
SpywareRemover Getting Annoying

#1 ·
I've been having problems with SpywareRemover trying to install itself on my computer, and I was told that posting an HJT log might help, so here goes.
I ran Spybot, Ad-aware and several virus programs (mostly ones mentioned on this site) before doing this scan, if it helps.





Logfile of HijackThis v1.99.1
Scan saved at 5:08:40 PM, on 7/28/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\WINDOWS\System32\cidaemon.exe
C:\Program Files\America Online 9.0b\waol.exe
C:\Program Files\America Online 9.0b\shellmon.exe
C:\Hijack This\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://4count.com/?a=2&b=r1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://4count.com/?a=2&b=r1
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://4count.com/?a=2&b=r1
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sandboxer.com/redirect.aspx?ID=10&MID=5JSAG5S2SGESDE4ZQF9#X39JXXNW4A7HBFG5KPNZQ8
R3 - URLSearchHook: (no name) - {965A592F-8EFA-4250-8630-7960230792F1} - (no file)
O2 - BHO: (no name) - ReadMe-BHODemon - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Shareaza Web Download Hook - {0EEDB912-C5FA-486F-8334-57288578C627} - C:\Program Files\Shareaza\Plugins\RazaWebHook.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)
O2 - BHO: IECatcher Class - {B930BA63-9E5A-11D3-A288-0000E80E2EDE} - C:\Program Files\Mass Downloader\MDHELPER.DLL (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [6d93a76c0ae0] C:\WINDOWS\System32\ASFRendr.exe
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ElbyCheckElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKCU\..\Run: [AOLCC] "C:\Program Files\AOL Computer Check-Up\ACCAgnt.exe" /startup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0b\AOL.EXE" -b
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Download with &Shareaza - res://C:\Program Files\Shareaza\Plugins\RazaWebHook.dll/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} (AOL Content Update) - http://esupport.aol.com/help/acp2/engine/aolcoach_core_1.cab
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - http://install.wildtangent.com/ActiveLauncher/ActiveLauncher.cab
O16 - DPF: {3EB4F9EA-51A6-48DA-846A-0D69DCBA39EF} (DownloadManager Control) - http://download.akamaitools.com.edgesuite.net/dlmanager/dev/code/IE_1070/DownloadManager.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.aol.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {62CE3CBC-B889-423A-9457-2FE7A731BBD8} (UpdateStart Class) - http://eng.pristontale.com/autorun/pristontale.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/FujifilmUploadClient.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.aol.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4371/mcfscan.cab
O20 - AppInit_DLLs: C:\WINDOWS\System32\resg.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
 
#2 ·
Hi and Welcome to TSF!

Please subscribe to this thread to be notified of fixes as soon as they are posted by our Team. To do this, please click the "Thread Tools" button located in the original thread line and select "Subscribe to this Thread".

Save the next instructions in notepad, because you also have to work in safe mode without networking support, so this page wouldn't be available then. You should not have any browsers on.

If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are carrying out the procedures below.

It is also important you don't miss a step and perform everything in the right order!!


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Please download these additional files/programs. Do not run them unless instructed to do so.
Unless otherwise stated, they should be stored in the same directory as the HiJackThis program.

Download CWShredder at http://www.greyknight17.com/spy/CWShredder.exe and run it. Click on 'I Agree' button if you agree. Click on 'Fix' (it will automatically fix anything it finds for you) and then click OK. If it asks if you want to delete a certain random file, choose No and post that filename here. Let it finish the scan and then hit Next and Exit.


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


REBOOT TO SAFE MODE
  1. Restart the computer. The computer begins processing a set of instructions known as BIOS.
  2. As soon as the BIOS has finished loading, begin tapping the F8 key on your keyboard.
  3. Continue to do so until the 'Windows Advanced Options' menu appears.
  4. Using the arrow keys on the keyboard, scroll to and select the menu item - Safe Mode.


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Enable the viewing of Hidden files
  1. From Windows Explorer, go to Tools>Folder Options>View tab.
  2. Enable the option for 'Show hidden files and folders'
  3. Disable the option for 'Hide file extensions for known types'
  4. Disable the option for 'Hide protected operating system files'
  5. Click Yes to confirm & then click OK

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.
  • Open Spybot Search & Destroy.
  • In the Mode menu click "Advanced mode" if not already selected.
  • Choose [Yes] at the Warning prompt.
  • Expand the [Tools] menu.
  • Click [Resident].
  • Uncheck the Resident "TeaTimer" (Protection of overall system settings) active box.
  • In the File menu click [Exit] to exit Spybot Search & Destroy.


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Run a scan with HiJackThis & select (tick) the following & click [Fix checked]:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - URLSearchHook: (no name) - {965A592F-8EFA-4250-8630-7960230792F1} - (no file)
O2 - BHO: (no name) - ReadMe-BHODemon - (no file)
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [6d93a76c0ae0] C:\WINDOWS\System32\ASFRendr.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - http://install.wildtangent.com/Acti...iveLauncher.cab
O20 - AppInit_DLLs: C:\WINDOWS\System32\resg.dll



= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Locate and delete the following file(s), if present:
  • C:\WINDOWS\System32\ASFRendr.exe
  • C:\WINDOWS\System32\resg.dll

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


REBOOT TO NORMAL MODE

Do an online scan at one of the following sites:
Take note of the names and locations of any file it detects but fails to clean.
* Turn off the real time scanner of any existing antivirus program while performing the online scan


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

In your next post, please include fresh logs from:
  1. HiJackThis
  2. Online scan
Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now.
 
#3 ·
First, when I ran CWShredder, it didn't find anything.

When I ran the HJT in safe mode "O20 - AppInit_DLLs: C:\WINDOWS\System32\resg.dll" was not found. And neither was "C:\WINDOWS\System32\resg.dll" which you asked me to delete.

Those were all the problems I had. My computer seems to be running a little faster now, but that's the only change I've seen (or tested).

The Online Scan Log is attached, and here's the new HJT log



Logfile of HijackThis v1.99.1
Scan saved at 10:41:22 AM, on 7/29/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\COMMON~1\AOL\110859~1\EE\AOLHOS~1.EXE
C:\PROGRA~1\COMMON~1\AOL\110859~1\EE\AOLServiceHost.exe
C:\Program Files\America Online 9.0b\shellmon.exe
C:\WINDOWS\System32\cidaemon.exe
C:\Hijack This\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://4count.com/?a=2&b=r1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://4count.com/?a=2&b=r1
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://4count.com/?a=2&b=r1
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sandboxer.com/redirect.aspx?ID=10&MID=5JSAG5S2SGESDE4ZQF9#X39JXXNW4A7HBFG5KPNZQ8
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Shareaza Web Download Hook - {0EEDB912-C5FA-486F-8334-57288578C627} - C:\Program Files\Shareaza\Plugins\RazaWebHook.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)
O2 - BHO: IECatcher Class - {B930BA63-9E5A-11D3-A288-0000E80E2EDE} - C:\Program Files\Mass Downloader\MDHELPER.DLL (file missing)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ElbyCheckElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKCU\..\Run: [AOLCC] "C:\Program Files\AOL Computer Check-Up\ACCAgnt.exe" /startup
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0b\AOL.EXE" -b
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Download with &Shareaza - res://C:\Program Files\Shareaza\Plugins\RazaWebHook.dll/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} (AOL Content Update) - http://esupport.aol.com/help/acp2/engine/aolcoach_core_1.cab
O16 - DPF: {3EB4F9EA-51A6-48DA-846A-0D69DCBA39EF} (DownloadManager Control) - http://download.akamaitools.com.edgesuite.net/dlmanager/dev/code/IE_1070/DownloadManager.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.aol.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {62CE3CBC-B889-423A-9457-2FE7A731BBD8} (UpdateStart Class) - http://eng.pristontale.com/autorun/pristontale.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/FujifilmUploadClient.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.aol.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4371/mcfscan.cab
O20 - AppInit_DLLs: C:\WINDOWS\System32\resg.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
 

Attachments
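
Added example, not part of the original thread: a Python check that compares the fix list from post #2 with the follow-up HijackThis log from post #3 and reports which requested entries still appear. The function names are illustrative; the embedded text is copied from the posts above, with the follow-up log excerpted.

```python
import re

# A HijackThis entry line is "<section> - <body>", e.g. "O20 - AppInit_DLLs: ...".
ENTRY_RE = re.compile(r"^\s*([A-Z]\d{1,2})\s+-\s+(.*\S)\s*$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# Fix list copied from post #2 (the O16 URL was shortened by the forum).
FIX_LIST = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - URLSearchHook: (no name) - {965A592F-8EFA-4250-8630-7960230792F1} - (no file)
O2 - BHO: (no name) - ReadMe-BHODemon - (no file)
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [6d93a76c0ae0] C:\WINDOWS\System32\ASFRendr.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - http://install.wildtangent.com/Acti...iveLauncher.cab
O20 - AppInit_DLLs: C:\WINDOWS\System32\resg.dll
"""

# Excerpt of the follow-up log from post #3 (selected lines, not the full log).
FOLLOWUP_EXCERPT = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://4count.com/?a=2&b=r1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} (AOL Content Update) - http://esupport.aol.com/help/acp2/engine/aolcoach_core_1.cab
O20 - AppInit_DLLs: C:\WINDOWS\System32\resg.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
"""


def entry_key(section, body):
    """Identity of an entry that survives forum reformatting.

    Entries carrying a CLSID are keyed on it, so a URL shortened with "..."
    still matches the full line in a log. Other entries are keyed on the
    body with case and whitespace normalised.
    """
    clsid = CLSID_RE.search(body)
    if clsid:
        return (section, clsid.group(0).upper())
    return (section, " ".join(body.split()).lower())


def parse_entries(text):
    """Map entry key -> original line; header and process-path lines are skipped."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.setdefault(entry_key(m.group(1), m.group(2)), line.strip())
    return entries


def verify_fixes(fix_list, followup_log):
    """Return (still_present, cleared) for the entries that were to be fixed."""
    after = parse_entries(followup_log)
    still_present, cleared = [], []
    for key, requested in parse_entries(fix_list).items():
        if key in after:
            still_present.append(after[key])   # quote the line as the new log shows it
        else:
            cleared.append(requested)
    return still_present, cleared


if __name__ == "__main__":
    still, cleared = verify_fixes(FIX_LIST, FOLLOWUP_EXCERPT)
    print(f"{len(cleared)} requested entries no longer appear")
    for line in still:
        print("still present:", line)
```

Run against the full follow-up log rather than the excerpt, the same comparison applies unchanged, since entries are matched by section and CLSID or normalised body.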

#4 ·
Do you have any further issues to report?

if not..

Your log is clean. Well done

Do you have any more problems with your computer? If not, you should be set to go.

However, there still remain a few bits of housekeeping ...

Reset hidden/system files and folders
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Deselect the Show hidden files and folders option.
  • Select the Hide file extensions for known types option.
  • Select the Hide protected operating system files option.
  • Click Yes to confirm.
  • Click OK.

Clear Java Cache
  1. Click Start >Settings>Control Panel
  2. Click the Java Plugin Icon
  3. Click the Cache tab
  4. Click the Clear button and click OK to confirm
Note: Please repeat this procedure for each "Java Plugin" button in your Control Panel

Follow the instructions outlined here to clear Sun Java's cache.


Create a new System Restore point
  • click Start >> Run - type SYSDM.CPL & press Enter
  • select the System Restore Tab
  • tick on the checkbox - "Turn off System Restore on all drives"
  • click Apply
  • then untick the same checkbox & click OK

Enable Windows Auto Update
  • Go to Start>Run - type wuaucpl.cpl
  • tick on the checkbox - "Keep my computer up to date"
  • Under settings, choose "Automatically download the updates, and install them on the schedule that I specify".
  • Click on "OK".

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:
  • SpywareBlaster to help prevent spyware from installing in the first place.
  • SpywareGuard to catch and block spyware before it can execute.
  • IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.

If you do not have a firewall, here are 3 free ones available for personal use:

In light of your recent hiccup, I'm sure you'd like to avoid any future infections. Please take a look at these well-written articles
Have a safe & happy computing day.

Please respond to this thread one more time so we can mark this thread as resolved.
 
#5 · (Edited)
Actually, there is one more problem. In the Add/Remove programs list there is an entry labeled SpywareRemover with no option to remove. So I opened up HJT and its uninstall manager, but it wasn't listed there.


EDIT: I just installed SpywareBlaster, and when I ran it, SpywareRemover tried to install itself. I closed it, and ran it a second time and got the same results. I think it attached itself to SpywareBlaster.
 
#6 ·
Download StartDreck http://www.greyknight17.com/spy/StartDreck.zip

Unzip to its own folder and start the program:
Press 'Config'
Press 'mark all'

Uncheck the following boxes only:
System/Running Process -> List Modules
System/Drivers -> NT Services
System/Drivers -> NT Kernel- and FS-drivers
Press 'OK'

Press 'Save' and select the location to save the log file (default is the same folder as the application)

Post the log in this thread.
 
#7 · (Edited by Moderator)
Sorry about the time it took me to respond (I didn't have access to the computer over the weekend). You never specified whether or not I should be connected to the internet at the time of running that program, so I assumed that I should. Here's the logfile (while connected; if you need the other I have it as well).


StartDreck (build 2.1.7 public stable) - 2005-08-01 @ 09:32:12 (GMT -06:00)
Platform: Windows XP (Win NT 5.1.2600 Service Pack 1)
Internet Explorer: 6.0.2800.1106
Logged in as Ricky Powell at D38QJP41

»Registry
»Run Keys
»Current User
»Run
*AOLCC="C:\Program Files\AOL Computer Check-Up\ACCAgnt.exe" /startup
*AOL Fast Start="C:\Program Files\America Online 9.0b\AOL.EXE" -b
»RunOnce
»Default User
»Run
*SSS6_Suite="C:\Program Files\Steganos Security Suite 6\sss.exe" /booting
*SSS6_SAFE="C:\Program Files\Steganos Security Suite 6\safe.exe" /booting
*SSS6_SPM="C:\Program Files\Steganos Security Suite 6\spm.exe" /booting
»RunOnce
»Local Machine
»Run
*IgfxTray=C:\WINDOWS\System32\igfxtray.exe
*IntelMeM=C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
*dla=C:\WINDOWS\system32\dla\tfswctrl.exe
*StorageGuard="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
*Dell AIO Printer A920="C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
*AOLDialer=C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
*AOL Spyware Protection="C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
*DXM6Patch_981116=C:\WINDOWS\p_981116.exe /Q:A
*Pure Networks Port Magic="C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
*MCAgentExe=c:\PROGRA~1\mcafee.com\agent\mcagent.exe
*MCUpdateExe=C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
*VirusScan Online="c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
*VSOCheckTask="c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
*QuickTime Task="C:\Program Files\QuickTime\qttask.exe" -atboottime
*ElbyCheckElbyCDFL="C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
*DAEMON Tools-1033="C:\Program Files\D-Tools\daemon.exe" -lang 1033
»RunOnce
»RunServices
»RunServicesOnce
»RunOnceEx
»RunServicesOnceEx
»File Associations (CR)
+.bat
batfile="%1" %
+.com
comfile="%1" %
+.disabled
*SpybotSD.DisabledFile="C:\Program Files\Spybot - Search & Destroy\blindman.exe" "%1"
+.exe
exefile="%1" %
+.hta
htafile=C:\WINDOWS\System32\mshta.exe "%1" %
+.htm
*aolfile_HTM=C:\PROGRA~1\AMERIC~1.0A\aol.exe "%1"
+.html
*aolfile_HTM=C:\PROGRA~1\AMERIC~1.0A\aol.exe "%1"
+.js
JSFile=%SystemRoot%\System32\WScript.exe "%1" %
+.jse
JSEFile=%SystemRoot%\System32\WScript.exe "%1" %
+.pif
piffile="%1" %
+.reg
*regfile=regedit.exe "%1"
+.scr
*scrfile="%1" /S
+.txt
*txtfile=notepad.exe %1
+.vbs
VBSFile=%SystemRoot%\System32\WScript.exe "%1" %
+.vbe
VBEFile=%SystemRoot%\System32\WScript.exe "%1" %
+.wsh
WSHFile=%SystemRoot%\System32\WScript.exe "%1" %
+.wsf
WSFFile=%SystemRoot%\System32\WScript.exe "%1" %
+.lnk
`lnkfile= [key or value does not exist]
»Active Setup (LM)
+Internet Explorer/>{26923b43-4d38-484f-9b9e-de460746276c}
*StubPath=%systemroot%\system32\shmgrate.exe OCInstallUserConfigIE
+Browser Customizations/>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS
*StubPath=RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
+Outlook Express/>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}
*StubPath=%systemroot%\system32\shmgrate.exe OCInstallUserConfigOE
+Themes Setup/{2C7339CF-2B09-4501-B3F3-F3508C9228ED}
*StubPath=%SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
+Microsoft Outlook Express 6/{44BBA840-CC51-11CF-AAFA-00AA00B6015C}
*StubPath="%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
+NetMeeting 3.01/{44BBA842-CC51-11CF-AAFA-00AA00B6015B}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
+Windows Messenger/{5945c046-1e7d-11d1-bc44-00c04fd912be}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.Install.PerUser
+Microsoft Windows Media Player/{6BF52A52-394A-11d3-B153-00C04F79FAA6}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp10.inf,PerUserStub
+Address Book 6/{7790769C-0471-11d2-AF11-00C04FA35D02}
*StubPath="%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
+Windows Desktop Update/{89820200-ECBD-11cf-8B85-00AA005B4340}
*StubPath=regsvr32.exe /s /n /i:U shell32.dll
+Internet Explorer 6/{89820200-ECBD-11cf-8B85-00AA005B4383}
*StubPath=%SystemRoot%\system32\ie4uinit.exe
+Fax/{8b15971b-5355-4c82-8c07-7e181ea07608}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.Install.PerUser
»Browser Helper Objects (LM)
*AcroIEHelper.AcroIEHlprObj.1/{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
`InprocServer32=C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
*Shareaza.RazaWebHook.1/{0EEDB912-C5FA-486F-8334-57288578C627}
`InprocServer32=C:\Program Files\Shareaza\Plugins\RazaWebHook.dll
*{53707962-6F74-2D53-2644-206D7942484F}
`InprocServer32=C:\PROGRA~1\SPYBOT~1\SDHelper.dll
*DriveLetterAccess/{5CA3D70E-1895-11CF-8E15-001234567890}
`InprocServer32=C:\WINDOWS\system32\dla\tfswshx.dll
*{A5366673-E8CA-11D3-9CD9-0090271D075B}
`InprocServer32=
*MDHelper.IECatcher.1/{B930BA63-9E5A-11D3-A288-0000E80E2EDE}
`InprocServer32=C:\Program Files\Mass Downloader\MDHELPER.DLL
»Internet Explorer
»Current User
*Default_Page_URL=Computers, Monitors & Technology Solutions | Dell USA
*Local Page=C:\WINDOWS\System32\blank.htm
*Start Page=www.gmail.com
+SearchUrl
*provider=
*SearchUrl=4Count.com is for sale | HugeDomains
»Default User
*Default_Page_URL=Computers, Monitors & Technology Solutions | Dell USA
*First Home Page=Computers, Monitors & Technology Solutions | Dell USA
*Search Bar=4Count.com is for sale | HugeDomains
*Search Page=4Count.com is for sale | HugeDomains
*Start Page=Computers, Monitors & Technology Solutions | Dell USA
*SearchAssistant=4Count.com is for sale | HugeDomains
+SearchUrl
*SearchUrl=4Count.com is for sale | HugeDomains
»Local Machine
*Default_Page_URL=Computers, Monitors & Technology Solutions | Dell USA
*Local Page=%SystemRoot%\system32\blank.htm
*Start Page=
*CustomizeSearch=Flightless fancy{SUB_RFC1766}/srchasst/srchcust.htm
*SearchAssistant=Flightless fancy{SUB_RFC1766}/srchasst/srchasst.htm
+SearchUrl
*SearchUrl=4Count.com is for sale | HugeDomains
»ShellServiceObjectDelayLoad (LM)
*PostBootReminder={7849596a-48ea-486e-8937-a2a3009f31a9}
`InprocServer32=%SystemRoot%\system32\SHELL32.dll
*CDBurn={fbeb8a05-beee-4442-804e-409d6c4515e9}
`InprocServer32=%SystemRoot%\system32\SHELL32.dll
*WebCheck={E6FB5E20-DE35-11CF-9C87-00AA005127ED}
`InprocServer32=%SystemRoot%\System32\webcheck.dll
*SysTray={35CEC8A3-2BE6-11D2-8773-92E220524153}
`InprocServer32=C:\WINDOWS\System32\stobject.dll
»Special NT Values
»Current User
*Load=
*Run=
*Programs=com exe bat pif cmd
*SHELL=
»Default User
*Load=
*Run=
*Programs=com exe bat pif cmd
*SHELL=
»Local Machine
*AppInit_DLLs=C:\WINDOWS\System32\resg.dll
*SHELL=Explorer.exe
*Userinit=C:\WINDOWS\system32\userinit.exe,
»Files
»Autostart Folders
»Current User
*C:\Documents and Settings\Ricky Powell.D38QJP41\Start Menu\Programs\Startup\DESKTOP.INI
»Default User
*C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\DESKTOP.INI
»Local Machine
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DESKTOP.INI
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
»INI-Files
»WIN.INI\[windows]
*LOAD=
*RUN=
»SYSTEM.INI\[boot]
*SHELL=Explorer.exe
»Text Files
*C:\boot.ini
`[boot loader]
`timeout=30
`default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
`[operating systems]
`multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect
*C:\msdos.sys
*C:\config.sys
*C:\WINDOWS\System32\config.nt
`dos=high, umb
`device=%SystemRoot%\system32\himem.sys
`files=40
*C:\autoexec.bat
*C:\WINDOWS\System32\autoexec.nt
`@echo off
`lh %SystemRoot%\system32\mscdexnt.exe
`lh %SystemRoot%\system32\redir
`lh %SystemRoot%\system32\dosx
`SET BLASTER=A220 I5 D1 P330 T3
*C:\WINDOWS\System32\drivers\etc\hosts
»Program Files
*C:\ntldr
*C:\ntdetect.com
*C:\io.sys
*C:\WINDOWS\System32\win.com
*C:\WINDOWS\explorer.exe
»%PATH% Companion Files
+C:\WINDOWS\System32\TASKMAN.EXE
*C:\WINDOWS\TASKMAN.EXE
+C:\WINDOWS\System32\UNWISE.EXE
*C:\WINDOWS\UNWISE.EXE
+C:\WINDOWS\System32\WINHLP32.EXE
*C:\WINDOWS\WINHLP32.EXE
»System/Drivers
»Running Processes
+0=<idle>
+4=<system>
+588=\SystemRoot\System32\smss.exe
+636=\??\C:\WINDOWS\system32\csrss.exe
+660=\??\C:\WINDOWS\system32\winlogon.exe
+708=C:\WINDOWS\system32\services.exe
+720=C:\WINDOWS\system32\lsass.exe
+932=C:\WINDOWS\system32\svchost.exe
+960=C:\WINDOWS\System32\svchost.exe
+1084=C:\WINDOWS\System32\svchost.exe
+1232=C:\WINDOWS\system32\LEXBCES.EXE
+1276=C:\WINDOWS\system32\spoolsv.exe
+1284=C:\WINDOWS\system32\LEXPPS.EXE
+1436=C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
+1456=C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
+1508=C:\WINDOWS\System32\cisvc.exe
+1548=C:\WINDOWS\system32\drivers\KodakCCS.exe
+1556=C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
+1596=c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
+1672=C:\WINDOWS\System32\svchost.exe
+1708=C:\WINDOWS\System32\wdfmgr.exe
+1792=C:\WINDOWS\wanmpsvc.exe
+1836=C:\WINDOWS\System32\MsPMSPSv.exe
+1884=C:\WINDOWS\system32\svchost.exe
+360=c:\PROGRA~1\mcafee.com\vso\mcshield.exe
+1012=C:\WINDOWS\Explorer.EXE
+1540=C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
+1604=C:\WINDOWS\system32\dla\tfswctrl.exe
+1660=C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
+1688=C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
+1668=C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
+1312=C:\PROGRA~1\mcafee.com\agent\mcagent.exe
+1988=C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
+2052=C:\Program Files\QuickTime\qttask.exe
+2060=C:\Program Files\D-Tools\daemon.exe
+2068=C:\Program Files\AOL Computer Check-Up\ACCAgnt.exe
+2088=C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
+2116=c:\progra~1\mcafee.com\vso\mcvsescn.exe
+2248=C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
+2816=C:\WINDOWS\System32\wbem\wmiprvse.exe
+3160=C:\PROGRA~1\COMMON~1\AOL\110859~1\EE\AOLHOS~1.EXE
+3284=C:\PROGRA~1\COMMON~1\AOL\110859~1\EE\AOLServiceHost.exe
+2508=C:\Documents and Settings\Ricky Powell.D38QJP41\My Documents\StartDreck\StartDreck.exe
+2532=C:\Program Files\America Online 9.0b\waol.exe
+2808=C:\Program Files\America Online 9.0b\shellmon.exe
»VMM32Files (LM)
»%System%\VMM32
»%System%\IOSUBSYS
»Application specific
»MS Office 97/8.0 STARTUP-PATH
»Current User
»Default User
»Local Machine
»ICQ NetDetect
»Current User
»Default User
 
#8 ·
Download L2mfix from one of these two locations:

http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!


Copy and paste the text below inside the quote box to notepad.
Save it to your desktop as type "all files" and name it notify.bat.


regedit /e notify.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
notify.txt
Then double-click to run it. It will generate a text file named notify.txt. Copy and paste the contents into your next reply.
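The export that notify.bat produces is a regedit 5.00 file in which REG_EXPAND_SZ values such as DllName are written as hex(2) UTF-16LE bytes, often wrapped over two lines. As an added example (not part of the thread and not L2mfix's own code), this Python parser reads such an export, decodes those values and lists the Winlogon\Notify subkeys whose DLL is not in a caller-supplied reference set. The `ExampleNotify` subkey and the reference set are assumptions made for the demonstration; the other two subkeys are copied from the export posted in this thread.

```python
import re

# First two subkeys: copied from the notify.txt posted in this thread.
# "ExampleNotify": constructed for this example (decodes to example.dll).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ExampleNotify]
"Asynchronous"=dword:00000000
"DllName"=hex(2):65,00,78,00,61,00,6d,00,70,00,6c,00,65,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ExampleLogoff"
'''

# Assumption: DLL names seen in this thread's export, used only as the
# reference set for the example. It is not an authoritative baseline.
REFERENCE_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll",
                  "igfxsrvc.dll", "wlnotify.dll", "sclgntfy.dll"}

VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
HEX_RE = re.compile(r'^hex(?:\(([0-9a-fA-F]+)\))?:(.*)$')
NOTIFY_RE = re.compile(r'\\Winlogon\\Notify\\([^\\]+)$', re.IGNORECASE)


def join_continuations(text):
    """regedit wraps long hex values with a trailing backslash; rejoin them."""
    return re.sub(r'\\\r?\n[ \t]*', '', text)


def decode_value(raw):
    """Turn the right-hand side of a .reg line into a Python value."""
    raw = raw.strip()
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        # REG_SZ: regedit escapes backslash and double quote with a backslash
        return re.sub(r'\\(["\\])', r'\1', raw[1:-1])
    if raw.startswith('dword:'):
        return int(raw[6:], 16)
    m = HEX_RE.match(raw)
    if m:
        data = bytes(int(b, 16) for b in m.group(2).split(',') if b.strip())
        kind = int(m.group(1), 16) if m.group(1) else 3  # bare "hex:" is REG_BINARY
        if kind in (1, 2):  # REG_SZ / REG_EXPAND_SZ stored as UTF-16LE
            return data.decode('utf-16-le').rstrip('\x00')
        if kind == 7:       # REG_MULTI_SZ: NUL-separated UTF-16LE strings
            return [s for s in data.decode('utf-16-le').split('\x00') if s]
        return data
    return raw


def parse_reg_export(text):
    """Return {key path: {value name: decoded value}} for a regedit 5.00 export."""
    keys, current = {}, None
    for line in join_continuations(text).splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            current = keys.setdefault(line[1:-1], {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = '@' if m.group(1) == '@' else decode_value(m.group(1))
            current[name] = decode_value(m.group(2))
    return keys


def notify_dlls(keys):
    """Map each Winlogon\\Notify subkey to its DllName (value name is case-insensitive)."""
    result = {}
    for path, values in keys.items():
        m = NOTIFY_RE.search(path)
        if m:
            dll = next((v for n, v in values.items() if n.lower() == 'dllname'), None)
            result[m.group(1)] = dll
    return result


def unexpected_packages(dlls, reference):
    """Subkeys whose DLL is missing or not exactly one of the reference names.

    The whole value is compared, so a path-qualified DLL is also reported.
    """
    ref = {name.lower() for name in reference}
    return {k: v for k, v in dlls.items()
            if not isinstance(v, str) or v.lower() not in ref}


if __name__ == '__main__':
    found = notify_dlls(parse_reg_export(SAMPLE_EXPORT))
    for subkey, dll in sorted(found.items()):
        print(f'{subkey:15} -> {dll}')
    print('review:', unexpected_packages(found, REFERENCE_DLLS))
```

A real `regedit /e` export with the "Version 5.00" header is saved as UTF-16, so read it with `open(path, encoding="utf-16")` before passing the text to `parse_reg_export`.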
 
#9 ·
Here's the L2mfix log


L2MFIX find log 1.03
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"ESB{3D97A67C-9551-4104-B187-ABDC96728421}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{DEE12703-6333-4D4E-8F34-738C4DCC2E04}"="RecordNow! SendToExt"
"{5CA3D70E-1895-11CF-8E15-001234567890}"="DriveLetterAccess"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{2F860D81-AF3C-11D4-BDB3-00E0987D8540}"="UltimateZip Shell Extension"
"{2F860D82-AF3C-11D4-BDB3-00E0987D8540}"="UltimateZip Drag Drop Handler"
"{AB77609F-2178-4E6F-9C4B-44AC179D937A}"="aý Context Menu Shell Extension"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{FED7043D-346A-414D-ACD7-550D052499A7}"="dBpowerAMP Music Converter 1"
"{2C49B5D0-ACE7-4D17-9DF0-A254A6C5A0C5}"="dBpowerAMP Music Converter"
"{330417E8-EF62-4047-82BE-D8305CEFF572}"="AMEncShlExt extension"
"{B988C8B2-373B-11CF-B6E0-00AA00BBBA9E}"="ICCompPropPage"
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
"{acb4a560-3606-11d3-aef4-00104bd0f92d}"="KodakShellExtension"

**********************************************************************************
HKEY ROOT CLASSIDS:
**********************************************************************************
Files Found are not all bad files:

No matches found.
Locate .tmp files:

C:\WINDOWS\SYSTEM32\
tempimg.tmp Thu Jul 28 2005 4:05:50p A.... 3,126 3.05 K

1 item found: 1 file, 0 directories.
Total of file sizes: 3,126 bytes 3.05 K
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is 74F7-81A5

Directory of C:\WINDOWS\System32

07/28/2005 04:13 PM <DIR> DLLCACHE
07/28/2005 03:36 PM 6,144 access.ctl
06/14/2005 05:45 PM 0 tnuoccAelbuoDuM.dat
06/14/2005 05:35 PM 32 tnuoccAelbuoDuM.le
01/12/2005 06:45 PM <DIR> Microsoft
12/07/2004 04:57 PM 10,022 KGyGaAvL.sys
10/20/2004 02:53 PM 512 GnsDj.b90
5 File(s) 16,710 bytes
2 Dir(s) 110,174,613,504 bytes free




And Here's the notify.txt


Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
 
#10 · (Edited)
Ok...let's try this...

Download KillBox http://www.bleepingcomputer.com/files/spyware/KillBox.zip

Now...In normal windows run hijackthis and fix the following entries..

R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://4count.com/?a=2&b=r1
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://4count.com/?a=2&b=r1
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://4count.com/?a=2&b=r1
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sandboxer.com/redirect.a...W4A7HBFG5KPNZQ8
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)
O20 - AppInit_DLLs: C:\WINDOWS\System32\resg.dll


Run KILL box. Paste the following locations into KILL BOX one at a time. Checkmark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click YES

C:\WINDOWS\System32\resg.dll

Once you reboot.....

Please run an online scan at http://www.pandasoftware.com/activescan/com/activescan_principal.htm
Select the “Autofix/Clean” option and save the activescan log. Then post that log in your next post along with a new hijackthis log.

*Note*

SpywareRemover............. This is a rogue and suspect program but as far as I know doesn't "Stealth" install or prevent you from removing it. You could try the Windows installer clean up utility, as it may be just Windows installer that has got an issue. That program is pretty much garbage so it may be poorly installed...so that windows can't uninstall it correctly.

http://support.microsoft.com/default.aspx?scid=kb;en-us;290301
 
#11 ·
Ok, when I ran the scan at Panda I didn't see an Autofix/Clean option. But here's the log.



Incident Status Location

Adware:adware/iedriver No disinfected C:\WINDOWS\SYSTEM32\ATMPVCNO.exe
Adware:adware/virtualbouncer No disinfected C:\WINDOWS\SYSTEM32\INNERVBINSTALL.LOG
Adware:adware/startpage.aao No disinfected C:\WINDOWS\SYSTEM32\memtest32.sys
Adware:adware/powersearch No disinfected C:\WINDOWS\SYSTEM32\stlb2.xml
Adware:adware/statblaster No disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\WildApp.inf
Adware:adware/comet No disinfected C:\WINDOWS\INF\dm.inf
Spyware:spyware/bargainbuddy No disinfected C:\WINDOWS\bargain3.exe
Adware:adware/ieplugin No disinfected C:\WINDOWS\rgrt.exe
Adware:adware/twain-tech No disinfected C:\WINDOWS\smdat32m.sys
Adware:adware/startpage.ccm No disinfected C:\WINDOWS\win32.dat
Adware:adware/apropos No disinfected C:\PROGRAM FILES\CxtPls
Spyware:spyware/cydoor No disinfected C:\WINDOWS\SYSTEM32\AdCache
Adware:adware/wintools No disinfected Windows Registry
Dialer:Dialer.BEW No disinfected C:\Documents and Settings\don powell\Local Settings\Temporary Internet Files\Content.IE5\4FHF2E7T\fr[1].htm
Adware:Adware/nCase No disinfected C:\Documents and Settings\don powell\Local Settings\Temporary Internet Files\Content.IE5\4VF3YWT5\prompt_ie_win[1].js
Adware:Adware/WUpd No disinfected C:\Documents and Settings\don powell\Local Settings\Temporary Internet Files\Content.IE5\55V4PIHF\restore[1].htm
Dialer:Dialer.BEW No disinfected C:\Documents and Settings\don powell\Local Settings\Temporary Internet Files\Content.IE5\LW8FHLKD\fr[1].htm
Adware:Adware/nCase No disinfected C:\Documents and Settings\don powell\Local Settings\Temporary Internet Files\Content.IE5\Q18F6X25\init[1].js
Adware:Adware/CWS.Aboutblank No disinfected C:\Documents and Settings\don powell\Local Settings\Temporary Internet Files\Content.IE5\UFMZEDUF\m[1].bin
Adware:Adware/WUpd No disinfected C:\Documents and Settings\felicia powell\Local Settings\Temporary Internet Files\Content.IE5\WHQFWXIN\lifegoeson[1].htm
Spyware:Spyware/BargainBuddy No disinfected C:\Documents and Settings\Ricky Powell.D38QJP41\Local Settings\Temporary Internet Files\Content.IE5\GHIJKLIN\marketing48[1].htm
Spyware:Spyware/BargainBuddy No disinfected C:\Documents and Settings\Ricky Powell.D38QJP41\Local Settings\Temporary Internet Files\Content.IE5\OPQRSTUV\marketing61[1].htm
Hacktool:Hacktool/Processor No disinfected C:\Hijack This\l2mfix\Process.exe
Hacktool:Hacktool/Processor No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000263.exe[Process.exe]
Hacktool:Hacktool/Processor No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000268.exe
Hacktool:Hacktool/Processor No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000378.exe[Process.exe]
Adware:Adware Program No disinfected C:\WINDOWS\Downloaded Program Files\WildApp.inf
Spyware:Spyware/UrlSpy No disinfected C:\WINDOWS\SYSTEM32\ADSNT658.exe
Adware:Adware/IEDriver No disinfected C:\WINDOWS\SYSTEM32\ATMPVCNO.exe
Spyware:Spyware/UrlSpy No disinfected C:\WINDOWS\SYSTEM32\BROWSEWM.exe
Hacktool:Hacktool/Processor No disinfected C:\WINDOWS\SYSTEM32\Process.exe

And here's the new HJT log


Logfile of HijackThis v1.99.1
Scan saved at 11:22:40 AM, on 8/3/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\AOL Computer Check-Up\ACCAgnt.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\PROGRA~1\COMMON~1\AOL\110859~1\EE\AOLHOS~1.EXE
C:\PROGRA~1\COMMON~1\AOL\110859~1\EE\AOLServiceHost.exe
C:\WINDOWS\System32\cidaemon.exe
C:\Hijack This\HijackThis.exe
C:\Program Files\America Online 9.0b\waol.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.gmail.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Shareaza Web Download Hook - {0EEDB912-C5FA-486F-8334-57288578C627} - C:\Program Files\Shareaza\Plugins\RazaWebHook.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: IECatcher Class - {B930BA63-9E5A-11D3-A288-0000E80E2EDE} - C:\Program Files\Mass Downloader\MDHELPER.DLL (file missing)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ElbyCheckElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [AOLCC] "C:\Program Files\AOL Computer Check-Up\ACCAgnt.exe" /startup
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0b\AOL.EXE" -b
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Download with &Shareaza - res://C:\Program Files\Shareaza\Plugins\RazaWebHook.dll/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} (AOL Content Update) - http://esupport.aol.com/help/acp2/engine/aolcoach_core_1.cab
O16 - DPF: {3EB4F9EA-51A6-48DA-846A-0D69DCBA39EF} (DownloadManager Control) - http://download.akamaitools.com.edgesuite.net/dlmanager/dev/code/IE_1070/DownloadManager.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.aol.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {62CE3CBC-B889-423A-9457-2FE7A731BBD8} (UpdateStart Class) - http://eng.pristontale.com/autorun/pristontale.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/FujifilmUploadClient.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.aol.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4371/mcfscan.cab
O20 - AppInit_DLLs: C:\WINDOWS\System32\resg.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
 
#12 ·
Ok, when I ran the scan at Panda I didn't see an Autofix/Clean option. But here's the log.
Look closer... it's there. Too many entries to remove manually...


Please download Trend Micro™ Anti-Spyware for the Web Utility (by clicking the "Scan and Clean your PC" button).
  • Save it to your desktop.
  • Double-click the new icon on your desktop (tmas-web-scan.exe)
  • It will say "Loading TrendMicro definitions".
  • Once the definitions are loaded, the program will appear to close then re-open.
  • Click "Start Scan"
  • After it's done scanning, click "Scan Results"
  • Make sure all items found have a check next to them, then click "Clean Threats Now".
  • Click Exit.

Reboot your computer. In place of the TrendMicro icon will be a text file called "Antispyware.log", please double-click that log and copy the entire contents and paste them here.

I then need you to repeat the same procedure above again... using the TrendMicro tool. I need the log from the second scan/clean...NOT the first...as this will contain what’s left in the system.
 
#13 · (Edited)
Basically, you want me to include both logfiles here, even though you only need the second. Well, here ya go. Oh, the Windows Installer Clean-up Utility did fix the SpywareRemover Problem, thnx.

First Scan

Started Scanning
Internet Cookies
Found 'atwola.com' in 'Internet Explorer Cache'
Found 'adknowledge.com' in 'Internet Explorer Cache'
Found 'trafficmp.com' in 'Internet Explorer Cache'
Found 'burstnet.com' in 'Internet Explorer Cache'
Found 'exitexchange.com' in 'Internet Explorer Cache'
Found 'ad.yieldmanager.com' in 'Internet Explorer Cache'
Found '2o7.net' in 'Internet Explorer Cache'
Found 'edge.ru4.com' in 'Internet Explorer Cache'
Found 'about.com' in 'Internet Explorer Cache'
Found 'server.iad.liveperson.net' in 'Internet Explorer Cache'
Found 'maxserving.com' in 'Internet Explorer Cache'
Found 'dist.belnk.com' in 'Internet Explorer Cache'
Found 'server.iad.liveperson.net' in 'Internet Explorer Cache'
Found 'belnk.com' in 'Internet Explorer Cache'
Found 'www.burstbeacon.com' in 'Internet Explorer Cache'
Found 'com.com' in 'Internet Explorer Cache'
Found 'tribalfusion.com' in 'Internet Explorer Cache'
Programs in Memory
Windows Registry
Found '' in 'SOFTWARE\Morpheus'
Found '' in 'Software\KaZaA\CloudLoad'
Found '' in 'Software\KaZaA\ConnectionInfo'
Found '' in 'Software\KaZaA\LocalContent'
Found '' in 'SOFTWARE\Classes\ed2k'
Found '' in 'SOFTWARE\Classes\ed2k\DefaultIcon'
Found '' in 'SOFTWARE\Classes\ed2k\shell\open\command'
Found '' in 'SOFTWARE\Classes\CLSID\{F02C0AE1-D796-42C9-81E1-084D88F79B8E}'
Found '' in 'SOFTWARE\Classes\CLSID\{F02C0AE1-D796-42C9-81E1-084D88F79B8E}\InProcServer32'
Found '' in 'SOFTWARE\Classes\CLSID\{F02C0AE1-D796-42C9-81E1-084D88F79B8E}\ProgID'
Found '' in 'SOFTWARE\Classes\GnucDNA.Core'
Found '' in 'SOFTWARE\Classes\GnucDNA.Core\CLSID'
Found '' in 'Software\Kazaa'
Found '' in 'SOFTWARE\Kazaa\Bandwidth\in'
Found '' in 'SOFTWARE\Kazaa\Bandwidth\LastEstimate'
Found '' in 'SOFTWARE\Kazaa\Bandwidth\out'
Found '' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\D:\InstallShield\Kazaa\kazaa.exe'
Found '' in 'SOFTWARE\Altnet'
Found '' in 'SOFTWARE\Altnet\Dashboard'
Found '' in 'SOFTWARE\Classes\Morpheus.File\DefaultIcon'
Found '' in 'SOFTWARE\Classes\Morpheus.File\shell\open\command'
Found '' in 'SOFTWARE\Magnet'
Found '' in 'SOFTWARE\PerfectNav'
Found '' in 'SOFTWARE\Classes\magnet'
Found '' in 'SOFTWARE\Classes\magnet\shell\open\command'
Found '' in 'SOFTWARE\Classes\AppID\DMServer.EXE'
Found '' in 'SOFTWARE\Classes\AppID\{C630FBBF-E340-49DF-B4CB-06FB9EE34BB6}'
Found '' in 'SOFTWARE\Classes\AppID\DeskBandSearch.DLL'
Found '' in 'SOFTWARE\Classes\CLSID\{2AE38A2D-371B-42F3-B803-9F6D669A411B}'
Found '' in 'SOFTWARE\Classes\TypeLib\{DD95F7E2-D1E5-4572-8D89-11FDE5F68C30}\1.0'
Found '' in 'SOFTWARE\Classes\TypeLib\{DD95F7E2-D1E5-4572-8D89-11FDE5F68C30}\1.0\0\win32'
Found '' in 'SOFTWARE\Classes\TypeLib\{DD95F7E2-D1E5-4572-8D89-11FDE5F68C30}\1.0\FLAGS'
Found '' in 'SOFTWARE\Classes\TypeLib\{DD95F7E2-D1E5-4572-8D89-11FDE5F68C30}\1.0\HELPDIR'
Found 'PMversion' in 'SOFTWARE\Altnet\Dashboard'
Found 'URL Protocol' in 'SOFTWARE\Classes\magnet'
Found 'b' in 'SOFTWARE\Kazaa\Bandwidth\LastEstimate'
Found 'b0' in 'SOFTWARE\Kazaa\Bandwidth\in'
Found 'b0' in 'SOFTWARE\Kazaa\Bandwidth\out'
Found 'b0seconds' in 'SOFTWARE\Kazaa\Bandwidth\in'
Found 'b0seconds' in 'SOFTWARE\Kazaa\Bandwidth\out'
Found 'b1' in 'SOFTWARE\Kazaa\Bandwidth\in'
Found 'b1' in 'SOFTWARE\Kazaa\Bandwidth\out'
Found 'DatabaseDir' in 'SOFTWARE\Kazaa\LocalContent'
Found 'DownloadDir' in 'SOFTWARE\Kazaa\LocalContent'
Found 'FirewallStatus' in 'SOFTWARE\Kazaa'
Found 'ListenPort' in 'SOFTWARE\Kazaa'
Found 'my_ip_address' in 'SOFTWARE\Kazaa'
Found 'network_config' in 'SOFTWARE\Kazaa'
Found 'Tmp' in 'SOFTWARE\Kazaa'
Found 'UDP_probe_successes' in 'SOFTWARE\Kazaa'
Found 'UDP_receive_status' in 'SOFTWARE\Kazaa'
Found 'time' in 'SOFTWARE\Kazaa\Bandwidth\LastEstimate'
Found 'ShareDir' in 'SOFTWARE\Kazaa\CloudLoad'
Found 'KazaaNet' in 'SOFTWARE\Kazaa\ConnectionInfo'
Found 'UID' in 'SOFTWARE\PerfectNav'
Found '' in 'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC'
Found '' in 'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC\0000'
Found '' in 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range1'
Found '' in 'SOFTWARE\Classes\Interface\{BE45F056-E005-437B-BE88-23ACF70B0B6A}'
Found '' in 'SOFTWARE\Classes\Interface\{A916AF3C-976D-4358-8736-95BEA0B5FD2C}'
Found '' in 'SOFTWARE\Desktop'
Found '' in 'Interface\{851F86C9-D3CC-4574-93F5-40E2D65159E4}'
Found '' in 'SOFTWARE\Classes\Interface\{851F86C9-D3CC-4574-93F5-40E2D65159E4}'
Internet URL Shortcuts
Files and Directories
Found '' in 'C:\Program Files\CxtPls'
Found 'UninstallLib.exe' in 'C:\Program Files\FlashGet'
Found 'WildApp.inf' in 'C:\WINDOWS\Downloaded Program Files'
Found 'GPInstall.exe' in 'C:\WINDOWS'
Found 'ASFERROR.exe' in 'C:\WINDOWS\SYSTEM32'
Found 'GnucDNA.dll' in 'C:\WINDOWS\SYSTEM32'
Found 'wintsu.exe' in 'C:\WINDOWS\SYSTEM32'
Finished Scanning
Started Backup
Unable to create the registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC\0000 for restore. [SCANMODS] Error=5.
Unable to backup the item 'C:\Program Files\CxtPls\ace.dll'. [SCANMODS] FCIAddFile failed. FCI Error=1, 'File not found'.
Unable to backup the item 'C:\Program Files\CxtPls\atl.dll'. [SCANMODS] FCIAddFile failed. FCI Error=1, 'File not found'.
Unable to backup the item 'C:\Program Files\CxtPls\CxtPls.dll'. [SCANMODS] FCIAddFile failed. FCI Error=1, 'File not found'.
Unable to backup the item 'C:\Program Files\CxtPls\CxtPls.exe'. [SCANMODS] FCIAddFile failed. FCI Error=1, 'File not found'.
Unable to backup the item 'C:\Program Files\CxtPls\data.bin'. [SCANMODS] FCIAddFile failed. FCI Error=1, 'File not found'.
Unable to backup the item 'C:\Program Files\CxtPls\libexpat.dll'. [SCANMODS] FCIAddFile failed. FCI Error=1, 'File not found'.
Unable to backup the item 'C:\Program Files\CxtPls\ProxyStub.dll'. [SCANMODS] FCIAddFile failed. FCI Error=1, 'File not found'.
Unable to backup the item 'C:\Program Files\CxtPls\uninstaller.exe'. [SCANMODS] FCIAddFile failed. FCI Error=1, 'File not found'.
Unable to backup the item 'C:\Program Files\CxtPls\WinGenerics.dll'. [SCANMODS] FCIAddFile failed. FCI Error=1, 'File not found'.
Finished Backup
Started Cleaning
[SCANMODS] WARNING: Unable to remove registry keys under 'HKLM\'SOFTWARE\Altnet'. Error=5.
[SCANMODS] WARNING: Unable to remove registry keys under 'HKLM\'SOFTWARE\Altnet\Dashboard'. Error=5.
[SCANMODS] WARNING: Unable to remove registry keys under 'HKLM\'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC'. Error=5.
[SCANMODS] WARNING: Unable to remove registry keys under 'HKLM\'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC\0000'. Error=5.
Checking for 'C:\Program Files\CxtPls' in shortcut areas.
Checking for 'C:\Program Files\CxtPls' in startup areas.
Cleaning 'C:\Program Files\CxtPls'
Checking for 'C:\Program Files\CxtPls\data.bin' in shortcut areas.
Checking for 'C:\Program Files\CxtPls\data.bin' in startup areas.
Cleaning 'C:\Program Files\CxtPls\data.bin'
[SCANMODS] WARNING: Deletion of the file 'C:\Program Files\CxtPls' requires a reboot.
Checking for 'C:\Program Files\FlashGet\UninstallLib.exe' in shortcut areas.
Checking for 'C:\Program Files\FlashGet\UninstallLib.exe' in startup areas.
Cleaning 'C:\Program Files\FlashGet\UninstallLib.exe'
Checking for 'C:\WINDOWS\Downloaded Program Files\WildApp.inf' in shortcut areas.
Checking for 'C:\WINDOWS\Downloaded Program Files\WildApp.inf' in startup areas.
Cleaning 'C:\WINDOWS\Downloaded Program Files\WildApp.inf'
Checking for 'C:\WINDOWS\GPInstall.exe' in shortcut areas.
Checking for 'C:\WINDOWS\GPInstall.exe' in startup areas.
Cleaning 'C:\WINDOWS\GPInstall.exe'
Checking for 'C:\WINDOWS\SYSTEM32\ASFERROR.exe' in shortcut areas.
Checking for 'C:\WINDOWS\SYSTEM32\ASFERROR.exe' in startup areas.
Cleaning 'C:\WINDOWS\SYSTEM32\ASFERROR.exe'
Checking for 'C:\WINDOWS\SYSTEM32\GnucDNA.dll' in shortcut areas.
Checking for 'C:\WINDOWS\SYSTEM32\GnucDNA.dll' in startup areas.
Cleaning 'C:\WINDOWS\SYSTEM32\GnucDNA.dll'
Checking for 'C:\WINDOWS\SYSTEM32\wintsu.exe' in shortcut areas.
Checking for 'C:\WINDOWS\SYSTEM32\wintsu.exe' in startup areas.
Cleaning 'C:\WINDOWS\SYSTEM32\wintsu.exe'
Finished Cleaning

Second Scan

Started Scanning
Internet Cookies
Programs in Memory
Windows Registry
Found '' in 'SOFTWARE\Altnet'
Found '' in 'SOFTWARE\Altnet\Dashboard'
Found '' in 'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC'
Found '' in 'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC\0000'
Internet URL Shortcuts
Files and Directories
Found '' in 'C:\Program Files\CxtPls'
Finished Scanning
Started Backup
Unable to create the registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC\0000 for restore. [SCANMODS] Error=5.
Unable to backup the item 'C:\Program Files\CxtPls\ace.dll'. [SCANMODS] FCIAddFile failed. FCI Error=1, 'File not found'.
Unable to backup the item 'C:\Program Files\CxtPls\atl.dll'. [SCANMODS] FCIAddFile failed. FCI Error=1, 'File not found'.
Unable to backup the item 'C:\Program Files\CxtPls\CxtPls.dll'. [SCANMODS] FCIAddFile failed. FCI Error=1, 'File not found'.
Unable to backup the item 'C:\Program Files\CxtPls\CxtPls.exe'. [SCANMODS] FCIAddFile failed. FCI Error=1, 'File not found'.
Unable to backup the item 'C:\Program Files\CxtPls\libexpat.dll'. [SCANMODS] FCIAddFile failed. FCI Error=1, 'File not found'.
Unable to backup the item 'C:\Program Files\CxtPls\ProxyStub.dll'. [SCANMODS] FCIAddFile failed. FCI Error=1, 'File not found'.
Unable to backup the item 'C:\Program Files\CxtPls\uninstaller.exe'. [SCANMODS] FCIAddFile failed. FCI Error=1, 'File not found'.
Unable to backup the item 'C:\Program Files\CxtPls\WinGenerics.dll'. [SCANMODS] FCIAddFile failed. FCI Error=1, 'File not found'.
Finished Backup
Started Cleaning
[SCANMODS] WARNING: Unable to remove registry keys under 'HKLM\'SOFTWARE\Altnet'. Error=5.
[SCANMODS] WARNING: Unable to remove registry keys under 'HKLM\'SOFTWARE\Altnet\Dashboard'. Error=5.
[SCANMODS] WARNING: Unable to remove registry keys under 'HKLM\'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC'. Error=5.
[SCANMODS] WARNING: Unable to remove registry keys under 'HKLM\'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC\0000'. Error=5.
Checking for 'C:\Program Files\CxtPls' in shortcut areas.
Checking for 'C:\Program Files\CxtPls' in startup areas.
Cleaning 'C:\Program Files\CxtPls'
[SCANMODS] WARNING: Deletion of the file 'C:\Program Files\CxtPls' requires a reboot.
Finished Cleaning
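
The second Antispyware.log matters because anything reported in both runs is what the tool could not remove. The following is an added example, not part of the thread or of the Trend Micro tool: it diffs two such logs and attaches the logged failure to each surviving item. The sample logs are constructed from lines in the post above, and reading Error=5 as the Win32 access-denied code is an assumption.

```python
import re

# Section headings as they appear in the Antispyware.log excerpts above.
SECTIONS = {"Internet Cookies", "Programs in Memory", "Windows Registry",
            "Internet URL Shortcuts", "Files and Directories"}
FOUND_RE = re.compile(r"^Found '(?P<name>[^']*)' in '(?P<where>.*)'$")
REG_FAIL_RE = re.compile(
    r"Unable to remove registry keys under 'HKLM\\'(?P<key>.*)'\. Error=(?P<code>\d+)\.")
REBOOT_RE = re.compile(r"Deletion of the file '(?P<path>.*)' requires a reboot\.")
# Assumption: the tool reports Win32 error codes; 5 is ERROR_ACCESS_DENIED.
WIN32_ERRORS = {5: "ERROR_ACCESS_DENIED"}

# Constructed, shortened samples in the format of the two logs posted above.
FIRST_SCAN = r"""Started Scanning
Windows Registry
Found '' in 'SOFTWARE\Altnet'
Found '' in 'SOFTWARE\Altnet\Dashboard'
Found 'ListenPort' in 'SOFTWARE\Kazaa'
Files and Directories
Found '' in 'C:\Program Files\CxtPls'
Found 'wintsu.exe' in 'C:\WINDOWS\SYSTEM32'
Finished Scanning
Started Cleaning
[SCANMODS] WARNING: Unable to remove registry keys under 'HKLM\'SOFTWARE\Altnet'. Error=5.
[SCANMODS] WARNING: Deletion of the file 'C:\Program Files\CxtPls' requires a reboot.
Finished Cleaning
"""

SECOND_SCAN = r"""Started Scanning
Windows Registry
Found '' in 'SOFTWARE\Altnet'
Found '' in 'SOFTWARE\Altnet\Dashboard'
Files and Directories
Found '' in 'C:\Program Files\CxtPls'
Finished Scanning
Started Cleaning
[SCANMODS] WARNING: Unable to remove registry keys under 'HKLM\'SOFTWARE\Altnet'. Error=5.
[SCANMODS] WARNING: Unable to remove registry keys under 'HKLM\'SOFTWARE\Altnet\Dashboard'. Error=5.
[SCANMODS] WARNING: Deletion of the file 'C:\Program Files\CxtPls' requires a reboot.
Finished Cleaning
"""


def parse_findings(log):
    """Return the set of (section, location, item name) tuples a scan reported."""
    findings, section = set(), None
    for line in log.splitlines():
        line = line.strip()
        if line in SECTIONS:
            section = line
            continue
        m = FOUND_RE.match(line)
        if m and section:
            findings.add((section, m["where"], m["name"]))
    return findings


def parse_failures(log):
    """Map each target the cleaner could not remove to the reason it logged."""
    failures = {}
    for line in log.splitlines():
        m = REG_FAIL_RE.search(line)
        if m:
            code = int(m["code"])
            reason = WIN32_ERRORS.get(code, f"error {code}")
            failures[m["key"].lower()] = "registry delete failed: " + reason
            continue
        m = REBOOT_RE.search(line)
        if m:
            failures[m["path"].lower()] = "file delete pending reboot"
    return failures


def triage(first_log, second_log):
    """Split findings into cleaned, persistent (with failure reason) and new."""
    first, second = parse_findings(first_log), parse_findings(second_log)
    failures = parse_failures(second_log)
    persistent = []
    for section, where, name in sorted(first & second):
        target = where if not name else where + "\\" + name
        reason = failures.get(target.lower(), "no failure logged")
        persistent.append((section, target, reason))
    return {"cleaned": sorted(first - second),
            "persistent": persistent,
            "new": sorted(second - first)}


if __name__ == "__main__":
    report = triage(FIRST_SCAN, SECOND_SCAN)
    for section, target, reason in report["persistent"]:
        print(f"{section}: {target} -> {reason}")
```

Items that persist with an access-denied reason point at key permissions rather than a running process, which is why they are left for manual removal.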
 
#14 ·
Download and install CleanUp! but do not run it yet.

*NOTE* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups.

Download, install, and update Ewido Security Suite
  • Install ewido security suite
  • Launch ewido, there should be a big E icon on your desktop, double-click it.
  • The program will prompt you to update; click the OK button
  • The program will now go to the main screen
You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Click on Start
The update will start and a progress bar will show the updates being installed.
After the updates are installed, exit Ewido

Reboot into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.

Run Ewido:
  • Click [Scanner]
  • Click [Complete System Scan] to begin scanning.
  • Click [OK] when prompted to clean files
  • With the first file it prompts to clean, select the option - "Perform action on all infections" - & choose clean and click [OK].
  • Once finished, click the [Save report] button
  • Save the report to your desktop
Close Ewido

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
    [X]Scan local drives for temporary files (Please uncheck this option)
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program. Reboot/logoff when prompted.

Once back to normal Windows....

Run another Panda scan (look for the AutoFix/Clean Option) and post that log along with another hijackthis log and the log from the Ewido scan. We can then remove the rest manually..

So I need...

Ewido log
Panda Scan log
Hijackthis log
 
#15 ·
I searched everywhere for the AutoFix/Clean option, but still didn't find it, so I checked the FAQ, and found this:
"Panda ActiveScan automatically disinfects the infected files. This will be carried out in the background, without you having to do anything else"
Here's the log of it.


Incident Status Location

Hacktool:Hacktool/Processor No disinfected C:\Hijack This\l2mfix\Process.exe
Hacktool:Hacktool/Processor No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000263.exe[Process.exe]
Hacktool:Hacktool/Processor No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000268.exe
Hacktool:Hacktool/Processor No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000378.exe[Process.exe]
Possible Virus. No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP6\A0001220.dll
Spyware:Spyware/UrlSpy No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP6\A0001545.exe
Spyware:Spyware/UrlSpy No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP6\A0001546.exe
Spyware:spyware/bargainbuddy No disinfected C:\WINDOWS\bargain3.exe
Adware:adware/comet No disinfected C:\WINDOWS\INF\dm.inf
Adware:adware/ieplugin No disinfected C:\WINDOWS\rgrt.exe
Adware:adware/twain-tech No disinfected C:\WINDOWS\smdat32m.sys
Adware:Adware/IEDriver No disinfected C:\WINDOWS\SYSTEM32\ATMPVCNO.exe
Adware:adware/virtualbouncer No disinfected C:\WINDOWS\SYSTEM32\INNERVBINSTALL.LOG
Adware:adware/startpage.aao No disinfected C:\WINDOWS\SYSTEM32\memtest32.sys
Hacktool:Hacktool/Processor No disinfected C:\WINDOWS\SYSTEM32\Process.exe
Adware:adware/powersearch No disinfected C:\WINDOWS\SYSTEM32\stlb2.xml
Adware:adware/startpage.ccm No disinfected C:\WINDOWS\win32.dat



Here's the ewido log

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 1:13:32 PM, 8/8/2005
+ Report-Checksum: B12DE8B6

+ Scan result:

HKLM\SOFTWARE\Altnet -> Spyware.Altnet : Error during cleaning
HKLM\SOFTWARE\Altnet\Dashboard -> Spyware.Altnet : Error during cleaning
HKLM\SOFTWARE\Altnet\Dashboard\Settings -> Spyware.Altnet : Error during cleaning
HKLM\SOFTWARE\Classes\CLSID\{69135BDE-5FDC-4B61-98AA-82AD2091BCCC} -> Spyware.IEPlugin : Error during cleaning
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Bargain Buddy -> Spyware.BargainBuddy : Cleaned with backup
C:\WINDOWS\SYSTEM32\ADSNT658.exe -> Spyware.UrlSpy : Cleaned with backup
C:\WINDOWS\SYSTEM32\BROWSEWM.exe -> Spyware.UrlSpy : Cleaned with backup


::Report End





And the new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 3:12:19 PM, on 8/8/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\QuickTime\qttask.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\AOL Computer Check-Up\ACCAgnt.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\System32\cidaemon.exe
C:\Hijack This\HijackThis.exe
C:\Program Files\America Online 9.0b\waol.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: (no name) - ReadMe-BHODemon - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Shareaza Web Download Hook - {0EEDB912-C5FA-486F-8334-57288578C627} - C:\Program Files\Shareaza\Plugins\RazaWebHook.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)
O2 - BHO: IECatcher Class - {B930BA63-9E5A-11D3-A288-0000E80E2EDE} - C:\Program Files\Mass Downloader\MDHELPER.DLL (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ElbyCheckElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [AOLCC] "C:\Program Files\AOL Computer Check-Up\ACCAgnt.exe" /startup
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0b\AOL.EXE" -b
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Download with &Shareaza - res://C:\Program Files\Shareaza\Plugins\RazaWebHook.dll/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} (AOL Content Update) - http://esupport.aol.com/help/acp2/engine/aolcoach_core_1.cab
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} -
O16 - DPF: {3EB4F9EA-51A6-48DA-846A-0D69DCBA39EF} (DownloadManager Control) - http://download.akamaitools.com.edgesuite.net/dlmanager/dev/code/IE_1070/DownloadManager.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.aol.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {62CE3CBC-B889-423A-9457-2FE7A731BBD8} (UpdateStart Class) - http://eng.pristontale.com/autorun/pristontale.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/FujifilmUploadClient.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.aol.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4371/mcfscan.cab
O20 - AppInit_DLLs: C:\WINDOWS\System32\resg.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
 
#16 ·
Download and update the databases on each program before running.

Make sure you run ALL those programs!

DISCONNECT this PC from any internet access.

Run HijackThis and fix the following entries.

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: (no name) - ReadMe-BHODemon - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} -
O20 - AppInit_DLLs: C:\WINDOWS\System32\resg.dll


Run Cleanup and reboot/logoff when prompted. Reboot into safe mode.

C:\WINDOWS\SYSTEM32\AdCache <-- delete that folder.


Click START…RUN…Type in regedit. Make sure just “My Computer” is showing in the left pane and click..FILE….EXPORT…and save a copy somewhere in case you make a mistake. Now navigate to the following key.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows

Once you're in that Windows folder..look at the entries listed in the right pane and find this entry if listed... Name=AppInit_DLLs and Data=resg.dll

Highlight the AppInit_DLLs entry that contains that resg.dll file right click...and delete it. If it's NOT listed...let me know..as if it's hidden...we will have to use another program to try and remove it.

Close regedit

Run another Ewido scan and let it clean the PC.

Run HijackThis again...and recheck those entries.

Run KILL box. Paste the following locations into KILL BOX one at a time. Checkmark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot.

C:\WINDOWS\System32\resg.dll
C:\WINDOWS\bargain3.exe
C:\WINDOWS\INF\dm.inf
C:\WINDOWS\rgrt.exe
C:\WINDOWS\smdat32m.sys
C:\WINDOWS\SYSTEM32\ATMPVCNO.exe
C:\WINDOWS\SYSTEM32\INNERVBINSTALL.LOG
C:\WINDOWS\SYSTEM32\memtest32.sys
C:\WINDOWS\SYSTEM32\Process.exe
C:\WINDOWS\SYSTEM32\stlb2.xml
C:\WINDOWS\win32.dat


Once you reboot...run the Cleanup Utility again. Then RECONNECT your internet connection and post another Panda scan and hijackthis log.

Let me know about that AppInit_DLLs/resg.dll in the registry and if you were able to delete it...or you got an error or it wasn't there!
 
#17 ·
The AppInit_DLLs was there, but the data part didn't have resg.dll so I left it there.



Here's the panda log


Incident Status Location

Hacktool:Hacktool/Processor No disinfected C:\Hijack This\l2mfix\Process.exe
Hacktool:Hacktool/Processor No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000263.exe[Process.exe]
Hacktool:Hacktool/Processor No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000268.exe
Hacktool:Hacktool/Processor No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000378.exe[Process.exe]
Possible Virus. No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP6\A0001220.dll
Adware:Adware/IEDriver No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP8\A0002171.exe
Hacktool:Hacktool/Processor No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP8\A0002173.exe
Adware:adware/comet No disinfected C:\WINDOWS\INF\dm.PNF





And the HJT log

Logfile of HijackThis v1.99.1
Scan saved at 12:51:46 PM, on 8/9/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\lexpps.exe
C:\Program Files\AOL Computer Check-Up\ACCAgnt.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\SpywareGuard\sgmain.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\System32\cidaemon.exe
C:\Hijack This\HijackThis.exe
C:\Program Files\America Online 9.0b\waol.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Shareaza Web Download Hook - {0EEDB912-C5FA-486F-8334-57288578C627} - C:\Program Files\Shareaza\Plugins\RazaWebHook.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)
O2 - BHO: IECatcher Class - {B930BA63-9E5A-11D3-A288-0000E80E2EDE} - C:\Program Files\Mass Downloader\MDHELPER.DLL (file missing)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ElbyCheckElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [AOLCC] "C:\Program Files\AOL Computer Check-Up\ACCAgnt.exe" /startup
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0b\AOL.EXE" -b
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Download with &Shareaza - res://C:\Program Files\Shareaza\Plugins\RazaWebHook.dll/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} (AOL Content Update) - http://esupport.aol.com/help/acp2/engine/aolcoach_core_1.cab
O16 - DPF: {3EB4F9EA-51A6-48DA-846A-0D69DCBA39EF} (DownloadManager Control) - http://download.akamaitools.com.edgesuite.net/dlmanager/dev/code/IE_1070/DownloadManager.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.aol.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {62CE3CBC-B889-423A-9457-2FE7A731BBD8} (UpdateStart Class) - http://eng.pristontale.com/autorun/pristontale.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/FujifilmUploadClient.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.aol.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4371/mcfscan.cab
O20 - AppInit_DLLs: C:\WINDOWS\System32\resg.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
 
#18 ·
Ok..

I think it's there...but it's being hidden. Let's try this...

Download and install Registrar Lite

1. Once it is installed, please double click on the icon that should now be on your desktop. If an icon is not there, then check under the programs section of your Start Menu.

2. Once Registrar Lite is opened, copy and paste the line below into the address field of Registrar Lite.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

and press the enter key on your keyboard.

3. You will now be presented with new information in the bottom right and left sections and on the right section and the key called AppInit_DLLs should be highlighted. If the entry is there and contains resg.dll in the data field..right click it..and delete it.

Let me know.

C:\WINDOWS\System32\resg.dll <--can you manually find that file??

Copy everything inside the quote box below (starting with dir) and paste it into notepad. Go up to "File > Save As" and click the drop-down box to change the "Save As Type" to "All Files". Save it as findfile.bat on your Desktop.

dir C:\WINDOWS\system32\resg.dll/a h > files.txt
notepad files.txt

Locate findfile.bat on your Desktop and double-click on it. It will open Notepad with some text in it. Please post the contents of that Notepad text.
 
#19 ·
Registrar Lite found the AppInit_DLLs and the data was resg.dll so I deleted it. And yes I can manually find resg.dll.



And here's the findfile.txt you asked for too.

Volume in drive C has no label.
Volume Serial Number is 74F7-81A5

Directory of C:\WINDOWS\system32

04/19/2004 08:40 PM 57,344 resg.dll
1 File(s) 57,344 bytes

Directory of C:\Documents and Settings\Ricky Powell.D38QJP41\Desktop
 
#20 ·
Freek'en DLL...lol

Ok...

Download KillBox http://www.bleepingcomputer.com/files/spyware/KillBox.zip

Go back into Reglite and make sure that DLL's entry has been deleted. If so...close Reglite. Run HijackThis and fix these entries (IF it's there)..

O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)
O20 - AppInit_DLLs: C:\WINDOWS\System32\resg.dll



Run KILL box. Paste the following locations into KILL BOX one at a time. Checkmark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click YES.

C:\WINDOWS\System32\resg.dll

Once you reboot..post another hijackthis log.
 
#21 ·
Here ya go


Logfile of HijackThis v1.99.1
Scan saved at 10:20:13 AM, on 8/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\AOL Computer Check-Up\ACCAgnt.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\America Online 9.0b\waol.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\America Online 9.0b\shellmon.exe
C:\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Shareaza Web Download Hook - {0EEDB912-C5FA-486F-8334-57288578C627} - C:\Program Files\Shareaza\Plugins\RazaWebHook.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: IECatcher Class - {B930BA63-9E5A-11D3-A288-0000E80E2EDE} - C:\Program Files\Mass Downloader\MDHELPER.DLL (file missing)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ElbyCheckElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [AOLCC] "C:\Program Files\AOL Computer Check-Up\ACCAgnt.exe" /startup
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0b\AOL.EXE" -b
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Download with &Shareaza - res://C:\Program Files\Shareaza\Plugins\RazaWebHook.dll/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} (AOL Content Update) - http://esupport.aol.com/help/acp2/engine/aolcoach_core_1.cab
O16 - DPF: {3EB4F9EA-51A6-48DA-846A-0D69DCBA39EF} (DownloadManager Control) - http://download.akamaitools.com.edgesuite.net/dlmanager/dev/code/IE_1070/DownloadManager.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.aol.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {62CE3CBC-B889-423A-9457-2FE7A731BBD8} (UpdateStart Class) - http://eng.pristontale.com/autorun/pristontale.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/FujifilmUploadClient.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.aol.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4371/mcfscan.cab
O20 - AppInit_DLLs: C:\WINDOWS\System32\resg.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
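
Added example (not part of the thread and not any poster's code): a small HijackThis log checker that takes the list of entries a helper asked to be fixed and reports which of them are still present in a later log, as happens with the O20 AppInit_DLLs line above. The sample strings are short excerpts copied from posts #20 and #21; the function names are made up for this illustration.

```python
import re
from typing import NamedTuple


class Entry(NamedTuple):
    section: str  # HijackThis section code such as "R0", "O2", "O20"
    body: str     # text after "<code> - "


# Entry lines look like "O20 - AppInit_DLLs: C:\...". Header lines and the
# "Running processes" paths never start with letter+digits, so they are skipped.
_ENTRY_RE = re.compile(r"^\s*([A-Z]\d{1,2})\s+-\s+(.*?)\s*$")
_ORPHAN_RE = re.compile(r"\((?:no file|file missing)\)$", re.IGNORECASE)


def parse_hjt(text):
    """Return the registry/file entries of a HijackThis log in order."""
    entries = []
    for line in text.splitlines():
        m = _ENTRY_RE.match(line)
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def _key(entry):
    # Windows paths and registry names are case-insensitive; logs pasted into
    # a forum may also pick up extra spaces, so normalise both.
    return (entry.section, re.sub(r"\s+", " ", entry.body).casefold())


def still_present(fix_list, later_log):
    """Entries from the 'fix these' list that show up again in a later log."""
    later = {_key(e) for e in parse_hjt(later_log)}
    return [e for e in parse_hjt(fix_list) if _key(e) in later]


def orphaned(entries):
    """Entries whose target is gone: '(no file)' or '(file missing)'."""
    return [e for e in entries if _ORPHAN_RE.search(e.body)]


def appinit_dlls(entries):
    """Raw value of every O20 AppInit_DLLs entry (DLLs loaded into each
    process that loads user32.dll, which is why the entry matters)."""
    prefix = "appinit_dlls:"
    return [e.body[len(prefix):].strip() for e in entries
            if e.section == "O20" and e.body.casefold().startswith(prefix)]


# Excerpt of the fix list from post #20 of this thread.
FIX_LIST_POST_20 = r"""
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)
O20 - AppInit_DLLs: C:\WINDOWS\System32\resg.dll
"""

# Shortened excerpt of the log from post #21 of this thread.
LOG_POST_21 = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: IECatcher Class - {B930BA63-9E5A-11D3-A288-0000E80E2EDE} - C:\Program Files\Mass Downloader\MDHELPER.DLL (file missing)
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O20 - AppInit_DLLs: C:\WINDOWS\System32\resg.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
"""

if __name__ == "__main__":
    for e in still_present(FIX_LIST_POST_20, LOG_POST_21):
        print("came back after fix:", e.section, "-", e.body)
    for e in orphaned(parse_hjt(LOG_POST_21)):
        print("target missing:     ", e.section, "-", e.body)
    print("AppInit_DLLs value: ", appinit_dlls(parse_hjt(LOG_POST_21)))
```

An entry that survives a fix and a reboot, like the AppInit_DLLs one here, usually means something is rewriting the value or the file it points to is still loading.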
 
#22 · (Edited)
Did you run the CWShredder tool? If not...do so.

Use a zipping Utility like Winzip..... Zip up this file and attach it to your next post so I can take a look at it.

C:\WINDOWS\System32\resg.dll


Also give me these logs..

Download DLLCompare http://downloads.subratam.org/DllCompare.exe

Please put it in a folder on the root drive (C:\)
Click the Run locate.com button
When the scan is complete click the Compare button.

It will sort through the files it found and determine which should be flagged as "No access" and display them in the lower box.
In a few minutes it will complete.
Click the button Make a Log of what was Found

Post that log.

**Note** Only if you get an error after pressing Run Locate.com:
Copy autoexec.nt from c:\windows\repair\ folder to c:\windows\system32\ folder
..

Download WinPFind http://www.bleepingcomputer.com/files/oldtimer/WinPFind.zip and extract it to your C:\ folder. This will create a folder called WinPFind in the C:\ folder.

Download Track qoo http://www.geekstogo.com/downloads/Trackqoo.zip
Save it somewhere you will remember like the Desktop. Unzip the Track qoo.vbs inside to your desktop. DO NOT run it yet!

Reboot into Safe Mode
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.



Inside C:\WinPFind is a file called WinPFind.exe. Double-click on this file to launch the program. Once it is launched, click on the Start Scan button and wait for it to finish. This program will scan large amounts of files on your computer for known patterns so please be patient while it works as it can take a while, upwards of 30 minutes or more. Once the scan is complete it will make a txt file (log) of what was found.

1. Go to the WinPFind folder
2. Locate WinPFind.txt
3. Please post those results in your next post!

REBOOT to normal mode.

Double Click on "Track qoo.vbs"

Note - If your antivirus has Script Blocking, you will get a pop-up window asking you what to do. Allow this entire script to run; it's harmless!

Wait a few seconds and a notepad page will pop up, Copy & Paste those results and place them in the next post along with the results of WinPFind!

So I need the following tool logs..

WinPFind.txt log
Track qoo.vbs log
DllCompare
 
#23 ·
here's the DLLCompare one

* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINDOWS\SYSTEM32\nticdm~1.dll Tue Sep 21 2004 6:12:00p ...HR 1,024 1.00 K
C:\WINDOWS\SYSTEM32\ntimpeg2.dll Tue Sep 14 2004 5:51:30p ...HR 1,024 1.00 K
________________________________________________

1,329 items found: 1,329 files (2 H/S), 0 directories.
Total of file sizes: 260,709,214 bytes 248.63 M

Administrator Account = True

AppInit_DLLs value = C:\WINDOWS\System32\resg.dll (not hidden)
--------------------End log---------------------






Here's WinPFind

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 1 Current Build Number: 2600
Internet Explorer Version: 6.0.2800.1106

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...
PEC2 9/16/2004 6:06:08 PM 4639053 C:\crash.txt

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
UPX! 12/21/1999 7:58:02 AM 21312 C:\WINDOWS\choice.exe
UPX! 8/8/2005 12:11:24 PM 162304 C:\WINDOWS\CleanUpUninstall.exe
UPX! 8/22/2004 5:04:56 PM 69120 C:\WINDOWS\daemon.dll

Checking %System% folder...
UPX! 7/18/2004 9:07:56 PM 9728 C:\WINDOWS\SYSTEM32\authz.exe
PEC2 8/29/2002 4:00:00 AM 41397 C:\WINDOWS\SYSTEM32\DFRG.MSC
UPX! 1/13/2005 9:41:48 PM 11254 C:\WINDOWS\SYSTEM32\locate.com
Umonitor 8/29/2002 4:00:00 AM 631808 C:\WINDOWS\SYSTEM32\RASDLG.DLL
winsync 8/29/2002 4:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\WBDBASE.DEU

Checking %System%\Drivers folder and sub-folders...

Items found in C:\WINDOWS\SYSTEM32\drivers\ETC\hosts


Checking the Windows folder for system and hidden files within the last 60 days...
7/28/2005 11:44:20 AM 54156 C:\WINDOWS\QTFont.qfn
7/28/2005 3:36:22 PM 6144 C:\WINDOWS\SYSTEM32\access.ctl
6/14/2005 5:45:42 PM 0 C:\WINDOWS\SYSTEM32\tnuoccAelbuoDuM.dat
6/14/2005 5:35:28 PM 32 C:\WINDOWS\SYSTEM32\tnuoccAelbuoDuM.le
8/12/2005 9:51:30 AM 8192 C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG
8/12/2005 9:52:00 AM 1024 C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG
8/12/2005 9:51:40 AM 16384 C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG
8/12/2005 9:52:48 AM 114688 C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG
8/12/2005 9:51:38 AM 1052672 C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG
7/11/2005 8:59:38 PM 388 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\User\05221fc8-72ee-48da-bb74-1dec3df2d110
12/31/2099 5:47:06 PM 388 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\User\93537665-1625-4238-8c51-ee2f444d3343
7/11/2005 8:59:38 PM 24 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\User\Preferred
8/12/2005 9:50:34 AM 6 C:\WINDOWS\Tasks\SA.DAT

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...

Checking files in %ALLUSERSPROFILE%\Application Data folder...

Checking files in %USERPROFILE%\Startup folder...

Checking files in %USERPROFILE%\Application Data folder...

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
ESB{3D97A67C-9551-4104-B187-ABDC96728421} =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
{81559C35-8464-49F7-BB0E-07A383BEF910} = C:\Program Files\SpywareGuard\spywareguard.dll

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\UltimateZip
{2F860D81-AF3C-11D4-BDB3-00E0987D8540} = C:\PROGRA~1\ULTIMA~1.7\uzshlex.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{CFC7205E-2792-4378-9591-3879CC6C9022}
= c:\progra~1\mcafee.com\vso\mcvsshl.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\BPS.Spyware.Adware.Remover
{7306D133-DBED-4096-84A3-8B98B23F02B4} =
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\UltimateZip
{2F860D81-AF3C-11D4-BDB3-00E0987D8540} = C:\PROGRA~1\ULTIMA~1.7\uzshlex.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\{CFC7205E-2792-4378-9591-3879CC6C9022}
= c:\progra~1\mcafee.com\vso\mcvsshl.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\QuickFinderMenu
{C0E10002-0028-0004-C0E1-C0E1C0E1C0E1} = c:\Program Files\WordPerfect Office 11\Programs\PFSE110.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0EEDB912-C5FA-486F-8334-57288578C627}
Shareaza Web Download Hook = C:\Program Files\Shareaza\Plugins\RazaWebHook.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4A368E80-174F-4872-96B5-0B27DDD11DB2}
SpywareGuardDLBLOCK.CBrowserHelper = C:\Program Files\SpywareGuard\dlprotect.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
= C:\PROGRA~1\SPYBOT~1\SDHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5CA3D70E-1895-11CF-8E15-001234567890}
DriveLetterAccess = C:\WINDOWS\system32\dla\tfswshx.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B930BA63-9E5A-11D3-A288-0000E80E2EDE}
IECatcher Class = C:\Program Files\Mass Downloader\MDHELPER.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{FE54FA40-D68C-11d2-98FA-00C0F0318AFE}
Real.com = C:\WINDOWS\System32\Shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{BA52B914-B692-46c4-B683-905236F6F655} = McAfee VirusScan : c:\progra~1\mcafee.com\vso\mcvsshl.dll
{8E718888-423F-11D2-876E-00A0C9082467} = &Radio : C:\WINDOWS\System32\msdxm.ocx
{4982D40A-C53B-4615-B15B-B5B5E98D167C} = AOL Toolbar : C:\Program Files\AOL Toolbar\toolbar.dll
{E0E899AB-F487-11D5-8D29-0050BA6940E3} = FlashGet Bar : C:\PROGRA~1\FlashGet\fgiebar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\CmdMapping
MenuText = :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console : C:\WINDOWS\System32\msjava.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{4982D40A-C53B-4615-B15B-B5B5E98D167C}
ButtonText = AOL Toolbar :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{85d1f590-48f4-11d9-9669-0800200c9a66}
MenuText = Uninstall BitDefender Online Scanner v8 :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
ButtonText = Real.com :

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
Media Band = %SystemRoot%\System32\browseui.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
IgfxTray C:\WINDOWS\System32\igfxtray.exe
IntelMeM C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
dla C:\WINDOWS\system32\dla\tfswctrl.exe
StorageGuard "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
Dell AIO Printer A920 "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
AOL Spyware Protection "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
DXM6Patch_981116 C:\WINDOWS\p_981116.exe /Q:A
Pure Networks Port Magic "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
MCAgentExe c:\PROGRA~1\mcafee.com\agent\mcagent.exe
MCUpdateExe C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
VirusScan Online "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
VSOCheckTask "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
ElbyCheckElbyCDFL "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
SmcService C:\PROGRA~1\Sygate\SPF\smc.exe -startgui

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Sonic RecordNow!
AOLCC "C:\Program Files\AOL Computer Check-Up\ACCAgnt.exe" /startup

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui
= igfxsrvc.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs C:\WINDOWS\System32\resg.dll


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.2.9 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 8/12/2005 9:57:56 AM





And here's the Track qoo one

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\\WINDOWS\\System32\\igfxtray.exe"
"IntelMeM"="C:\\Program Files\\Intel\\Modem Event Monitor\\IntelMEM.exe"
"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"StorageGuard"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"Dell AIO Printer A920"="\"C:\\Program Files\\Dell AIO Printer A920\\dlbkbmgr.exe\""
"AOL Spyware Protection"="\"C:\\PROGRA~1\\COMMON~1\\AOL\\AOLSPY~1\\AOLSP Scheduler.exe\""
"DXM6Patch_981116"="C:\\WINDOWS\\p_981116.exe /Q:A"
"Pure Networks Port Magic"="\"C:\\PROGRA~1\\PURENE~1\\PORTMA~1\\PortAOL.exe\" -Run"
"MCAgentExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
"MCUpdateExe"="C:\\PROGRA~1\\mcafee.com\\agent\\mcupdate.exe"
"VirusScan Online"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcvsshld.exe\""
"VSOCheckTask"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcmnhdlr.exe\" /checktask"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"ElbyCheckElbyCDFL"="\"C:\\Program Files\\Elaborate Bytes\\CloneCD\\ElbyCheck.exe\" /L ElbyCDFL"
"SmcService"="C:\\PROGRA~1\\Sygate\\SPF\\smc.exe -startgui"

-----------------
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers


Subkey --- ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}
C:\Program Files\ewido\security suite\context.dll

Subkey --- Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03}
C:\WINDOWS\System32\cscui.dll

Subkey --- Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- UltimateZip
{2F860D81-AF3C-11D4-BDB3-00E0987D8540}
C:\PROGRA~1\ULTIMA~1.7\uzshlex.dll

Subkey --- WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA}
C:\Program Files\WinRAR\rarext.dll

Subkey --- {a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {CFC7205E-2792-4378-9591-3879CC6C9022}

c:\progra~1\mcafee.com\vso\mcvsshl.dll

=====================

HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers


Subkey --- {0D2E74C4-3C34-11d2-A27E-00C04FC30871}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {24F14F01-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {24F14F02-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {66742402-F9B9-11D1-A202-0000F81FEDEE}
C:\WINDOWS\system32\SHELL32.dll

==============================
C:\Documents and Settings\All Users\Start Menu\Programs\Startup

DESKTOP.INI
==============================
C:\Documents and Settings\Ricky Powell.D38QJP41\Start Menu\Programs\Startup

DESKTOP.INI
DESKTOP.INI
SpywareGuard.lnk
==============================
C:\WINDOWS\SYSTEM32 cpl files


ACCESS.CPL Microsoft Corporation
APPWIZ.CPL Microsoft Corporation
B57exp.cpl Broadcom Corporation
BDEADMIN.CPL Borland Software Corporation
cpl_moh.cpl
DESK.CPL Microsoft Corporation
HDWWIZ.CPL Microsoft Corporation
igfxcpl.cpl Intel Corporation
INETCPL.CPL Microsoft Corporation
INTL.CPL Microsoft Corporation
JOY.CPL Microsoft Corporation
jpicpl32.cpl Sun Microsystems
MAIN.CPL Microsoft Corporation
MMSYS.CPL Microsoft Corporation
NCPA.CPL Microsoft Corporation
NUSRMGR.CPL Microsoft Corporation
ODBCCP32.CPL Microsoft Corporation
POWERCFG.CPL Microsoft Corporation
prefscpl.cpl RealNetworks, Inc.
QuickTime.cpl Apple Computer, Inc.
SYSDM.CPL Microsoft Corporation
TELEPHON.CPL Microsoft Corporation
TIMEDATE.CPL Microsoft Corporation




And I can't zip the resg.dll because it's protected (and yes, I've run CWShredder several times, and I update before each time, and I'm not connected to the internet when I run it).
 
#24 ·
C:\WINDOWS\SYSTEM32\authz.exe <--delete that file.

Right click on the resg.dll file and check its properties. See if it lists the program it belongs to. Also, on the "General" tab, uncheck "Read Only" or "Hidden" if it's checkmarked. Copy the file to a new location, then zip it up and send it. If that doesn't work, see if you can rename the file to resg.txt and post that.
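A triage pass over logs in the format posted in this thread, as an added example (not part of any post, and not code from WinPFind or DLLCompare): it extracts the AppInit_DLLs value from either log format and the pattern hits on executable files, so those entries can be reviewed first. The function name `triage`, the extension list and the sample excerpt are assumptions made for this example.

```python
import ntpath
import re

# Excerpt in the format of the WinPFind and DLLCompare logs posted in this thread
# (lines copied from those logs; the selection is constructed for this example).
SAMPLE_LOG = r"""
Checking %WinDir% folder...
UPX! 12/21/1999 7:58:02 AM 21312 C:\WINDOWS\choice.exe
UPX! 8/22/2004 5:04:56 PM 69120 C:\WINDOWS\daemon.dll

Checking %System% folder...
UPX! 7/18/2004 9:07:56 PM 9728 C:\WINDOWS\SYSTEM32\authz.exe
PEC2 8/29/2002 4:00:00 AM 41397 C:\WINDOWS\SYSTEM32\DFRG.MSC
Umonitor 8/29/2002 4:00:00 AM 631808 C:\WINDOWS\SYSTEM32\RASDLG.DLL

Checking the Windows folder for system and hidden files within the last 60 days...
7/28/2005 3:36:22 PM 6144 C:\WINDOWS\SYSTEM32\access.ctl

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs C:\WINDOWS\System32\resg.dll

AppInit_DLLs value = C:\WINDOWS\System32\resg.dll (not hidden)
"""

# Pattern hit: <pattern> <m/d/yyyy> <h:mm:ss AM|PM> <size> <path>
HIT_RE = re.compile(
    r"^(?P<sig>\S+)\s+\d{1,2}/\d{1,2}/\d{4}\s+\d{1,2}:\d{2}:\d{2}\s+[AP]M\s+"
    r"(?P<size>\d+)\s+(?P<path>[A-Za-z]:\\.+)$"
)
# WinPFind prints "AppInit_DLLs <value>"; DLLCompare prints
# "AppInit_DLLs value = <value> (not hidden)". Accepting "(hidden)" as well is
# an assumption; the thread only shows "(not hidden)".
APPINIT_RE = re.compile(
    r"^AppInit_DLLs\b(?:\s+value\s*=)?\s*(?P<val>.*?)\s*(?:\((?:not )?hidden\))?$",
    re.IGNORECASE,
)
EXEC_EXTS = {".exe", ".dll", ".com", ".scr", ".sys"}  # assumed review list


def triage(log_text):
    """Return (appinit_dlls, hits) parsed from WinPFind/DLLCompare log text."""
    appinit, hits, section = [], [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("Checking ") and line.endswith("..."):
            section = line[len("Checking "):-3]  # e.g. "%System% folder"
            continue
        m = APPINIT_RE.match(line)
        if m:
            # DLLs named here are loaded into every process that loads
            # user32.dll, so any entry deserves review. Entries are separated
            # by spaces or commas; duplicates across logs are merged.
            for dll in re.split(r"[,\s]+", m.group("val")):
                if dll and dll.lower() not in (d.lower() for d in appinit):
                    appinit.append(dll)
            continue
        m = HIT_RE.match(line)
        if m:  # lines without a leading pattern name are not hits
            path = m.group("path")
            ext = ntpath.splitext(path)[1].lower()
            hits.append({"sig": m.group("sig"), "path": path, "section": section,
                         "size": int(m.group("size")), "executable": ext in EXEC_EXTS})
    return appinit, hits


if __name__ == "__main__":
    dlls, found = triage(SAMPLE_LOG)
    print("AppInit_DLLs:", dlls)
    for h in found:
        if h["executable"]:
            print(h["section"], h["sig"], h["path"])
```

As the WinPFind log itself warns, a hit is not a verdict: the output is a shortlist for a knowledgeable reviewer, not a deletion list.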
 