
Url.cpvfeed.com Popups Please Help Hijackthis Posted


  • This topic is locked
9 replies to this topic

#1 davisfoos


  • Members
  • 37 posts

Posted 24 May 2007 - 09:22 AM

This has been a real pain for the last week. I hope I have come to the right place. Here is my HijackThis log and my Ad-Aware log.

Logfile of HijackThis v1.99.1
Scan saved at 8:58:59 AM, on 5/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Citrix\GoToMyPC\g2svc.exe
C:\Program Files\Citrix\GoToMyPC\g2comm.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Citrix\GoToMyPC\g2pre.exe
C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\SolidPdfService.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Citrix\GoToMyPC\g2tray.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Belkin\F1U201.401\usbshare.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\davisfoos\Desktop\hijackthis_sfx.exe
C:\PROGRAM FILES\HIJACKTHIS\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [GoToMyPC] C:\Program Files\Citrix\GoToMyPC\g2svc.exe -logon
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: UHaulMessenger.lnk = C:\Program Files\UHaul\UHaulMessenger\AppStart.exe
O4 - Global Startup: F1U201.401.lnk = ?
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: CDPoker - {A68FC757-51CF-4f3c-B13A-BFB8CA69BB99} - C:\Poker\CDPoker\casino.exe
O9 - Extra 'Tools' menuitem: CDPoker - {A68FC757-51CF-4f3c-B13A-BFB8CA69BB99} - C:\Poker\CDPoker\casino.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1174610496530
O16 - DPF: {E6ACF817-0A85-4EBE-9F0A-096C6488CFEA} (NTR ActiveX 1.1.8) - http://na.ntrsupport.com/inquiero/mod/setu...tivex118_24.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: GoToMyPC - C:\Program Files\Citrix\GoToMyPC\G2WinLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\System32\svchosts.exe" -e te-110-12-0000213 (file missing)
O23 - Service: GoToMyPC - Unknown owner - C:\Program Files\Citrix\GoToMyPC\g2svc.exe" -service (file missing)
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: QuickBooks Database Manager Service (QBCFMonitorService) - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: QuickBooksDB17 - iAnywhere Solutions, Inc. - C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe
O23 - Service: SolidPDFConverterReadSpool (ScReadSpool) - VoyagerSoft, LLC - C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\SolidPdfService.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)



Here is the ad-aware log

- <XoftSpy>
<Meta info="XoftSpySE-SP1 Tech-Support Log" time="24-05-2007-07-50-40" />
<SysInfo Operating-System="Win XP" Service-Pack="Service Pack 2" XoftSpy-Version="4.31" DB-Version="240" DB-Date="2007/5/23" Working-Dir="C:\Program Files\XoftSpySE\" License-Key="3D802-EA820-83614-BBB2C" Vendor-ID="1" Product-ID="1" Auto-DB-Update="on" Auto-Program-Update="on" Auto-Removal="on" Exit-When-Finished="on" />
<ScanSettings scanActive="true" scanRegistry="true" scanSysFolders="true" scanDrives="true" scanHosts="true" scanAdvScan="true" />
- <Processes>
<Process name="C:\WINDOWS\system32\services.exe" md5="c6ce6eec82f187615d1002bb3bb50ed4" />
<Process name="C:\WINDOWS\system32\lsass.exe" md5="84885f9b82f4d55c6146ebf6065d75d2" />
<Process name="C:\WINDOWS\system32\svchost.exe" md5="8f078ae4ed187aaabc0a305146de6716" />
<Process name="C:\WINDOWS\system32\svchost.exe" md5="8f078ae4ed187aaabc0a305146de6716" />
<Process name="C:\WINDOWS\System32\svchost.exe" md5="8f078ae4ed187aaabc0a305146de6716" />
<Process name="C:\WINDOWS\System32\svchost.exe" md5="8f078ae4ed187aaabc0a305146de6716" />
<Process name="C:\WINDOWS\System32\svchost.exe" md5="8f078ae4ed187aaabc0a305146de6716" />
<Process name="C:\WINDOWS\system32\spoolsv.exe" md5="da81ec57acd4cdc3d4c51cf3d409af9f" />
<Process name="C:\Program Files\Citrix\GoToMyPC\g2svc.exe" md5="7e450e5199a0bddd6e8e8e1b9e53e7bd" />
<Process name="c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" md5="d07c9575726797b0e9069e1108a1c483" />
<Process name="C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe" md5="344d8c9534f768b094c57c6a53fd165b" />
<Process name="C:\Program Files\Citrix\GoToMyPC\g2comm.exe" md5="1b42583626c722a89ad987e066b9c770" />
<Process name="C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe" md5="669dca0d24140ec9c2b4d70b90814352" />
<Process name="C:\Program Files\Citrix\GoToMyPC\g2pre.exe" md5="3cea3bbbff3b0e46490eda61cbbfbf19" />
<Process name="C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\SolidPdfService.exe" md5="48ed93aaee764fee0b54e94a916e69cf" />
<Process name="c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe" md5="d2b096cd2f56fac6eeeed9a77ddf6dc8" />
<Process name="c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" md5="54902536aad0e9b99bc65f89c0caf93f" />
<Process name="C:\WINDOWS\System32\svchost.exe" md5="8f078ae4ed187aaabc0a305146de6716" />
<Process name="C:\WINDOWS\System32\wdfmgr.exe" md5="ab0a7ca90d9e3d6a193905dc1715ded0" />
<Process name="C:\Program Files\RealVNC\VNC4\WinVNC4.exe" md5="bda11f9ab8629313950cef60ec1dbe1d" />
<Process name="C:\Program Files\Citrix\GoToMyPC\g2tray.exe" md5="d668d13b2f7335a1d4e8d52612d53d16" />
<Process name="C:\WINDOWS\System32\alg.exe" md5="f1958fbf86d5c004cf19a5951a9514b7" />
<Process name="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" md5="38d198a2dd54a67120040566a38103ba" />
<Process name="C:\WINDOWS\system32\ctfmon.exe" md5="24232996a38c0b0cf151c2140ae29fc8" />
<Process name="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" md5="8af31d79097e3e6bef01758a56b6f264" />
<Process name="C:\WINDOWS\system32\wscntfy.exe" md5="49911dd39e023bb6c45e4e436cfbd297" />
<Process name="C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe" md5="1e51ae8e21c63e15e99914946c77f261" />
<Process name="C:\Program Files\Belkin\F1U201.401\usbshare.exe" md5="bb633ed02fe2e7fa8350b23656eeb970" />
<Process name="C:\WINDOWS\system32\devldr32.exe" md5="e96b10537eb5024273480554bfffe23d" />
<Process name="C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe" md5="12c695f50229b71a0c9a7f876d6b24c1" />
<Process name="C:\Documents and Settings\davisfoos\Local Settings\Apps\2.0\6WHE9R48.VJP\93ATE3B4.Y8W\mrmo..tion_965f8d0e20ecf1b4_0004.0000_f4f6034928d412ee\Mr Mover Manager Version 4.exe" md5="ba97236a32de45de19ed9c928942a3f3" />
<Process name="C:\WINDOWS\explorer.exe" md5="a0732187050030ae399b241436565e64" />
<Process name="C:\Program Files\Internet Explorer\IEXPLORE.EXE" md5="683dde71bcf03b501b912d20cb93b549" />
<Process name="C:\PROGRA~1\MOZILL~1\FIREFOX.EXE" md5="7b4eff333f1b963812f6bedc06ca2758" />
<Process name="C:\Program Files\UHaul\UHaulMessenger\AppStart.exe" md5="743235ad3a96af606ab1007704eb40e4" />
<Process name="C:\Program Files\UHaul\UHaulMessenger\1.0.1.22\UHaulMessenger.exe" md5="2525bc0dc817fc49c3ceff86a3534676" />
<Process name="C:\Program Files\XoftSpySE\XoftSpy.exe" md5="4cc4ba503964d5040d9a5d27a59684f3" />
<Process name="C:\Program Files\Intuit\QuickBooks 2007\qbw32.exe" md5="7b6fa0621dab3e7a1cebd700d43d68d6" />
<Process name="C:\Program Files\Common Files\Intuit\QuickBooks\axlbridge.exe" md5="17914302964d3be6ca477db70b4f4870" />
</Processes>
- <Registry>
- <RegKey name="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\system.ini\boot">
<RegValue name="" type="REG_SZ" data="SYS:Microsoft\Windows NT\CurrentVersion\WOW\boot" />
<RegValue name="ScreenSaverActive" type="REG_SZ" data="USR:Control Panel\Desktop" />
<RegValue name="ScreenSaverIsSecure" type="REG_SZ" data="USR:Control Panel\Desktop" />
- <RegValue name="SCRNSAVE.EXE" type="REG_SZ" data="USR:Control Panel\Desktop">
<File name="SCRNSAVE.EXE" expanded-name="SCRNSAVE.EXE" md5="could not open file for md5 calculation" />
</RegValue>
<RegValue name="Shell" type="REG_SZ" data="SYS:Microsoft\Windows NT\CurrentVersion\Winlogon" />
</RegKey>
- <RegKey name="HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings">
- <RegValue name="User Agent" type="REG_SZ" data="Mozilla/4.0 (compatible; MSIE 7.0; Win32)">
<File name="MSIE 7.0" expanded-name="MSIE 7.0" md5="could not open file for md5 calculation" />
</RegValue>
- <RegValue name="IE5_UA_Backup_Flag" type="REG_SZ" data="5.0">
<File name="5.0" expanded-name="5.0" md5="could not open file for md5 calculation" />
</RegValue>
<RegValue name="NoNetAutodial" type="REG_DWORD" data="0x00000000" />
<RegValue name="MigrateProxy" type="REG_DWORD" data="0x00000001" />
<RegValue name="EnableNegotiate" type="REG_DWORD" data="0x00000001" />
<RegValue name="ProxyEnable" type="REG_DWORD" data="0x00000000" />
<RegValue name="EmailName" type="REG_SZ" data="IEUser@" />
- <RegValue name="AutoConfigProxy" type="REG_SZ" data="wininet.dll">
<File name="wininet.dll" expanded-name="C:\WINDOWS\system32\wininet.dll" md5="5b35dae6e4886f64d1da58c4e3e01eb9" />
</RegValue>
<RegValue name="MimeExclusionListForCache" type="REG_SZ" data="multipart/mixed multipart/x-mixed-replace multipart/x-byteranges" />
<RegValue name="WarnOnPost" type="REG_BINARY" data="N/A" />
<RegValue name="UseSchannelDirectly" type="REG_BINARY" data="N/A" />
<RegValue name="EnableHttp1_1" type="REG_DWORD" data="0x00000001" />
<RegValue name="PrivacyAdvanced" type="REG_DWORD" data="0x00000000" />
<RegValue name="WarnOnZoneCrossing" type="REG_DWORD" data="0x00000000" />
<RegValue name="PrivDiscUiShown" type="REG_DWORD" data="0x00000001" />
<RegValue name="EnableAutodial" type="REG_DWORD" data="0x00000000" />
<RegValue name="UrlEncoding" type="REG_DWORD" data="0x00000000" />
<RegValue name="SecureProtocols" type="REG_DWORD" data="0x000000a0" />
<RegValue name="DisableCachingOfSSLPages" type="REG_DWORD" data="0x00000000" />
<RegValue name="CertificateRevocation" type="REG_DWORD" data="0x00000000" />
</RegKey>
- <RegKey name="HKEY_LOCAL_MACHINE\SOFTWARE\Classes\htafile\shell\open\command">
- <RegValue name="" type="REG_SZ" data="C:\WINDOWS\system32\mshta.exe "%1" %*">
<File name="C:\WINDOWS\system32\mshta.exe "%1" %*" expanded-name="C:\WINDOWS\system32\mshta.exe "%1" %*" md5="could not open file for md5 calculation" />
</RegValue>
</RegKey>
- <RegKey name="HKEY_LOCAL_MACHINE\SOFTWARE\Classes\scrfile\shell\open\command">
<RegValue name="" type="REG_SZ" data=""%1" /S" />
</RegKey>
- <RegKey name="HKEY_LOCAL_MACHINE\SOFTWARE\Classes\piffile\shell\open\command">
<RegValue name="" type="REG_SZ" data=""%1" %*" />
</RegKey>
- <RegKey name="HKEY_LOCAL_MACHINE\SOFTWARE\Classes\batfile\shell\open\command">
<RegValue name="" type="REG_SZ" data=""%1" %*" />
</RegKey>
- <RegKey name="HKEY_LOCAL_MACHINE\SOFTWARE\Classes\comfile\shell\open\command">
<RegValue name="" type="REG_SZ" data=""%1" %*" />
</RegKey>
- <RegKey name="HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command">
<RegValue name="" type="REG_SZ" data=""%1" %*" />
</RegKey>
- <RegKey name="HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar">
<RegValue name="LinksFolderName" type="REG_SZ" data="Links" />
<RegValue name="Locked" type="REG_DWORD" data="0x00000001" />
<RegValue name="SaveLinksOrder" type="REG_BINARY" data="N/A" />
<RegValue name="ShowDiscussionButton" type="REG_SZ" data="Yes" />
</RegKey>
- <RegKey name="HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar">
- <RegValue name="{EF99BD32-C1FB-11D2-892F-0090271D4F88}" type="REG_BINARY" data="N/A">
- <ClassID value="{EF99BD32-C1FB-11D2-892F-0090271D4F88}" title="Yahoo! Toolbar" resolved-symbol="C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll">
<File name="C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" expanded-name="C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" md5="2785037ce05b63d5607c9d5dfb2feee4" />
</ClassID>
</RegValue>
- <RegValue name="{259F616C-A300-44F5-B04A-ED001A26C85C}" type="REG_BINARY" data="N/A">
- <ClassID value="{259F616C-A300-44F5-B04A-ED001A26C85C}" title="Solid Converter PDF" resolved-symbol="C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll">
<File name="C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll" expanded-name="C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll" md5="08591c1b5f65c627cda8fcf78f304996" />
</ClassID>
</RegValue>
</RegKey>
- <RegKey name="HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks">
- <RegValue name="{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" type="REG_SZ" data="">
- <ClassID value="{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" title="Microsoft Url Search Hook" resolved-symbol="C:\WINDOWS\system32\ieframe.dll">
<File name="C:\WINDOWS\system32\ieframe.dll" expanded-name="C:\WINDOWS\system32\ieframe.dll" md5="fb79e24ce60a07c4e1e6584c9dadb9aa" />
</ClassID>
</RegValue>
- <RegValue name="{EF99BD32-C1FB-11D2-892F-0090271D4F88}" type="REG_SZ" data="">
- <ClassID value="{EF99BD32-C1FB-11D2-892F-0090271D4F88}" title="Yahoo! Toolbar" resolved-symbol="C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll">
<File name="C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" expanded-name="C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" md5="2785037ce05b63d5607c9d5dfb2feee4" />
</ClassID>
</RegValue>
<RegValue name="" type="REG_SZ" data="" />
</RegKey>
- <RegKey name="HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects">
- <RegKey name="HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}">
- <ClassID value="{02478D38-C3F9-4EFB-9B51-7695ECA05670}" title="Yahoo! Toolbar Helper" resolved-symbol="C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll">
<File name="C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" expanded-name="C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" md5="2785037ce05b63d5607c9d5dfb2feee4" />
</ClassID>
<RegValue name="NoExplorer" type="REG_DWORD" data="0x00000001" />
</RegKey>
- <RegKey name="HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}">
- <ClassID value="{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}" title="Adobe PDF Reader Link Helper" resolved-symbol="C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll">
<File name="C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" expanded-name="C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" md5="c11f6a1f61481e24be3fdc06ea6f7d2a" />
</ClassID>
<RegValue name="" type="REG_SZ" data="" />
</RegKey>
- <RegKey name="HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{259F616C-A300-44F5-B04A-ED001A26C85C}">
- <ClassID value="{259F616C-A300-44F5-B04A-ED001A26C85C}" title="Solid Converter PDF" resolved-symbol="C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll">
<File name="C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll" expanded-name="C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll" md5="08591c1b5f65c627cda8fcf78f304996" />
</ClassID>
</RegKey>
- <RegKey name="HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}">
- <ClassID value="{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}" title="Yahoo! IE Services Button" resolved-symbol="C:\Program Files\Yahoo!\Common\yiesrvc.dll">
<File name="C:\Program Files\Yahoo!\Common\yiesrvc.dll" expanded-name="C:\Program Files\Yahoo!\Common\yiesrvc.dll" md5="f8981f09e8da4fdb7f6b6e2b5361aeae" />
</ClassID>
<RegValue name="NoExplorer" type="REG_DWORD" data="0x00000001" />
</RegKey>
- <RegKey name="HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}">
- <ClassID value="{72853161-30C5-4D22-B7F9-0BBC1D38A37E}" title="Groove GFS Browser Helper" resolved-symbol="C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL">
<File name="C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL" expanded-name="C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL" md5="786dd1892b553efe5a004ac39775c851" />
</ClassID>
<RegValue name="" type="REG_SZ" data="" />
</RegKey>
- <RegKey name="HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}">
- <ClassID value="{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}" title="SSVHelper Class" resolved-symbol="C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll">
<File name="C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll" expanded-name="C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll" md5="38c5be22267a9236e79b1401b5d71d04" />
</ClassID>
<RegValue name="NoExplorer" type="REG_DWORD" data="0x00000001" />
</RegKey>
</RegKey>
<RegKey name="HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchURL" />
- <RegKey name="HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search">
<RegValue name="SearchAssistant" type="REG_SZ" data="http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm" />
<RegValue name="CustomizeSearch" type="REG_SZ" data="http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm" />
</RegKey>
- <RegKey name="HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main">
<RegValue name="Default_Page_URL" type="REG_SZ" data="http://go.microsoft.com/fwlink/?LinkId=69157" />
<RegValue name="Default_Search_URL" type="REG_SZ" data="http://go.microsoft.com/fwlink/?LinkId=54896" />
<RegValue name="Search Page" type="REG_SZ" data="http://www.msn.com" />
<RegValue name="Enable_Disk_Cache" type="REG_SZ" data="yes" />
<RegValue name="Cache_Percent_of_Disk" type="REG_BINARY" data="N/A" />
<RegValue name="Delete_Temp_Files_On_Exit" type="REG_SZ" data="yes" />
- <RegValue name="Local Page" type="REG_EXPAND_SZ" data="%SystemRoot%\system32\blank.htm">
<File name="%SystemRoot%\system32\blank.htm" expanded-name="C:\WINDOWS\system32\blank.htm" md5="could not open file for md5 calculation" />
</RegValue>
<RegValue name="Anchor_Visitation_Horizon" type="REG_BINARY" data="N/A" />
<RegValue name="Use_Async_DNS" type="REG_SZ" data="yes" />
<RegValue name="Placeholder_Width" type="REG_BINARY" data="N/A" />
<RegValue name="Placeholder_Height" type="REG_BINARY" data="N/A" />
<RegValue name="Start Page" type="REG_SZ" data="http://go.microsoft.com/fwlink/?LinkId=69157" />
<RegValue name="CompanyName" type="REG_SZ" data="Microsoft Corporation" />
<RegValue name="Custom_Key" type="REG_SZ" data="MICROSO" />
- <RegValue name="Wizard_Version" type="REG_SZ" data="6.0.2600.0000">
<File name="6.0.2600.0000" expanded-name="6.0.2600.0000" md5="could not open file for md5 calculation" />
</RegValue>
<RegValue name="FullScreen" type="REG_SZ" data="no" />
<RegValue name="Default_Secondary_Page_URL" type="REG_MULTI_SZ" data="" />
<RegValue name="Extensions Off Page" type="REG_SZ" data="about:NoAdd-ons" />
<RegValue name="Security Risk Page" type="REG_SZ" data="about:SecurityRisk" />
<RegValue name="Check_Associations" type="REG_SZ" data="yes" />
</RegKey>
- <RegKey name="HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main">
<RegValue name="NoUpdateCheck" type="REG_DWORD" data="0x00000001" />
<RegValue name="NoJITSetup" type="REG_DWORD" data="0x00000001" />
<RegValue name="Disable Script Debugger" type="REG_SZ" data="yes" />
<RegValue name="Show_ChannelBand" type="REG_SZ" data="No" />
<RegValue name="Anchor Underline" type="REG_SZ" data="yes" />
<RegValue name="Cache_Update_Frequency" type="REG_SZ" data="Once_Per_Session" />
<RegValue name="Display Inline Images" type="REG_SZ" data="yes" />
<RegValue name="Do404Search" type="REG_BINARY" data="N/A" />
- <RegValue name="Local Page" type="REG_SZ" data="C:\WINDOWS\system32\blank.htm">
<File name="C:\WINDOWS\system32\blank.htm" expanded-name="C:\WINDOWS\system32\blank.htm" md5="could not open file for md5 calculation" />
</RegValue>
<RegValue name="Save_Session_History_On_Exit" type="REG_SZ" data="no" />
<RegValue name="Show_FullURL" type="REG_SZ" data="no" />
<RegValue name="Show_StatusBar" type="REG_SZ" data="yes" />
<RegValue name="Show_ToolBar" type="REG_SZ" data="yes" />
<RegValue name="Show_URLinStatusBar" type="REG_SZ" data="yes" />
<RegValue name="Show_URLToolBar" type="REG_SZ" data="yes" />
<RegValue name="Start Page" type="REG_SZ" data="http://www.msn.com" />
<RegValue name="Use_DlgBox_Colors" type="REG_SZ" data="yes" />
<RegValue name="Search Page" type="REG_SZ" data="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch" />
<RegValue name="Check_Associations" type="REG_SZ" data="no" />
<RegValue name="NotifyDownloadComplete" type="REG_SZ" data="yes" />
<RegValue name="FullScreen" type="REG_SZ" data="no" />
<RegValue name="Window_Placement" type="REG_BINARY" data="N/A" />
<RegValue name="Use FormSuggest" type="REG_SZ" data="yes" />
<RegValue name="Error Dlg Displayed On Every Error" type="REG_SZ" data="no" />
<RegValue name="FormSuggest PW Ask" type="REG_SZ" data="no" />
<RegValue name="AutoSearch" type="REG_DWORD" data="0x00000005" />
<RegValue name="AddToFavoritesExpanded" type="REG_DWORD" data="0x00000000" />
<RegValue name="Use Search Asst" type="REG_SZ" data="" />
<RegValue name="Use Custom Search URL" type="REG_DWORD" data="0x00000000" />
<RegValue name="XMLHTTP" type="REG_DWORD" data="0x00000001" />
<RegValue name="UseClearType" type="REG_SZ" data="yes" />
<RegValue name="Enable Browser Extensions" type="REG_SZ" data="yes" />
<RegValue name="Play_Background_Sounds" type="REG_SZ" data="yes" />
<RegValue name="Play_Animations" type="REG_SZ" data="yes" />
<RegValue name="CompatibilityFlags" type="REG_DWORD" data="0x00000001" />
<RegValue name="SearchMigrated" type="REG_DWORD" data="0x00000001" />
<RegValue name="AlwaysShowMenus" type="REG_DWORD" data="0x00000001" />
<RegValue name="ShowedCheckBrowser" type="REG_SZ" data="Yes" />
</RegKey>
- <RegKey name="HKEY_LOCAL_MACHINE\Software\Microsoft\OLE">
<RegValue name="DefaultLaunchPermission" type="REG_BINARY" data="N/A" />
<RegValue name="EnableDCOM" type="REG_SZ" data="Y" />
<RegValue name="MachineLaunchRestriction" type="REG_BINARY" data="N/A" />
<RegValue name="MachineAccessRestriction" type="REG_BINARY" data="N/A" />
</RegKey>
- <RegKey name="HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler">
- <RegValue name="{438755C2-A8BA-11D1-B96B-00A0C90312E1}" type="REG_SZ" data="Browseui preloader">
- <ClassID value="{438755C2-A8BA-11D1-B96B-00A0C90312E1}" title="Browseui preloader" resolved-symbol="%SystemRoot%\System32\browseui.dll">
<File name="C:\WINDOWS\System32\browseui.dll" expanded-name="C:\WINDOWS\System32\browseui.dll" md5="765faaf3eead18a47811ab23dbe4c095" />
</ClassID>
</RegValue>
- <RegValue name="{8C7461EF-2B13-11d2-BE35-3078302C2030}" type="REG_SZ" data="Component Categories cache daemon">
- <ClassID value="{8C7461EF-2B13-11d2-BE35-3078302C2030}" title="Component Categories cache daemon" resolved-symbol="%SystemRoot%\System32\browseui.dll">
<File name="C:\WINDOWS\System32\browseui.dll" expanded-name="C:\WINDOWS\System32\browseui.dll" md5="765faaf3eead18a47811ab23dbe4c095" />
</ClassID>
</RegValue>
</RegKey>
- <RegKey name="HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad">
- <RegValue name="PostBootReminder" type="REG_SZ" data="{7849596a-48ea-486e-8937-a2a3009f31a9}">
- <ClassID value="{7849596a-48ea-486e-8937-a2a3009f31a9}" title="PostBootReminder object" resolved-symbol="%SystemRoot%\system32\SHELL32.dll">
<File name="C:\WINDOWS\system32\SHELL32.dll" expanded-name="C:\WINDOWS\system32\SHELL32.dll" md5="abfcbda41d2bd08baa1b0b2db558df03" />
</ClassID>
</RegValue>
- <RegValue name="CDBurn" type="REG_SZ" data="{fbeb8a05-beee-4442-804e-409d6c4515e9}">
- <ClassID value="{fbeb8a05-beee-4442-804e-409d6c4515e9}" title="ShellFolder for CD Burning" resolved-symbol="%SystemRoot%\system32\SHELL32.dll">
<File name="C:\WINDOWS\system32\SHELL32.dll" expanded-name="C:\WINDOWS\system32\SHELL32.dll" md5="abfcbda41d2bd08baa1b0b2db558df03" />
</ClassID>
</RegValue>
- <RegValue name="WebCheck" type="REG_SZ" data="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}">
- <ClassID value="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}" title="WebCheck" resolved-symbol="C:\WINDOWS\system32\webcheck.dll">
<File name="C:\WINDOWS\system32\webcheck.dll" expanded-name="C:\WINDOWS\system32\webcheck.dll" md5="1ed509a3e73b2f98d53b8a9786d6bd29" />
</ClassID>
</RegValue>
- <RegValue name="SysTray" type="REG_SZ" data="{35CEC8A3-2BE6-11D2-8773-92E220524153}">
- <ClassID value="{35CEC8A3-2BE6-11D2-8773-92E220524153}" title="SysTray" resolved-symbol="C:\WINDOWS\System32\stobject.dll">
<File name="C:\WINDOWS\System32\stobject.dll" expanded-name="C:\WINDOWS\System32\stobject.dll" md5="297101a925ecffdcdf7f6341ffbb6c1a" />
</ClassID>
</RegValue>
</RegKey>
- <RegKey name="HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows">
<RegValue name="AppInit_DLLs" type="REG_SZ" data="" />
<RegValue name="DeviceNotSelectedTimeout" type="REG_SZ" data="15" />
<RegValue name="GDIProcessHandleQuota" type="REG_DWORD" data="0x00002710" />
<RegValue name="Spooler" type="REG_SZ" data="yes" />
<RegValue name="swapdisk" type="REG_SZ" data="" />
<RegValue name="TransmissionRetryTimeout" type="REG_SZ" data="90" />
<RegValue name="USERProcessHandleQuota" type="REG_DWORD" data="0x00002710" />
</RegKey>
- <RegKey name="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify">
- <RegKey name="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon">
- <RegValue name="DllName" type="REG_SZ" data="C:\Program Files\SUPERAntiSpyware\SASWINLO.dll">
<File name="C:\Program Files\SUPERAntiSpyware\SASWINLO.dll" expanded-name="C:\Program Files\SUPERAntiSpyware\SASWINLO.dll" md5="3b2f85d8c913ce452ade4a0d24299fea" />
</RegValue>
<RegValue name="Logon" type="REG_SZ" data="SABWINLOLogon" />
<RegValue name="Logoff" type="REG_SZ" data="SABWINLOLogoff" />
<RegValue name="Startup" type="REG_SZ" data="SABWINLOStartup" />
<RegValue name="Shutdown" type="REG_SZ" data="SABWINLOShutdown" />
<RegValue name="Asynchronous" type="REG_DWORD" data="0x00000000" />
<RegValue name="Impersonate" type="REG_DWORD" data="0x00000000" />
</RegKey>
- <RegKey name="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain">
<RegValue name="Asynchronous" type="REG_DWORD" data="0x00000000" />
<RegValue name="Impersonate" type="REG_DWORD" data="0x00000000" />
- <RegValue name="DllName" type="REG_EXPAND_SZ" data="crypt32.dll">
<File name="crypt32.dll" expanded-name="C:\WINDOWS\system32\crypt32.dll" md5="efc958396a7a7ef7e6d4a52b97512e18" />
</RegValue>
<RegValue name="Logoff" type="REG_SZ" data="ChainWlxLogoffEvent" />
</RegKey>
- <RegKey name="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet">
<RegValue name="Asynchronous" type="REG_DWORD" data="0x00000000" />
<RegValue name="Impersonate" type="REG_DWORD" data="0x00000000" />
- <RegValue name="DllName" type="REG_EXPAND_SZ" data="cryptnet.dll">
<File name="cryptnet.dll" expanded-name="C:\WINDOWS\system32\cryptnet.dll" md5="cad4aa32e7eca00c23cc39c0eb833f9d" />
</RegValue>
<RegValue name="Logoff" type="REG_SZ" data="CryptnetWlxLogoffEvent" />
</RegKey>
- <RegKey name="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll">
- <RegValue name="DLLName" type="REG_SZ" data="cscdll.dll">
<File name="cscdll.dll" expanded-name="C:\WINDOWS\system32\cscdll.dll" md5="587729679b4fe04ce06a5c61d6c56dcd" />
</RegValue>
<RegValue name="Logon" type="REG_SZ" data="WinlogonLogonEvent" />
<RegValue name="Logoff" type="REG_SZ" data="WinlogonLogoffEvent" />
<RegValue name="ScreenSaver" type="REG_SZ" data="WinlogonScreenSaverEvent" />
<RegValue name="Startup" type="REG_SZ" data="WinlogonStartupEvent" />
<RegValue name="Shutdown" type="REG_SZ" data="WinlogonShutdownEvent" />
<RegValue name="StartShell" type="REG_SZ" data="WinlogonStartShellEvent" />
<RegValue name="Impersonate" type="REG_DWORD" data="0x00000000" />
<RegValue name="Asynchronous" type="REG_DWORD" data="0x00000001" />
</RegKey>
- <RegKey name="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\GoToMyPC">
- <RegValue name="DLLName" type="REG_SZ" data="C:\Program Files\Citrix\GoToMyPC\G2WinLogon.dll">
<File name="C:\Program Files\Citrix\GoToMyPC\G2WinLogon.dll" expanded-name="C:\Program Files\Citrix\GoToMyPC\G2WinLogon.dll" md5="305bd1c6cb228f39c926ad2e466cc18f" />
</RegValue>
<RegValue name="Logoff" type="REG_SZ" data="G2Logoff" />
<RegValue name="Asynchronous" type="REG_DWORD" data="0x00000000" />
<RegValue name="Logon" type="REG_SZ" data="G2Logon" />
<RegValue name="Startup" type="REG_SZ" data="G2Startup" />
<RegValue name="Impersonate" type="REG_DWORD" data="0x00000000" />
<RegValue name="Shutdown" type="REG_SZ" data="G2Shutdown" />
</RegKey>
- <RegKey name="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp">
- <RegValue name="DLLName" type="REG_SZ" data="wlnotify.dll">
<File name="wlnotify.dll" expanded-name="C:\WINDOWS\system32\wlnotify.dll" md5="a599e5e366c1408e48aa5d37882d4e3e" />
</RegValue>
<RegValue name="Logon" type="REG_SZ" data="SCardStartCertProp" />
<RegValue name="Logoff" type="REG_SZ" data="SCardStopCertProp" />
<RegValue name="Lock" type="REG_SZ" data="SCardSuspendCertProp" />
<RegValue name="Unlock" type="REG_SZ" data="SCardResumeCertProp" />
<RegValue name="Enabled" type="REG_DWORD" data="0x00000001" />
<RegValue name="Impersonate" type="REG_DWORD" data="0x00000001" />
<RegValue name="Asynchronous" type="REG_DWORD" data="0x00000001" />
</RegKey>
- <RegKey name="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule">
<RegValue name="Asynchronous" type="REG_DWORD" data="0x00000000" />
- <RegValue name="DllName" type="REG_EXPAND_SZ" data="wlnotify.dll">
<File name="wlnotify.dll" expanded-name="C:\WINDOWS\system32\wlnotify.dll" md5="a599e5e366c1408e48aa5d37882d4e3e" />
</RegValue>
<RegValue name="Impersonate" type="REG_DWORD" data="0x00000000" />
<RegValue name="StartShell" type="REG_SZ" data="SchedStartShell" />
<RegValue name="Logoff" type="REG_SZ" data="SchedEventLogOff" />
</RegKey>
- <RegKey name="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy">
<RegValue name="Logoff" type="REG_SZ" data="WLEventLogoff" />
<RegValue name="Impersonate" type="REG_DWORD" data="0x00000000" />
<RegValue name="Asynchronous" type="REG_DWORD" data="0x00000001" />
- <RegValue name="DllName" type="REG_EXPAND_SZ" data="sclgntfy.dll">
<File name="sclgntfy.dll" expanded-name="C:\WINDOWS\system32\sclgntfy.dll" md5="d636fa41e50671160d838ea2dace3330" />
</RegValue>
</RegKey>
- <RegKey name="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn">
- <RegValue name="DLLName" type="REG_SZ" data="WlNotify.dll">
<File name="WlNotify.dll" expanded-name="C:\WINDOWS\system32\WlNotify.dll" md5="a599e5e366c1408e48aa5d37882d4e3e" />
</RegValue>
<RegValue name="Lock" type="REG_SZ" data="SensLockEvent" />
<RegValue name="Logon" type="REG_SZ" data="SensLogonEvent" />
<RegValue name="Logoff" type="REG_SZ" data="SensLogoffEvent" />
<RegValue name="Safe" type="REG_DWORD" data="0x00000001" />
<RegValue name="MaxWait" type="REG_DWORD" data="0x00000258" />
<RegValue name="StartScreenSaver" type="REG_SZ" data="SensStartScreenSaverEvent" />
<RegValue name="StopScreenSaver" type="REG_SZ" data="SensStopScreenSaverEvent" />
<RegValue name="Startup" type="REG_SZ" data="SensStartupEvent" />
<RegValue name="Shutdown" type="REG_SZ" data="SensShutdownEvent" />
<RegValue name="StartShell" type="REG_SZ" data="SensStartShellEvent" />
<RegValue name="PostShell" type="REG_SZ" data="SensPostShellEvent" />
<RegValue name="Disconnect" type="REG_SZ" data="SensDisconnectEvent" />
<RegValue name="Reconnect" type="REG_SZ" data="SensReconnectEvent" />
<RegValue name="Unlock" type="REG_SZ" data="SensUnlockEvent" />
<RegValue name="Impersonate" type="REG_DWORD" data="0x00000001" />
<RegValue name="Asynchronous" type="REG_DWORD" data="0x00000001" />
</RegKey>
- <RegKey name="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv">
<RegValue name="Asynchronous" type="REG_DWORD" data="0x00000000" />
- <RegValue name="DllName" type="REG_EXPAND_SZ" data="wlnotify.dll">
<File name="wlnotify.dll" expanded-name="C:\WINDOWS\system32\wlnotify.dll" md5="a599e5e366c1408e48aa5d37882d4e3e" />
</RegValue>
<RegValue name="Impersonate" type="REG_DWORD" data="0x00000000" />
<RegValue name="Logoff" type="REG_SZ" data="TSEventLogoff" />
<RegValue name="Logon" type="REG_SZ" data="TSEventLogon" />
<RegValue name="PostShell" type="REG_SZ" data="TSEventPostShell" />
<RegValue name="Shutdown" type="REG_SZ" data="TSEventShutdown" />
<RegValue name="StartShell" type="REG_SZ" data="TSEventStartShell" />
<RegValue name="Startup" type="REG_SZ" data="TSEventStartup" />
<RegValue name="MaxWait" type="REG_DWORD" data="0x00000258" />
<RegValue name="Reconnect" type="REG_SZ" data="TSEventReconnect" />
<RegValue name="Disconnect" type="REG_SZ" data="TSEventDisconnect" />
</RegKey>
- <RegKey name="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon">
<RegValue name="Logon" type="REG_SZ" data="WLEventLogon" />
<RegValue name="Logoff" type="REG_SZ" data="WLEventLogoff" />
<RegValue name="Startup" type="REG_SZ" data="WLEventStartup" />
<RegValue name="Shutdown" type="REG_SZ" data="WLEventShutdown" />
<RegValue name="StartScreenSaver" type="REG_SZ" data="WLEventStartScreenSaver" />
<RegValue name="StopScreenSaver" type="REG_SZ" data="WLEventStopScreenSaver" />
<RegValue name="Lock" type="REG_SZ" data="WLEventLock" />
<RegValue name="Unlock" type="REG_SZ" data="WLEventUnlock" />
<RegValue name="StartShell" type="REG_SZ" data="WLEventStartShell" />
<RegValue name="PostShell" type="REG_SZ" data="WLEventPostShell" />
<RegValue name="Disconnect" type="REG_SZ" data="WLEventDisconnect" />
<RegValue name="Reconnect" type="REG_SZ" data="WLEventReconnect" />
<RegValue name="Impersonate" type="REG_DWORD" data="0x00000001" />
<RegValue name="Asynchronous" type="REG_DWORD" data="0x00000000" />
<RegValue name="SafeMode" type="REG_DWORD" data="0x00000001" />
<RegValue name="MaxWait" type="REG_DWORD" data="0xffffffff" />
- <RegValue name="DllName" type="REG_EXPAND_SZ" data="WgaLogon.dll">
<File name="WgaLogon.dll" expanded-name="C:\WINDOWS\system32\WgaLogon.dll" md5="d7dcfb4d0c58ffb569de93e1681fd37a" />
</RegValue>
<RegValue name="Event" type="REG_DWORD" data="0x00000000" />
<RegValue name="EulaAccepted" type="REG_DWORD" data="0x00000001" />
- <RegKey name="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon\Settings">
<RegValue name="Data" type="REG_BINARY" data="N/A" />
</RegKey>
</RegKey>
- <RegKey name="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon">
- <RegValue name="DLLName" type="REG_SZ" data="wlnotify.dll">
<File name="wlnotify.dll" expanded-name="C:\WINDOWS\system32\wlnotify.dll" md5="a599e5e366c1408e48aa5d37882d4e3e" />
</RegValue>
<RegValue name="Logon" type="REG_SZ" data="RegisterTicketExpiredNotificationEvent" />
<RegValue name="Logoff" type="REG_SZ" data="UnregisterTicketExpiredNotificationEvent" />
<RegValue name="Impersonate" type="REG_DWORD" data="0x00000001" />
<RegValue name="Asynchronous" type="REG_DWORD" data="0x00000001" />
</RegKey>
</RegKey>
- <RegKey name="HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows">
<RegValue name="DebugOptions" type="REG_SZ" data="2048" />
<RegValue name="Documents" type="REG_SZ" data="" />
<RegValue name="DosPrint" type="REG_SZ" data="no" />
<RegValue name="load" type="REG_SZ" data="" />
<RegValue name="NetMessage" type="REG_SZ" data="no" />
<RegValue name="NullPort" type="REG_SZ" data="None" />
<RegValue name="Programs" type="REG_SZ" data="com exe bat pif cmd" />
<RegValue name="Device" type="REG_SZ" data="\\PATTSMOVING\Samsung CLP-300 Series,winspool,Ne06:" />
</RegKey>
- <RegKey name="HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows">
<RegValue name="DebugOptions" type="REG_SZ" data="2048" />
<RegValue name="Documents" type="REG_SZ" data="" />
<RegValue name="DosPrint" type="REG_SZ" data="no" />
<RegValue name="load" type="REG_SZ" data="" />
<RegValue name="NetMessage" type="REG_SZ" data="no" />
<RegValue name="NullPort" type="REG_SZ" data="None" />
<RegValue name="Programs" type="REG_SZ" data="com exe bat pif cmd" />
<RegValue name="Device" type="REG_SZ" data="\\PATTSMOVING\Samsung CLP-300 Series,winspool,Ne06:" />
</RegKey>
- <RegKey name="HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify">
- <RegKey name="HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon">
- <RegValue name="DllName" type="REG_SZ" data="C:\Program Files\SUPERAntiSpyware\SASWINLO.dll">
<File name="C:\Program Files\SUPERAntiSpyware\SASWINLO.dll" expanded-name="C:\Program Files\SUPERAntiSpyware\SASWINLO.dll" md5="3b2f85d8c913ce452ade4a0d24299fea" />
</RegValue>
<RegValue name="Logon" type="REG_SZ" data="SABWINLOLogon" />
<RegValue name="Logoff" type="REG_SZ" data="SABWINLOLogoff" />
<RegValue name="Startup" type="REG_SZ" data="SABWINLOStartup" />
<RegValue name="Shutdown" type="REG_SZ" data="SABWINLOShutdown" />
<RegValue name="Asynchronous" type="REG_DWORD" data="0x00000000" />
<RegValue name="Impersonate" type="REG_DWORD" data="0x00000000" />
</RegKey>
- <RegKey name="HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain">
<RegValue name="Asynchronous" type="REG_DWORD" data="0x00000000" />
<RegValue name="Impersonate" type="REG_DWORD" data="0x00000000" />
- <RegValue name="DllName" type="REG_EXPAND_SZ" data="crypt32.dll">
<File name="crypt32.dll" expanded-name="C:\WINDOWS\system32\crypt32.dll" md5="efc958396a7a7ef7e6d4a52b97512e18" />
</RegValue>
<RegValue name="Logoff" type="REG_SZ" data="ChainWlxLogoffEvent" />
</RegKey>
- <RegKey name="HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet">
<RegValue name="Asynchronous" type="REG_DWORD" data="0x00000000" />
<RegValue name="Impersonate" type="REG_DWORD" data="0x00000000" />
- <RegValue name="DllName" type="REG_EXPAND_SZ" data="cryptnet.dll">
<File name="cryptnet.dll" expanded-name="C:\WINDOWS\system32\cryptnet.dll" md5="cad4aa32e7eca00c23cc39c0eb833f9d" />
</RegValue>
<RegValue name="Logoff" type="REG_SZ" data="CryptnetWlxLogoffEvent" />
</RegKey>
- <RegKey name="HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll">
- <RegValue name="DLLName" type="REG_SZ" data="cscdll.dll">
<File name="cscdll.dll" expanded-name="C:\WINDOWS\system32\cscdll.dll" md5="587729679b4fe04ce06a5c61d6c56dcd" />
</RegValue>
<RegValue name="Logon" type="REG_SZ" data="WinlogonLogonEvent" />
<RegValue name="Logoff" type="REG_SZ" data="WinlogonLogoffEvent" />
<RegValue name="ScreenSaver" type="REG_SZ" data="WinlogonScreenSaverEvent" />
<RegValue name="Startup" type="REG_SZ" data="WinlogonStartupEvent" />
<RegValue name="Shutdown" type="REG_SZ" data="WinlogonShutdownEvent" />
<RegValue name="StartShell" type="REG_SZ" data="WinlogonStartShellEvent" />
<RegValue name="Impersonate" type="REG_DWORD" data="0x00000000" />
<RegValue name="Asynchronous" type="REG_DWORD" data="0x00000001" />
</RegKey>
- <RegKey name="HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\GoToMyPC">
- <RegValue name="DLLName" type="REG_SZ" data="C:\Program Files\Citrix\GoToMyPC\G2WinLogon.dll">
<File name="C:\Program Files\Citrix\GoToMyPC\G2WinLogon.dll" expanded-name="C:\Program Files\Citrix\GoToMyPC\G2WinLogon.dll" md5="305bd1c6cb228f39c926ad2e466cc18f" />
</RegValue>
<RegValue name="Logoff" type="REG_SZ" data="G2Logoff" />
<RegValue name="Asynchronous" type="REG_DWORD" data="0x00000000" />
<RegValue name="Logon" type="REG_SZ" data="G2Logon" />
<RegValue name="Startup" type="REG_SZ" data="G2Startup" />
<RegValue name="Impersonate" type="REG_DWORD" data="0x00000000" />
<RegValue name="Shutdown" type="REG_SZ" data="G2Shutdown" />
</RegKey>
- <RegKey name="HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp">
- <RegValue name="DLLName" type="REG_SZ" data="wlnotify.dll">
<File name="wlnotify.dll" expanded-name="C:\WINDOWS\system32\wlnotify.dll" md5="a599e5e366c1408e48aa5d37882d4e3e" />
</RegValue>
<RegValue name="Logon" type="REG_SZ" data="SCardStartCertProp" />
<RegValue name="Logoff" type="REG_SZ" data="SCardStopCertProp" />
<RegValue name="Lock" type="REG_SZ" data="SCardSuspendCertProp" />
<RegValue name="Unlock" type="REG_SZ" data="SCardResumeCertProp" />
<RegValue name="Enabled" type="REG_DWORD" data="0x00000001" />
<RegValue name="Impersonate" type="REG_DWORD" data="0x00000001" />
<RegValue name="Asynchronous" type="REG_DWORD" data="0x00000001" />
</RegKey>
- <RegKey name="HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule">
<RegValue name="Asynchronous" type="REG_DWORD" data="0x00000000" />
- <RegValue name="DllName" type="REG_EXPAND_SZ" data="wlnotify.dll">
<File name="wlnotify.dll" expanded-name="C:\WINDOWS\system32\wlnotify.dll" md5="a599e5e366c1408e48aa5d37882d4e3e" />
</RegValue>
<RegValue name="Impersonate" type="REG_DWORD" data="0x00000000" />
<RegValue name="StartShell" type="REG_SZ" data="SchedStartShell" />
<RegValue name="Logoff" type="REG_SZ" data="SchedEventLogOff" />
</RegKey>
- <RegKey name="HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy">
<RegValue name="Logoff" type="REG_SZ" data="WLEventLogoff" />
<RegValue name="Impersonate" type="REG_DWORD" data="0x00000000" />
<RegValue name="Asynchronous" type="REG_DWORD" data="0x00000001" />
- <RegValue name="DllName" type="REG_EXPAND_SZ" data="sclgntfy.dll">
<File name="sclgntfy.dll" expanded-name="C:\WINDOWS\system32\sclgntfy.dll" md5="d636fa41e50671160d838ea2dace3330" />
</RegValue>
</RegKey>
- <RegKey name="HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn">
- <RegValue name="DLLName" type="REG_SZ" data="WlNotify.dll">
<File name="WlNotify.dll" expanded-name="C:\WINDOWS\system32\WlNotify.dll" md5="a599e5e366c1408e48aa5d37882d4e3e" />
</RegValue>
<RegValue name="Lock" type="REG_SZ" data="SensLockEvent" />
<RegValue name="Logon" type="REG_SZ" data="SensLogonEvent" />
<RegValue name="Logoff" type="REG_SZ" data="SensLogoffEvent" />
<RegValue name="Safe" type="REG_DWORD" data="0x00000001" />
<RegValue name="MaxWait" type="REG_DWORD" data="0x00000258" />
<RegValue name="StartScreenSaver" type="REG_SZ" data="SensStartScreenSaverEvent" />
<RegValue name="StopScreenSaver" type="REG_SZ" data="SensStopScreenSaverEvent" />
<RegValue name="Startup" type="REG_SZ" data="SensStartupEvent" />
<RegValue name="Shutdown" type="REG_SZ" data="SensShutdownEvent" />
<RegValue name="StartShell" type="REG_SZ" data="SensStartShellEvent" />
<RegValue name="PostShell" type="REG_SZ" data="SensPostShellEvent" />
<RegValue name="Disconnect" type="REG_SZ" data="SensDisconnectEvent" />
<RegValue name="Reconnect" type="REG_SZ" data="SensReconnectEvent" />
<RegValue name="Unlock" type="REG_SZ" data="SensUnlockEvent" />
<RegValue name="Impersonate" type="REG_DWORD" data="0x00000001" />
<RegValue name="Asynchronous" type="REG_DWORD" data="0x00000001" />
</RegKey>
- <RegKey name="HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv">
<RegValue name="Asynchronous" type="REG_DWORD" data="0x00000000" />
- <RegValue name="DllName" type="REG_EXPAND_SZ" data="wlnotify.dll">
<File name="wlnotify.dll" expanded-name="C:\WINDOWS\system32\wlnotify.dll" md5="a599e5e366c1408e48aa5d37882d4e3e" />
</RegValue>
<RegValue name="Impersonate" type="REG_DWORD" data="0x00000000" />
<RegValue name="Logoff" type="REG_SZ" data="TSEventLogoff" />
<RegValue name="Logon" type="REG_SZ" data="TSEventLogon" />
<RegValue name="PostShell" type="REG_SZ" data="TSEventPostShell" />
<RegValue name="Shutdown" type="REG_SZ" data="TSEventShutdown" />
<RegValue name="StartShell" type="REG_SZ" data="TSEventStartShell" />
<RegValue name="Startup" type="REG_SZ" data="TSEventStartup" />
<RegValue name="MaxWait" type="REG_DWORD" data="0x00000258" />
<RegValue name="Reconnect" type="REG_SZ" data="TSEventReconnect" />
<RegValue name="Disconnect" type="REG_SZ" data="TSEventDisconnect" />
</RegKey>
- <RegKey name="HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon">
<RegValue name="Logon" type="REG_SZ" data="WLEventLogon" />
<RegValue name="Logoff" type="REG_SZ" data="WLEventLogoff" />
<RegValue name="Startup" type="REG_SZ" data="WLEventStartup" />
<RegValue name="Shutdown" type="REG_SZ" data="WLEventShutdown" />
<RegValue name="StartScreenSaver" type="REG_SZ" data="WLEventStartScreenSaver" />
<RegValue name="StopScreenSaver" type="REG_SZ" data="WLEventStopScreenSaver" />
<RegValue name="Lock" type="REG_SZ" data="WLEventLock" />
<RegValue name="Unlock" type="REG_SZ" data="WLEventUnlock" />
<RegValue name="StartShell" type="REG_SZ" data="WLEventStartShell" />
<RegValue name="PostShell" type="REG_SZ" data="WLEventPostShell" />
<RegValue name="Disconnect" type="REG_SZ" data="WLEventDisconnect" />
<RegValue name="Reconnect" type="REG_SZ" data="WLEventReconnect" />
<RegValue name="Impersonate" type="REG_DWORD" data="0x00000001" />
<RegValue name="Asynchronous" type="REG_DWORD" data="0x00000000" />
<RegValue name="SafeMode" type="REG_DWORD" data="0x00000001" />
<RegValue name="MaxWait" type="REG_DWORD" data="0xffffffff" />
- <RegValue name="DllName" type="REG_EXPAND_SZ" data="WgaLogon.dll">
<File name="WgaLogon.dll" expanded-name="C:\WINDOWS\system32\WgaLogon.dll" md5="d7dcfb4d0c58ffb569de93e1681fd37a" />
</RegValue>
<RegValue name="Event" type="REG_DWORD" data="0x00000000" />
<RegValue name="EulaAccepted" type="REG_DWORD" data="0x00000001" />
- <RegKey name="HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon\Settings">
<RegValue name="Data" type="REG_BINARY" data="N/A" />
</RegKey>
</RegKey>
- <RegKey name="HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon">
- <RegValue name="DLLName" type="REG_SZ" data="wlnotify.dll">
<File name="wlnotify.dll" expanded-name="C:\WINDOWS\system32\wlnotify.dll" md5="a599e5e366c1408e48aa5d37882d4e3e" />
</RegValue>
<RegValue name="Logon" type="REG_SZ" data="RegisterTicketExpiredNotificationEvent" />
<RegValue name="Logoff" type="REG_SZ" data="UnregisterTicketExpiredNotificationEvent" />
<RegValue name="Impersonate" type="REG_DWORD" data="0x00000001" />
<RegValue name="Asynchronous" type="REG_DWORD" data="0x00000001" />
</RegKey>
</RegKey>
- <RegKey name="HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon">
<RegValue name="AutoRestartShell" type="REG_DWORD" data="0x00000001" />
<RegValue name="DefaultDomainName" type="REG_SZ" data="DAVIS" />
<RegValue name="DefaultUserName" type="REG_SZ" data="davisfoos" />
<RegValue name="LegalNoticeCaption" type="REG_SZ" data="" />
<RegValue name="LegalNoticeText" type="REG_SZ" data="" />
<RegValue name="PowerdownAfterShutdown" type="REG_SZ" data="0" />
<RegValue name="ReportBootOk" type="REG_SZ" data="1" />
- <RegValue name="Shell" type="REG_SZ" data="Explorer.exe">
<File name="Explorer.exe" expanded-name="C:\WINDOWS\Explorer.exe" md5="a0732187050030ae399b241436565e64" />
</RegValue>
<RegValue name="ShutdownWithoutLogon" type="REG_SZ" data="0" />
<RegValue name="System" type="REG_SZ" data="" />
- <RegValue name="Userinit" type="REG_SZ" data="C:\WINDOWS\system32\userinit.exe,">
<File name="C:\WINDOWS\system32\userinit.exe" expanded-name="C:\WINDOWS\system32\userinit.exe" md5="39b1ffb03c2296323832acbae50d2aff" />
</RegValue>
- <RegValue name="VmApplet" type="REG_SZ" data="rundll32 shell32,Control_RunDLL "sysdm.cpl"">
<File name="Control_RunDLL "sysdm.cpl"" expanded-name="Control_RunDLL "sysdm.cpl"" md5="could not open file for md5 calculation" />
</RegValue>
<RegValue name="SfcQuota" type="REG_DWORD" data="0xffffffff" />
<RegValue name="allocatecdroms" type="REG_SZ" data="0" />
<RegValue name="allocatedasd" type="REG_SZ" data="0" />
<RegValue name="allocatefloppies" type="REG_SZ" data="0" />
<RegValue name="cachedlogonscount" type="REG_SZ" data="10" />
<RegValue name="forceunlocklogon" type="REG_DWORD" data="0x00000000" />
<RegValue name="passwordexpirywarning" type="REG_DWORD" data="0x0000000e" />
<RegValue name="scremoveoption" type="REG_SZ" data="0" />
<RegValue name="AllowMultipleTSSessions" type="REG_DWORD" data="0x00000001" />
- <RegValue name="UIHost" type="REG_EXPAND_SZ" data="logonui.exe">
<File name="logonui.exe" expanded-name="C:\WINDOWS\system32\logonui.exe" md5="7db59fff2af32c27eb2276424fa5eddb" />
</RegValue>
<RegValue name="LogonType" type="REG_DWORD" data="0x00000001" />
<RegValue name="Background" type="REG_SZ" data="0 0 0" />
<RegValue name="DebugServerCommand" type="REG_SZ" data="no" />
<RegValue name="SFCDisable" type="REG_DWORD" data="0x00000000" />
<RegValue name="WinStationsDisabled" type="REG_SZ" data="0" />
<RegValue name="HibernationPreviouslyEnabled" type="REG_DWORD" data="0x00000001" />
<RegValue name="ShowLogonOptions" type="REG_DWORD" data="0x00000000" />
<RegValue name="AltDefaultUserName" type="REG_SZ" data="davisfoos" />
<RegValue name="AltDefaultDomainName" type="REG_SZ" data="DAVIS" />
</RegKey>
- <RegKey name="HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon">
<RegValue name="AutoRestartShell" type="REG_DWORD" data="0x00000001" />
<RegValue name="DefaultDomainName" type="REG_SZ" data="DAVIS" />
<RegValue name="DefaultUserName" type="REG_SZ" data="davisfoos" />
<RegValue name="LegalNoticeCaption" type="REG_SZ" data="" />
<RegValue name="LegalNoticeText" type="REG_SZ" data="" />
<RegValue name="PowerdownAfterShutdown" type="REG_SZ" data="0" />
<RegValue name="ReportBootOk" type="REG_SZ" data="1" />
- <RegValue name="Shell" type="REG_SZ" data="Explorer.exe">
<File name="Explorer.exe" expanded-name="C:\WINDOWS\Explorer.exe" md5="a0732187050030ae399b241436565e64" />
</RegValue>
<RegValue name="ShutdownWithoutLogon" type="REG_SZ" data="0" />
<RegValue name="System" type="REG_SZ" data="" />
- <RegValue name="Userinit" type="REG_SZ" data="C:\WINDOWS\system32\userinit.exe,">
<File name="C:\WINDOWS\system32\userinit.exe" expanded-name="C:\WINDOWS\system32\userinit.exe" md5="39b1ffb03c2296323832acbae50d2aff" />
</RegValue>
- <RegValue name="VmApplet" type="REG_SZ" data="rundll32 shell32,Control_RunDLL "sysdm.cpl"">
<File name="Control_RunDLL "sysdm.cpl"" expanded-name="Control_RunDLL "sysdm.cpl"" md5="could not open file for md5 calculation" />
</RegValue>
<RegValue name="SfcQuota" type="REG_DWORD" data="0xffffffff" />
<RegValue name="allocatecdroms" type="REG_SZ" data="0" />
<RegValue name="allocatedasd" type="REG_SZ" data="0" />
<RegValue name="allocatefloppies" type="REG_SZ" data="0" />
<RegValue name="cachedlogonscount" type="REG_SZ" data="10" />
<RegValue name="forceunlocklogon" type="REG_DWORD" data="0x00000000" />
<RegValue name="passwordexpirywarning" type="REG_DWORD" data="0x0000000e" />
<RegValue name="scremoveoption" type="REG_SZ" data="0" />
<RegValue name="AllowMultipleTSSessions" type="REG_DWORD" data="0x00000001" />
- <RegValue name="UIHost" type="REG_EXPAND_SZ" data="logonui.exe">
<File name="logonui.exe" expanded-name="C:\WINDOWS\system32\logonui.exe" md5="7db59fff2af32c27eb2276424fa5eddb" />
</RegValue>
<RegValue name="LogonType" type="REG_DWORD" data="0x00000001" />
<RegValue name="Background" type="REG_SZ" data="0 0 0" />
<RegValue name="DebugServerCommand" type="REG_SZ" data="no" />
<RegValue name="SFCDisable" type="REG_DWORD" data="0x00000000" />
<RegValue name="WinStationsDisabled" type="REG_SZ" data="0" />
<RegValue name="HibernationPreviouslyEnabled" type="REG_DWORD" data="0x00000001" />
<RegValue name="ShowLogonOptions" type="REG_DWORD" data="0x00000000" />
<RegValue name="AltDefaultUserName" type="REG_SZ" data="davisfoos" />
<RegValue name="AltDefaultDomainName" type="REG_SZ" data="DAVIS" />
</RegKey>
<RegKey name="HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce" />
- <RegKey name="HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run">
- <RegValue name="GrooveMonitor" type="REG_SZ" data=""C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"">
<File name=""C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"" expanded-name="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"" md5="could not open file for md5 calculation" />
</RegValue>
- <RegValue name="GoToMyPC" type="REG_SZ" data="C:\Program Files\Citrix\GoToMyPC\g2svc.exe -logon">
<File name="C:\Program Files\Citrix\GoToMyPC\g2svc.exe -logon" expanded-name="C:\Program Files\Citrix\GoToMyPC\g2svc.exe -logon" md5="7e450e5199a0bddd6e8e8e1b9e53e7bd" />
</RegValue>
</RegKey>
- <RegKey name="HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run">
<RegValue name="Yahoo! Pager" type="REG_SZ" data=""C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet" />
- <RegValue name="ctfmon.exe" type="REG_SZ" data="C:\WINDOWS\system32\ctfmon.exe">
<File name="C:\WINDOWS\system32\ctfmon.exe" expanded-name="C:\WINDOWS\system32\ctfmon.exe" md5="24232996a38c0b0cf151c2140ae29fc8" />
<File name="ctfmon.exe" expanded-name="C:\WINDOWS\system32\ctfmon.exe" md5="24232996a38c0b0cf151c2140ae29fc8" />
</RegValue>
- <RegValue name="SUPERAntiSpyware" type="REG_SZ" data="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe">
<File name="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" expanded-name="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" md5="8af31d79097e3e6bef01758a56b6f264" />
</RegValue>
</RegKey>
<RegKey name="HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx" />
<RegKey name="HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce" />
</Registry>
- <FileSystem>
- <Directory name="C:\Documents and Settings\All Users\Start Menu\Programs\Startup" expanded-name="C:\Documents and Settings\All Users\Start Menu\Programs\Startup">
<File name="C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini" expanded-name="C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini" md5="d6a6856702e3f0953e7246a9b4a9fe35" />
<File name="C:\Documents and Settings\All Users\Start Menu\Programs\Startup\F1U201.401.lnk" expanded-name="C:\Documents and Settings\All Users\Start Menu\Programs\Startup\F1U201.401.lnk" md5="b0f37af36d2fa10d4f5340dfad11466c" />
<File name="C:\Program Files\Belkin\F1U201.401\usbshare.exe" expanded-name="C:\Program Files\Belkin\F1U201.401\usbshare.exe" md5="bb633ed02fe2e7fa8350b23656eeb970" />
<File name="C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk" expanded-name="C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk" md5="6e5a2c53ec9d60edbf8b9f96649b530e" />
<File name="C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe" expanded-name="C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe" md5="12c695f50229b71a0c9a7f876d6b24c1" />
</Directory>
- <Directory name="C:\Documents and Settings\%USERNAME%\Start Menu\Programs\Startup" expanded-name="C:\Documents and Settings\davisfoos\Start Menu\Programs\Startup">
<File name="C:\Documents and Settings\davisfoos\Start Menu\Programs\Startup\desktop.ini" expanded-name="C:\Documents and Settings\davisfoos\Start Menu\Programs\Startup\desktop.ini" md5="d6a6856702e3f0953e7246a9b4a9fe35" />
<File name="C:\Documents and Settings\davisfoos\Start Menu\Programs\Startup\UHaulMessenger.lnk" expanded-name="C:\Documents and Settings\davisfoos\Start Menu\Programs\Startup\UHaulMessenger.lnk" md5="8f17426ee5d6757dd71bea6bd999f89e" />
<File name="C:\Program Files\UHaul\UHaulMessenger\AppStart.exe" expanded-name="C:\Program Files\UHaul\UHaulMessenger\AppStart.exe" md5="743235ad3a96af606ab1007704eb40e4" />
</Directory>
</FileSystem>
- <Debug>
</Debug>
</XoftSpy>


thanks in advance


#2 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:01:26 PM

Posted 24 May 2007 - 09:37 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum davisfoos :thumbsup:

It appears you've no virus protection installed.
Download/install one of the following freeware options from the choice below.
Once installed update its definitions and then run a full system virus scan.

AVG7 Free Edition Antivirus:
http://free.grisoft.com/softw/70free/setup...ree_446a965.exe

Avast! 4 Home Edition:
http://files.avast.com/iavs4pro/setupeng.exe

Active Virus Shield
There's a nice setup tutorial Here:
http://www.activevirusshield.com/antivirus/freeav/

******************

Download SDFix.exe and save it to your desktop:
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

* Double click on SDFix on your desktop, and install the fix to C:\

Please then reboot your computer into Safe Mode by doing the following:

* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
* Instead of Windows loading as normal, a menu with options should appear;
* Select the first option, to run Windows in Safe Mode, then press "Enter".
* Choose your usual account.

* In Safe Mode, go to and open the C:\SDFix folder, then double click on RunThis.bat to start the script.
* Type Y to begin the script.
* It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* Your system will take longer than normal to restart as the fixtool will be running and removing files.
* When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
* Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt into your next reply.

******************

Please download Combofix and save to your desktop:
http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window whilst it's running.
That may cause the program to freeze/hang.


Also post a new Hijackthis log please.

#3 davisfoos

davisfoos
  • Topic Starter

  • Members
  • 37 posts
  • OFFLINE
  • Local time:07:26 AM

Posted 24 May 2007 - 12:07 PM

Ok, anti-virus installed and updated, removed about 22 files.


Here is the SDFix log...

SDFix: Version 1.84

Run by Administrator - Thu 05/24/2007 - 11:43:48.76

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\sdfix

Safe Mode:
Checking Services:

Name:
COM+ Messages
core

ImagePath:
"C:\WINDOWS\System32\svchosts.exe" -e te-110-12-0000213
system32\drivers\core.sys

COM+ Messages - Deleted
core - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\WINDOWS\system32\drivers\core.cache.dsk - Deleted
C:\WINDOWS\system32\drivers\core.sys - Deleted



Removing Temp Files...

ADS Check:

Checking if ADS is attached to system32 Folder
C:\WINDOWS\system32
No streams found.

Checking if ADS is attached to svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\\WINDOWS\\system32\\mmc.exe"="C:\\WINDOWS\\system32\\mmc.exe:*:Enabled:Microsoft Management Console"
"C:\\Program Files\\Intuit\\QuickBooks 2007\\QBDBMgrN.exe"="C:\\Program Files\\Intuit\\QuickBooks 2007\\QBDBMgrN.exe:*:Enabled:QuickBooks 2007 Data Manager"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"C:\\Program Files\\mIRC\\mirc.exe"="C:\\Program Files\\mIRC\\mirc.exe:*:Enabled:mIRC"
"C:\\TRapps\\Dr2000\\live.mlc"="C:\\TRapps\\Dr2000\\live.mlc:*:Enabled:TOTAL RENTAL Internet Update"


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"


Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip

Checking For Files with Hidden Attributes:


Finished




Here is the combofix log.....

"davisfoos" - 2007-05-24 11:53:23 Service Pack 2
ComboFix 07-05.24.7.V - Running from: "C:\Documents and Settings\davisfoos\Desktop\"


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


"C:\Program Files\Common Files\{34EA3~1"
"C:\Program Files\Common Files\{B4EA3~3"
"C:\Program Files\Common Files\{B4EA3~1"
"C:\Program Files\Common Files\{B4EA3~2"

Purity Folders:

C:\WINDOWS\system32\ICROSO~1
C:\Program Files\STEM~1



((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\CMDSERVICE


((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-24 ))))))))))))))))))))))))))))))))))


2007-05-24 11:40 524,288 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-05-24 10:48 95,872 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-05-24 10:48 94,552 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-05-24 10:48 85,952 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-05-24 10:48 745,600 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-05-24 10:48 43,176 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-05-24 10:48 26,888 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-05-24 10:48 23,416 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-05-24 10:48 <DIR> d-------- C:\Program Files\Alwil Software
2007-05-24 00:54 <DIR> d-------- C:\Program Files\GPLGS
2007-05-24 00:53 87,808 --a------ C:\WINDOWS\system32\cpwmon2k.dll
2007-05-24 00:53 <DIR> d-------- C:\Program Files\Acro Software
2007-05-23 14:29 81,920 --a------ C:\WINDOWS\system32\GkSui20.EXE
2007-05-23 14:26 <DIR> d-------- C:\Program Files\wms2002
2007-05-23 14:23 73,216 --a------ C:\WINDOWS\ST6UNST.EXE
2007-05-23 14:23 143,360 --------- C:\WINDOWS\Setup1.exe
2007-05-23 14:09 <DIR> d-------- C:\tariff
2007-05-22 12:06 <DIR> d-------- C:\Poker
2007-05-22 11:29 <DIR> d-------- C:\Program Files\Sportsbook Poker
2007-05-22 09:44 <DIR> d-------- C:\Program Files\Alamo Poker.com
2007-05-22 08:00 <DIR> d-------- C:\Program Files\XoftSpySE
2007-05-21 14:43 1,954 --a------ C:\WINDOWS\mozver.dat
2007-05-21 14:43 <DIR> d-------- C:\Program Files\eBLVD
2007-05-19 10:33 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-05-19 10:33 <DIR> d-------- C:\DOCUME~1\DAVISF~1\APPLIC~1\SUPERAntiSpyware.com
2007-05-19 10:33 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-05-19 09:54 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-05-19 09:36 <DIR> d-------- C:\Program Files\AIM6
2007-05-19 09:34 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL Downloads
2007-05-19 07:49 <DIR> d-------- C:\Program Files\Lavasoft
2007-05-19 07:49 <DIR> d-------- C:\DOCUME~1\DAVISF~1\APPLIC~1\Lavasoft
2007-05-19 07:48 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-04-27 13:13 <DIR> d-------- C:\vuescan


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-19 14:36:08 335 ----a-w C:\WINDOWS\nsreg.dat
2007-05-19 14:04:32 -------- d-----w C:\Program Files\Yahoo!
2007-05-19 13:18:39 -------- d-----w C:\Program Files\Common Files\ukii
2007-05-16 18:32:33 -------- d-----w C:\Program Files\Bodog Poker
2007-05-02 21:05:32 -------- d-----w C:\Program Files\mIRC
2007-04-24 14:31:24 -------- d-----w C:\DOCUME~1\DAVISF~1\APPLIC~1\SolidDocuments
2007-04-23 20:00:12 -------- d-----w C:\Program Files\SolidDocuments
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-05 18:32:01 -------- d-----w C:\Program Files\UHaul
2007-04-04 20:34:57 -------- d-----w C:\Program Files\NTRsupport Installable RC
2007-03-31 20:39:54 -------- d-----w C:\Program Files\Yahoo SiteBuilder
2007-03-30 08:09:22 -------- d-----w C:\Program Files\Microsoft SQL Server
2007-03-30 08:03:01 -------- d-----w C:\Program Files\MSXML 6.0
2007-03-27 21:45:01 -------- d-----w C:\Program Files\Citrix
2007-03-27 17:34:46 -------- d-----w C:\Program Files\WebLog Expert
2007-03-25 03:26:19 -------- d-----w C:\DOCUME~1\DAVISF~1\APPLIC~1\ntr
2007-03-24 18:11:49 -------- d-----w C:\DOCUME~1\DAVISF~1\APPLIC~1\Intuit
2007-03-24 18:11:24 -------- d-----w C:\Program Files\Intuit
2007-03-24 18:11:11 -------- d-----w C:\Program Files\Common Files\supportsoft
2007-03-24 18:06:15 -------- d-----w C:\Program Files\Common Files\Intuit
2007-03-24 18:04:38 -------- d-----w C:\Program Files\Common Files\AnswerWorks 4.0
2007-03-24 18:02:11 -------- d-----w C:\Program Files\MSXML 4.0
2007-03-23 18:04:25 -------- d-----w C:\Program Files\Common Files\Business Objects
2007-03-23 17:47:16 -------- d-----w C:\Program Files\Microsoft.NET
2007-03-23 17:41:05 -------- d-----w C:\Program Files\Microsoft Works
2007-03-23 17:40:40 -------- d-----w C:\Program Files\MSBuild
2007-03-23 17:33:51 -------- d-----w C:\Program Files\Microsoft Visual Studio 8
2007-03-23 16:44:23 -------- d-----w C:\Program Files\Messenger
2007-03-23 15:41:32 -------- d-----w C:\Program Files\Movie Maker
2007-03-23 15:38:20 -------- d-----w C:\Program Files\Windows NT
2007-03-21 19:39:49 -------- d-----w C:\DOCUME~1\DAVISF~1\APPLIC~1\Snapfish
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys
2007-02-10 10:29:52 67,952 ----a-w C:\WINDOWS\system32\sqlctr90.dll
2007-02-10 10:29:52 2,234,224 ----a-w C:\WINDOWS\system32\sqlncli.dll
2007-02-05 20:17:02 185,344 ----a-w C:\WINDOWS\system32\upnphost.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4EFB-9B51-7695ECA05670}=C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2006-10-26 11:28]
{259F616C-A300-44F5-B04A-ED001A26C85C}=C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll [2006-11-02 15:09]
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}=C:\Program Files\Yahoo!\Common\yiesrvc.dll [2006-10-31 16:29]
{72853161-30C5-4D22-B7F9-0BBC1D38A37E}=C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL [2006-10-27 00:48]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll [2006-12-15 04:23]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47]
"GoToMyPC"="C:\Program Files\Citrix\GoToMyPC\g2svc.exe" [2007-01-12 18:45]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-04-30 10:42]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2006-10-24 17:10]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-05-01 09:29]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"="C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL" [2006-10-27 00:48]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 13:55]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToMyPC]
C:\Program Files\Citrix\GoToMyPC\G2WinLogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PalStart.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\PalStart.lnk
backup=C:\WINDOWS\pss\PalStart.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aida]
"C:\PROGRA~1\STEM~1\chkdsk.exe" -vt yazb

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apqmu]
"C:\WINDOWS\system32\?icrosoft\j?vaw.exe" 99001275

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GoToMyPC]
C:\Program Files\Citrix\GoToMyPC\g2svc.exe -logon

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IpWins]
C:\Program Files\Ipwindows\ipwins.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ukii]
C:\PROGRA~1\COMMON~1\ukii\ukiim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\webHancer Agent]
C:\Program Files\webHancer\Programs\whagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{B4EA3007-069E-1033-1207-011022010001}]
"C:\Program Files\Common Files\{B4EA3007-069E-1033-1207-011022010001}\Update.exe" te-110-12-0000213

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{B4EA3007-069F-1033-1207-011022010001}]
"C:\Program Files\Common Files\{B4EA3007-069F-1033-1207-011022010001}\Update.exe" te-110-12-0000213


Contents of the 'Scheduled Tasks' folder
2007-05-24 04:57:27 C:\WINDOWS\tasks\END OF DAY.job
2007-05-24 03:44:46 C:\WINDOWS\tasks\realbackup.job
2007-05-24 16:58:34 C:\WINDOWS\tasks\XoftSpySE 2.job
2007-05-22 13:01:00 C:\WINDOWS\tasks\XoftSpySE.job

********************************************************************

catchme 0.3.681 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-24 11:57:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0


********************************************************************

Completion time: 2007-05-24 11:59:30 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-05-24 11:59

--- E O F ---


Here is the new hijackthis log....

Logfile of HijackThis v1.99.1
Scan saved at 12:03:02 PM, on 5/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Citrix\GoToMyPC\g2svc.exe
C:\Program Files\Citrix\GoToMyPC\g2comm.exe
C:\Program Files\Citrix\GoToMyPC\g2pre.exe
C:\Program Files\Citrix\GoToMyPC\g2tray.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\SolidPdfService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Belkin\F1U201.401\usbshare.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\PROGRAM FILES\HIJACKTHIS\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [GoToMyPC] C:\Program Files\Citrix\GoToMyPC\g2svc.exe -logon
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: UHaulMessenger.lnk = C:\Program Files\UHaul\UHaulMessenger\AppStart.exe
O4 - Global Startup: F1U201.401.lnk = ?
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: CDPoker - {A68FC757-51CF-4f3c-B13A-BFB8CA69BB99} - C:\Poker\CDPoker\casino.exe
O9 - Extra 'Tools' menuitem: CDPoker - {A68FC757-51CF-4f3c-B13A-BFB8CA69BB99} - C:\Poker\CDPoker\casino.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1174610496530
O16 - DPF: {E6ACF817-0A85-4EBE-9F0A-096C6488CFEA} (NTR ActiveX 1.1.8) - http://na.ntrsupport.com/inquiero/mod/setu...tivex118_24.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: GoToMyPC - C:\Program Files\Citrix\GoToMyPC\G2WinLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: GoToMyPC - Unknown owner - C:\Program Files\Citrix\GoToMyPC\g2svc.exe" -service (file missing)
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: QuickBooks Database Manager Service (QBCFMonitorService) - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: QuickBooksDB17 - iAnywhere Solutions, Inc. - C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe
O23 - Service: SolidPDFConverterReadSpool (ScReadSpool) - VoyagerSoft, LLC - C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\SolidPdfService.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)





So far no popups.

#4 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 24 May 2007 - 12:25 PM

Download/install AVG Anti-Spyware 7.5.

Please follow these instructions very carefully.

Launch/start up AVG Anti-Spyware.
On the main page click the 'Update' tab, and then 'Start Update'.
Note:
If you have any problems running the update process prior to running the scan, download/install the 'Full Database' from here:
http://download.ewido.net/avgas-signatures-full-current.exe

Once the updates have been installed, do the following:
Select the 'Scanner' icon at the top of the screen, then select the 'Settings' tab.
Once in the 'Settings' screen, under 'How to act?', then under 'Set default action for detected malware to:', click on 'Recommended actions', then click on 'Quarantine'.
Under 'Reports' select 'Automatically generate report after every scan' and unselect 'Only if threats were found'.
Exit AVG Anti-Spyware, don't run the scan just yet.

You might want to print/copy the following as you need to be in Safe Mode from here on.

Reboot your computer into SAFE MODE using the F8 method.
To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Have Hijack This fix the following [If still present], by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:

R3 - URLSearchHook: (no name) - - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)


Still in Safe Mode, launch AVG Anti-Spyware.
Click the 'Scanner' icon at the top.
To start the scan click on 'Complete System Scan'.
Please be patient, it takes a while for the scan to finish.

Once the scan is complete, do the following.
If AVG Anti-Spyware detected any infected objects, click on 'Apply All Actions'.

Next click on 'Save Report'.
Copy and paste that report into your next reply.
The report can be found under the 'Reports' tab at the top.
Close AVG Anti-Spyware when you've done.
Reboot normally.

Post the AVG Anti-Spyware report and a new HijackThis log into your next reply.
Let me know how your PC is running now please.
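The reply above asks the poster to fix only the R3/O9 entries that HijackThis reports as "(no file)" or "(file missing)", while leaving the O23 service lines that carry the same "(file missing)" tag alone. The helper below, an added example that is not part of the thread or of HijackThis itself, shows why that distinction is sound: it parses HijackThis 1.99.1 log lines, flags entries whose target no longer exists, and cross-checks any "(file missing)" service against the log's own "Running processes" list, since a binary that is currently running cannot be missing. The sample log is constructed from lines that appear in this thread; the function and verdict names are this example's own.

```python
"""Triage helper for HijackThis 1.99.1 logs (added example, not from the thread)."""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample: a trimmed HijackThis log built from lines seen in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Citrix\GoToMyPC\g2svc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe

R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [GoToMyPC] C:\Program Files\Citrix\GoToMyPC\g2svc.exe -logon
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)
"""

# A HijackThis entry line: a section code (R0..R3, O1..O24) followed by " - " and the body.
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
# Executable name immediately followed by a stray '"': HijackThis 1.99.1 leaves this
# behind when a service ImagePath is a quoted path with arguments, and then reports
# the service as "(file missing)" even though the file is present.
QUOTED_EXE_RE = re.compile(r'([^\\]+\.exe)"', re.IGNORECASE)


def split_log(text: str) -> Tuple[Set[str], List[Tuple[str, str, str]]]:
    """Return (running process basenames, [(section, body, full line), ...])."""
    running: Set[str] = set()
    entries: List[Tuple[str, str, str]] = []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower().startswith("running processes:"):
            in_processes = True
            continue
        match = ENTRY_RE.match(line)
        if match:
            in_processes = False  # first entry line ends the process list
            entries.append((match.group("section"), match.group("body"), line))
        elif in_processes:
            running.add(line.rsplit("\\", 1)[-1].lower())
    return running, entries


def classify(section: str, body: str, running: Set[str]) -> str:
    """Verdict for one entry: 'ok', 'orphaned', or 'false-positive'."""
    if "(no file)" not in body and "(file missing)" not in body:
        return "ok"
    if section == "O23":
        exe = QUOTED_EXE_RE.search(body)
        if exe and exe.group(1).lower() in running:
            # The service binary is running right now, so the tag is a parser artifact.
            return "false-positive"
    return "orphaned"


def triage(text: str) -> Dict[str, List[str]]:
    """Group every entry line of a HijackThis log by verdict."""
    running, entries = split_log(text)
    result: Dict[str, List[str]] = {"ok": [], "orphaned": [], "false-positive": []}
    for section, body, line in entries:
        result[classify(section, body, running)].append(line)
    return result


if __name__ == "__main__":
    for verdict, lines in triage(SAMPLE_LOG).items():
        print(f"== {verdict} ({len(lines)})")
        for line in lines:
            print("  " + line)
```

Run against the sample, the three entries the reply lists (the R3 hook and the two O9 buttons) come out as orphaned, the two avast!/VNC services are reported as false positives because their executables appear under "Running processes", and the remaining lines are left alone. Orphaned R3/O9 entries are dead registry references rather than active code, so removing them is housekeeping; a genuinely missing O23 service binary would be worth a closer look, which is exactly why the cross-check matters before acting on that tag.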

#5 davisfoos

davisfoos
  • Topic Starter

  • Members
  • 37 posts

Posted 24 May 2007 - 02:13 PM

Back again.


Here is the AVG Anti-Spyware Scan Report:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 2:02:59 PM 5/24/2007

+ Scan result:



C:\SDFix\backups\backups.zip/backups/core.sys -> Rootkit.Agent.eq : Cleaned.
C:\System Volume Information\_restore{DD87123B-1A1B-4A65-829C-13728083D6BF}\RP231\A0036047.sys -> Rootkit.Agent.eq : Cleaned.
C:\System Volume Information\_restore{DD87123B-1A1B-4A65-829C-13728083D6BF}\RP231\A0036056.sys -> Rootkit.Agent.eq : Cleaned.
:mozilla.329:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.38:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.587:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.668:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.676:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.784:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.845:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.856:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.922:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\davisfoos\Cookies\davisfoos@2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\davisfoos\Cookies\davisfoos@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\davisfoos\Cookies\davisfoos@riptownmedia.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.164:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Aavalue : Cleaned.
:mozilla.165:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Aavalue : Cleaned.
:mozilla.166:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Aavalue : Cleaned.
:mozilla.167:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Aavalue : Cleaned.
:mozilla.168:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Aavalue : Cleaned.
:mozilla.169:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Aavalue : Cleaned.
:mozilla.170:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Aavalue : Cleaned.
:mozilla.171:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Aavalue : Cleaned.
:mozilla.172:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Aavalue : Cleaned.
:mozilla.173:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Aavalue : Cleaned.
:mozilla.174:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Aavalue : Cleaned.
:mozilla.175:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Aavalue : Cleaned.
:mozilla.176:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Aavalue : Cleaned.
:mozilla.177:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Aavalue : Cleaned.
:mozilla.178:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Aavalue : Cleaned.
:mozilla.179:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Aavalue : Cleaned.
:mozilla.180:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Aavalue : Cleaned.
:mozilla.181:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Aavalue : Cleaned.
C:\Documents and Settings\davisfoos\Cookies\davisfoos@aavalue[1].txt -> TrackingCookie.Aavalue : Cleaned.
C:\Documents and Settings\davisfoos\Cookies\davisfoos@gatorarcade.aavalue[1].txt -> TrackingCookie.Aavalue : Cleaned.
C:\Documents and Settings\davisfoos\Cookies\davisfoos@getmusicfree.aavalue[2].txt -> TrackingCookie.Aavalue : Cleaned.
C:\Documents and Settings\davisfoos\Cookies\davisfoos@www.abcsearch[1].txt -> TrackingCookie.Abcsearch : Cleaned.
C:\Documents and Settings\davisfoos\Cookies\davisfoos@ads.adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.152:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Addynamix : Cleaned.
:mozilla.599:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned.
:mozilla.602:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned.
:mozilla.603:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned.
:mozilla.709:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned.
:mozilla.710:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned.
:mozilla.274:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Adobe : Cleaned.
:mozilla.119:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.120:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.121:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.122:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.123:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.124:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.125:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
C:\Documents and Settings\davisfoos\Cookies\davisfoos@advertising[2].txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.70:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\davisfoos\Cookies\davisfoos@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.499:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Burstbeacon : Cleaned.
C:\Documents and Settings\davisfoos\Cookies\davisfoos@www.burstbeacon[1].txt -> TrackingCookie.Burstbeacon : Cleaned.
C:\Documents and Settings\davisfoos\Cookies\davisfoos@www.burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.308:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Clickbank : Cleaned.
:mozilla.268:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Connextra : Cleaned.
:mozilla.269:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Connextra : Cleaned.
C:\Documents and Settings\davisfoos\Cookies\davisfoos@connextra[3].txt -> TrackingCookie.Connextra : Cleaned.
:mozilla.280:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Coremetrics : Cleaned.
:mozilla.548:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Coremetrics : Cleaned.
:mozilla.628:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Coremetrics : Cleaned.
:mozilla.88:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Cpvfeed : Cleaned.
:mozilla.89:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Cpvfeed : Cleaned.
:mozilla.90:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Cpvfeed : Cleaned.
:mozilla.91:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Cpvfeed : Cleaned.
C:\Documents and Settings\davisfoos\Cookies\davisfoos@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned.
:mozilla.642:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Dealtime : Cleaned.
:mozilla.33:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\davisfoos\Cookies\davisfoos@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.933:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.947:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.948:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.966:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.975:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\davisfoos\Cookies\davisfoos@e-2dj6wjk4aiajodo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\davisfoos\Cookies\davisfoos@adopt.euroclick[1].txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.160:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.161:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.162:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.163:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.937:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Fortunecity : Cleaned.
:mozilla.938:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Fortunecity : Cleaned.
:mozilla.304:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
:mozilla.203:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.204:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.205:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.214:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.218:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.219:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.263:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.795:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.796:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.85:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.86:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.87:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.940:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.944:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.959:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.965:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.968:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.797:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Information : Cleaned.
:mozilla.118:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Linkbuddies : Cleaned.
:mozilla.748:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Live : Cleaned.
:mozilla.749:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Live : Cleaned.
:mozilla.750:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Live : Cleaned.
:mozilla.265:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.266:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.267:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.609:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
C:\Documents and Settings\davisfoos\Cookies\davisfoos@server.lon.liveperson[1].txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.140:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
:mozilla.143:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
:mozilla.805:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Msn : Cleaned.
:mozilla.806:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Msn : Cleaned.
:mozilla.807:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Msn : Cleaned.
:mozilla.808:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Msn : Cleaned.
:mozilla.809:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Msn : Cleaned.
:mozilla.810:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Msn : Cleaned.
C:\Documents and Settings\davisfoos\Cookies\davisfoos@www.myaffiliateprogram[1].txt -> TrackingCookie.Myaffiliateprogram : Cleaned.
:mozilla.305:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Overture : Cleaned.
:mozilla.306:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Overture : Cleaned.
:mozilla.307:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Overture : Cleaned.
:mozilla.822:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Overture : Cleaned.
:mozilla.10:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Paypal : Cleaned.
:mozilla.191:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.192:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.109:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
:mozilla.110:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
:mozilla.111:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
:mozilla.112:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
:mozilla.113:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
:mozilla.114:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
:mozilla.115:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
:mozilla.116:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
:mozilla.117:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
:mozilla.661:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Revenue : Cleaned.
:mozilla.662:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Revenue : Cleaned.
:mozilla.714:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.715:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.716:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.717:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.718:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.719:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.720:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.721:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.722:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.963:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.964:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.593:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.595:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.598:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.605:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.607:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.654:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Sexlist : Cleaned.
:mozilla.126:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.127:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.128:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.129:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.130:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.131:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.132:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.133:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.134:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.135:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.491:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Starware : Cleaned.
:mozilla.610:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Starware : Cleaned.
:mozilla.245:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.246:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.247:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.248:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.249:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.250:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.251:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.252:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.253:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.254:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.255:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.256:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.257:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.258:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.259:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.260:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.157:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.158:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.159:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.507:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.508:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.68:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.69:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.519:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Valueclick : Cleaned.
:mozilla.740:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Valueclick : Cleaned.
:mozilla.923:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Webtrends : Cleaned.
C:\Documents and Settings\davisfoos\Cookies\davisfoos@m.webtrends[2].txt -> TrackingCookie.Webtrends : Cleaned.
C:\Documents and Settings\rental\Cookies\rental@m.webtrends[2].txt -> TrackingCookie.Webtrends : Cleaned.
:mozilla.221:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned.
:mozilla.222:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned.
:mozilla.683:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned.
:mozilla.100:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.101:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.102:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.103:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.104:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.107:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.108:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.96:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.99:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.270:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.271:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.272:C:\Documents and Settings\davisfoos\Application Data\Mozilla\Firefox\Profiles\1793wcy7.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
C:\Documents and Settings\davisfoos\Cookies\davisfoos@zedo[1].txt -> TrackingCookie.Zedo : Cleaned.
C:\System Volume Information\_restore{DD87123B-1A1B-4A65-829C-13728083D6BF}\RP231\A0036145.dll -> Trojan.Rond : Cleaned.


::Report end




Here is the new HijackThis....


Logfile of HijackThis v1.99.1
Scan saved at 2:09:49 PM, on 5/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Citrix\GoToMyPC\g2svc.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Citrix\GoToMyPC\g2comm.exe
C:\Program Files\Citrix\GoToMyPC\g2pre.exe
C:\Program Files\Citrix\GoToMyPC\g2tray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\devldr32.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\SolidPdfService.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Belkin\F1U201.401\usbshare.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\UHaul\UHaulMessenger\AppStart.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\UHaul\UHaulMessenger\1.0.1.22\UHaulMessenger.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\PROGRAM FILES\HIJACKTHIS\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [GoToMyPC] C:\Program Files\Citrix\GoToMyPC\g2svc.exe -logon
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: UHaulMessenger.lnk = C:\Program Files\UHaul\UHaulMessenger\AppStart.exe
O4 - Global Startup: F1U201.401.lnk = ?
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe (file missing)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1174610496530
O16 - DPF: {E6ACF817-0A85-4EBE-9F0A-096C6488CFEA} (NTR ActiveX 1.1.8) - http://na.ntrsupport.com/inquiero/mod/setu...tivex118_24.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: GoToMyPC - C:\Program Files\Citrix\GoToMyPC\G2WinLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: GoToMyPC - Unknown owner - C:\Program Files\Citrix\GoToMyPC\g2svc.exe" -service (file missing)
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: QuickBooks Database Manager Service (QBCFMonitorService) - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: QuickBooksDB17 - iAnywhere Solutions, Inc. - C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe
O23 - Service: SolidPDFConverterReadSpool (ScReadSpool) - VoyagerSoft, LLC - C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\SolidPdfService.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)


The computer seems to be running fine. No popups at all.

#6 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • Local time:01:26 PM

Posted 24 May 2007 - 02:59 PM

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe (file missing)
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe (file missing)

Exit Hijackthis.

**********************

Your log is clean :thumbsup:
If all's ok, please do the following:

Find and delete:
SDFix.exe
Combofix

C:\SDFix
C:\QooBox

Click on Start/All Programs/Accessories/System Tools/System Restore.
In the 'System Restore' window, click on the 'Create a Restore Point' button, then click 'Next'.
In the window that appears, enter a description\name for the Restore Point, then click on 'Create', wait, then click 'Close'.
The date and time will be created automatically.

Next click on Start/All Programs/Accessories/System Tools/Disk Cleanup.
The 'Select Drive' box will appear, click on Ok.
The 'Disk Cleanup for [C:]' box will appear, click on the 'More Options' tab.
At the bottom in the 'System Restore' window, click on the 'Clean up...' button.
A box will pop up 'Are you sure you want to delete all but the most recent restore point?', click on 'Yes'.
Click on 'Yes' at 'Are you sure you want to perform these actions?'.
Now wait until 'Disk Cleanup' finishes and the box disappears.

Read through the information found here, to help you prevent any possible future infections.
'How to prevent Malware' by miekiemoes:
http://users.telenet.be/bluepatchy/miekiem...prevention.html

Please Note:
Your version of Sun Java is out of date.
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of Sun Java, and then update.
1. Download the latest version of Java Runtime Environment (JRE)
2. Scroll down to where it says 'Java Runtime Environment (JRE) 6u1'.
3. Click the "Download" button to the right.
4. Check the box that says: "Accept License Agreement".
5. The page will refresh.
6. Click on the link to download 'Windows Offline Installation, Multi-language' and save to your desktop.
7. Close any programs you may have running - especially your web browser.
8. Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
9. Check any item with Java Runtime Environment (JRE or J2SE) in the name.
10. Click the Change/Remove button.
11. Repeat as many times as necessary to remove each Java version.
12. Reboot your computer once all Java components are removed.
13. Then from your desktop double-click on jre-6u1-windows-i586-p.exe to install the newest version.
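The two O9 entries RichieUK picks out are the ones HijackThis tags "(file missing)": a browser button still registered for a program (PalTalk, Bodog Poker) whose executable is gone, so the entry is an orphan and safe to fix. The O23 service lines in the same log carry the same tag, but those programs are plainly running in the process list (g2svc.exe, WinVNC4.exe); HijackThis 1.99.1 prints a quoted ImagePath that has arguments as `path" -args (file missing)`, a display quirk rather than a missing file. The script below is an added example, not part of this thread and not HijackThis's own code; it parses lines in the format shown above (a few are copied from the log as sample input) and separates real orphans from the quoting artifact. It assumes the 1.99.1 line layout and nothing else.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: lines copied from the HijackThis 1.99.1 log in this thread,
# chosen to cover the cases the parser distinguishes.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe (file missing)
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: GoToMyPC - Unknown owner - C:\Program Files\Citrix\GoToMyPC\g2svc.exe" -service (file missing)
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
"""

# Section code ("O9", "O23", "R1"), then the entry body, then the optional tag.
LINE_RE = re.compile(
    r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*?)(?P<missing> \(file missing\))?$"
)


@dataclass
class Entry:
    section: str
    body: str
    path: str
    file_missing: bool        # HijackThis printed "(file missing)"
    quoted_path_quirk: bool   # O23 with a stray '"' before arguments: 1.99.1 display bug


def _extract_path(body: str) -> str:
    """Heuristic: the path is the last ' - ' separated field; for the O23 quirk
    the real path ends at the stray double quote that precedes the arguments."""
    last = body.split(" - ")[-1]
    return last.split('"', 1)[0] if '"' in last else last


def parse_hjt(text: str) -> List[Entry]:
    """Parse HijackThis 1.99.1 style lines; lines that do not match are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        missing = m.group("missing") is not None
        entries.append(Entry(
            section=section,
            body=body,
            path=_extract_path(body),
            file_missing=missing,
            quoted_path_quirk=(section == "O23" and '"' in body and missing),
        ))
    return entries


def orphaned_entries(entries: List[Entry]) -> List[Entry]:
    """Entries whose target really is gone: candidates for 'Fix checked'."""
    return [e for e in entries if e.file_missing and not e.quoted_path_quirk]


def quirk_entries(entries: List[Entry]) -> List[Entry]:
    """O23 lines tagged missing only because of the quoted-ImagePath display bug."""
    return [e for e in entries if e.quoted_path_quirk]


def report(entries: List[Entry]) -> List[str]:
    lines = []
    for e in orphaned_entries(entries):
        lines.append(f"FIX CANDIDATE {e.section}: {e.path} (target no longer exists)")
    for e in quirk_entries(entries):
        lines.append(f"IGNORE        {e.section}: {e.path} ('file missing' is a quoting artifact)")
    return lines


if __name__ == "__main__":
    for line in report(parse_hjt(SAMPLE_LOG)):
        print(line)
```

Run against the full log, the script reproduces RichieUK's selection: only the two O9 buttons are reported as fix candidates, while the GoToMyPC, VNC, SQL Server and avast! service lines land in the IGNORE bucket. The rule of thumb it encodes is the one to apply by hand: a "(file missing)" tag on an O23 line whose path is also visible in the running-process list is not evidence of anything.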

#7 davisfoos

davisfoos
  • Topic Starter

  • Members
  • 37 posts
  • Local time:07:26 AM

Posted 25 May 2007 - 01:20 PM

Everything looks good. I have another computer on the same network. It's not having any popup problems right now, but I'm tempted to do a scan. Will you be able to walk me through another computer? Thanks for your help.

#8 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • Local time:01:26 PM

Posted 25 May 2007 - 02:15 PM

I have another computer on the same network. It's not having any popup problems right now, but I'm tempted to do a scan. Will you be able to walk me through another computer? Thanks for your help.

Ok then, post a Hijackthis log for that second machine then :thumbsup:

#9 davisfoos

davisfoos
  • Topic Starter

  • Members
  • 37 posts
  • Local time:07:26 AM

Posted 25 May 2007 - 02:41 PM

I have another computer on the same network. It's not having any popup problems right now, but I'm tempted to do a scan. Will you be able to walk me through another computer? Thanks for your help.

Ok then, post a Hijackthis log for that second machine then :thumbsup:



Ok. I will start a new thread.

#10 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • Local time:01:26 PM

Posted 25 May 2007 - 03:00 PM

Since your problem appears to be resolved, this thread will now be closed.
If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you.
Include the address of this thread in your request.
If you should have a new issue, please start a new topic.
This applies only to the original topic starter.
Everyone else please begin a New Topic.