looots of adware/spyware keep coming all due to a bad windows media player link

compgeek · 07-06-2005, 06:07 PM

bad windows media player link caused ads to keep appearing after each reboot. I used ad aware and spybot but yet after each reboot something triggers them all over again.

please help

thank you.

Herk · 07-06-2005, 06:48 PM

If you have a fast internet connection (broadband), run an online virus scan at TrendMicro http://uk.trendmicro-europe.com/ente...all_launch.php. Just follow the instructions on the site to run the online scan. If any viruses/trojans are detected, try to delete or clean them in that site. You may use Panda ActiveScan also at http://www.pandasoftware.com/products/activescan. Otherwise, make sure your antivirus program has the latest definitions and run a full system scan.

Please download HijackThis http://www.greyknight17.com/spy/HijackThis.exe - this program will help us determine if there are any spyware/malware on your computer. Create a folder at C:\HJT and move HijackThis.exe there. Double click on the program to run it.

1. If it gives you an intro screen, just choose 'Do a system scan and save a logfile'.
2. If you don't get the intro screen, just hit Scan and then click on Save log.
3. Post the hijackthis.log file here. Do not fix anything in HijackThis since they may be harmless.

compgeek · 07-10-2005, 01:27 PM

Logfile of HijackThis v1.99.1
Scan saved at 4:26:59 PM, on 7/10/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\IWP\NPFMNTOR.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\DEVLDR16.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\DIGSTREAM\DIGSTREAM.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\WINDOWS\RRRKAU.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SNDSRVC.EXE
C:\WINDOWS\WUAUCLT.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\CERES.DLL
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\SYSTB.DLL
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\SYSTEM\MSBE.DLL
O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\SYSTEM\NVMS.DLL
O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\SYSTEM\MSCB.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE /Consumer
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\rrrkau.exe reg_run
O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
O4 - HKLM\..\Run: [CashBack] C:\Program Files\CashBack\bin\cashback.exe
O4 - HKLM\..\Run: [dlylygu] c:\windows\system\dlylygu.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [NPFMonitor] C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [UPDTUP] C:\WINDOWS\SYSTEM\UPDTUP.exe
O4 - HKCU\..\Run: [Rrsu] C:\Program Files\tarc\cire.exe
O4 - HKCU\..\Run: [Cytoa] \kkmvhhzr.exe
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - HKCU\..\RunServices: [UPDTUP] C:\WINDOWS\SYSTEM\UPDTUP.exe
O4 - HKCU\..\RunServices: [Rrsu] C:\Program Files\tarc\cire.exe
O4 - HKCU\..\RunServices: [Cytoa] \kkmvhhzr.exe
O4 - HKCU\..\RunServices: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - HKCU\..\RunOnce: [UPDTUP] C:\WINDOWS\SYSTEM\UPDTUP.exe
O4 - Startup: nnnd.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra button: PDFtypewriter - {B5EE1724-E26C-4431-A8F3-96FC5FE55CA1} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/tech...ActiveData.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/game...ts/y/tt3_x.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.dotphoto.com/XUpload.ocx
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - https://www-secure.symantec.com/tech...a/LSSupCtl.cab
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://sifyimg.speedera.net/sify.com/eot/tdserver.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\PROGRAM FILES\CAS\CLIENT\CASMF.DLL

sUBs · 07-10-2005, 02:19 PM

Hi and Welcome to TSF!

Please subscribe to this thread to be notified of fixes as soon as they are posted by our Team. To do this, please click the "Thread Tools" button located in the original thread line and selecting "Subscribe to this Thread".

It's better to print out the next instructions or save them in notepad, because you also have to work in safe mode without networking support, so this page wouldn't be available then.
It is also important you don't miss a step and perform everything in the right order!!.
If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are carrying out the procedures below.

Please do not run Hijackthis from it's current location. Create a permanent folder and move hijackthis.exe into it.

