Multitude Of Malware, Adware, Trojans, Etc., Can't Remove Permanently


29 replies to this topic

#1 Hostis Deus

Posted 30 July 2006 - 01:48 AM

I'm not sure how it all got there, but at one point, I got SpyWare Quake, among a few other baddies floating around my compy. Since then, I have used the following programs to attempt to remove the bad files:

AdAware SE, Spybot Search and Destroy, roguescanfix & smitRem (for the SpyWare Quake), McAfee Sting, and McAfee VirusScan.

All have the latest patches and definitions, my Windows XP is all updated, and no matter how many times I run each program, and no matter how many times I delete each trojan and adware program and tracker, they keep regenerating. If I run AdAware once, for example, and get rid of all the files it detects, two days later it'll detect around 60+ new files.

The effects of these files, other than slowing my computer and making me avoid entering credit card info (haha, like I have money on any of them anyway), is that every 2-5 minutes or so a new popup will pop up, offering me many excellent deals on such things as online casinos, Adult FriendFinder, free video downloads, and (the current popup) Sex and the City season DVDs. I feel like I get fewer ads watching TV. Oh, and I don't have to browse the internet to get the popups. If I just leave my compy idle for an hour, I'll have a dozen or more ads to close.

One more annoying effect is that after about 10 minutes, a flashing icon appears in my taskbar that, every 15 seconds, pops up a message saying, "System Alert: Spyware Detected. System has detected 4 active spyware applications that may cause your computer to crash and restart, slow to a crawl, and even shut down it entirely. Click the icon to get rid of unwanted spyware."

Please help me, someone!

HijackThis logfile below:

Logfile of HijackThis v1.99.1
Scan saved at 12:31:07 AM, on 7/30/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\ishost.exe
C:\WINDOWS\system32\issearch.exe
C:\WINDOWS\system32\isnotify.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\WINDOWS\system32\ismon.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\Common Files\AOL\1138257019\ee\AOLSoftware.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\Program Files\ipwins\ipwins.exe
C:\Program Files\PowerISO\SCDEmuApp.exe
C:\Program Files\Common Files\{F47C1168-0898-1033-0205-050408050001}\Update.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\COMMON~1\wurq\wurqm.exe
C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\xtras\mssysmgr.exe
C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\TClock\TClock.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
O3 - Toolbar: (no name) - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1138257019\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [IpWins] C:\Program Files\ipwins\ipwins.exe
O4 - HKLM\..\Run: [SCDEmuApp.exe] C:\Program Files\PowerISO\SCDEmuApp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TClock.exe] C:\Program Files\TClock\tclock_install.exe
O4 - HKCU\..\Run: [wurq] C:\PROGRA~1\COMMON~1\wurq\wurqm.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\xtras\mssysmgr.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Clean Access Agent.lnk = C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://www.shockwave.com/content/ricochetl...bGameLoader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1122936399062
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1137306532125
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe



THANKS A TON!



#2 Buckeye_Sam

    Malware Expert



Posted 30 July 2006 - 01:26 PM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you.

Please download Ewido Anti-spyware and save that file to your desktop.
This is a 30 day trial of the program
  • Once you have downloaded ewido anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.
  • Once the setup is complete you will need to run ewido and update the definition files.
  • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
Close Ewido anti-spyware. Do not run a scan just yet. We will shortly.
  • Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.

  • Clean out your Temporary Internet files
    • Close Internet Explorer and close any instances of Windows Explorer.
    • Click Start -> Control Panel and then double-click Internet Options.
    • On the General tab, click Delete Files under Temporary Internet Files.
    • In the Delete Files dialog box, tick the Delete all offline content check box, and then click OK.
    • On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
    • Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
    • Click OK.
    IMPORTANT: Close all windows and do not open any other windows or programs while ewido is scanning; it may interfere with the scanning process.

  • Launch ewido anti-spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  • ewido will now begin the scanning process; be patient, this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted, then select "Apply all actions"
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  • Close ewido and reboot your system back into Normal Mode and post the results of the ewido scan report along with a new hijackthis log.
===============


I also need to see a different type of log from Hijackthis
  • Run Hijackthis.
  • Click on "Open the Misc Tools section".
  • Next click on "Open uninstall manager".
  • Press the button 'save list'. It will open a Notepad file.
  • Place the content of that file here in your next reply.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 Hostis Deus


Posted 31 July 2006 - 05:28 AM

Well, thanks for the help, Sam... unfortunately, my compy's not letting me try your ideas.

Two more problems have come up, and they're pretty frightening. First, I tried to do as you said and restart in safe mode. It wouldn't do it. As it was booting up files (still in the "black screen/DOS text mode"), it suddenly cuts off, restarts the computer, and goes to a screen (again the black screen with DOS text) that says "We apologize for the inconvenience, but Windows is unable to start up in safe mode," or something to that effect. It then gives me the option of either trying safe mode again (which fails), or starting up Windows normally. I didn't get a chance to read the entire screen, because after 30 seconds it automatically chooses to start Windows normally.

Second problem seems a lot less insidious. I tried to get the right HijackThis log, but I did exactly what you said, and when I click "Save List," HijackThis closes and no Notepad opens up.

I really hope you can help me...

#4 Buckeye_Sam


Posted 31 July 2006 - 07:55 AM

First let's get the info we need a different way.


Open notepad and copy and paste this text in it:

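REM Start from a clean report file.
if exist %systemdrive%\look.txt del %systemdrive%\look.txt
REM List the installed-program (Uninstall) registry subkeys.
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" >> %systemdrive%\look.txt
REM List directories only (/ad), newest first (/o:-d), in each location below.
cd\
cd /d "%appdata%"
dir /ad /o:-d /p >> %systemdrive%\look.txt
cd /d "%allusersprofile%\Application Data"
dir /ad /o:-d /p >> %systemdrive%\look.txt
cd /d "%ProgramFiles%"
dir /ad /o:-d /p >> %systemdrive%\look.txt
cd /d "%ProgramFiles%\Common Files"
dir /ad /o:-d /p >> %systemdrive%\look.txt
REM Open the finished report so it can be copied into a reply.
start notepad %systemdrive%\look.txt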

Save this as look.bat
Change the "Save As Type" to "All Files" and save it on your desktop.
Double-click look.bat and post the content of the text file you get in your next reply.



===============


Then go ahead and run the steps with Ewido in normal mode.
========================================================
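
One way to triage the look.txt report that look.bat writes, as an added example that is not part of the original thread: it sorts the Uninstall subkeys into hotfix, GUID, bare-hex and named entries so the named ones can be read first, and lists directories dated on or after a chosen cutoff. The sample report is constructed, and the function names, the category labels, the cutoff date and the US-style `dir` date format are assumptions.

```python
import re
from datetime import datetime

# Registry key that look.bat queries; each subkey is one installed-program entry.
UNINSTALL = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"

GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
HOTFIX_RE = re.compile(r"^KB\d{6}")          # Windows update entries such as KBnnnnnn
HEX_RE = re.compile(r"^[0-9A-Fa-f]{16,}$")   # name is only a long hex string
# One directory row of `dir /ad` output (assumed US date/time format).
DIR_RE = re.compile(r"^(\d{2}/\d{2}/\d{4})\s+(\d{2}:\d{2} [AP]M)\s+<DIR>\s+(.+)$")
HEADER_RE = re.compile(r"^\s*Directory of (.+)$")


def classify_subkey(name):
    """Bucket an Uninstall subkey name; this says nothing about whether it is malicious."""
    if GUID_RE.match(name):
        return "guid"
    if HOTFIX_RE.match(name):
        return "hotfix"
    if HEX_RE.match(name):
        return "opaque"
    return "named"


def parse_look(text):
    """Return (subkey names, [(timestamp, parent directory, directory name)])."""
    subkeys, dirs, parent = [], [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith(UNINSTALL + "\\"):
            subkeys.append(line[len(UNINSTALL) + 1:])
            continue
        header = HEADER_RE.match(line)
        if header:
            parent = header.group(1).strip()
            continue
        row = DIR_RE.match(line)
        if row and row.group(3) not in (".", ".."):
            stamp = datetime.strptime(row.group(1) + " " + row.group(2),
                                      "%m/%d/%Y %I:%M %p")
            dirs.append((stamp, parent, row.group(3)))
    return subkeys, dirs


def triage(text, since):
    """Group subkeys by kind and list directories dated on or after `since`, newest first."""
    subkeys, dirs = parse_look(text)
    groups = {"named": [], "hotfix": [], "guid": [], "opaque": []}
    for name in subkeys:
        groups[classify_subkey(name)].append(name)
    recent = [(parent, name, stamp)
              for stamp, parent, name in sorted(dirs, key=lambda d: d[0], reverse=True)
              if stamp >= since]
    return groups, recent


# Constructed sample in the shape of look.txt; every name and date here is made up.
SAMPLE = r"""
! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Example Player

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB123456

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\0123456789abcdef0123456789abcdef

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{11111111-2222-3333-4444-555555555555}
 Volume in drive C has no label.

 Directory of C:\Program Files

07/29/2006  11:02 PM    <DIR>          .
07/29/2006  11:02 PM    <DIR>          ..
07/29/2006  11:02 PM    <DIR>          Example Scanner
07/12/2006  09:40 AM    <DIR>          exmpl
01/26/2006  01:30 AM    <DIR>          Example Player
"""

if __name__ == "__main__":
    groups, recent = triage(SAMPLE, datetime(2006, 7, 1))
    for kind, names in groups.items():
        print(f"{kind:7} {len(names):3}  {names}")
    for parent, name, stamp in recent:
        print(f"{stamp:%Y-%m-%d %H:%M}  {parent}\\{name}")
```

The "opaque" and "guid" buckets only mean the key name does not identify a product by itself; the DisplayName value under each key still has to be checked by hand.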

#5 Hostis Deus


Posted 01 August 2006 - 10:36 PM

Alright, here's what I got from look.bat:


! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\274c5407c4fa26908310cb5c1c410000

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Ad-Aware SE Personal

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AdobeESD

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AheadManual!UninstallKey

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AOL Uninstaller

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BitTorrent

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Blubster 2.5

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Branding

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectAnimation

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ewidoantispyware4

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Galactic Civilizations II

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Galactic Civilizations II Desktop

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\GameSpy Arcade

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\GoogleVideoPlayer

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HijackThis

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HP Photo & Imaging

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ICW

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\InstallShield Uninstall Information

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\InstallShield_{59C4F14F-7590-45FC-BE9F-A67AB3590709}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\InstallShield_{929408E6-D265-4174-805F-81D1D914E2A4}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IpWins

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB873333

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB873339

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB883939

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB884016

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB885250

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB885835

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB885836

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB885884

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB886185

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB887472

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB887742

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB887797

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB888113

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB888302

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB890046

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB890859

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB891781

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB893066

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB893086

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB893756

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB893803

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB893803v2

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB894391

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB896344

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB896358

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB896422

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB896423

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB896424

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB896428

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB896688

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB896727

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB898461

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB899587

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB899588

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB899589

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB899591

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB900485

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB900725

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB900930

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB901017

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB901214

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB902400

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB903235

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB904706

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB905414

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB905749

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB905915

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB908519

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB908531

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB910437

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB911280

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB911562

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB911564

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB911565

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB911567

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB911927

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB912812

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB912919

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB913446

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB913580

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB914388

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB914389

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB916281

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB916595

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB917159

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB917344

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB917734_WMP10

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB917953

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB918439

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\M886903

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Macromedia Shockwave Player

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft .NET Framework 1.1 (1033)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Money2005b

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox (1.5.0.5)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MRW!UninstallKey

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MSI30-Beta1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MSI30-Beta2

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MSI30-KB884016

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MSI30-RC1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MSI30-RC2

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MSI30a-KB884016

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MSI31-Beta

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MSI31-RC1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Nero - Burning Rom!UninstallKey

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NeroMultiInstaller!UninstallKey

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NeroVision!UninstallKey

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NetMeeting

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NMPUninstallKey

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NVEContent!UninstallKey

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NVIDIA Drivers

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\OutlookExpress

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Panda ActiveScan

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PCHealth

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PhotoShow Deluxe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PictureItPrem_v10

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PowerISO

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RealJukebox 1.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RealPlayer 6.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Rise of Nations Thrones and Patriots

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RiseOfNations 1.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Roguescanfix_is1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Ruckus Network Client

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Ruckus Player

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Shockwave

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ShockwaveFlash

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Spybot - Search & Destroy_is1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Starcraft

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ToolBar888

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ViewpointMediaPlayer

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VN_VUIns_Rhine_VIA

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WGA

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Winamp

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Windows Media Format Runtime

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Windows Media Player

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinMX

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinRAR archiver

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Works2005Setup

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\XviD_is1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Y1123Oin

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Yahoo! Companion


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BC339BFD-F550-471a-8D26-4D08126C62F7}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CB54ABA8-D67F-47AD-A76C-2631BADA9FE5}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CB83F10A-D02A-4aba-8843-ACAB50D48216}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CBE3E0AF-73BB-4c21-8B96-B09E003EDE7F}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CEB82887-24F8-4932-918A-E941050A5FAA}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CFBCE791-2D53-4FCE-B3FB-D6E01F4112E8}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D186329B-1B4D-408D-ABEC-EA5CE1F182C9}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{DCAED88A-A604-4461-9F14-29E63A4A3151}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{DE1AF137-C455-494A-A817-EFE44BCCFDEE}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E8BFBD0A-8002-4dc9-869C-E495FA9DCE7A}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E9FD4156-60F4-47BD-B846-7B6C10C14D1B}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{EB7F9360-D541-4caf-A2D1-F00ADC9E9B47}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F1E29B0E-94A4-4304-B993-4829FC2ED56C}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{FB08F381-6533-4108-B7DD-039E11FBC27E}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{FBBF532A-47AC-457d-AC06-0D3163D8911E}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{FF102450-55AA-4AE1-ACE4-E271E2470C83}
Volume in drive C has no label.
Volume Serial Number is F47C-1168

Directory of C:\Documents and Settings\Mark\Application Data

07/27/2006 02:53 PM <DIR> ..
07/27/2006 02:53 PM <DIR> .
07/26/2006 09:38 PM <DIR> Ahead
07/26/2006 09:31 PM <DIR> Simple Star
07/25/2006 03:23 AM <DIR> My Games
07/24/2006 11:00 PM <DIR> uTorrent
07/24/2006 10:29 PM <DIR> Microsoft
03/05/2006 02:42 AM <DIR> Microsoft Games
02/01/2006 02:00 PM <DIR> Real
01/31/2006 01:18 PM <DIR> CiscoCAA
01/26/2006 01:20 AM <DIR> acccore
01/15/2006 02:35 PM <DIR> Talkback
01/15/2006 02:31 PM <DIR> Apple Computer
11/28/2005 01:18 AM <DIR> Google
11/13/2005 06:08 PM <DIR> Leadertech
10/29/2005 05:41 PM <DIR> Ruckus Network
10/19/2005 10:29 PM <DIR> Sun
10/19/2005 10:12 PM <DIR> ourTunes
10/17/2005 02:14 AM <DIR> .bittorrent
10/12/2005 12:58 PM <DIR> Help
10/06/2005 07:06 PM <DIR> AdobeAUM
10/06/2005 07:06 PM <DIR> Adobe
10/03/2005 12:45 PM <DIR> Lavasoft
10/02/2005 03:52 PM <DIR> AdobeUM
10/01/2005 03:53 PM <DIR> uqm
09/25/2005 04:05 PM <DIR> Mozilla
08/03/2005 02:02 AM <DIR> Macromedia
08/01/2005 04:08 PM <DIR> Identities
0 File(s) 0 bytes
28 Dir(s) 18,966,900,736 bytes free
Volume in drive C has no label.
Volume Serial Number is F47C-1168

Directory of C:\Documents and Settings\All Users\Application Data

07/27/2006 03:24 AM <DIR> Spybot - Search & Destroy
07/27/2006 03:09 AM <DIR> ..
07/27/2006 03:09 AM <DIR> .
07/26/2006 09:24 PM <DIR> Ahead
07/07/2006 11:45 PM <DIR> Support.com
04/25/2006 01:05 PM <DIR> Network Associates
02/11/2006 03:51 PM <DIR> Microsoft
01/26/2006 12:30 AM <DIR> Viewpoint
01/26/2006 12:30 AM <DIR> AOL
01/26/2006 12:29 AM <DIR> AOL Downloads
10/22/2005 04:48 PM <DIR> Apple Computer
08/03/2005 11:11 PM <DIR> Adobe
08/02/2005 07:25 PM <DIR> nView_Profiles
08/01/2005 04:53 PM <DIR> Windows Genuine Advantage
0 File(s) 0 bytes
14 Dir(s) 18,966,900,736 bytes free
Volume in drive C has no label.
Volume Serial Number is F47C-1168

Directory of C:\Program Files

08/01/2006 09:06 PM <DIR> Mozilla Firefox
08/01/2006 08:55 PM <DIR> ..
08/01/2006 08:55 PM <DIR> .
08/01/2006 04:37 PM <DIR> ToolBar888
08/01/2006 04:05 PM <DIR> ipwins
08/01/2006 04:00 PM <DIR> ewido anti-spyware 4.0
07/31/2006 02:59 PM <DIR> Common Files
07/28/2006 01:03 PM <DIR> InstallShield Installation Information
07/27/2006 03:57 AM <DIR> Bonjour
07/27/2006 03:13 AM <DIR> Spybot - Search & Destroy
07/26/2006 09:30 PM <DIR> Simple Star
07/26/2006 09:29 PM <DIR> ahead
07/25/2006 03:13 AM <DIR> Firaxis Games
07/25/2006 03:03 AM <DIR> PowerISO
07/25/2006 01:53 AM <DIR> TClock
07/25/2006 01:53 AM <DIR> D-Tools
07/25/2006 01:53 AM <DIR> iTunes
07/25/2006 01:53 AM <DIR> QuickTime
07/25/2006 01:53 AM <DIR> Internet Explorer
07/24/2006 11:23 PM <DIR> Roguescanfix
07/24/2006 10:52 PM <DIR> Cowabanga
07/24/2006 10:27 PM <DIR> Human Head Studios
07/08/2006 12:43 AM <DIR> Google
07/07/2006 11:45 PM <DIR> SupportSoft
07/07/2006 11:45 PM <DIR> Qwest QuickConnect
05/04/2006 06:07 AM <DIR> Microsoft Games
04/25/2006 01:05 PM <DIR> Network Associates
04/24/2006 02:17 PM <DIR> iPod
04/13/2006 12:28 PM <DIR> Outlook Express
03/05/2006 09:55 PM <DIR> Stardock
03/04/2006 04:26 PM <DIR> Warcraft III
02/27/2006 10:39 AM <DIR> Shiny
02/26/2006 02:34 PM <DIR> Winamp
02/18/2006 11:11 PM <DIR> GameSpy Arcade
02/15/2006 09:23 AM <DIR> Windows Media Player
02/12/2006 11:41 PM <DIR> Blubster
02/12/2006 02:28 PM <DIR> EA GAMES
02/03/2006 01:58 PM <DIR> Sierra On-Line
02/01/2006 01:57 PM <DIR> Real
01/26/2006 11:30 AM <DIR> AOL
01/26/2006 12:30 AM <DIR> AOD
01/26/2006 12:30 AM <DIR> Viewpoint
01/23/2006 10:57 AM <DIR> Black Isle
01/16/2006 11:21 AM <DIR> XviD
01/15/2006 12:23 AM <DIR> Cisco Systems
12/12/2005 10:15 AM <DIR> microsoft money 2005
11/27/2005 09:35 PM <DIR> Starcraft
11/25/2005 04:22 AM <DIR> DOSBox-0.63
10/29/2005 05:40 PM <DIR> Ruckus Player
10/19/2005 09:22 PM <DIR> Java
10/19/2005 09:20 PM <DIR> netbeans-4.1
10/18/2005 03:52 PM <DIR> WinRAR
10/17/2005 02:13 AM <DIR> BitTorrent
10/07/2005 12:59 PM <DIR> Online Services
10/07/2005 12:59 PM <DIR> Windows NT
10/03/2005 12:45 PM <DIR> Lavasoft
09/02/2005 02:06 AM <DIR> MyWay
09/02/2005 02:06 AM <DIR> WinMX
08/23/2005 04:43 PM <DIR> HP
08/21/2005 03:40 PM <DIR> Picture It! Premium 10
08/21/2005 03:32 PM <DIR> Microsoft Works
08/21/2005 03:31 PM <DIR> Microsoft ActiveSync
08/21/2005 03:31 PM <DIR> Microsoft Office
08/21/2005 03:26 PM <DIR> Microsoft Works Suite 2005
08/06/2005 09:49 PM <DIR> JavaSoft
08/03/2005 11:10 PM <DIR> Adobe
08/01/2005 04:58 PM <DIR> Messenger
08/01/2005 03:48 PM <DIR> Uninstall Information
08/01/2005 03:33 PM <DIR> xerox
08/01/2005 03:33 PM <DIR> microsoft frontpage
08/01/2005 03:31 PM <DIR> WindowsUpdate
08/01/2005 03:31 PM <DIR> NetMeeting
08/01/2005 03:30 PM <DIR> Movie Maker
08/01/2005 03:29 PM <DIR> ComPlus Applications
08/01/2005 03:29 PM <DIR> MSN Gaming Zone
08/01/2005 03:29 PM <DIR> MSN
0 File(s) 0 bytes
76 Dir(s) 18,966,896,640 bytes free
Volume in drive C has no label.
Volume Serial Number is F47C-1168

Directory of C:\Program Files\Common Files

08/01/2006 04:36 PM <DIR> {F47C1168-0898-1033-0205-050408050001}
07/31/2006 02:59 PM <DIR> ..
07/31/2006 02:59 PM <DIR> .
07/31/2006 03:59 AM <DIR> wurq
07/26/2006 09:26 PM <DIR> Ahead
04/25/2006 01:05 PM <DIR> Network Associates
04/24/2006 01:18 PM <DIR> xing shared
04/24/2006 01:18 PM <DIR> Real
04/13/2006 12:28 PM <DIR> System
03/05/2006 09:55 PM <DIR> Stardock
02/11/2006 03:52 PM <DIR> Microsoft Shared
01/26/2006 12:30 AM <DIR> AOL
01/26/2006 12:30 AM <DIR> Nullsoft
10/22/2005 04:48 PM <DIR> InstallShield
10/19/2005 09:15 PM <DIR> Java
08/23/2005 04:42 PM <DIR> Hewlett-Packard
08/23/2005 04:39 PM <DIR> HP
08/21/2005 03:31 PM <DIR> Designer
08/20/2005 01:17 PM <DIR> Cisco Systems
08/03/2005 11:11 PM <DIR> Adobe
08/01/2005 03:31 PM <DIR> Services
08/01/2005 03:30 PM <DIR> MSSoap
08/01/2005 09:19 AM <DIR> ODBC
08/01/2005 09:19 AM <DIR> SpeechEngines
0 File(s) 0 bytes
24 Dir(s) 18,966,163,456 bytes free





And here's what I got from the ewido report:

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 8:55:36 PM 8/1/2006

+ Scan result:



HKU\S-1-5-21-1123561945-562591055-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EA0D26BD-9029-431A-86E0-83152D67828A} -> Adware.180Solutions : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{873eb32d-ae1a-4183-89bd-45a77f761be4} -> Adware.Generic : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{873eb32d-ae1a-4183-89bd-45a77f761be4} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-1123561945-562591055-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{873EB32D-AE1A-4183-89BD-45A77F761BE4} -> Adware.Generic : Cleaned with backup (quarantined).
C:\WINDOWS\system32\awtspnk.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\Program Files\whInstall -> Adware.Webhancer : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\MediaGatewayX.dll -> Adware.WinAD : Cleaned with backup (quarantined).
C:\quarantine\085A6C1Ad01.Vir/crack.exe -> Downloader.Agent.xq : Error during cleaning.
C:\quarantine\2b6bv53s.zip.Vir/crack.exe -> Downloader.Agent.xq : Error during cleaning.
C:\WINDOWS\Temp\win5FC.tmp.exe -> Downloader.Obfuscated.a : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\win645.tmp.exe -> Downloader.Obfuscated.a : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\win6D9.tmp.exe -> Downloader.Obfuscated.a : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\win6F1.tmp.exe -> Downloader.Obfuscated.a : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\win737.tmp.exe -> Downloader.Obfuscated.a : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\win1B.tmp.exe -> Downloader.Small : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\win5F3.tmp.exe -> Downloader.Small : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\win5FC.tmp -> Downloader.Small : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\win6B3.tmp.exe -> Downloader.Small : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\win6E4.tmp.exe -> Downloader.Small : Cleaned with backup (quarantined).
C:\Program Files\Common Files\wurq\wurqp.exe -> Downloader.TSUpdate.f : Cleaned with backup (quarantined).
C:\Program Files\Common Files\wurq\wurqa.exe -> Downloader.TSUpdate.l : Cleaned with backup (quarantined).
C:\Program Files\Common Files\wurq\wurql.exe -> Downloader.TSUpdate.r : Cleaned with backup (quarantined).
C:\WINDOWS\system32\ixt0.dll -> Downloader.Zlob.aas : Cleaned with backup (quarantined).
C:\WINDOWS\system32\ixt1.dll -> Downloader.Zlob.aas : Cleaned with backup (quarantined).
C:\Documents and Settings\Mark\Local Settings\Temporary Internet Files\Content.IE5\BCVPXX53\l11[1].exe -> Downloader.Zlob.aav : Cleaned with backup (quarantined).
C:\WINDOWS\system32\components\flx5.dll -> Not-A-Virus.Hoax.Win32.Renos.dw : Cleaned with backup (quarantined).

#6 Buckeye_Sam

Malware Expert

Posted 02 August 2006 - 04:22 PM

Please click Start -> Control Panel -> Add/Remove Programs and uninstall these programs:

IpWins
ToolBar888
ViewpointMediaPlayer
Y1123Oin



Reboot your computer.



Delete these folders, if present.

C:\Program Files\ToolBar888
C:\Program Files\ipwins
C:\Program Files\TClock
C:\Program Files\Cowabanga
C:\Program Files\Viewpoint
C:\Program Files\Common Files\wurq



===============




Download SmitfraudFix (by S!Ri) to your Desktop.
Extract all the files to your Desktop. A folder named SmitfraudFix will be created on your Desktop.


Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press Enter
This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#7 Hostis Deus


Posted 02 August 2006 - 09:08 PM

It all went well, except that I couldn't find Y1123Oin in the add/remove programs list.

Here's the SmitfraudFix Report:

SmitFraudFix v2.79

Scan done at 20:03:06.98, Wed 08/02/2006
Run from C:\Documents and Settings\Mark\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode

C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32

C:\WINDOWS\system32\ishost.exe FOUND !
C:\WINDOWS\system32\ismon.exe FOUND !
C:\WINDOWS\system32\isnotify.exe FOUND !
C:\WINDOWS\system32\issearch.exe FOUND !
C:\WINDOWS\system32\ixt?.dll FOUND !
C:\WINDOWS\system32\ixt??.dll FOUND !
C:\WINDOWS\system32\ot.ico FOUND !
C:\WINDOWS\system32\ts.ico FOUND !
C:\WINDOWS\system32\components\flx?.dll FOUND !
C:\WINDOWS\system32\components\flx??.dll FOUND !
C:\WINDOWS\system32\components\flx???.dll FOUND !

C:\Documents and Settings\Mark\Application Data


Start Menu


C:\DOCUME~1\Mark\FAVORI~1

C:\DOCUME~1\Mark\FAVORI~1\Antivirus Test Online.url FOUND !

Desktop

C:\DOCUME~1\ALLUSE~1\Desktop\Online Security Guide.url FOUND !
C:\DOCUME~1\ALLUSE~1\Desktop\Security Troubleshooting.url FOUND !

C:\Program Files


Corrupted keys


Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

Scanning wininet.dll infection


End

#8 Buckeye_Sam


Posted 04 August 2006 - 09:42 AM

Please print out or copy these instructions/tutorial to Notepad as the internet will not be available to you at certain points of the removal process (while in Safe Mode). Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.


1. Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.
2. Run Smitfraud
  • Open the SmitfraudFix Folder, then double-click smitfraudfix.cmd file to start the tool.
  • Select option #2 - Clean by typing 2 and press Enter.
  • Wait for the tool to complete and disk cleanup to finish.
  • You will be prompted: "Registry cleaning - Do you want to clean the registry ?" Answer Yes by typing Y and hit Enter.
  • The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.


    A reboot may be needed to finish the cleaning process. If your computer does not restart automatically, please do it yourself manually. Reboot in Safe Mode.

    The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.
3. Clean out your Temporary Internet files
  • Quit Internet Explorer and quit any instances of Windows Explorer.
  • Click Start -> Control Panel and then double-click Internet Options.
  • On the General tab, click Delete Files under Temporary Internet Files.
  • In the Delete Files dialog box, tick the Delete all offline content check box, and then click OK.
  • On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
  • Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
  • Click OK.
4. Next Click Start -> Control Panel and then double-click Display.
  • Click on the Desktop tab, then click the Customize Desktop button.
  • Click on the Web tab.
  • Under Web Pages you may see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button.
  • Click Ok then Apply and Ok.
5. Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.


6. Launch Ewido-Anti-spyware by double-clicking the icon on your desktop.
  • IMPORTANT: Do not open any other windows or programs while ewido is scanning, it may interfere with the scanning process.

  • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  • Ewido will now begin the scanning process, be patient this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted, then select "Apply all actions"
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  • Close Ewido.
7. Reboot back into Normal Windows Mode


8. Run SmitfraudFix.
  • Open the SmitfraudFix folder and double-click smitfraudfix.cmd
  • Select option #3 - Delete Trusted zone by typing 3 and press Enter


    Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.
9. Please Post the following logs:
  • c:\rapport.txt
  • Ewido log
  • A new HijackThis log
You may need several replies to post the requested logs, otherwise they might get cut off.


#9 Hostis Deus


Posted 04 August 2006 - 04:43 PM

As I told you before, I can't restart in safe mode. The error message it gives me every time I try is the following:

"We apologize for the inconvenience, but Windows did not start successfully. A recent hardware or software change might have caused this.

If your computer stopped responding, restarted unexpectedly, or was automatically shut down to protect your files or folders, choose Last Known Good Configuration to revert to the most recent settings that worked.

If a previous startup attempt was interrupted due to a power failure or because the power or reset button was pressed, or if you aren't sure what caused the problem, choose Start Windows Normally.

Safe Mode
Safe Mode with Networking
Safe Mode with Command Prompt

Last Known Good Configuration (your most recent settings that worked)

Start Windows Normally

Use the up and down arrow keys to move the highlight to your choice."

I haven't made any changes to software or hardware myself since the last time I was able to start in Safe Mode. In fact, I started in safe mode to remove SpyWare Quake just two days before posting my HijackThis log.

#10 Buckeye_Sam


Posted 04 August 2006 - 09:59 PM

I'm sorry. It's a canned speech and I forgot to edit it for you.

Run through the entire fix that I posted in normal mode.

#11 Hostis Deus


Posted 04 August 2006 - 11:33 PM

Alright, it's all scanned and everything. Here's the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 10:27:19 PM, on 8/4/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\AOL\1138257019\ee\AOLSoftware.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\Program Files\PowerISO\SCDEmuApp.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\system32\ea104939.exe
C:\Program Files\Common Files\{F47C1168-0898-1033-0205-050408050001}\Update.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\xtras\mssysmgr.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll (file missing)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1138257019\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [SCDEmuApp.exe] C:\Program Files\PowerISO\SCDEmuApp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [ea104939.exe] C:\WINDOWS\system32\ea104939.exe
O4 - HKLM\..\Run: [ToolbarInstall] C:\Program Files\InetGet2\MirarSetup_876072.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TClock.exe] C:\Program Files\TClock\tclock_install.exe
O4 - HKCU\..\Run: [wurq] C:\PROGRA~1\COMMON~1\wurq\wurqm.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\xtras\mssysmgr.exe
O4 - HKCU\..\Run: [ea104939.exe] C:\Documents and Settings\Mark\Local Settings\Application Data\ea104939.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Clean Access Agent.lnk = C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://www.shockwave.com/content/ricochetl...bGameLoader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1122936399062
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1137306532125
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe



And rapport.txt:

SmitFraudFix v2.79

Scan done at 15:43:55.03, Fri 08/04/2006
Run from C:\Documents and Settings\Mark\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode

Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

Killing process


Generic Renos Fix

GenericRenosFix by S!Ri


Deleting infected files

Problem while deleting C:\WINDOWS\system32\ishost.exe
Problem while deleting C:\WINDOWS\system32\ismon.exe
C:\WINDOWS\system32\isnotify.exe Deleted
C:\WINDOWS\system32\issearch.exe Deleted
Problem while deleting C:\WINDOWS\system32\ixt?.dll
Problem while deleting C:\WINDOWS\system32\ixt??.dll
C:\WINDOWS\system32\ot.ico Deleted
C:\WINDOWS\system32\components\flx?.dll Deleted
C:\WINDOWS\system32\components\flx??.dll Deleted
C:\DOCUME~1\Mark\FAVORI~1\Antivirus Test Online.url Deleted
C:\Program Files\Safety Bar\ Deleted

Deleting Temp Files


Registry Cleaning

Registry Cleaning done.

After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


Reboot

C:\WINDOWS\system32\ishost.exe Deleted
C:\WINDOWS\system32\ismon.exe Deleted
C:\WINDOWS\system32\ixt?.dll Deleted

End



And finally, the Ewido log:

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 10:21:31 PM 8/4/2006

+ Scan result:



HKU\S-1-5-21-1123561945-562591055-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{873EB32D-AE1A-4183-89BD-45A77F761BE4} -> Adware.Generic : No action taken.
C:\quarantine\085A6C1Ad01.Vir/crack.exe -> Downloader.Agent.xq : No action taken.
C:\quarantine\2b6bv53s.zip.Vir/crack.exe -> Downloader.Agent.xq : No action taken.
C:\WINDOWS\Temp\win811.tmp.exe -> Downloader.Obfuscated.a : No action taken.
:mozilla.213:C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\4tqd5y7k.default\cookies.txt -> TrackingCookie.Trafficmp : No action taken.
:mozilla.214:C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\4tqd5y7k.default\cookies.txt -> TrackingCookie.Trafficmp : No action taken.
:mozilla.218:C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\4tqd5y7k.default\cookies.txt -> TrackingCookie.Trafficmp : No action taken.
:mozilla.219:C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\4tqd5y7k.default\cookies.txt -> TrackingCookie.Trafficmp : No action taken.
:mozilla.25:C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\4tqd5y7k.default\cookies.txt -> TrackingCookie.Tribalfusion : No action taken.
:mozilla.26:C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\4tqd5y7k.default\cookies.txt -> TrackingCookie.Tribalfusion : No action taken.
:mozilla.27:C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\4tqd5y7k.default\cookies.txt -> TrackingCookie.Tribalfusion : No action taken.
:mozilla.285:C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\4tqd5y7k.default\cookies.txt -> TrackingCookie.Valueclick : No action taken.
:mozilla.244:C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\4tqd5y7k.default\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.
:mozilla.330:C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\4tqd5y7k.default\cookies.txt -> TrackingCookie.Zedo : No action taken.
:mozilla.331:C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\4tqd5y7k.default\cookies.txt -> TrackingCookie.Zedo : No action taken.
:mozilla.332:C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\4tqd5y7k.default\cookies.txt -> TrackingCookie.Zedo : No action taken.
:mozilla.333:C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\4tqd5y7k.default\cookies.txt -> TrackingCookie.Zedo : No action taken.
:mozilla.334:C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\4tqd5y7k.default\cookies.txt -> TrackingCookie.Zedo : No action taken.
C:\quarantine\yvcyeddj.exe.Vir -> Trojan.Agent.ny : No action taken.


::Report end

#12 Buckeye_Sam


Posted 05 August 2006 - 07:59 PM

Run HijackThis again, click Scan, and put a checkmark next to each of the lines listed below. Then close all other windows (you should only see HijackThis on your Desktop) and click the Fix Checked button.

O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll (file missing)
O4 - HKLM\..\Run: [ea104939.exe] C:\WINDOWS\system32\ea104939.exe
O4 - HKLM\..\Run: [ToolbarInstall] C:\Program Files\InetGet2\MirarSetup_876072.exe
O4 - HKCU\..\Run: [TClock.exe] C:\Program Files\TClock\tclock_install.exe
O4 - HKCU\..\Run: [wurq] C:\PROGRA~1\COMMON~1\wurq\wurqm.exe
O4 - HKCU\..\Run: [ea104939.exe] C:\Documents and Settings\Mark\Local Settings\Application Data\ea104939.exe



==================



Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):



    C:\WINDOWS\system32\ea104939.exe
    C:\Program Files\InetGet2\MirarSetup_876072.exe
    C:\Program Files\TClock\tclock_install.exe
    C:\PROGRA~1\COMMON~1\wurq\wurqm.exe
    C:\Documents and Settings\Mark\Local Settings\Application Data\ea104939.exe
    C:\Program Files\Common Files\{F47C1168-0898-1033-0205-050408050001}\Update.exe



  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

    If your computer does not restart automatically, please restart it manually.

  • After rebooting, open up Killbox again. Click File -> Logs -> Actions History Log
  • Post this log in your next reply.
==============


Now delete these folders.

C:\Program Files\InetGet2
C:\Program Files\TClock
C:\Program Files\Common Files\wurq
C:\Program Files\Common Files\{F47C1168-0898-1033-0205-050408050001}



===============




Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Put a check next to Run VundoFix as a task.
  • You will receive a message saying VundoFix will close and re-open in a minute or less. Click OK.
  • When VundoFix re-opens, click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files; click YES.
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shut down your computer; click OK.
  • Turn your computer back on.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#13 Hostis Deus


Posted 06 August 2006 - 01:47 AM

Well, Atribune's website seems to be down, and I can't find VundoFix.exe anywhere. I posted the other logs below. I haven't seen any signs of further infection (yet... knock on wood), but I can't be certain I'm rid of everything just yet.

Here's the Killbox log:

Pocket Killbox version 2.0.0.648
Running on Windows XP as Mark(Administrator)
was started @ Sunday, August 06, 2006, 12:22 AM

# 1 [Delete on Reboot]
Path = C:\WINDOWS\system32\ea104939.exe


# 2 [Delete on Reboot]
Path = C:\Documents and Settings\Mark\Local Settings\Application Data\ea104939.exe


# 3 [Delete on Reboot]
Path = C:\Program Files\Common Files\{F47C1168-0898-1033-0205-050408050001}\Update.exe


I Rebooted @ 12:24:02 AM
Killbox Closed(Exit) @ 12:24:04 AM
__________________________________________________

Pocket Killbox version 2.0.0.648
Running on Windows XP as Mark(Administrator)
was started @ Sunday, August 06, 2006, 12:42 AM



And the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 12:43:23 AM, on 8/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ishost.exe
C:\WINDOWS\system32\issearch.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\WINDOWS\system32\ismon.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\AOL\1138257019\ee\AOLSoftware.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\Program Files\PowerISO\SCDEmuApp.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\xtras\mssysmgr.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
O3 - Toolbar: Safety Bar - {052b12f7-86fa-4921-8482-26c42316b522} - C:\Program Files\Safety Bar\Safety Bar.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1138257019\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [SCDEmuApp.exe] C:\Program Files\PowerISO\SCDEmuApp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\xtras\mssysmgr.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Clean Access Agent.lnk = C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://www.shockwave.com/content/ricochetl...bGameLoader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1122936399062
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1137306532125
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
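
A check that can be run over the two logs in post #13 to see which of the file paths listed in post #12 Killbox actually queued for deletion, and whether any of them still appears in a Run key. This is an added example, not part of the original thread: the function names are hypothetical, and the log excerpts are trimmed copies of the text above.

```python
import re

# File paths the helper listed for Killbox in post #12 (copied from the thread).
REQUESTED = [
    r"C:\WINDOWS\system32\ea104939.exe",
    r"C:\Program Files\InetGet2\MirarSetup_876072.exe",
    r"C:\Program Files\TClock\tclock_install.exe",
    r"C:\PROGRA~1\COMMON~1\wurq\wurqm.exe",
    r"C:\Documents and Settings\Mark\Local Settings\Application Data\ea104939.exe",
    r"C:\Program Files\Common Files\{F47C1168-0898-1033-0205-050408050001}\Update.exe",
]

# Trimmed excerpts of the Killbox and HijackThis logs from post #13.
KILLBOX_LOG = r"""
# 1 [Delete on Reboot]
Path = C:\WINDOWS\system32\ea104939.exe

# 2 [Delete on Reboot]
Path = C:\Documents and Settings\Mark\Local Settings\Application Data\ea104939.exe

# 3 [Delete on Reboot]
Path = C:\Program Files\Common Files\{F47C1168-0898-1033-0205-050408050001}\Update.exe
"""
HJT_LOG = r"""
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\xtras\mssysmgr.exe
"""

KILLBOX_ENTRY = re.compile(r"^#\s*\d+\s*\[([^\]]+)\][ \t]*\r?\n+Path\s*=\s*(.+?)\s*$", re.M)
HJT_RUN = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[([^\]]+)\] (.+?)\s*$", re.M)

def norm(path):
    """Case-insensitive form for comparison (Windows paths ignore case)."""
    return path.strip().strip('"').lower()

def killbox_queued(log):
    """Paths the Killbox log records, whatever the bracketed action was."""
    return {norm(path) for _action, path in KILLBOX_ENTRY.findall(log)}

def run_entries(log):
    """(hive, value name, command) for each O4 Run-key line; Startup-folder lines are skipped."""
    return HJT_RUN.findall(log)

def remediation_status(requested, killbox_log, hjt_log):
    """Per requested path: was it logged by Killbox, and does a Run key still launch it?
    Limitation: 8.3 short names (PROGRA~1) are compared as text, not resolved to long names."""
    queued = killbox_queued(killbox_log)
    commands = [cmd.lower() for _hive, _name, cmd in run_entries(hjt_log)]
    return {p: {"queued": norm(p) in queued,
                "still_autostarts": any(norm(p) in c for c in commands)}
            for p in requested}

if __name__ == "__main__":
    for path, state in remediation_status(REQUESTED, KILLBOX_LOG, HJT_LOG).items():
        print(f"{path}\n    queued={state['queued']}  still_autostarts={state['still_autostarts']}")
```

On these excerpts, three of the six requested paths appear in the Killbox log and none is launched from a Run key in the new HijackThis log; the logs do not say why the other three were not recorded.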

#14 Buckeye_Sam


Posted 06 August 2006 - 08:12 AM

VundoFix is a vital step. That download is working for me now. Retry it and run that tool as soon as possible.

#15 Hostis Deus


Posted 07 August 2006 - 12:11 AM

VundoFix didn't find anything:


VundoFix V5.1.7

Running as SYSTEM
from c:\windows\system32\VundoFix.exe

Checking Java version...

Java version is 1.5.0.5

Scan started at 11:05:02 PM 8/6/2006

Listing files found while scanning....

No infected files were found.


Beginning removal...



