Back Again-.-


This topic is locked
10 replies to this topic

#1 ICYcold

ICYcold

  • Members
  • 100 posts
  • OFFLINE
  • Local time:08:30 AM

Posted 26 July 2006 - 05:17 PM

I can't run Ad-Aware; it runs and after a while it forces my computer to restart. Here's my HJT log. I suspect this computer is now worse than my other one. I thought of running Ad-Aware in safe mode, but I wasn't sure and I sort of forgot how to get into safe mode :thumbsup:

Logfile of HijackThis v1.99.1
Scan saved at 3:15:48 PM, on 7/26/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\$sys$filesystem\$sys$DRMServer.exe
C:\WINDOWS\CDProxyServ.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\wanmpsvc.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\LTMSG.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Ekmvyww\Izsux.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\FNTS~1\rundll.exe
C:\DOCUME~1\Owner\MYDOCU~1\DOBE~1\CHOST~1.EXE
C:\PROGRA~1\PANICW~1\POP-UP~1\POPUPS~1.EXE
C:\PROGRA~1\PANICW~1\POP-UP~3\PSFree.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\interMute\PopSubtract\PopSub.exe
C:\Program Files\Xfire\Xfire.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Common Files\AOL\ACS\acsd.exe
c:\dfndref_7.exe
c:\ac3_0010.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\RUNDLL32.EXE
c:\ucmoreiex.exe
C:\WINDOWS\System32\mspfrd.exe
C:\Program Files\Network Monitor\netmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\IA\command.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\mspfrd.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\9da27335998f421b9248f5e8272d07ca.exe
C:\Program Files\em-pee three player\em-pee three.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\America Online 9.0\aolwbspd.exe
C:\Program Files\Activision\Call of Duty 2\CoD2MP_s.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us10.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\ykuuq.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,kfcycgp.exe
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar V35\ViewBar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Pa&nicware Pop-Up Stopper Basic - {B1E741E7-1E77-40D4-9FD8-51949B9CCBD0} - C:\Program Files\Panicware\Pop-Up Stopper Basic\popuppro.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: UCmore XP - The Search Accelerator - {44BE0690-5429-47f0-85BB-3FFD8020233E} - C:\Program Files\TheSearchAccelerator\UCMTSAIE.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [EarthLink Installer] " /C
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Ytoeyx] C:\Program Files\Ekmvyww\Izsux.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [EPSON Stylus Photo R320 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE /P30 "EPSON Stylus Photo R320 Series" /O6 "USB001" /M "Stylus Photo R320"
O4 - HKLM\..\Run: [adstart] "iexplore.exe" "-embedding http://iesettingsupdate"
O4 - HKLM\..\Run: [defender] c:\\dfndref_7.exe
O4 - HKLM\..\Run: [keyboard] c:\\kybrdef_7.exe
O4 - HKLM\..\Run: [tac089d5] RUNDLL32.EXE w116aaed.dll,n 002089d30000000a116aaed
O4 - HKLM\..\Run: [newname] c:\\nwnmef_7.exe
O4 - HKLM\..\RunOnce: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe /k
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Notn] "C:\WINDOWS\System32\FNTS~1\rundll.exe" -vt ndrv
O4 - HKCU\..\Run: [Dgy] C:\DOCUME~1\Owner\MYDOCU~1\DOBE~1\CHOST~1.EXE
O4 - HKCU\..\Run: [irssyncd] C:\WINDOWS\System32\irssyncd.exe
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealOne Player\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [PopUpStopperProfessional] "C:\PROGRA~1\PANICW~1\POP-UP~1\POPUPS~1.EXE"
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~3\PSFree.exe"
O4 - HKCU\..\Run: [Vhjjame] C:\WINDOWS\F?nts\n?pdb.exe
O4 - HKCU\..\Run: [mspfrd] C:\WINDOWS\System32\mspfrd.exe
O4 - HKCU\..\RunOnce: [mspfrd] C:\WINDOWS\System32\mspfrd.exe
O4 - Startup: Epson printer Registration.lnk = F:\Titles\Ereg\English\EPSONREG.EXE
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PopSubtract.lnk = C:\Program Files\interMute\PopSubtract\PopSub.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar V35\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -
O16 - DPF: {37802401-C7E2-11D7-8582-0048548470B6} (VRCLoader) - http://www.videoraver.com/vrcloader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1107239853421
O16 - DPF: {98827C42-6A82-11D7-8582-0048548470B6} (VideoRaver) - http://www.videoraver.com/videoraver.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{83D57B1D-0ADB-46FF-A9FB-3EE03904FD81}: NameServer = 205.188.146.145
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: inicfg32.dll spool32.dll c:\windows\system32\spool32.dll dexplore.dll C:\WINDOWS\System32\dexplore.dll C:\WINDOWS\System32\spool32.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: ThemeManager - C:\WINDOWS\system32\hhetcfg.dll
O23 - Service: Plug and Play Device Manager ($sys$DRMServer) - First 4 Internet Ltd - C:\WINDOWS\System32\$sys$filesystem\$sys$DRMServer.exe
O23 - Service: XCP CD Proxy (CD_Proxy) - Unknown owner - C:\WINDOWS\CDProxyServ.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\IA\command.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
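The log above is read by hand by forum helpers, but the first pass is mechanical: a few entry types are suspicious on shape alone. The helper below is an added example, not part of ICYcold's post or of HijackThis itself; it applies generic HJT triage heuristics to lines constructed from the log (the `Shell=` and `UserInit=` values should name only explorer.exe and userinit.exe, a non-empty `AppInit_DLLs` value is injected into every GUI process, a `?` in a path means HJT could not print a character in the folder name, and Trusted Zone additions deserve review). Function names and the reason strings are this example's own.

```python
"""Triage helper for HijackThis-style log lines (added example, not part of the thread).

Heuristics used (generic, the same ones helpers apply when reading an HJT log):
  * F2 Shell / UserInit values should contain only explorer.exe / userinit.exe
  * a non-empty O20 AppInit_DLLs value is loaded into every process that uses user32
  * an O4 path shown with '?' means HJT could not print a character in the name
  * O15 Trusted Zone additions widen Internet Explorer's trust for that domain
"""
import re

# Sample lines constructed from the log posted in the thread.
SAMPLE_LOG = r"""R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\ykuuq.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,kfcycgp.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKCU\..\Run: [Vhjjame] C:\WINDOWS\F?nts\n?pdb.exe
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O20 - AppInit_DLLs: inicfg32.dll spool32.dll c:\windows\system32\spool32.dll
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# The only programs that belong in these two system.ini / Winlogon values.
EXPECTED_F2 = {"shell": {"explorer.exe"}, "userinit": {"userinit.exe"}}

LINE_RE = re.compile(r"^([A-Z]\d+) - (.*)$")
F2_RE = re.compile(r"(Shell|UserInit)=(.*)$", re.IGNORECASE)


def _basenames(value):
    """Split a comma-separated list of programs and return lower-cased file names."""
    parts = [p.strip().strip('"') for p in value.split(",") if p.strip()]
    return [p.replace("/", "\\").rsplit("\\", 1)[-1].lower() for p in parts]


def triage_line(line):
    """Return the reasons a reviewer should look at this line (empty list if none)."""
    reasons = []
    m = LINE_RE.match(line.strip())
    if not m:
        return reasons
    kind, body = m.groups()

    if kind == "F2":
        fm = F2_RE.search(body)
        if fm:
            key = fm.group(1).lower()
            extra = [n for n in _basenames(fm.group(2)) if n not in EXPECTED_F2[key]]
            if extra:
                reasons.append(f"{fm.group(1)} loads extra program(s): {', '.join(extra)}")

    if kind == "O20" and "AppInit_DLLs:" in body:
        value = body.split("AppInit_DLLs:", 1)[1].strip()
        if value:
            reasons.append("non-empty AppInit_DLLs value: " + value)

    if kind == "O15":
        reasons.append("Trusted Zone addition: " + body.split(":", 1)[1].strip())

    if kind == "O4" and "?" in body:
        reasons.append("autorun path contains a character HJT could not print")

    return reasons


def triage_log(text):
    """Map each flagged log line to its list of reasons."""
    flagged = {}
    for line in text.splitlines():
        reasons = triage_line(line)
        if reasons:
            flagged[line] = reasons
    return flagged


if __name__ == "__main__":
    for entry, why in triage_log(SAMPLE_LOG).items():
        print(entry)
        for reason in why:
            print("    ->", reason)
```

Run against the sample, five of the eight lines are flagged and the HP autorun, the NVIDIA service and the R0 start page pass through untouched; the start page is still worth a look, but that needs a reputation list rather than a shape rule, which is why it is left to the human reviewer.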

#2 Shaba

Shaba

    Koutsi


  • Members
  • 7,872 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:06:30 PM

Posted 27 July 2006 - 04:48 AM

Hi ICYcold

Please download E2TakeOut by RubbeR DuckY from here:

http://www.malwarebytes.org/E2TakeOut.zip
  • Extract the file to your Desktop
  • Double click E2TakeOut.exe
  • Click the Begin Removal button
  • Wait until the program is finished scanning
  • Once done, it will produce a popup stating that the infection has been found and you need to reboot your computer to complete the removal
  • Reboot your computer
  • Once your computer has rebooted E2TakeOut will open and produce a report
  • Please copy/paste that report into your next reply
Look in your Control Panel's Add/Remove Programs for PuritySCAN By OIN, OuterInfo, OIN or similar; click on it and click Remove.
Reboot and delete this folder if found:
C:\Program Files\PurityScan

If not listed, download and run this uninstaller:
Uninstaller

Tutorial for the uninstaller if needed

Reboot when done and delete this folder if found:
C:\Program Files\PurityScan

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Send:

- a fresh HijackThis log
- combofix log
- E2TakeOut log
Microsoft MVP Consumer Security

#3 ICYcold

ICYcold
  • Topic Starter

  • Members
  • 100 posts
  • OFFLINE
  • Local time:08:30 AM

Posted 27 July 2006 - 02:45 PM

E2 logfile:

E2TakeOut v1.01 [http://www.malwarebytes.org]

Error Removing! C:\WINDOWS\System32\inicfg32.dll
Removed directory and files! C:\Program Files\E2G
Removed orphaned leftovers
AppInit key reset


combofix log:

Start Time= Thu 07/27/2006 13:50:32.57
Running from: C:\Documents and Settings\Owner\My Documents\filelib\untamedmaster\Downloads

((((((((((((((((((((((((((((((((((((((((((((( Qoologic's Log )))))))))))))))))))))))))))))))))))))))))))))))))))

13:52:56.12

Not all files found by this method are bad. There may be legitimate files found
This log should be examined by a trained analyst


* * * PRE-RUN - Filepaths extracted from the Registry * * * * * * * * * * * * * * * * * * * * * *




* * * PRE-RUN - Filepaths from Locate * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


2006-06-21 03:43:10 520,192 "C:\WINDOWS\system32\DivXsm.exe"
2006-07-26 03:36:52 77,824 "C:\WINDOWS\system32\mspfrd.exe"
2006-06-28 08:12:20 139,264 "C:\WINDOWS\system32\bqfhkj.dll"
2006-06-21 03:34:22 90,112 "C:\WINDOWS\system32\dpl100.dll"
2006-06-21 03:34:22 344,064 "C:\WINDOWS\system32\dpus11.dll"
2006-06-21 03:34:22 200,704 "C:\WINDOWS\system32\dtu100.dll"
2006-05-19 15:52:28 2,702,848 "C:\WINDOWS\system32\MSHTML.DLL"
2006-05-14 02:13:42 257,536 "C:\WINDOWS\system32\oakley.dll"
2006-06-21 12:44:24 339,968 "C:\WINDOWS\system32\pxwave.dll"
2006-05-08 10:50:58 461,824 "C:\WINDOWS\system32\URLMON.DLL"
2006-06-21 16:44:32 115,246 "C:\WINDOWS\system32\ts_chad.exe"
2006-04-28 10:57:16 351,744 "C:\WINDOWS\system32\DXTMSFT.DLL"
2006-05-26 22:19:50 163,840 "C:\WINDOWS\system32\JGDW400.DLL"
2006-05-17 22:58:56 458,752 "C:\WINDOWS\system32\jscript.dll"
2006-04-28 10:58:48 12,288 "C:\WINDOWS\system32\JSPROXY.DLL"
2006-06-21 03:42:58 1,044,480 "C:\WINDOWS\system32\libdivx.dll"
2006-06-25 21:14:10 24,576 "C:\WINDOWS\system32\msxml3a.dll"
2006-06-22 03:59:18 169,984 "C:\WINDOWS\system32\rasmans.dll"
2006-05-26 15:40:58 1,339,904 "C:\WINDOWS\system32\SHDOCVW.DLL"
2006-06-25 21:12:18 81,920 "C:\WINDOWS\system32\spool32.dll"
2006-06-21 03:42:58 200,704 "C:\WINDOWS\system32\ssldivx.dll"
2006-06-21 12:44:24 28,672 "C:\WINDOWS\system32\vxblock.dll"
2006-04-28 10:58:58 575,488 "C:\WINDOWS\system32\WININET.DLL"
2006-06-21 03:34:22 294,912 "C:\WINDOWS\system32\dpu10.dll"
2006-06-21 03:34:22 294,912 "C:\WINDOWS\system32\dpu11.dll"
2006-06-21 03:34:22 57,344 "C:\WINDOWS\system32\dpv11.dll"
2006-07-02 12:31:12 278,528 "C:\WINDOWS\system32\pncrt.dll"
2006-06-21 12:44:24 421,888 "C:\WINDOWS\system32\pxdrv.dll"
2006-06-21 12:44:24 172,032 "C:\WINDOWS\system32\pxmas.dll"
2006-07-26 20:38:00 495 "C:\WINDOWS\hvlxi.dll"
2006-06-25 21:11:24 53 "C:\WINDOWS\blocnn.dat"
2006-07-02 12:28:44 3,697 "C:\WINDOWS\mozver.dat"


* * * POST-RUN - Files in the Quarantine folder * * * * * * * * * * * * * * * * * * * * * * * * *


06/25/2006 09:11 PM 53 blocnn.dat.vir


DO NOT DELETE ANY FILES FROM THIS DIRECTORY UNLESS INSTRUCTED TO


* * * POST-RUN - Filepaths from Locate * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


2006-06-21 16:44:32 115,246 "C:\WINDOWS\system32\ts_chad.exe"
2006-06-21 03:43:10 520,192 "C:\WINDOWS\system32\DivXsm.exe"
2006-07-26 03:36:52 77,824 "C:\WINDOWS\system32\mspfrd.exe"
2006-04-28 10:57:16 351,744 "C:\WINDOWS\system32\DXTMSFT.DLL"
2006-05-26 22:19:50 163,840 "C:\WINDOWS\system32\JGDW400.DLL"
2006-05-17 22:58:56 458,752 "C:\WINDOWS\system32\jscript.dll"
2006-04-28 10:58:48 12,288 "C:\WINDOWS\system32\JSPROXY.DLL"
2006-06-21 03:42:58 1,044,480 "C:\WINDOWS\system32\libdivx.dll"
2006-06-25 21:14:10 24,576 "C:\WINDOWS\system32\msxml3a.dll"
2006-06-22 03:59:18 169,984 "C:\WINDOWS\system32\rasmans.dll"
2006-05-26 15:40:58 1,339,904 "C:\WINDOWS\system32\SHDOCVW.DLL"
2006-06-25 21:12:18 81,920 "C:\WINDOWS\system32\spool32.dll"
2006-06-21 03:42:58 200,704 "C:\WINDOWS\system32\ssldivx.dll"
2006-06-21 12:44:24 28,672 "C:\WINDOWS\system32\vxblock.dll"
2006-04-28 10:58:58 575,488 "C:\WINDOWS\system32\WININET.DLL"
2006-06-28 08:12:20 139,264 "C:\WINDOWS\system32\bqfhkj.dll"
2006-06-21 03:34:22 90,112 "C:\WINDOWS\system32\dpl100.dll"
2006-06-21 03:34:22 344,064 "C:\WINDOWS\system32\dpus11.dll"
2006-06-21 03:34:22 200,704 "C:\WINDOWS\system32\dtu100.dll"
2006-05-19 15:52:28 2,702,848 "C:\WINDOWS\system32\MSHTML.DLL"
2006-05-14 02:13:42 257,536 "C:\WINDOWS\system32\oakley.dll"
2006-06-21 12:44:24 339,968 "C:\WINDOWS\system32\pxwave.dll"
2006-05-08 10:50:58 461,824 "C:\WINDOWS\system32\URLMON.DLL"
2006-06-21 03:34:22 294,912 "C:\WINDOWS\system32\dpu10.dll"
2006-06-21 03:34:22 294,912 "C:\WINDOWS\system32\dpu11.dll"
2006-06-21 03:34:22 57,344 "C:\WINDOWS\system32\dpv11.dll"
2006-07-02 12:31:12 278,528 "C:\WINDOWS\system32\pncrt.dll"
2006-06-21 12:44:24 421,888 "C:\WINDOWS\system32\pxdrv.dll"
2006-06-21 12:44:24 172,032 "C:\WINDOWS\system32\pxmas.dll"
2006-07-26 20:38:00 495 "C:\WINDOWS\hvlxi.dll"
2006-07-02 12:28:44 3,697 "C:\WINDOWS\mozver.dat"


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\drsmartload2.dat
C:\WINDOWS\newname.dat
C:\WINDOWS\keyboard1.dat
C:\warebundlenewer.exe
C:\WINDOWS\uninstall_nmon.vbs
C:\WINDOWS\system32\atmtd.dll
C:\WINDOWS\system32\atmtd.dll._
C:\Program Files\network monitor
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\WINDOWS\IA


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-07-27 13:52:48 1064 ( A.... ) "C:\WINDOWS\system32\tac089d5.sys"
2006-07-27 13:52:48 1064 ( A.... ) "C:\WINDOWS\system32\tac089d5.sys"
2006-07-27 12:50:04 ( .D... ) "C:\Program Files\E2G"
2006-07-26 20:42:22 ( .D... ) "C:\Documents and Settings\Owner\Application Data\AVG7"
2006-07-26 20:41:38 ( .D... ) "C:\Program Files\Grisoft"
2006-07-26 20:38:00 495 ( A.... ) "C:\WINDOWS\hvlxi.dll"
2006-07-26 18:46:52 ( .D... ) "C:\Program Files\Call of Duty"
2006-07-26 15:14:52 ( .D... ) "C:\Program Files\HijackThis"
2006-07-26 03:38:20 578560 ( A.... ) "C:\Installer3.exe"
2006-07-26 03:38:12 ( .D... ) "C:\Program Files\TheSearchAccelerator"
2006-07-26 03:37:42 517168 ( A.... ) "C:\ucmoreiex.exe"
2006-07-26 03:37:42 61440 ( A.... ) "C:\WINDOWS\system32\tac089d5.dll"
2006-07-26 03:37:36 29696 ( A.... ) "C:\WINDOWS\system32\w116aaed.dll"
2006-07-26 03:36:52 77824 ( A.... ) "C:\WINDOWS\system32\mspfrd.exe"
2006-07-25 18:10:00 ( .D... ) "C:\Program Files\Common Files\??sembly"
2006-07-24 23:12:14 737280 ( A.... ) "C:\WINDOWS\iun6002.exe"
2006-07-24 23:12:14 ( .D... ) "C:\Program Files\Replay Converter"
2006-07-24 12:32:46 0 ( A.... ) "C:\Documents and Settings\Owner\Application Data\internaldb41.dat"
2006-07-22 15:37:32 ( .D... ) "C:\Documents and Settings\Owner\Application Data\?dobe"
2006-07-21 15:39:44 81920 ( A.... ) "C:\WINDOWS\system32\dexplore.dll"
2006-07-18 20:17:14 ( .D... ) "C:\Documents and Settings\Owner\Application Data\teamspeak2"
2006-07-18 20:16:32 ( .D... ) "C:\Program Files\Teamspeak2_RC2"
2006-07-16 20:43:22 ( .D... ) "C:\Program Files\GPL MPEG Decoder"
2006-07-16 20:43:16 ( .D... ) "C:\Program Files\Quick Video Converter"
2006-07-16 20:35:02 ( .D... ) "C:\Documents and Settings\Owner\Application Data\COWON"
2006-07-14 10:47:28 33085 ( A.... ) "C:\WINDOWS\system32\adrot-uninst.exe"
2006-07-13 23:11:52 58880 ( A.... ) "C:\WINDOWS\system32\adrotate.dll"
2006-07-13 13:13:42 36864 ( A.... ) "C:\WINDOWS\system32\tdopciow.exe"
2006-07-10 14:21:00 ( .D... ) "C:\Documents and Settings\Owner\Application Data\Leadertech"
2006-07-10 14:20:04 ( .D... ) "C:\Program Files\EPSON Print CD"
2006-07-10 14:19:08 ( .D... ) "C:\Program Files\EPSON"
2006-07-09 19:50:06 ( .D... ) "C:\Program Files\Panicware"
2006-07-08 17:08:28 ( .D... ) "C:\Program Files\World of Warcraft"
2006-07-07 13:05:10 ( .D... ) "C:\Program Files\IrfanView"
2006-07-03 14:40:52 778240 ( A.... ) "C:\WINDOWS\system32\divx_xx0c.dll"
2006-07-03 14:40:52 778240 ( A.... ) "C:\WINDOWS\system32\divx_xx07.dll"
2006-07-03 14:40:50 761856 ( A.... ) "C:\WINDOWS\system32\divx_xx11.dll"
2006-07-03 14:40:50 620180 ( A.... ) "C:\WINDOWS\system32\DivX.dll"
2006-07-02 12:31:44 ( .D... ) "C:\Program Files\Common Files\xing shared"
2006-07-02 12:31:34 176167 ( A.... ) "C:\WINDOWS\system32\rmoc3260.dll"
2006-07-02 12:31:20 6656 ( A.... ) "C:\WINDOWS\system32\pndx5016.dll"
2006-07-02 12:31:20 5632 ( A.... ) "C:\WINDOWS\system32\pndx5032.dll"
2006-07-02 12:31:12 278528 ( A.... ) "C:\WINDOWS\system32\pncrt.dll"
2006-07-02 12:04:28 ( .D... ) "C:\Program Files\Common Files\?asks"
2006-07-01 17:46:26 ( .D... ) "C:\Program Files\?dobe"
2006-06-29 08:04:58 ( .D... ) "C:\Program Files\Common Files\Blizzard Entertainment"
2006-06-28 08:12:20 139264 ( A.... ) "C:\WINDOWS\system32\bqfhkj.dll"
2006-06-26 00:20:22 405504 ( A.... ) "C:\WINDOWS\system32\irsmhpas.dll"
2006-06-25 23:00:30 ( .D... ) "C:\Program Files\apsi"
2006-06-25 22:45:06 ( .D... ) "C:\Documents and Settings\Owner\Application Data\Lavasoft"
2006-06-25 22:44:52 ( .D... ) "C:\Program Files\Lavasoft"
2006-06-25 21:17:28 ( .D... ) "C:\Documents and Settings\Owner\Application Data\Google"
2006-06-25 21:14:16 114688 ( A.... ) "C:\WINDOWS\system32\irssyncd.exe"
2006-06-25 21:14:14 36864 ( A.... ) "C:\WINDOWS\system32\tdopugif.exe"
2006-06-25 21:14:10 24576 ( A.... ) "C:\WINDOWS\system32\msxml3a.dll"
2006-06-25 21:12:24 93634 ( A.SH. ) "C:\Program Files\Common Files\Yazzle1119OinUninstaller.exe"
2006-06-25 21:12:18 81920 ( A.... ) "C:\WINDOWS\system32\spool32.dll"
2006-06-25 21:12:00 53248 ( ..... ) "C:\WINDOWS\system32\inicfg32.dll"
2006-06-25 21:12:00 32768 ( A.... ) "C:\WINDOWS\unstall.exe"
2006-06-25 21:11:58 359570 ( A.... ) "C:\WINDOWS\chad_bundle.exe"
2006-06-25 21:11:52 178726 ( A.... ) "C:\WINDOWS\YazzleBundle-1119.exe"
2006-06-25 21:11:40 102400 ( A.... ) "C:\WINDOWS\mirar.exe"
2006-06-25 21:11:36 359634 ( A.... ) "C:\WINDOWS\media_motor_bundle.exe"
2006-06-25 21:11:22 226536 ( A.... ) "C:\WINDOWS\whCC-GIANT.exe"
2006-06-25 21:11:22 ( .D... ) "C:\Program Files\whInstall"
2006-06-24 20:48:48 ( .D... ) "C:\Program Files\Yahoo!"
2006-06-24 10:10:54 ( .D... ) "C:\Program Files\MsnMusic"
2006-06-24 06:42:12 99965 ( A.... ) "C:\WINDOWS\UninstallFirefox.exe"
2006-06-24 00:54:04 ( .D... ) "C:\Program Files\em-pee three player"
2006-06-21 16:44:32 115246 ( A.... ) "C:\WINDOWS\system32\ts_chad.exe"
2006-06-21 16:43:42 235165 ( A.... ) "C:\WINDOWS\system32\icon_chad.exe"
2006-06-21 15:38:40 235228 ( A.... ) "C:\WINDOWS\system32\icon_mediamotor.exe"
2006-06-21 15:38:16 115239 ( A.... ) "C:\WINDOWS\system32\ts_mediamotor.exe"
2006-06-21 12:44:24 109568 ( ..... ) "C:\WINDOWS\system32\pxinsi64.exe"
2006-06-21 12:44:24 108544 ( ..... ) "C:\WINDOWS\system32\pxcpyi64.exe"
2006-06-21 03:49:48 53248 ( A.... ) "C:\WINDOWS\system32\dpuGUI10.dll"
2006-06-21 03:43:10 520192 ( A.... ) "C:\WINDOWS\system32\DivXsm.exe"
2006-06-21 03:43:06 3596288 ( A.... ) "C:\WINDOWS\system32\qt-dx331.dll"
2006-06-21 03:42:58 1044480 ( A.... ) "C:\WINDOWS\system32\libdivx.dll"
2006-06-21 03:42:58 200704 ( A.... ) "C:\WINDOWS\system32\ssldivx.dll"
2006-06-21 03:34:22 593920 ( A.... ) "C:\WINDOWS\system32\dpuGUI11.dll"
2006-06-21 03:34:22 344064 ( A.... ) "C:\WINDOWS\system32\dpus11.dll"
2006-06-21 03:34:22 294912 ( A.... ) "C:\WINDOWS\system32\dpu11.dll"
2006-06-21 03:34:22 294912 ( A.... ) "C:\WINDOWS\system32\dpu10.dll"
2006-06-21 03:34:22 200704 ( A.... ) "C:\WINDOWS\system32\dtu100.dll"
2006-06-21 03:34:22 90112 ( A.... ) "C:\WINDOWS\system32\dpl100.dll"
2006-06-21 03:34:22 57344 ( A.... ) "C:\WINDOWS\system32\dpv11.dll"
2006-06-21 03:33:42 118784 ( A.... ) "C:\WINDOWS\system32\DivXCodecUpdateChecker.exe"
2006-06-21 03:33:42 12288 ( A.... ) "C:\WINDOWS\system32\DivXWMPExtType.dll"
2006-06-17 22:43:08 ( .D... ) "C:\Program Files\DIFX"
2006-06-16 14:34:44 48936 ( A.... ) "C:\WINDOWS\system32\sirenacm.dll"
2006-06-14 11:40:38 ( .D... ) "C:\Program Files\Microsoft ActiveSync"
2006-06-14 11:40:26 ( .D... ) "C:\Program Files\Common Files\Designer"
2006-05-14 02:13:42 364544 ( A.... ) "C:\WINDOWS\system32\ipsmsnap.dll"
2006-05-14 02:13:42 334848 ( A.... ) "C:\WINDOWS\system32\ipsecsnp.dll"
2006-05-14 02:13:42 257536 ( A.... ) "C:\WINDOWS\system32\oakley.dll"
2006-05-14 02:13:42 159744 ( A.... ) "C:\WINDOWS\system32\ipsecsvc.dll"
2006-05-14 02:13:42 98304 ( A.... ) "C:\WINDOWS\system32\polstore.dll"
2006-05-14 02:13:42 29184 ( A.... ) "C:\WINDOWS\system32\winipsec.dll"
2006-05-02 23:43:16 10920 ( A.... ) "C:\aolconnfix.exe"


(((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))


2006-07-26 03:38 578,560 C:\Installer3.exe
2006-07-26 03:37 61,440 C:\WINDOWS\system32\tac089d5.dll
2006-07-26 03:37 517,168 C:\ucmoreiex.exe
2006-07-26 03:37 29,696 C:\WINDOWS\system32\w116aaed.dll
2006-07-26 03:37 1,064 C:\WINDOWS\system32\tac089d5.sys
2006-07-26 03:36 77,824 C:\WINDOWS\system32\mspfrd.exe
2006-07-24 23:27 75,264 C:\WINDOWS\system32\zlib1.dll
2006-07-24 23:12 737,280 C:\WINDOWS\iun6002.exe
2006-07-23 15:43 139,264 C:\WINDOWS\system32\bqfhkj.dll
2006-07-21 15:39 81,920 C:\WINDOWS\system32\dexplore.dll
2006-07-16 16:17 109,568 C:\WINDOWS\system32\pxinsi64.exe
2006-07-16 16:17 108,544 C:\WINDOWS\system32\pxcpyi64.exe
2006-07-13 23:11 58,880 C:\WINDOWS\system32\adrotate.dll
2006-07-13 13:13 36,864 C:\WINDOWS\system32\tdopciow.exe
2006-07-10 14:20 45,056 C:\WINDOWS\system32\EpPicPrt.dll
2006-07-10 14:20 45,056 C:\WINDOWS\system32\EpPicMgr.dll
2006-07-10 14:20 413,696 C:\WINDOWS\system32\PICSDK.dll
2006-07-10 14:19 82,944 C:\WINDOWS\system32\EAL.EXE
2006-07-10 14:19 79,654 C:\WINDOWS\system32\E_FLM9FA.DLL
2006-07-10 14:19 64,000 C:\WINDOWS\system32\E_FBCB9FA.DLL
2006-07-10 14:19 34,304 C:\WINDOWS\system32\E_FBCH9FA.DLL
2006-07-10 14:19 309,760 C:\WINDOWS\system32\EAL32.DLL
2006-07-06 17:01 49,250 C:\WINDOWS\system32\javaw.exe
2006-07-06 17:01 49,248 C:\WINDOWS\system32\java.exe
2006-07-06 17:01 127,078 C:\WINDOWS\system32\javaws.exe
2006-07-03 14:40 778,240 C:\WINDOWS\system32\divx_xx0c.dll
2006-07-03 14:40 778,240 C:\WINDOWS\system32\divx_xx07.dll
2006-07-03 14:40 761,856 C:\WINDOWS\system32\divx_xx11.dll
2006-07-03 14:40 620,180 C:\WINDOWS\system32\DivX.dll
2006-06-26 00:20 405,504 C:\WINDOWS\system32\irsmhpas.dll
2006-06-25 21:15 33,085 C:\WINDOWS\system32\adrot-uninst.exe
2006-06-25 21:14 36,864 C:\WINDOWS\system32\tdopugif.exe
2006-06-25 21:14 24,576 C:\WINDOWS\system32\msxml3a.dll
2006-06-25 21:14 114,688 C:\WINDOWS\system32\irssyncd.exe
2006-06-25 21:12 81,920 C:\WINDOWS\system32\spool32.dll
2006-06-25 21:11 53,248 C:\WINDOWS\system32\inicfg32.dll
2006-06-25 21:11 495 C:\WINDOWS\hvlxi.dll
2006-06-25 21:11 359,634 C:\WINDOWS\media_motor_bundle.exe
2006-06-25 21:11 359,570 C:\WINDOWS\chad_bundle.exe
2006-06-25 21:11 32,768 C:\WINDOWS\unstall.exe
2006-06-25 21:11 226,536 C:\WINDOWS\whCC-GIANT.exe
2006-06-25 21:11 178,726 C:\WINDOWS\YazzleBundle-1119.exe
2006-06-25 21:11 102,400 C:\WINDOWS\mirar.exe
2006-06-24 06:17 253,952 C:\WINDOWS\SBCDSL.exe
2006-06-21 16:44 115,246 C:\WINDOWS\system32\ts_chad.exe
2006-06-21 16:43 235,165 C:\WINDOWS\system32\icon_chad.exe
2006-06-21 15:38 235,228 C:\WINDOWS\system32\icon_mediamotor.exe
2006-06-21 15:38 115,239 C:\WINDOWS\system32\ts_mediamotor.exe
2006-06-21 03:49 53,248 C:\WINDOWS\system32\dpuGUI10.dll
2006-06-21 03:43 520,192 C:\WINDOWS\system32\DivXsm.exe
2006-06-21 03:43 3,596,288 C:\WINDOWS\system32\qt-dx331.dll
2006-06-21 03:42 200,704 C:\WINDOWS\system32\ssldivx.dll
2006-06-21 03:42 1,044,480 C:\WINDOWS\system32\libdivx.dll
2006-06-21 03:34 90,112 C:\WINDOWS\system32\dpl100.dll
2006-06-21 03:34 593,920 C:\WINDOWS\system32\dpuGUI11.dll
2006-06-21 03:34 57,344 C:\WINDOWS\system32\dpv11.dll
2006-06-21 03:34 344,064 C:\WINDOWS\system32\dpus11.dll
2006-06-21 03:34 294,912 C:\WINDOWS\system32\dpu11.dll
2006-06-21 03:34 294,912 C:\WINDOWS\system32\dpu10.dll
2006-06-21 03:34 200,704 C:\WINDOWS\system32\dtu100.dll
2006-06-21 03:33 12,288 C:\WINDOWS\system32\DivXWMPExtType.dll
2006-06-21 03:33 118,784 C:\WINDOWS\system32\DivXCodecUpdateChecker.exe
2006-06-16 14:34 48,936 C:\WINDOWS\system32\sirenacm.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"hpsysdrv"="c:\\windows\\system\\hpsysdrv.exe"
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"HPHUPD05"="c:\\Program Files\\HP\\{45B6180B-DCAB-4093-8EE8-6164457517F0}\\hphupd05.exe"
"HPHmon05"="C:\\WINDOWS\\System32\\hphmon05.exe"
"KBD"="C:\\HP\\KBD\\KBD.EXE"
"AutoTKit"="C:\\hp\\bin\\AUTOTKIT.EXE"
"Recguard"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /installquiet /keeploaded /nodetect"
"VTTimer"="VTTimer.exe"
"LTMSG"="LTMSG.exe 7"
"PS2"="C:\\WINDOWS\\system32\\ps2.exe"
"Sunkist2k"="C:\\Program Files\\Multimedia Card Reader\\shwicon2k.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"EarthLink Installer"="\" /C"
"ViewMgr"="C:\\Program Files\\Viewpoint\\Viewpoint Manager\\ViewMgr.exe"
"Ytoeyx"="C:\\Program Files\\Ekmvyww\\Izsux.exe"
"AlcxMonitor"="ALCXMNTR.EXE"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_03\\bin\\jusched.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"EPSON Stylus Photo R320 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_FATI9FA.EXE /P30 \"EPSON Stylus Photo R320 Series\" /O6 \"USB001\" /M \"Stylus Photo R320\""
"adstart"="\"iexplore.exe\" \"-embedding http://iesettingsupdate\""
"tac089d5"="RUNDLL32.EXE w116aaed.dll,n 002089d30000000a116aaed"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"NVIEW"="rundll32.exe nview.dll,nViewLoadHook"
"BackupNotify"="c:\\Program Files\\HP\\Digital Imaging\\bin\\backupnotify.exe"
"AIM"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"irssyncd"="C:\\WINDOWS\\System32\\irssyncd.exe"
@=""
"RealPlayer"="\"C:\\Program Files\\Real\\RealOne Player\\realplay.exe\" /RunUPGToolCommandReBoot"
"Google Desktop Search"="\"C:\\Program Files\\Google\\Google Desktop Search\\GoogleDesktop.exe\" /startup"
"PopUpStopperProfessional"="\"C:\\PROGRA~1\\PANICW~1\\POP-UP~1\\POPUPS~1.EXE\""
"PopUpStopperFreeEdition"="\"C:\\PROGRA~1\\PANICW~1\\POP-UP~3\\PSFree.exe\""
"Vhjjame"="C:\\WINDOWS\\F?nts\\n?pdb.exe"
"mspfrd"="C:\\WINDOWS\\System32\\mspfrd.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex]
"flags"=dword:00000008

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex\000]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"mspfrd"="C:\\WINDOWS\\System32\\mspfrd.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"mspfrd"="C:\\WINDOWS\\System32\\mspfrd.exe"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="http://myspace-886.vo.llnwd.net/00167/68/81/167881886_s.jpg"
"SubscribedURL"="http://myspace-886.vo.llnwd.net/00167/68/81/167881886_s.jpg"
"FriendlyName"=""
"Flags"=dword:00000001
"Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,e2,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,00
"OriginalStateInfo"=hex:18,00,00,00,d2,03,00,00,6e,01,00,00,5a,00,00,00,44,00,\
00,00,01,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,a2,01,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,00,00,ea,\
03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:01,00,00,00
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=""

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=""

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""




Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\At1.job
C:\WINDOWS\tasks\Symantec NetDetect.job

Completion time: Thu 07/27/2006 14:00:22.82
ComboFix ver 06.07.15/28 - This logfile is located at C:\ComboFix.txt

ComboFix.2006-07-27.135032.txt


HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 2:09:55 PM, on 7/27/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\$sys$filesystem\$sys$DRMServer.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\CDProxyServ.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\LTMSG.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\rundll32.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\POPUPS~1.EXE
C:\PROGRA~1\PANICW~1\POP-UP~3\PSFree.exe
C:\WINDOWS\F?nts\n?pdb.exe
C:\WINDOWS\System32\mspfrd.exe
C:\Program Files\Xfire\Xfire.exe
C:\WINDOWS\System32\mspfrd.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\Common Files\AOL\ACS\acsd.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\America Online 9.0\aolwbspd.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us10.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O2 - BHO: RieMon Class - {70F6A776-579A-4C95-BA88-134253907752} - C:\WINDOWS\System32\irsmhpas.dll
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar V35\ViewBar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Pa&nicware Pop-Up Stopper Basic - {B1E741E7-1E77-40D4-9FD8-51949B9CCBD0} - C:\Program Files\Panicware\Pop-Up Stopper Basic\popuppro.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: UCmore XP - The Search Accelerator - {44BE0690-5429-47f0-85BB-3FFD8020233E} - C:\Program Files\TheSearchAccelerator\UCMTSAIE.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [EarthLink Installer] " /C
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Ytoeyx] C:\Program Files\Ekmvyww\Izsux.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [EPSON Stylus Photo R320 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE /P30 "EPSON Stylus Photo R320 Series" /O6 "USB001" /M "Stylus Photo R320"
O4 - HKLM\..\Run: [adstart] "iexplore.exe" "-embedding http://iesettingsupdate"
O4 - HKLM\..\Run: [tac089d5] RUNDLL32.EXE w116aaed.dll,n 002089d30000000a116aaed
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [irssyncd] C:\WINDOWS\System32\irssyncd.exe
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealOne Player\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [PopUpStopperProfessional] "C:\PROGRA~1\PANICW~1\POP-UP~1\POPUPS~1.EXE"
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~3\PSFree.exe"
O4 - HKCU\..\Run: [Vhjjame] C:\WINDOWS\F?nts\n?pdb.exe
O4 - HKCU\..\Run: [mspfrd] C:\WINDOWS\System32\mspfrd.exe
O4 - HKCU\..\RunOnce: [mspfrd] C:\WINDOWS\System32\mspfrd.exe
O4 - Startup: Epson printer Registration.lnk = F:\Titles\Ereg\English\EPSONREG.EXE
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PopSubtract.lnk = C:\Program Files\interMute\PopSubtract\PopSub.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar V35\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -
O16 - DPF: {37802401-C7E2-11D7-8582-0048548470B6} (VRCLoader) - http://www.videoraver.com/vrcloader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1107239853421
O16 - DPF: {98827C42-6A82-11D7-8582-0048548470B6} (VideoRaver) - http://www.videoraver.com/videoraver.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{83D57B1D-0ADB-46FF-A9FB-3EE03904FD81}: NameServer = 205.188.146.145
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: inicfg32.dll, spool32.dll c:\windows\system32\spool32.dll dexplore.dll C:\WINDOWS\System32\dexplore.dll C:\WINDOWS\System32\spool32.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Plug and Play Device Manager ($sys$DRMServer) - First 4 Internet Ltd - C:\WINDOWS\System32\$sys$filesystem\$sys$DRMServer.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: XCP CD Proxy (CD_Proxy) - Unknown owner - C:\WINDOWS\CDProxyServ.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

I noticed a few things in the HJT log; it had links to random websites... Are those things causing all the pop-ups on my computer?

Thanks for helping me also, Shaba -thumbs up-

Edited by ICYcold, 27 July 2006 - 04:12 PM.


#4 Shaba

Shaba

    Koutsi


  • Members
  • 7,872 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:06:30 PM

Posted 28 July 2006 - 02:17 AM

Hi

Looking better, but still lots to do.

First of all, E2takeout didn't work, so we need other tools.

Open HijackThis, click do a system scan only and checkmark these:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us10.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O2 - BHO: RieMon Class - {70F6A776-579A-4C95-BA88-134253907752} - C:\WINDOWS\System32\irsmhpas.dll
O4 - HKLM\..\Run: [Ytoeyx] C:\Program Files\Ekmvyww\Izsux.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [adstart] "iexplore.exe" "-embedding http://iesettingsupdate"
O4 - HKLM\..\Run: [tac089d5] RUNDLL32.EXE w116aaed.dll,n 002089d30000000a116aaed
O4 - HKCU\..\Run: [irssyncd] C:\WINDOWS\System32\irssyncd.exe
O4 - HKCU\..\Run: [Vhjjame] C:\WINDOWS\F?nts\n?pdb.exe
O4 - HKCU\..\Run: [mspfrd] C:\WINDOWS\System32\mspfrd.exe
O4 - HKCU\..\RunOnce: [mspfrd] C:\WINDOWS\System32\mspfrd.exe
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -
O20 - AppInit_DLLs: inicfg32.dll, spool32.dll c:\windows\system32\spool32.dll dexplore.dll C:\WINDOWS\System32\dexplore.dll C:\WINDOWS\System32\spool32.dll


Close all windows including browser and press fix checked.

1. Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Folders to delete:
C:\Program Files\E2G
C:\Program Files\Common Files\??sembly
C:\Program Files\Common Files\?asks
C:\Program Files\?dobe
C:\Program Files\apsi
C:\Program Files\whInstall
C:\Program Files\Ekmvyww

Files to delete:
C:\WINDOWS\system32\tac089d5.sys
C:\WINDOWS\hvlxi.dll
C:\Installer3.exe
C:\ucmoreiex.exe
C:\WINDOWS\system32\tac089d5.dll
C:\WINDOWS\system32\w116aaed.dll
C:\WINDOWS\system32\mspfrd.exe
C:\WINDOWS\iun6002.exe
C:\WINDOWS\system32\dexplore.dll
C:\WINDOWS\system32\adrot-uninst.exe
C:\WINDOWS\system32\adrotate.dll
C:\WINDOWS\system32\tdopciow.exe
C:\WINDOWS\system32\bqfhkj.dll
C:\WINDOWS\system32\irsmhpas.dll
C:\WINDOWS\system32\irssyncd.exe
C:\WINDOWS\system32\tdopugif.exe
C:\Program Files\Common Files\Yazzle1119OinUninstaller.exe
C:\WINDOWS\system32\spool32.dll
C:\WINDOWS\system32\inicfg32.dll
C:\WINDOWS\unstall.exe
C:\WINDOWS\chad_bundle.exe
C:\WINDOWS\YazzleBundle-1119.exe
C:\WINDOWS\mirar.exe
C:\WINDOWS\media_motor_bundle.exe
C:\WINDOWS\whCC-GIANT.exe
C:\WINDOWS\system32\ts_chad.exe
C:\WINDOWS\system32\icon_chad.exe
C:\WINDOWS\system32\icon_mediamotor.exe
C:\WINDOWS\system32\ts_mediamotor.exe

Registry values to replace with dummy:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
Please do an online scan with Kaspersky Online Scanner. You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:

    o Scan using the following Anti-Virus database:

    + Extended (If available otherwise Standard)

    o Scan Options:

    + Scan Archives
    + Scan Mail Bases

  • Click OK
  • Now under select a target to scan select My Computer
  • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Send:

- a fresh HijackThis log
- C:\avenger.txt
- kaspersky report
Microsoft MVP Consumer Security
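The fix list and Avenger script above pick entries out of the HJT log by a few recurring signals: a `?` inside a file path (the tool most likely printed a character it could not render, and a literal `?` is not a legal file-name character on Windows), a populated AppInit_DLLs value, a Trusted Zone addition, an O16 entry with no source URL, and the same name registered under more than one autorun key. The Python script below is an added example for this thread, not code from HijackThis, The Avenger or any of the posters; it applies those checks to a handful of lines copied from the log above. The allowlist of hosts a browser setting is expected to point at (here the HP OEM defaults seen in the log) is an assumption the analyst supplies.

```python
"""Triage helper for HijackThis-style log lines (added example, not HJT's own code)."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# "O4 - HKLM\..\Run: [name] command" and the other "<code> - <body>" section lines.
HJT_LINE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
# Registry autorun entries only; Startup-folder O4 lines do not match and are skipped.
O4_LINE = re.compile(r"^(?P<hive>[^\\]+)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$")
URL_TOKEN = re.compile(r"https?://\S+")

# Constructed sample: a few lines copied from the HJT log posted in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us10.hpwis.com/
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKCU\..\Run: [Vhjjame] C:\WINDOWS\F?nts\n?pdb.exe
O4 - HKCU\..\Run: [mspfrd] C:\WINDOWS\System32\mspfrd.exe
O4 - HKCU\..\RunOnce: [mspfrd] C:\WINDOWS\System32\mspfrd.exe
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -
O20 - AppInit_DLLs: inicfg32.dll, spool32.dll c:\windows\system32\spool32.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
"""


def parse_hjt(text):
    """Return (code, body) pairs for every section line; headers and process lists are skipped."""
    entries = []
    for raw in text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def triage_hjt(text, expected_hosts=frozenset()):
    """Return (code, reason, evidence) findings for the entries worth a closer look."""
    findings = []
    autorun_sites = defaultdict(set)  # entry name -> autorun keys it appears under
    for code, body in parse_hjt(text):
        # A '?' in a path (URLs excluded, since '?' is legal there) means the log
        # writer could not render a character; the real name is not what is printed.
        if "?" in URL_TOKEN.sub("", body):
            findings.append((code, "path contains a character rendered as '?' (likely a lookalike name)", body))
        if code in ("R0", "R1") and " = " in body:
            url = body.split(" = ", 1)[1].strip()
            host = urlsplit(url).hostname or ""
            if host and host not in expected_hosts:
                findings.append((code, f"browser setting points at unexpected host {host}", body))
        elif code == "O4":
            m = O4_LINE.match(body)
            if m:
                autorun_sites[m.group("name").lower()].add(f"{m.group('hive')}\\{m.group('key')}")
        elif code == "O15":
            findings.append((code, "site added to the Trusted Zone", body))
        elif code == "O16" and body.rstrip().endswith("-"):
            findings.append((code, "Downloaded Program File with no source URL", body))
        elif code == "O20" and body.startswith("AppInit_DLLs:"):
            if body.split(":", 1)[1].strip():
                findings.append((code, "AppInit_DLLs set: listed DLLs load into every process that links user32.dll", body))
    # The same name under several autorun keys (Run plus RunOnce here) is a persistence tell.
    for name, sites in autorun_sites.items():
        if len(sites) > 1:
            findings.append(("O4", f"'{name}' registered in {len(sites)} autorun locations", "; ".join(sorted(sites))))
    return findings


if __name__ == "__main__":
    for code, reason, evidence in triage_hjt(SAMPLE_LOG, expected_hosts={"us10.hpwis.com"}):
        print(f"{code:4} {reason}\n     {evidence}")
```

Run it directly to print the findings for the sample. The `?` entries are the ones to expect trouble with when a removal script names them literally: the path as printed does not exist, and a literal `?` is an invalid object name, which is consistent with the 0xc0000033 (STATUS_OBJECT_NAME_INVALID) failures the Avenger log later in this thread reports for exactly those folders.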

#5 ICYcold

ICYcold
  • Topic Starter

  • Members
  • 100 posts
  • OFFLINE
  • Local time:08:30 AM

Posted 28 July 2006 - 02:29 AM

I got this error from HJT after clicking fix selected

An unexpected error has occurred at procedure: modBackup_MakeBackup(sItem=O20 - AppInit_DLLs: inicfg32.dll, spool32.dll c:\windows\system32\spool32.dll dexplore.dll C:\WINDOWS\System32\dexplore.dll C:\WINDOWS\System32\spool32.dll)
Error #5 - Invalid procedure call or argument

Please email me at merijn@spywareinfo.com, reporting the following:
* What you were trying to fix when the error occurred, if applicable
* How you can reproduce the error
* A complete HijackThis scan log, if possible

Windows version: Windows NT 5.01.2600
MSIE version: 6.0.2800.1106
HijackThis version: 1.99.1

This message has been copied to your clipboard.
Click OK to continue the rest of the scan.

#6 Shaba

Shaba

    Koutsi


  • Members
  • 7,872 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:06:30 PM

Posted 28 July 2006 - 02:36 AM

Hi

That's ok. Just continue with my previous instructions :thumbsup:
Microsoft MVP Consumer Security

#7 ICYcold

ICYcold
  • Topic Starter

  • Members
  • 100 posts
  • OFFLINE
  • Local time:08:30 AM

Posted 28 July 2006 - 02:59 AM

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\cwtlaksb

*******************

Script file located at: \??\C:\qfetlabd.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Folder C:\Program Files\E2G deleted successfully.


Could not open folder C:\Program Files\Common Files\??sembly for deletion
Deletion of folder C:\Program Files\Common Files\??sembly failed!

Could not process line:
C:\Program Files\Common Files\??sembly
Status: 0xc0000033



Could not open folder C:\Program Files\Common Files\?asks for deletion
Deletion of folder C:\Program Files\Common Files\?asks failed!

Could not process line:
C:\Program Files\Common Files\?asks
Status: 0xc0000033



Could not open folder C:\Program Files\?dobe for deletion
Deletion of folder C:\Program Files\?dobe failed!

Could not process line:
C:\Program Files\?dobe
Status: 0xc0000033

Folder C:\Program Files\apsi deleted successfully.
Folder C:\Program Files\whInstall deleted successfully.
Folder C:\Program Files\Ekmvyww deleted successfully.
File C:\WINDOWS\system32\tac089d5.sys deleted successfully.
File C:\WINDOWS\hvlxi.dll deleted successfully.
File C:\Installer3.exe deleted successfully.
File C:\ucmoreiex.exe deleted successfully.
File C:\WINDOWS\system32\tac089d5.dll deleted successfully.
File C:\WINDOWS\system32\w116aaed.dll deleted successfully.
File C:\WINDOWS\system32\mspfrd.exe deleted successfully.
File C:\WINDOWS\iun6002.exe deleted successfully.
File C:\WINDOWS\system32\dexplore.dll deleted successfully.
File C:\WINDOWS\system32\adrot-uninst.exe deleted successfully.
File C:\WINDOWS\system32\adrotate.dll deleted successfully.
File C:\WINDOWS\system32\tdopciow.exe deleted successfully.
File C:\WINDOWS\system32\bqfhkj.dll deleted successfully.


File C:\WINDOWS\system32\irsmhpas.dll not found!
Deletion of file C:\WINDOWS\system32\irsmhpas.dll failed!

Could not process line:
C:\WINDOWS\system32\irsmhpas.dll
Status: 0xc0000034

File C:\WINDOWS\system32\irssyncd.exe deleted successfully.
File C:\WINDOWS\system32\tdopugif.exe deleted successfully.
File C:\Program Files\Common Files\Yazzle1119OinUninstaller.exe deleted successfully.
File C:\WINDOWS\system32\spool32.dll deleted successfully.
File C:\WINDOWS\system32\inicfg32.dll deleted successfully.
File C:\WINDOWS\unstall.exe deleted successfully.
File C:\WINDOWS\chad_bundle.exe deleted successfully.
File C:\WINDOWS\YazzleBundle-1119.exe deleted successfully.
File C:\WINDOWS\mirar.exe deleted successfully.
File C:\WINDOWS\media_motor_bundle.exe deleted successfully.
File C:\WINDOWS\whCC-GIANT.exe deleted successfully.
File C:\WINDOWS\system32\ts_chad.exe deleted successfully.
File C:\WINDOWS\system32\icon_chad.exe deleted successfully.
File C:\WINDOWS\system32\icon_mediamotor.exe deleted successfully.
File C:\WINDOWS\system32\ts_mediamotor.exe deleted successfully.
Registry value HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DLLs replaced with dummy successfully.

Completed script processing.

*******************

Finished! Terminate.


Infected Object Name Virus Name Last Action
C:\avenger\backup.zip/avenger/bqfhkj.dll Infected: not-a-virus:AdWare.Win32.PurityScan.ak skipped
C:\avenger\backup.zip/avenger/chad_bundle.exe/data0002/stream/data0002 Infected: not-a-virus:AdWare.Win32.SideFind.a skipped
C:\avenger\backup.zip/avenger/chad_bundle.exe/data0002/stream Infected: not-a-virus:AdWare.Win32.SideFind.a skipped
C:\avenger\backup.zip/avenger/chad_bundle.exe/data0002 Infected: not-a-virus:AdWare.Win32.SideFind.a skipped
C:\avenger\backup.zip/avenger/chad_bundle.exe/data0003/stream/data0001 Infected: not-a-virus:AdWare.Win32.BHO.ao skipped
C:\avenger\backup.zip/avenger/chad_bundle.exe/data0003/stream Infected: not-a-virus:AdWare.Win32.BHO.ao skipped
C:\avenger\backup.zip/avenger/chad_bundle.exe/data0003 Infected: not-a-virus:AdWare.Win32.BHO.ao skipped
C:\avenger\backup.zip/avenger/chad_bundle.exe Infected: not-a-virus:AdWare.Win32.BHO.ao skipped
C:\avenger\backup.zip/avenger/dexplore.dll Infected: not-a-virus:AdWare.Win32.PurityScan.en skipped
C:\avenger\backup.zip/avenger/E2G/IeBHOs.dll Infected: not-a-virus:AdWare.Win32.E2Give.d skipped
C:\avenger\backup.zip/avenger/icon_chad.exe/stream/data0001 Infected: not-a-virus:AdWare.Win32.BHO.ao skipped
C:\avenger\backup.zip/avenger/icon_chad.exe/stream Infected: not-a-virus:AdWare.Win32.BHO.ao skipped
C:\avenger\backup.zip/avenger/icon_chad.exe Infected: not-a-virus:AdWare.Win32.BHO.ao skipped
C:\avenger\backup.zip/avenger/icon_mediamotor.exe/stream/data0001 Infected: not-a-virus:AdWare.Win32.BHO.ao skipped
C:\avenger\backup.zip/avenger/icon_mediamotor.exe/stream Infected: not-a-virus:AdWare.Win32.BHO.ao skipped
C:\avenger\backup.zip/avenger/icon_mediamotor.exe Infected: not-a-virus:AdWare.Win32.BHO.ao skipped
C:\avenger\backup.zip/avenger/inicfg32.dll Infected: not-a-virus:AdWare.Win32.E2Give.e skipped
C:\avenger\backup.zip/avenger/Installer3.exe Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\avenger\backup.zip/avenger/media_motor_bundle.exe/data0002/stream/data0002 Infected: not-a-virus:AdWare.Win32.SideFind.a skipped
C:\avenger\backup.zip/avenger/media_motor_bundle.exe/data0002/stream Infected: not-a-virus:AdWare.Win32.SideFind.a skipped
C:\avenger\backup.zip/avenger/media_motor_bundle.exe/data0002 Infected: not-a-virus:AdWare.Win32.SideFind.a skipped
C:\avenger\backup.zip/avenger/media_motor_bundle.exe/data0003/stream/data0001 Infected: not-a-virus:AdWare.Win32.BHO.ao skipped
C:\avenger\backup.zip/avenger/media_motor_bundle.exe/data0003/stream Infected: not-a-virus:AdWare.Win32.BHO.ao skipped
C:\avenger\backup.zip/avenger/media_motor_bundle.exe/data0003 Infected: not-a-virus:AdWare.Win32.BHO.ao skipped
C:\avenger\backup.zip/avenger/media_motor_bundle.exe Infected: not-a-virus:AdWare.Win32.BHO.ao skipped
C:\avenger\backup.zip/avenger/mirar.exe Infected: not-a-virus:AdWare.Win32.NetNucleus skipped
C:\avenger\backup.zip/avenger/mspfrd.exe Infected: Trojan-Spy.Win32.VB.eh skipped
C:\avenger\backup.zip/avenger/spool32.dll Infected: not-a-virus:AdWare.Win32.PurityScan.en skipped
C:\avenger\backup.zip/avenger/ts_chad.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.SideFind.a skipped
C:\avenger\backup.zip/avenger/ts_chad.exe/stream Infected: not-a-virus:AdWare.Win32.SideFind.a skipped
C:\avenger\backup.zip/avenger/ts_chad.exe Infected: not-a-virus:AdWare.Win32.SideFind.a skipped
C:\avenger\backup.zip/avenger/ts_mediamotor.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.SideFind.a skipped
C:\avenger\backup.zip/avenger/ts_mediamotor.exe/stream Infected: not-a-virus:AdWare.Win32.SideFind.a skipped
C:\avenger\backup.zip/avenger/ts_mediamotor.exe Infected: not-a-virus:AdWare.Win32.SideFind.a skipped
C:\avenger\backup.zip/avenger/ucmoreiex.exe/unknown2.bin Infected: not-a-virus:AdWare.Win32.Ucmore.e skipped
C:\avenger\backup.zip/avenger/ucmoreiex.exe/UCMTSAIE.DLL Infected: not-a-virus:AdWare.Win32.Ucmore.a skipped
C:\avenger\backup.zip/avenger/ucmoreiex.exe/IUCMORE.DLL Infected: not-a-virus:AdWare.Win32.Ucmore skipped
C:\avenger\backup.zip/avenger/ucmoreiex.exe Infected: not-a-virus:AdWare.Win32.Ucmore skipped
C:\avenger\backup.zip/avenger/unstall.exe Infected: not-a-virus:AdWare.Win32.MediaMotor.o skipped
C:\avenger\backup.zip/avenger/whCC-GIANT.exe/data.rar/WhAgent.exe Infected: not-a-virus:AdWare.Win32.WebHancer.351 skipped
C:\avenger\backup.zip/avenger/whCC-GIANT.exe/data.rar/whInstaller.exe Infected: not-a-virus:AdWare.Win32.WebHancer skipped
C:\avenger\backup.zip/avenger/whCC-GIANT.exe/data.rar/WhSurvey.exe Infected: not-a-virus:AdWare.Win32.WebHancer skipped
C:\avenger\backup.zip/avenger/whCC-GIANT.exe/data.rar/Webhdll.dll Infected: not-a-virus:AdWare.Win32.WebHancer skipped
C:\avenger\backup.zip/avenger/whCC-GIANT.exe/data.rar/whiehlpr.dll Infected: not-a-virus:AdWare.Win32.WebHancer skipped
C:\avenger\backup.zip/avenger/whCC-GIANT.exe/data.rar Infected: not-a-virus:AdWare.Win32.WebHancer skipped
C:\avenger\backup.zip/avenger/whCC-GIANT.exe Infected: not-a-virus:AdWare.Win32.WebHancer skipped
C:\avenger\backup.zip/avenger/YazzleBundle-1119.exe/data0002 Infected: Trojan.Win32.Scapur.k skipped
C:\avenger\backup.zip/avenger/YazzleBundle-1119.exe Infected: Trojan.Win32.Scapur.k skipped
C:\avenger\backup.zip ZIP: infected - 48 skipped
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-160dd9ae-43b32175.zip/BlackBox.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-160dd9ae-43b32175.zip/VerifierBug.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-160dd9ae-43b32175.zip/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa skipped
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-160dd9ae-43b32175.zip ZIP: infected - 3 skipped
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-3ed9ba21-6523d6e1.zip/BlackBox.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-3ed9ba21-6523d6e1.zip/VerifierBug.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-3ed9ba21-6523d6e1.zip/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa skipped
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-3ed9ba21-6523d6e1.zip ZIP: infected - 3 skipped
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-516ac74a-1219ab22.zip/BlackBox.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-516ac74a-1219ab22.zip/VerifierBug.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-516ac74a-1219ab22.zip/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa skipped
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-516ac74a-1219ab22.zip ZIP: infected - 3 skipped
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-7a36a7be-58a2b128.zip/BlackBox.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-7a36a7be-58a2b128.zip/VerifierBug.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-7a36a7be-58a2b128.zip/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa skipped
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-7a36a7be-58a2b128.zip ZIP: infected - 3 skipped
C:\Documents and Settings\Owner\Desktop\backups\backup-20060728-002628-350.dll Infected: not-a-virus:AdWare.Win32.E2Give.d skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\CIBEZMSN\!update-4095[1].0000 Infected: Trojan-Downloader.Win32.PurityScan.co skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\W5UZSTIN\xp-cydoor-728[1].swf Infected: not-virus:Hoax.SWF.Alerter.a skipped
C:\Documents and Settings\Owner\My Documents\filelib\untamedmaster\Downloads\OiUninstaller.exe/data0003 Infected: not-a-virus:AdWare.Win32.PurityScan.bu skipped
C:\Documents and Settings\Owner\My Documents\filelib\untamedmaster\Downloads\OiUninstaller.exe NSIS: infected - 1 skipped
C:\hp\bin\KillWind.exe Infected: not-a-virus:RiskTool.Win32.PsKill.p skipped
C:\Program Files\Media Gateway\MediaGateway.exe Infected: not-a-virus:AdWare.Win32.WinAD.be skipped
C:\Program Files\Mozilla Firefox\plugins\npzango.dll Infected: not-a-virus:AdWare.Win32.WinAD.be skipped
C:\Program Files\Preview AdService\PrevAdComm.dll Infected: not-a-virus:AdWare.Win32.WinAD.ab skipped
C:\Program Files\TheSearchAccelerator\IUCmore.dll Infected: not-a-virus:AdWare.Win32.Ucmore skipped
C:\Program Files\TheSearchAccelerator\UCMTSAIE.dll Infected: not-a-virus:AdWare.Win32.Ucmore.a skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP278\A0024699.sys Infected: not-a-virus:RiskTool.Win32.XCP.a skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP327\A0027407.exe Infected: not-a-virus:AdWare.Win32.Gator.6034 skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP327\A0027408.exe Infected: not-a-virus:AdWare.Win32.Gator.3010 skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP327\A0027409.dll Infected: not-a-virus:AdWare.Win32.Gator.6041 skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP327\A0027410.dll Infected: not-a-virus:AdWare.Win32.Gator.m skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP327\A0027411.dll Infected: not-a-virus:AdWare.Win32.Gator.5017 skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP327\A0027412.dll Infected: not-a-virus:AdWare.Win32.Gator.5017 skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP327\A0027413.dll Infected: not-a-virus:AdWare.Win32.Gator.6041 skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP327\A0027414.exe Infected: not-a-virus:AdWare.Win32.Gator.5112 skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP327\A0027416.exe Infected: not-a-virus:AdWare.Win32.Gator.g skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP327\A0027664.exe Infected: not-a-virus:AdWare.Win32.WebHancer.351 skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP327\A0027665.dll Infected: not-a-virus:AdWare.Win32.WebHancer skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP329\A0029700.exe Infected: not-a-virus:AdWare.Win32.ShopAtHome.d skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP329\A0029702.exe Infected: not-a-virus:AdWare.Win32.Sahat.bg skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP331\A0030663.dll Infected: not-a-virus:AdWare.Win32.TrafficSol.a skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP335\A0031322.ini Infected: not-a-virus:AdWare.Win32.Sahat.ao skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP337\A0031432.exe Infected: not-a-virus:AdWare.Win32.WebHancer skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP337\A0031433.exe Infected: not-a-virus:AdWare.Win32.WebHancer skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP337\A0031435.dll Infected: not-a-virus:AdWare.Win32.WebHancer skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP337\A0031436.exe Infected: not-a-virus:AdWare.Win32.WebHancer skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP342\A0031596.dll Infected: not-a-virus:AdWare.Win32.Mirar.b skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP342\A0031597.dll Infected: not-a-virus:AdWare.Win32.Mirar.a skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP342\A0031616.dll Infected: not-a-virus:AdWare.Win32.Gator.5115 skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP342\A0031617.dll Infected: not-a-virus:AdWare.Win32.Gator.m skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP342\A0031618.dll Infected: not-a-virus:AdWare.Win32.Gator.6051 skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP342\A0031619.dll Infected: not-a-virus:AdWare.Win32.Gator.3124 skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP342\A0031620.dll Infected: not-a-virus:AdWare.Win32.Gator.6041 skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP342\A0031621.dll Infected: not-a-virus:AdWare.Win32.Gator.6041 skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP342\A0031622.dll Infected: not-a-virus:AdWare.Win32.Gator.6051 skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP342\A0031623.dll Infected: not-a-virus:AdWare.Win32.Gator.6051 skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP342\A0031625.dll Infected: not-a-virus:AdWare.Win32.Gator.6051 skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP342\A0031626.dll Infected: not-a-virus:AdWare.Win32.Gator.6051 skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP342\A0031627.dll Infected: not-a-virus:AdWare.Win32.Gator.m skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP342\A0031632.exe Infected: not-a-virus:AdWare.Win32.DashBar.a skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP342\A0031636.dll Infected: not-a-virus:AdWare.Win32.EZula.bn skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP342\A0031637.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP342\A0031639.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP342\A0031679.exe Infected: not-a-virus:AdWare.Win32.Sahat.au skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP342\A0031681.exe Infected: not-a-virus:AdWare.Win32.Sahat.bi skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP342\A0031682.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP342\A0031683.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP349\A0035322.dll Infected: not-a-virus:AdWare.Win32.E2Give.d skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP356\A0036948.dll Infected: not-a-virus:AdWare.Win32.TrafficSol.a skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP364\A0037767.dll Infected: not-a-virus:AdWare.Win32.PurityScan.ak skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP365\A0037787.dll Infected: not-a-virus:AdWare.Win32.PurityScan.ak skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP365\A0037788.exe Infected: not-a-virus:AdWare.Win32.PurityScan.en skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP366\A0037888.dll Infected: not-a-virus:AdWare.Win32.BHO.ao skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP367\A0037933.dll Infected: not-a-virus:AdWare.Win32.BHO.ao skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP370\A0040136.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP370\A0040137.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP370\A0040138.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP370\A0040139.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP370\A0040221.dll Infected: not-a-virus:AdWare.Win32.E2Give.d skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP370\A0040288.exe Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP370\A0040294.exe Infected: not-a-virus:Monitor.Win32.NetMon.a skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP370\A0040295.dll Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP370\A0040296.exe Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP371\A0040415.dll Infected: not-a-virus:AdWare.Win32.PurityScan.ak skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP371\A0040416.exe/data0002/stream/data0002 Infected: not-a-virus:AdWare.Win32.SideFind.a skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP371\A0040416.exe/data0002/stream Infected: not-a-virus:AdWare.Win32.SideFind.a skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP371\A0040416.exe/data0002 Infected: not-a-virus:AdWare.Win32.SideFind.a skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP371\A0040416.exe/data0003/stream/data0001 Infected: not-a-virus:AdWare.Win32.BHO.ao skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP371\A0040416.exe/data0003/stream Infected: not-a-virus:AdWare.Win32.BHO.ao skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP371\A0040416.exe/data0003 Infected: not-a-virus:AdWare.Win32.BHO.ao skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP371\A0040416.exe NSIS: infected - 6 skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP371\A0040417.dll Infected: not-a-virus:AdWare.Win32.PurityScan.en skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP371\A0040418.dll Infected: not-a-virus:AdWare.Win32.E2Give.d skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP371\A0040420.exe/stream/data0001 Infected: not-a-virus:AdWare.Win32.BHO.ao skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP371\A0040420.exe/stream Infected: not-a-virus:AdWare.Win32.BHO.ao skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP371\A0040420.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP371\A0040421.exe/stream/data0001 Infected: not-a-virus:AdWare.Win32.BHO.ao skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP371\A0040421.exe/stream Infected: not-a-virus:AdWare.Win32.BHO.ao skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP371\A0040421.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP371\A0040422.dll Infected: not-a-virus:AdWare.Win32.E2Give.e skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP371\A0040423.exe Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP371\A0040426.exe/data0002/stream/data0002 Infected: not-a-virus:AdWare.Win32.SideFind.a skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP371\A0040426.exe/data0002/stream Infected: not-a-virus:AdWare.Win32.SideFind.a skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP371\A0040426.exe/data0002 Infected: not-a-virus:AdWare.Win32.SideFind.a skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP371\A0040426.exe/data0003/stream/data0001 Infected: not-a-virus:AdWare.Win32.BHO.ao skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP371\A0040426.exe/data0003/stream Infected: not-a-virus:AdWare.Win32.BHO.ao skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP371\A0040426.exe/data0003 Infected: not-a-virus:AdWare.Win32.BHO.ao skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP371\A0040426.exe NSIS: infected - 6 skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP371\A0040427.exe Infected: not-a-virus:AdWare.Win32.NetNucleus skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP371\A0040428.exe Infected: Trojan-Spy.Win32.VB.eh skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP371\A0040429.dll Infected: not-a-virus:AdWare.Win32.PurityScan.en skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP371\A0040434.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.SideFind.a skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP371\A0040434.exe/stream Infected: not-a-virus:AdWare.Win32.SideFind.a skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP371\A0040434.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP371\A0040435.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.SideFind.a skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP371\A0040435.exe/stream Infected: not-a-virus:AdWare.Win32.SideFind.a skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP371\A0040435.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP371\A0040437.exe/unknown2.bin Infected: not-a-virus:AdWare.Win32.Ucmore.e skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP371\A0040437.exe/UCMTSAIE.DLL Infected: not-a-virus:AdWare.Win32.Ucmore.a skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP371\A0040437.exe/IUCMORE.DLL Infected: not-a-virus:AdWare.Win32.Ucmore skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP371\A0040437.exe ZIP: infected - 3 skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP371\A0040437.exe WiseSFX Dropper: infected - 3 skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP371\A0040439.exe Infected: not-a-virus:AdWare.Win32.MediaMotor.o skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP371\A0040442.exe/data.rar/WhAgent.exe Infected: not-a-virus:AdWare.Win32.WebHancer.351 skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP371\A0040442.exe/data.rar/whInstaller.exe Infected: not-a-virus:AdWare.Win32.WebHancer skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP371\A0040442.exe/data.rar/WhSurvey.exe Infected: not-a-virus:AdWare.Win32.WebHancer skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP371\A0040442.exe/data.rar/Webhdll.dll Infected: not-a-virus:AdWare.Win32.WebHancer skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP371\A0040442.exe/data.rar/whiehlpr.dll Infected: not-a-virus:AdWare.Win32.WebHancer skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP371\A0040442.exe/data.rar Infected: not-a-virus:AdWare.Win32.WebHancer skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP371\A0040442.exe RarSFX: infected - 6 skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP371\A0040446.exe/data0002 Infected: Trojan.Win32.Scapur.k skipped
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP371\A0040446.exe NSIS: infected - 1 skipped
C:\WINDOWS\Downloaded Program Files\amm06.ocx Infected: not-a-virus:AdWare.Win32.MediaMotor.p skipped
C:\WINDOWS\Downloaded Program Files\HDPlugin1101.dll Infected: not-a-virus:AdWare.Win32.Gator.1101 skipped
C:\WINDOWS\Fοnts\nоpdb.exe Infected: not-a-virus:AdWare.Win32.PurityScan.em skipped
C:\WINDOWS\system32\nsk346.dll Infected: not-a-virus:AdWare.Win32.EZula.bn skipped
Scan process completed.



HJT


Logfile of HijackThis v1.99.1
Scan saved at 8:27:55 AM, on 7/28/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\$sys$filesystem\$sys$DRMServer.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\CDProxyServ.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\wanmpsvc.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\LTMSG.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\FNTS~1\NPDB~1.EXE
C:\PROGRA~1\PANICW~1\POP-UP~1\POPUPS~1.EXE
C:\PROGRA~1\PANICW~1\POP-UP~3\PSFree.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\AMERIC~1.0\waol.exe
C:\Program Files\Common Files\AOL\ACS\acsd.exe
C:\PROGRA~1\AMERIC~1.0\shellmon.exe
C:\PROGRA~1\AMERIC~1.0\aolwbspd.exe
C:\Program Files\Xfire\Xfire.exe
C:\Program Files\em-pee three player\em-pee three.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll (file missing)
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar V35\ViewBar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Pa&nicware Pop-Up Stopper Basic - {B1E741E7-1E77-40D4-9FD8-51949B9CCBD0} - C:\Program Files\Panicware\Pop-Up Stopper Basic\popuppro.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: UCmore XP - The Search Accelerator - {44BE0690-5429-47f0-85BB-3FFD8020233E} - C:\Program Files\TheSearchAccelerator\UCMTSAIE.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [EarthLink Installer] " /C
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [EPSON Stylus Photo R320 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE /P30 "EPSON Stylus Photo R320 Series" /O6 "USB001" /M "Stylus Photo R320"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [] C:\WINDOWS\FNTS~1\NPDB~1.EXE
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealOne Player\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [PopUpStopperProfessional] "C:\PROGRA~1\PANICW~1\POP-UP~1\POPUPS~1.EXE"
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~3\PSFree.exe"
O4 - HKCU\..\Run: [mspfrd] C:\WINDOWS\System32\mspfrd.exe
O4 - Startup: Epson printer Registration.lnk = F:\Titles\Ereg\English\EPSONREG.EXE
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PopSubtract.lnk = C:\Program Files\interMute\PopSubtract\PopSub.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar V35\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -
O16 - DPF: {37802401-C7E2-11D7-8582-0048548470B6} (VRCLoader) - http://www.videoraver.com/vrcloader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1107239853421
O16 - DPF: {98827C42-6A82-11D7-8582-0048548470B6} (VideoRaver) - http://www.videoraver.com/videoraver.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{83D57B1D-0ADB-46FF-A9FB-3EE03904FD81}: NameServer = 205.188.146.145
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Plug and Play Device Manager ($sys$DRMServer) - First 4 Internet Ltd - C:\WINDOWS\System32\$sys$filesystem\$sys$DRMServer.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: XCP CD Proxy (CD_Proxy) - Unknown owner - C:\WINDOWS\CDProxyServ.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Edited by ICYcold, 28 July 2006 - 10:29 AM.


#8 Shaba

Shaba

    Koutsi


  • Members
  • 7,872 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:06:30 PM

Posted 28 July 2006 - 11:29 AM

Hi

Uninstall via add/remove programs (control panel)

MediaGateway
TheSearchAccelerator
Preview AdService

Open HijackThis, click do a system scan only and checkmark these:

O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll (file missing)
O4 - HKCU\..\Run: [] C:\WINDOWS\FNTS~1\NPDB~1.EXE


Close all windows including browser and press fix checked.

Please download ATF Cleaner by Atribune and save it to desktop.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser

Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit to close ATF-Cleaner.

Boot in safe mode -> http://www.pchell.com/support/safemode.shtml

Delete these if found:

C:\Program Files\Media Gateway
C:\Program Files\Mozilla Firefox\plugins\npzango.dll
C:\Program Files\Preview AdService
C:\Program Files\TheSearchAccelerator
C:\WINDOWS\Downloaded Program Files\amm06.ocx
C:\WINDOWS\Downloaded Program Files\HDPlugin1101.dll
C:\WINDOWS\Fοnts\nоpdb.exe
C:\WINDOWS\system32\nsk346.dll

Reboot

Download and run this tool -> http://securityresponse.symantec.com/avcenter/FixRyknos.exe

Go here and download and install JRE 5.0 Update 7. Click the link that says Download JRE 5.0 Update 7. You will then need to select Accept License Agreement and click the Continue button that is beside it. Then click the link that says Windows Offline Installation, Multi-language. Save it to your Desktop. Then go back to your Desktop and double click jre-1_5_0_07-windows-i586-p.exe to start the install. Once you have it installed, click Start>Run, type in appwiz.cpl and hit Enter. From the list, uninstall J2SE Runtime Environment 5.0 Update 3.

Re-scan with kaspersky

Send:

- a fresh HijackThis log
- kaspersky report
Microsoft MVP Consumer Security
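
The reply above turns a long Kaspersky report into a short "Delete these if found" list by setting aside everything that is only a copy (System Restore points, the Avenger backup zip, the Java deployment cache, IE's temporary files) and keeping the files that are still live on disk. As an added example, not part of Shaba's reply or of any BleepingComputer tool, the Python script below does that sorting mechanically on the report format shown earlier in this thread. The location buckets and the riskware test are assumptions drawn from the paths and verdict strings in this report, and the sample lines are constructed to mirror it. It also flags paths that contain non-ASCII characters: the report's `C:\WINDOWS\Fοnts\nоpdb.exe` line is not plain ASCII, and the HJT log lists that folder under the 8.3 name `FNTS~1`, which is consistent with the long name not being the real `Fonts`.

```python
"""Triage a Kaspersky on-line scanner report into archived vs live detections.

Report lines have two shapes (see the report earlier in this thread):
  <path> Infected: <verdict> skipped        one detection
  <path> ZIP: infected - <n> skipped        container summary (also NSIS:, RarSFX:, ...)
Objects inside an archive are written <container>/<member>, so the on-disk
path is everything before the first '/'.
"""
import re
import unicodedata
from collections import Counter

DETECTION_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<verdict>\S+) skipped$")

# Where a detection lives decides what to do about it.  Checked top to bottom,
# first match wins, matched case-insensitively against the on-disk path.
# The patterns are assumptions based on the paths seen in this report.
BUCKETS = [
    ("restore_point", r"\\System Volume Information\\_restore"),       # gone once System Restore is purged
    ("tool_backup",   r"\\avenger\\backup\.zip|\\Desktop\\backups\\"),  # quarantine copies kept by removal tools
    ("java_cache",    r"\\Sun\\Java\\Deployment\\cache\\"),              # cleared with the JRE update / cache purge
    ("browser_cache", r"\\Temporary Internet Files\\"),                 # cleared by ATF Cleaner
]

def split_container(path):
    """'C:\\a\\b.zip/x/y.exe' -> ('C:\\a\\b.zip', 'x/y.exe'); a plain file gives ('...', '')."""
    disk, _, member = path.partition("/")
    return disk, member

def bucket_for(disk_path):
    for name, pattern in BUCKETS:
        if re.search(pattern, disk_path, re.IGNORECASE):
            return name
    return "live"

def lookalike_chars(disk_path):
    """Non-ASCII characters in a path that should be pure ASCII, with their Unicode names."""
    return [(c, unicodedata.name(c, "UNKNOWN")) for c in disk_path if ord(c) > 127]

def is_riskware(verdict):
    """Kaspersky prefixes adware/riskware verdicts with 'not-a-virus:' (or 'not-virus:')."""
    return verdict.startswith(("not-a-virus:", "not-virus:"))

def parse_report(text):
    findings = []
    for line in text.splitlines():
        m = DETECTION_RE.match(line.rstrip())
        if not m:  # container summaries and the trailer line add no new path
            continue
        disk, member = split_container(m["path"])
        findings.append({
            "disk_path": disk,
            "member": member,
            "verdict": m["verdict"],
            "riskware": is_riskware(m["verdict"]),
            "bucket": bucket_for(disk),
            "lookalikes": lookalike_chars(disk),
        })
    return findings

def bucket_counts(text):
    return Counter(f["bucket"] for f in parse_report(text))

def live_paths(text):
    """Unique on-disk paths that are neither archived, cached nor quarantined: the work list."""
    return sorted({f["disk_path"] for f in parse_report(text) if f["bucket"] == "live"})

def lookalike_findings(text):
    """Detections whose on-disk path contains non-ASCII lookalike characters."""
    return [f for f in parse_report(text) if f["lookalikes"]]

# Constructed sample modelled on the report format above.  The Fonts line uses an
# explicit Greek omicron (U+03BF) and Cyrillic o (U+043E) to stand in for the
# lookalike folder the real report shows.
SAMPLE_REPORT = (
    r"C:\avenger\backup.zip/avenger/unstall.exe Infected: not-a-virus:AdWare.Win32.MediaMotor.o skipped" "\n"
    r"C:\avenger\backup.zip ZIP: infected - 48 skipped" "\n"
    r"C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-160dd9ae-43b32175.zip/BlackBox.class Infected: Exploit.Java.ByteVerify skipped" "\n"
    r"C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\CIBEZMSN\!update-4095[1].0000 Infected: Trojan-Downloader.Win32.PurityScan.co skipped" "\n"
    r"C:\Program Files\Media Gateway\MediaGateway.exe Infected: not-a-virus:AdWare.Win32.WinAD.be skipped" "\n"
    r"C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP371\A0040428.exe Infected: Trojan-Spy.Win32.VB.eh skipped" "\n"
    "C:\\WINDOWS\\F\u03bfnts\\n\u043epdb.exe Infected: not-a-virus:AdWare.Win32.PurityScan.em skipped\n"
    r"C:\WINDOWS\system32\nsk346.dll Infected: not-a-virus:AdWare.Win32.EZula.bn skipped" "\n"
    "Scan process completed.\n"
)

if __name__ == "__main__":
    print("detections per location:", dict(bucket_counts(SAMPLE_REPORT)))
    print("live files to review:")
    for p in live_paths(SAMPLE_REPORT):
        print("  ", p)
    for f in lookalike_findings(SAMPLE_REPORT):
        print("lookalike characters in", f["disk_path"], "->", f["lookalikes"])
```

The script deletes nothing; it only produces the work list a helper would review before posting instructions, and the `riskware` flag separates "not-a-virus" adware verdicts from trojan and exploit verdicts so the latter can be looked at first.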

#9 ICYcold

ICYcold
  • Topic Starter

  • Members
  • 100 posts
  • OFFLINE
  •  
  • Local time:08:30 AM

Posted 28 July 2006 - 12:08 PM

I can't find Media Gateway and Preview AdService in my Add or Remove Programs list. Should they be there?

#10 Shaba

Shaba

    Koutsi


  • Members
  • 7,872 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:06:30 PM

Posted 28 July 2006 - 12:14 PM

Hi

If you can't find them, just move on :thumbsup:
Microsoft MVP Consumer Security

#11 Shaba

Shaba

    Koutsi


  • Members
  • 7,872 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:06:30 PM

Posted 04 August 2006 - 02:38 AM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
Microsoft MVP Consumer Security