From Windows Explorer, Click on drive C:
Click on File>New>Folder
Call it HJT, or any other name of your choice.
Move all files to the newly created folder

~~~~~~~~~~~~~~

Please download these additional files/programs :- (Do not run them unless instructed to do so)
Unplug your computer from the Internet when you have finished downloading

CleanUp! - Install

KillBox v2.0.0.175 - Save to Desktop.

Download & RUN FxIeplgn.exe

Download & RUN FxWebsch.exe

~~~~~~~~~~~~~~

Uninstall the following programs, if present, using Control Panel > Add/Remove Programs :

CashBack
NaviSearch
BullsEye Network
E2Give Browser Add On
Bargain Buddy
HuntBar

~~~~~~~~~~~~~~

Copy to clipboard, all the items below by highlighting them & pressing [CTRL]+[C] on your keyboard.

C:\WINDOWS\RRRKAU.EXE
C:\WINDOWS\CERES.DLL
C:\WINDOWS\SYSTB.DLL
C:\Program Files\E2G\IeBHOs.dll
C:\WINDOWS\SYSTEM\MSBE.DLL
C:\WINDOWS\SYSTEM\NVMS.DLL
C:\WINDOWS\SYSTEM\MSCB.DLL
C:\WINDOWS\wupdt.exe
C:\Program Files\BullsEye Network\bin\bargains.exe
C:\Program Files\NaviSearch\bin\nls.exe
C:\Program Files\CashBack\bin\cashback.exe
c:\windows\system\dlylygu.exe
C:\WINDOWS\SYSTEM\UPDTUP.exe
C:\Program Files\tarc\cire.exe
c:\windows\system\kkmvhhzr.exe
c:\windows\kkmvhhzr.exe
C:\Program Files\Cas\Client\casclient.exe
c:\Windows\Start Menu\Programs\Startup\nnnd.exe
C:\PROGRAM FILES\CAS\CLIENT\CASMF.DLL

Start KillBox

Go to the File menu, and choose [Paste from Clipboard].
Verify that you've done this properly by clicking the dropdown-arrow next to the [Full Path of File to Delete] field. The filenames you pasted will be found in there.
Select/tick the following:
- "Delete on Reboot"
- "End Explorer Shell While Killing File"
- "Unregister.dll Before Deleting" if it's not grayed out.
Click the RED X button.
Click [Yes] at the 'Delete on Reboot' prompt. Click [Yes] at the Pending Operations prompt.

* If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

~~~~~~~~~~~~~~

Reboot to SafeMode

Shut Windows down, and then turn off the computer.
Restart the computer. The computer begins processing a set of instructions known as the Basic Input/Output System (BIOS). What is displayed depends on the BIOS manufacturer. Some computers display a progress bar that refers to the word BIOS, while others may not display any indication that this process is happening.
As soon as the BIOS has finished loading, begin tapping the F8 key on your keyboard. Continue to do so until the
Windows Advanced Options menu appears.
Using the arrow keys on the keyboard, scroll to and select the Safe mode menu item, and then press Enter.

~~~~~~~~~~~~~~

Enable the viewing of Hidden files

Double-click on the My Computer icon.
Select the View menu and then click Folder Options.
After the new window appears select the View tab.
Scroll down until you see the Show all files radio button and select it.
Press the Apply button and then the OK button and close the My Computer window.
Now your computer is configured to show all hidden files.

Locate and delete the following folder(s), if present:

C:\Program Files\E2G\
C:\Program Files\BullsEye Network\
C:\Program Files\NaviSearch\
C:\Program Files\CashBack\
C:\Program Files\tarc\
C:\Program Files\Cas\

Search for & delete ... using "Start>Search..." the following file(s), if present:

nnnd.exe
kkmvhhzr.exe

~~~~~~~~~~~~~~

Run Cleanup! & configure the program as follows:

Click Options...
Move the arrow down to Custom CleanUp!
Put a check next to the following:
- Empty Recycle Bins
- Delete Cookies
- Delete Prefetch files
- [X]Scan local drives for temporary files (Please uncheck this option)
- Cleanup! All Users
Click OK
Press the CleanUp! button to start the program. Reboot/logoff when prompted.

