settings\Christina\Application Data\Mozilla\Firefox\Profiles\de73pink.default\cookies.txt[.www48.seeq.com/]
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Christina\Application Data\Mozilla\Firefox\Profiles\de73pink.default\cookies.txt[.xiti.com/]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Christina\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-38d2210d-2ec9b180.zip[A.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Christina\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-38d2210d-2ec9b180.zip[BlackBox.class]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Christina\Cookies\christina@atdmt[1].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Christina\Cookies\christina@atwola[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Christina\Cookies\christina@doubleclick[2].txt
Adware:Adware/PurityScan Not disinfected C:\Documents and Settings\Christina\DoctorWeb\Quarantine\A0028349.dll
Potentially unwanted tool:Application/SystemDoctor2006 Not disinfected C:\Documents and Settings\Christina\Local Settings\Application Data\6792247d.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\system32\Process.exe

#14 Rawe

Rawe

  • Members
  • 2,363 posts
  • Gender:Male
  • Location:Finland

Posted 07 June 2006 - 03:53 AM

Looks like your log got cut off (at least I think so - let's check it afterwards). Although, before running it again, let's clean up its findings from the above log.

First, uninstall the following application if present:

SystemDoctor2006

Delete the following files/folders if present:

c:\windows\system32\6792247d.exe
c:\windows\system32\vx.tll
c:\program files\internet explorer\winbrume.dat
c:\documents and settings\all users\favorites\Download Free Spyware Remover.url
c:\windows\inet20026


==

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

==

Run another Panda scan and post the results along with a fresh HijackThis log. :thumbsup:

Hi there, stranger!

#15 xtinakay

xtinakay
  • Topic Starter

  • Members
  • 10 posts

Posted 07 June 2006 - 09:35 PM

Incident Status Location

Adware:adware/vog Not disinfected c:\program files\internet explorer\winbrume.dat
Adware:adware/sqwire Not disinfected Windows Registry
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Christina\Application Data\Mozilla\Firefox\Profiles\de73pink.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Christina\Application Data\Mozilla\Firefox\Profiles\de73pink.default\cookies.txt[.statcounter.com/]
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Christina\Application Data\Mozilla\Firefox\Profiles\de73pink.default\cookies.txt[.as-us.falkag.net/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Christina\Application Data\Mozilla\Firefox\Profiles\de73pink.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Christina\Application Data\Mozilla\Firefox\Profiles\de73pink.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Christina\Application Data\Mozilla\Firefox\Profiles\de73pink.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Christina\Application Data\Mozilla\Firefox\Profiles\de73pink.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Christina\Application Data\Mozilla\Firefox\Profiles\de73pink.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Christina\Application Data\Mozilla\Firefox\Profiles\de73pink.default\cookies.txt[.go.com/]
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Christina\Application Data\Mozilla\Firefox\Profiles\de73pink.default\cookies.txt[.hitbox.com/]
Spyware:Cookie/QkSrv Not disinfected C:\Documents and Settings\Christina\Application Data\Mozilla\Firefox\Profiles\de73pink.default\cookies.txt[.qksrv.net/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Christina\Application Data\Mozilla\Firefox\Profiles\de73pink.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/QkSrv Not disinfected C:\Documents and Settings\Christina\Application Data\Mozilla\Firefox\Profiles\de73pink.default\cookies.txt[.qksrv.net/]
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Christina\Application Data\Mozilla\Firefox\Profiles\de73pink.default\cookies.txt[.apmebf.com/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Christina\Application Data\Mozilla\Firefox\Profiles\de73pink.default\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Christina\Application Data\Mozilla\Firefox\Profiles\de73pink.default\cookies.txt[.adrevolver.com/]
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Christina\Application Data\Mozilla\Firefox\Profiles\de73pink.default\cookies.txt[.belnk.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Christina\Application Data\Mozilla\Firefox\Profiles\de73pink.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Christina\Application Data\Mozilla\Firefox\Profiles\de73pink.default\cookies.txt[servedby.advertising.com/]
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Christina\Application Data\Mozilla\Firefox\Profiles\de73pink.default\cookies.txt[.maxserving.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Christina\Application Data\Mozilla\Firefox\Profiles\de73pink.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Christina\Application Data\Mozilla\Firefox\Profiles\de73pink.default\cookies.txt[.atwola.com/]
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\Christina\Application Data\Mozilla\Firefox\Profiles\de73pink.default\cookies.txt[.did-it.com/]
Spyware:Cookie/Peel Not disinfected C:\Documents and Settings\Christina\Application Data\Mozilla\Firefox\Profiles\de73pink.default\cookies.txt[.peel.com/]
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Christina\Application Data\Mozilla\Firefox\Profiles\de73pink.default\cookies.txt[.searchportal.information.com/]
Spyware:Cookie/Target Not disinfected C:\Documents and Settings\Christina\Application Data\Mozilla\Firefox\Profiles\de73pink.default\cookies.txt[.target.com/]
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\Christina\Application Data\Mozilla\Firefox\Profiles\de73pink.default\cookies.txt[.toplist.cz/]
Spyware:Cookie/Seeq Not disinfected C:\Documents and Settings\Christina\Application Data\Mozilla\Firefox\Profiles\de73pink.default\cookies.txt[.www48.seeq.com/]
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Christina\Application Data\Mozilla\Firefox\Profiles\de73pink.default\cookies.txt[.xiti.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Christina\Cookies\christina@atdmt[1].txt
Adware:Adware/PurityScan Not disinfected C:\Documents and Settings\Christina\DoctorWeb\Quarantine\A0028349.dll
Potentially unwanted tool:Application/SystemDoctor2006 Not disinfected C:\Documents and Settings\Christina\Local Settings\Application Data\6792247d.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\system32\Process.exe


==========================================================

Logfile of HijackThis v1.99.1
Scan saved at 10:32:42 PM, on 6/7/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\PurgeIE\PurgeIE_Service.exe
C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Tablet.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\System32\WDBtnMgr.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
C:\WINDOWS\system32\Wtablet\TabUserW.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Ares\Ares.exe
C:\Program Files\Winamp\Winamp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Christina\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...B_PVER}&ar=home
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R3 - URLSearchHook: (no name) - {15613241-5DDD-3435-39D6-FCBC548D741A} - prgsys0984.dll (file missing)
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [imjpmig] C:\IME\IMJP\imjpmig.exe /RemAdvDef /AIMEREG /Migration /SetPreload
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [EPSON Stylus CX5400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE /P19 "EPSON Stylus CX5400" /O6 "USB001" /M "Stylus CX5400"
O4 - HKLM\..\Run: [imekrmig] E:\IME\IMKR\imekrmig.exe
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [vbcfgjrA] C:\WINDOWS\vbcfgjrA.exe
O4 - HKLM\..\Run: [6792247d.exe] C:\WINDOWS\System32\6792247d.exe
O4 - HKLM\..\Run: [DCOM Server] C:\WINDOWS\System32\dxvwrhbq.exe
O4 - HKLM\..\Run: [89278229.exe] C:\WINDOWS\System32\89278229.exe
O4 - HKLM\..\Run: [ABCXYZ] SetupExeDll.exe
O4 - HKLM\..\Run: [br0ken] BoundRec.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [6792247d.exe] C:\Documents and Settings\Christina\Local Settings\Application Data\6792247d.exe
O4 - HKCU\..\Run: [KillAndClean] "C:\Program Files\KillAndClean\KillAndClean.exe"
O4 - HKCU\..\Run: [Kargo] ParisM.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NETGEAR WG311v2 Smart Configuration.lnk = C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\Wtablet\TabUserW.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {04E7BADF-F3B9-420D-B82D-8D8CADEFE4F9} (CyImage2Ctl Class) - http://cyimg6.cyworld.nate.com/ImageUpload...mageUpload2.cab
O16 - DPF: {072039AB-2117-4ED5-A85F-9B9EB903E021} (NowStarter Control) - http://www.clubbox.co.kr/neo.fld/NowStarter.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B0A02AAB-94AB-4190-92E2-429B5AC75F50} (SayClub Tachy Download Control) - http://dl.sayclub.com/tachy/dltachy.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {D62C6763-3AF7-481A-B31D-02BB6BE1D2EE} (ToonsXYahooKorea Control) - http://comicw2.yahoo.co.kr/download/ToonsXYahooKorea.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2B46B078-CDDD-4E4E-A718-D8619D104C00}: NameServer = 85.255.116.139,85.255.112.7
O17 - HKLM\System\CCS\Services\Tcpip\..\{53430CBE-0D2A-49AC-87D9-E6D4293DCCFD}: NameServer = 85.255.116.139,85.255.112.7
O17 - HKLM\System\CS1\Services\Tcpip\..\{2B46B078-CDDD-4E4E-A718-D8619D104C00}: NameServer = 85.255.116.139,85.255.112.7
O17 - HKLM\System\CS2\Services\Tcpip\..\{2B46B078-CDDD-4E4E-A718-D8619D104C00}: NameServer = 85.255.116.139,85.255.112.7
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: prwsks - prwsks.dll (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: PurgeIE XP Service (PurgeIEservice) - Assistance & Resources for Computing, Inc. - C:\Program Files\PurgeIE\PurgeIE_Service.exe
O23 - Service: Retrospect WD Service (RetroWDSvc) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe

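Reading a HijackThis log like the one xtinakay posted above by hand is slow and error-prone. The Python script below is an added example (it is not part of this thread, and not a BleepingComputer or HijackThis tool) that parses HijackThis 1.99.1 line syntax and flags the three classes of entry a helper usually looks at first: entries marked "(file missing)", O4 autorun entries whose executable has a random-looking name, and O17 NameServer entries pointing at DNS resolvers outside an allow-list. SAMPLE_LOG is a constructed excerpt of lines copied from the log above; EXPECTED_RESOLVERS is a placeholder that on a real machine would be filled from the ISP or router DHCP settings.

```python
"""Triage a HijackThis 1.99.1 log: flag entry classes that often carry a hijack."""
import re
from dataclasses import dataclass

# Constructed excerpt: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {15613241-5DDD-3435-39D6-FCBC548D741A} - prgsys0984.dll (file missing)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [6792247d.exe] C:\WINDOWS\System32\6792247d.exe
O4 - HKLM\..\Run: [DCOM Server] C:\WINDOWS\System32\dxvwrhbq.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O17 - HKLM\System\CCS\Services\Tcpip\..\{2B46B078-CDDD-4E4E-A718-D8619D104C00}: NameServer = 85.255.116.139,85.255.112.7
O20 - Winlogon Notify: prwsks - prwsks.dll (file missing)
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
"""

# Placeholder allow-list of the resolvers this machine is expected to use.
# Fill it from "ipconfig /all" or the router's DHCP page on a real system.
EXPECTED_RESOLVERS = {"192.0.2.1"}

LINE_RE = re.compile(r"^([RFNO]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
NS_RE = re.compile(r"NameServer = (?P<servers>[0-9.,]+)\s*$")
HEX_STEM = re.compile(r"^[0-9a-f]{6,}$")


@dataclass(frozen=True)
class Finding:
    section: str  # HijackThis section code, e.g. "O4" or "O17"
    reason: str   # why the entry deserves a second look
    line: str     # the raw log line


def executable_stem(cmd):
    """Return the lower-cased file stem of the executable named in a Run value."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        exe = cmd[1:].split('"', 1)[0]          # quoted path, possibly with arguments
    else:
        m = re.match(r"(.*?\.exe)", cmd, re.IGNORECASE)  # unquoted path, stop at .exe
        exe = m.group(1) if m else cmd.split()[0]
    stem = exe.replace("/", "\\").rsplit("\\", 1)[-1]
    return stem.rsplit(".", 1)[0].lower()


def looks_random(stem):
    """Heuristic: hex-only stems, or long stems with almost no vowels."""
    if HEX_STEM.match(stem):
        return True
    vowels = sum(ch in "aeiouy" for ch in stem)
    return len(stem) >= 6 and vowels / len(stem) < 0.2


def triage(log_text):
    """Return the list of entries worth reviewing, in log order."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.group(1), m.group("body")
        if "(file missing)" in body:
            findings.append(Finding(section, "references a file that no longer exists", raw))
            continue
        if section == "O4":
            run = RUN_RE.match(body)
            if run and looks_random(executable_stem(run.group("cmd"))):
                findings.append(Finding(section, "autorun with random-looking executable name", raw))
        elif section == "O17":
            ns = NS_RE.search(body)
            if ns:
                unknown = [s for s in ns.group("servers").split(",") if s not in EXPECTED_RESOLVERS]
                if unknown:
                    findings.append(Finding(section, "DNS servers outside the expected set: " + ", ".join(unknown), raw))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.reason}\n     {f.line}")
```

The name heuristic only produces review candidates: legitimate vendor utilities with terse file names will also be listed, which is why each flagged path is still checked by hand. The O17 check is the one with the clearest signal, because a machine that suddenly resolves names through servers its ISP never handed out has had its DNS settings changed by something other than the user.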