* CleanUp! will delete all the files in your temp folders without making a backup

~~~~~~~~~~~~~~

Reboot to Normal Mode

Run a scan with HiJackThis & select(tick) the following & click [Fix checked] :

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\CERES.DLL
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\SYSTB.DLL
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\SYSTEM\MSBE.DLL
O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\SYSTEM\NVMS.DLL
O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\SYSTEM\MSCB.DLL
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\rrrkau.exe reg_run
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
O4 - HKLM\..\Run: [CashBack] C:\Program Files\CashBack\bin\cashback.exe
O4 - HKLM\..\Run: [dlylygu] c:\windows\system\dlylygu.exe
O4 - HKCU\..\Run: [UPDTUP] C:\WINDOWS\SYSTEM\UPDTUP.exe
O4 - HKCU\..\Run: [Rrsu] C:\Program Files\tarc\cire.exe
O4 - HKCU\..\Run: [Cytoa] \kkmvhhzr.exe
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - HKCU\..\RunServices: [UPDTUP] C:\WINDOWS\SYSTEM\UPDTUP.exe
O4 - HKCU\..\RunServices: [Rrsu] C:\Program Files\tarc\cire.exe
O4 - HKCU\..\RunServices: [Cytoa] \kkmvhhzr.exe
O4 - HKCU\..\RunServices: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - HKCU\..\RunOnce: [UPDTUP] C:\WINDOWS\SYSTEM\UPDTUP.exe
O4 - Startup: nnnd.exe
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.dotphoto.com/XUpload.ocx
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://sifyimg.speedera.net/sify.com/eot/tdserver.cab
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\PROGRAM FILES\CAS\CLIENT\CASMF.DLL

~~~~~~~~~~~~~~

Do an online scan at Panda

Take note the names and locations of any file it detects but fails to clean.
* Turn off the real time scanner of any existing antivirus program while performing the online scan

Then download Trend Micro™ Anti-Spyware for the Web Utility (by clicking the "Scan and Clean your PC" button).

Save it to your desktop.
Double-click the new icon on your desktop (tmas-web-scan.exe)
It will say "Loading TrendMicro definitions".
Once the definitions are loaded, the program will appear to close then re-open.
Click "Start Scan"
After it's done scanning, click "Scan Results"
Make sure all items found have a check next to them, then click "Clean Threats Now".
Click Exit.

Reboot your computer. In place of the TrendMicro icon will be a text file called "Antispyware.log", please double-click that log and copy the entire contents and paste them here.

~~~~~~~~~~~~~~

Reboot Again & Run a new scan with HiJackThis. Save the log file and post the contents in your next reply.

In your next post, please include fresh copies of:

HiJackThis log
List of files that Panda failed to disinfect
Antispyware.log

Please provide details of any problems you encountered whilst performing the above steps.

compgeek · 07-16-2005, 07:53 AM

the online scan might have deleted some things but it crashed on me so im not sure.

here is the hijackthis log and the antispyware log:

Logfile of HijackThis v1.99.1
Scan saved at 10:51:10 AM, on 7/16/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\IWP\NPFMNTOR.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\DEVLDR16.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\DIGSTREAM\DIGSTREAM.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\SYSTEM\VIDCTRL\VIDCTRL.EXE
C:\WINDOWS\START MENU\PROGRAMS\STARTUP\NNND.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SNDSRVC.EXE
C:\PROGRAM FILES\SYMANTEC\LIVEUPDATE\LUCOMSERVER_2_5.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\WUAUCLT.EXE
C:\HJT\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\CERES.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE /Consumer
O4 - HKLM\..\Run: [vidctrl] C:\WINDOWS\SYSTEM\VIDCTRL\VIDCTRL.EXE
O4 - HKLM\..\Run: [autoupdate] rundll32 C:\WINDOWS\SYSTEM\DATADX.DLL,SHStart
O4 - HKLM\..\Run: [dlylygu] c:\windows\system\dlylygu.exe
O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\jjjanl.exe reg_run
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [NPFMonitor] C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - Startup: nnnd.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra button: PDFtypewriter - {B5EE1724-E26C-4431-A8F3-96FC5FE55CA1} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/tech...ActiveData.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/game...ts/y/tt3_x.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - https://www-secure.symantec.com/tech...a/LSSupCtl.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

Started Scanning
Files and Directories
Found 'A0007714.CPY' in 'c:\_RESTORE\TEMP'
Found 'A0008645.CPY' in 'c:\_RESTORE\TEMP'
Found 'A0008759.CPY' in 'c:\_RESTORE\TEMP'
Found 'A0008760.CPY' in 'c:\_RESTORE\TEMP'
Found 'A0008797.CPY' in 'c:\_RESTORE\TEMP'
Found 'A0008801.CPY' in 'c:\_RESTORE\TEMP'
Found 'A0008808.CPY' in 'c:\_RESTORE\TEMP'
Found 'A0008812.CPY' in 'c:\_RESTORE\TEMP'
Found 'A0008849.CPY' in 'c:\_RESTORE\TEMP'
Found 'A0008853.CPY' in 'c:\_RESTORE\TEMP'
Found 'A0008882.CPY' in 'c:\_RESTORE\TEMP'
Found 'A0008886.CPY' in 'c:\_RESTORE\TEMP'
Found 'A0008893.CPY' in 'c:\_RESTORE\TEMP'
Found 'A0008897.CPY' in 'c:\_RESTORE\TEMP'
Found 'A0008942.CPY' in 'c:\_RESTORE\TEMP'
Found 'A0009085.CPY' in 'c:\_RESTORE\TEMP'
Found 'A0009089.CPY' in 'c:\_RESTORE\TEMP'
Found 'A0009097.CPY' in 'c:\_RESTORE\TEMP'
Found 'A0009101.CPY' in 'c:\_RESTORE\TEMP'
Found 'A0009108.CPY' in 'c:\_RESTORE\TEMP'
Found 'A0009112.CPY' in 'c:\_RESTORE\TEMP'
Found 'A0009120.CPY' in 'c:\_RESTORE\TEMP'
Found 'A0009124.CPY' in 'c:\_RESTORE\TEMP'
Found 'A0009133.CPY' in 'c:\_RESTORE\TEMP'
Found 'A0009137.CPY' in 'c:\_RESTORE\TEMP'
Found 'A0009202.CPY' in 'c:\_RESTORE\TEMP'
Found 'A0009206.CPY' in 'c:\_RESTORE\TEMP'
Found 'A0009214.CPY' in 'c:\_RESTORE\TEMP'
Found 'A0009218.CPY' in 'c:\_RESTORE\TEMP'
Found 'A0009227.CPY' in 'c:\_RESTORE\TEMP'
Found 'A0009231.CPY' in 'c:\_RESTORE\TEMP'
Found 'A0009297.CPY' in 'c:\_RESTORE\TEMP'
Found 'A0009301.CPY' in 'c:\_RESTORE\TEMP'
Found 'A0009308.CPY' in 'c:\_RESTORE\TEMP'
Found 'A0009312.CPY' in 'c:\_RESTORE\TEMP'
Found 'A0009352.CPY' in 'c:\_RESTORE\TEMP'
Found 'A0009356.CPY' in 'c:\_RESTORE\TEMP'
Found 'A0009408.CPY' in 'c:\_RESTORE\TEMP'
Found 'A0009412.CPY' in 'c:\_RESTORE\TEMP'
Found 'A0005643.CPY' in 'c:\_RESTORE\TEMP'
Found 'A0009638.CPY' in 'c:\_RESTORE\TEMP'
Found 'A0009645.CPY' in 'c:\_RESTORE\TEMP'
Found 'A0009723.CPY' in 'c:\_RESTORE\TEMP'
Found 'A0010724.CPY' in 'c:\_RESTORE\TEMP'
Found 'A0010842.CPY' in 'c:\_RESTORE\TEMP'
Found '' in 'c:\WINDOWS\SYSTEM\FLEOK'
Found 'desktrf-fran-162813.exe' in 'c:\WINDOWS\SYSTEM\Cache'
Found 'bthdde.xml' in 'c:\WINDOWS\SYSTEM'
Found 'wcpsu.exe' in 'c:\WINDOWS\SYSTEM'
Found 'nsvsvc.exe' in 'c:\WINDOWS\SYSTEM\nsvsvc'
Found 'nsvs.dll' in 'c:\WINDOWS\SYSTEM\nsvsvc'
Found 'License.txt' in 'c:\WINDOWS\SYSTEM\nsvsvc'
Found 'BIINI.INF' in 'c:\WINDOWS\INF'
Found 'BELT.INF' in 'c:\WINDOWS\INF'
Found 'CERES.INF' in 'c:\WINDOWS\INF'
Found 'pav22.TMP' in 'c:\WINDOWS\TEMP'
Found 'pav24.TMP' in 'c:\WINDOWS\TEMP'
Found 'pav164.TMP' in 'c:\WINDOWS\TEMP'
Found 'pav40D5.TMP' in 'c:\WINDOWS\TEMP'
Found 'pav40E0.TMP' in 'c:\WINDOWS\TEMP'
Found 'pav4374.TMP' in 'c:\WINDOWS\TEMP'
Found 'wmv0104.dbd' in 'c:\WINDOWS\All Users\Application Data\nsv'
Found 'wmv0204.ddx' in 'c:\WINDOWS\All Users\Application Data\nsv'
Found 'wmv0504.ddx' in 'c:\WINDOWS\All Users\Application Data\nsv'
Found 'wmv0904.ddx' in 'c:\WINDOWS\All Users\Application Data\nsv'
Found 'wmv0412.ddx' in 'c:\WINDOWS\All Users\Application Data\nsv'
Found 'wmv0106.ddx' in 'c:\WINDOWS\All Users\Application Data\nsv'
Found 'wmv1215.dbd' in 'c:\WINDOWS\All Users\Application Data\nsv'
Found 'wmv0315.ddx' in 'c:\WINDOWS\All Users\Application Data\nsv'
Found 'wmv1204.ddx' in 'c:\WINDOWS\All Users\Application Data\nsv'
Found 'wmv2007.dbd' in 'c:\WINDOWS\All Users\Application Data\nsv'
Found 'wmv1125.ddx' in 'c:\WINDOWS\All Users\Application Data\nsv'
Found 'wmv1920.dbd' in 'c:\WINDOWS\All Users\Application Data\nsv'
Found 'wmv1909.ddx' in 'c:\WINDOWS\All Users\Application Data\nsv'
Found 'CERES.DLL' in 'c:\WINDOWS'
Found 'EECH1.bsx' in 'c:\WINDOWS\cfgmgr52'
Found 'Buddy.exe' in 'c:\WINDOWS'
Found 'tdtb.exe' in 'c:\WINDOWS'
Found '' in 'c:\Program Files\Media Access'
Found '' in 'c:\Program Files\Toolbar'
Found '' in 'c:\Program Files\MySearch'
Found '' in 'c:\Program Files\MySearch\bar'
Found 'data.bin' in 'c:\Program Files\Aprps'
Found 'backup-20050715-225328-231.dll' in 'c:\HJT\backups'
Programs in Memory
Found 'nsvsvc.exe' in 'C:\WINDOWS\SYSTEM\nsvsvc'
Internet URL Shortcuts
Found 'WeirdOnTheWeb.url' in 'C:\WINDOWS\Favorites\'
Internet Cookies
Found 'go.com' in 'Internet Explorer Cache'
Windows Registry
Found '' in 'SOFTWARE\E2G'
Found '' in 'Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\GAIN Publishing'
Found '' in 'Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\PrecisionTime'
Found '' in 'software\classes\CLSID\{A8BD9566-9895-4FA3-918D-A51D4CD15865}'
Found '' in 'software\classes\CLSID\{A8BD9566-9895-4FA3-918D-A51D4CD15865}\InprocServer32'
Found '' in 'software\classes\CLSID\{D0070620-1E72-42E7-A14C-3A255AD31839}'
Found '' in 'software\classes\CLSID\{D0070620-1E72-42E7-A14C-3A255AD31839}\Control'
Found '' in 'software\classes\CLSID\{D0070620-1E72-42E7-A14C-3A255AD31839}\InprocServer32'
Found '' in 'software\classes\CLSID\{D0070620-1E72-42E7-A14C-3A255AD31839}\MiscStatus'
Found '' in 'software\classes\CLSID\{D0070620-1E72-42E7-A14C-3A255AD31839}\MiscStatus\1'
Found '' in 'software\classes\CLSID\{D0070620-1E72-42E7-A14C-3A255AD31839}\ProgID'
Found '' in 'software\classes\CLSID\{D0070620-1E72-42E7-A14C-3A255AD31839}\ToolboxBitmap32'
Found '' in 'software\classes\CLSID\{D0070620-1E72-42E7-A14C-3A255AD31839}\TypeLib'
Found '' in 'software\classes\CLSID\{D0070620-1E72-42E7-A14C-3A255AD31839}\Version'
Found '' in 'software\classes\Interface\{2BB15D36-43BE-4743-A3A0-3308F4B1A610}'
Found '' in 'software\classes\Interface\{2BB15D36-43BE-4743-A3A0-3308F4B1A610}\ProxyStubClsid'
Found '' in 'software\classes\Interface\{2BB15D36-43BE-4743-A3A0-3308F4B1A610}\ProxyStubClsid32'
Found '' in 'software\classes\Interface\{2BB15D36-43BE-4743-A3A0-3308F4B1A610}\TypeLib'
Found '' in 'software\classes\Interface\{41700749-A109-4254-AF13-BE54011E8783}'
Found '' in 'software\classes\Interface\{41700749-A109-4254-AF13-BE54011E8783}\ProxyStubClsid'
Found '' in 'software\classes\Interface\{41700749-A109-4254-AF13-BE54011E8783}\ProxyStubClsid32'
Found '' in 'software\classes\Interface\{41700749-A109-4254-AF13-BE54011E8783}\TypeLib'
Found '' in 'software\classes\TypeLib\{2A7DB8D1-43BE-4AD3-A81E-9BB8C9D00073}\1.0'
Found '' in 'software\classes\TypeLib\{2A7DB8D1-43BE-4AD3-A81E-9BB8C9D00073}\1.0\0\win32'
Found '' in 'software\classes\TypeLib\{2A7DB8D1-43BE-4AD3-A81E-9BB8C9D00073}\1.0\FLAGS'
Found '' in 'software\classes\TypeLib\{2A7DB8D1-43BE-4AD3-A81E-9BB8C9D00073}\1.0\HELPDIR'
Found '' in 'software\classes\VCCPGDATAACCESS.PgDataAccessCtrl.1'
Found '' in 'software\classes\VCCPGDATAACCESS.PgDataAccessCtrl.1\CLSID'
Found '' in 'SOFTWARE\Classes\CLSID\{A8BD9566-9895-4FA3-918D-A51D4CD15865}'
Found '' in 'SOFTWARE\Classes\CLSID\{A8BD9566-9895-4FA3-918D-A51D4CD15865}\InprocServer32'
Found '' in 'SOFTWARE\Classes\CLSID\{D0070620-1E72-42E7-A14C-3A255AD31839}'
Found '' in 'SOFTWARE\Classes\CLSID\{D0070620-1E72-42E7-A14C-3A255AD31839}\Control'
Found '' in 'SOFTWARE\Classes\CLSID\{D0070620-1E72-42E7-A14C-3A255AD31839}\InprocServer32'
Found '' in 'SOFTWARE\Classes\CLSID\{D0070620-1E72-42E7-A14C-3A255AD31839}\MiscStatus'
Found '' in 'SOFTWARE\Classes\CLSID\{D0070620-1E72-42E7-A14C-3A255AD31839}\MiscStatus\1'
Found '' in 'SOFTWARE\Classes\CLSID\{D0070620-1E72-42E7-A14C-3A255AD31839}\ProgID'
Found '' in 'SOFTWARE\Classes\CLSID\{D0070620-1E72-42E7-A14C-3A255AD31839}\ToolboxBitmap32'
Found '' in 'SOFTWARE\Classes\CLSID\{D0070620-1E72-42E7-A14C-3A255AD31839}\TypeLib'
Found '' in 'SOFTWARE\Classes\CLSID\{D0070620-1E72-42E7-A14C-3A255AD31839}\Version'
Found '' in 'SOFTWARE\Classes\Interface\{2BB15D36-43BE-4743-A3A0-3308F4B1A610}'
Found '' in 'SOFTWARE\Classes\Interface\{2BB15D36-43BE-4743-A3A0-3308F4B1A610}\ProxyStubClsid'
Found '' in 'SOFTWARE\Classes\Interface\{2BB15D36-43BE-4743-A3A0-3308F4B1A610}\ProxyStubClsid32'
Found '' in 'SOFTWARE\Classes\Interface\{2BB15D36-43BE-4743-A3A0-3308F4B1A610}\TypeLib'
Found '' in 'SOFTWARE\Classes\Interface\{41700749-A109-4254-AF13-BE54011E8783}'
Found '' in 'SOFTWARE\Classes\Interface\{41700749-A109-4254-AF13-BE54011E8783}\ProxyStubClsid'
Found '' in 'SOFTWARE\Classes\Interface\{41700749-A109-4254-AF13-BE54011E8783}\ProxyStubClsid32'
Found '' in 'SOFTWARE\Classes\Interface\{41700749-A109-4254-AF13-BE54011E8783}\TypeLib'
Found '' in 'SOFTWARE\Classes\TypeLib\{2A7DB8D1-43BE-4AD3-A81E-9BB8C9D00073}\1.0'
Found '' in 'SOFTWARE\Classes\TypeLib\{2A7DB8D1-43BE-4AD3-A81E-9BB8C9D00073}\1.0\0\win32'
Found '' in 'SOFTWARE\Classes\TypeLib\{2A7DB8D1-43BE-4AD3-A81E-9BB8C9D00073}\1.0\FLAGS'
Found '' in 'SOFTWARE\Classes\TypeLib\{2A7DB8D1-43BE-4AD3-A81E-9BB8C9D00073}\1.0\HELPDIR'
Found '' in 'SOFTWARE\Classes\VCCPGDATAACCESS.PgDataAccessCtrl.1'
Found '' in 'SOFTWARE\Classes\VCCPGDATAACCESS.PgDataAccessCtrl.1\CLSID'
Found '' in 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range1'
Found '' in 'SOFTWARE\Classes\CLSID\{B5AB638F-D76C-415B-A8F2-F3CEAC502212}'
Found '' in 'SOFTWARE\Classes\CLSID\{B5AB638F-D76C-415B-A8F2-F3CEAC502212}\LocalServer32'
Found '' in 'SOFTWARE\Classes\CLSID\{B5AB638F-D76C-415B-A8F2-F3CEAC502212}\ProgID'
Found '' in 'SOFTWARE\Classes\CLSID\{B5AB638F-D76C-415B-A8F2-F3CEAC502212}\VersionIndependentProgID'
Found '' in 'SOFTWARE\Classes\CLSID\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA}'
Found '' in 'SOFTWARE\Classes\CLSID\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA}\InProcServer32'
Found '' in 'SOFTWARE\Classes\Interface\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA}'
Found '' in 'SOFTWARE\Classes\Interface\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA}\NumMethods'
Found '' in 'SOFTWARE\Classes\Interface\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA}\ProxyStubClsid32'
Found '' in 'SOFTWARE\Wise Solutions\Wise Installation System\Repair\C:/Program Files/VBouncer/INSTALL.LOG'
Found '' in 'SOFTWARE\ClickSpring'
Found '' in 'SOFTWARE\Classes\TypeLib\{92DAF5C1-2135-4E0C-B7A0-259ABFCD3904}\1.1\HELPDIR'
Found '' in 'SOFTWARE\Classes\TypeLib\{92DAF5C1-2135-4E0C-B7A0-259ABFCD3904}\1.1\FLAGS'
Found '' in 'SOFTWARE\Classes\TypeLib\{92DAF5C1-2135-4E0C-B7A0-259ABFCD3904}\1.1\0\win32'
Found '' in 'SOFTWARE\Classes\TypeLib\{92DAF5C1-2135-4E0C-B7A0-259ABFCD3904}\1.1'
Found '' in 'SOFTWARE\Classes\Interface\{BB0D5ADC-028D-4185-9288-722DDCE2C757}\TypeLib'
Found '' in 'SOFTWARE\Classes\Interface\{BB0D5ADC-028D-4185-9288-722DDCE2C757}\ProxyStubClsid32'
Found '' in 'SOFTWARE\Classes\Interface\{BB0D5ADC-028D-4185-9288-722DDCE2C757}\ProxyStubClsid'
Found '' in 'SOFTWARE\Classes\Interface\{BB0D5ADC-028D-4185-9288-722DDCE2C757}'
Found '' in 'SOFTWARE\Classes\CeresDll.CeresDllObj\CurVer'
Found '' in 'SOFTWARE\Classes\CeresDll.CeresDllObj\CLSID'
Found '' in 'SOFTWARE\Classes\CeresDll.CeresDllObj.1\CLSID'
Found '' in 'SOFTWARE\Classes\CeresDll.CeresDllObj.1'
Found '' in 'SOFTWARE\Classes\CeresDll.CeresDllObj'
Found '' in 'Software\Ceres'
Found '' in 'Software\Dynamic Toolbar'
Found '' in 'SOFTWARE\Classes\Interface\{370F6327-41C4-4FA6-A2DF-1BA57EE0FBB9}\TypeLib'
Found '' in 'SOFTWARE\Classes\Interface\{370F6327-41C4-4FA6-A2DF-1BA57EE0FBB9}\ProxyStubClsid32'
Found '' in 'SOFTWARE\Classes\Interface\{370F6327-41C4-4FA6-A2DF-1BA57EE0FBB9}\ProxyStubClsid'
Found '' in 'SOFTWARE\Classes\Interface\{370F6327-41C4-4FA6-A2DF-1BA57EE0FBB9}'
Found '' in 'SOFTWARE\Classes\Interface\{EFA52460-8822-4191-BA38-FACDD2007910}\TypeLib'
Found '' in 'SOFTWARE\Classes\Interface\{EFA52460-8822-4191-BA38-FACDD2007910}\ProxyStubClsid32'
Found '' in 'SOFTWARE\Classes\Interface\{EFA52460-8822-4191-BA38-FACDD2007910}\ProxyStubClsid'
Found '' in 'SOFTWARE\Classes\Interface\{EFA52460-8822-4191-BA38-FACDD2007910}'
Found 'ThreadingModel' in 'SOFTWARE\Classes\CLSID\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA}\InProcServer32'
Found '' in 'SOFTWARE\Vendor\xml'
Found '' in 'SOFTWARE\Classes\TypeLib\{2A7DB8D1-43BE-4AD3-A81E-9BB8C9D00073}'
Found '' in 'SOFTWARE\Classes\TypeLib\{2A7DB8D1-43BE-4AD3-A81E-9BB8C9D00073}\1.0\0'
Found '' in 'SOFTWARE\Classes\TypeLib\{92DAF5C1-2135-4E0C-B7A0-259ABFCD3904}\1.1\0'
Found '' in 'SOFTWARE\Classes\TypeLib\{92DAF5C1-2135-4E0C-B7A0-259ABFCD3904}'
Found 'Version' in 'SOFTWARE\Classes\Interface\{BB0D5ADC-028D-4185-9288-722DDCE2C757}\TypeLib'
Found '' in 'Software\PTech'
Found 'PluginLevel' in 'SYSTEM\CurrentControlSet\Control\Session Manager'
Found '' in 'SOFTWARE\Classes\CLSID\{FB45C451-B0E9-4407-BB6A-9361013F3E9A}\Version'
Found '' in 'SOFTWARE\Classes\CLSID\{FB45C451-B0E9-4407-BB6A-9361013F3E9A}\TypeLib'
Found '' in 'SOFTWARE\Classes\CLSID\{FB45C451-B0E9-4407-BB6A-9361013F3E9A}\ProgID'
Found '' in 'SOFTWARE\Mvu'
Found '' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DisplayUtility'
Found '' in 'Software\Mvu'
Found 'Nsv' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
Found '' in 'SOFTWARE\Classes\CLSID\{D0070620-1E72-42E7-A14C-3A255AD31839}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}'
Found '' in 'SOFTWARE\Classes\CLSID\{D0070620-1E72-42E7-A14C-3A255AD31839}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}'
Found '' in 'SOFTWARE\Classes\CLSID\{D0070620-1E72-42E7-A14C-3A255AD31839}\Implemented Categories'
Found '' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WAFAIE'
Found '' in 'TypeLib\{92DAF5C1-2135-4E0C-B7A0-259ABFCD3904}'
Found '' in 'Interface\{BB0D5ADC-028D-4185-9288-722DDCE2C757}'
Found '' in 'TypeLib\{2A7DB8D1-43BE-4AD3-A81E-9BB8C9D00073}'
Found '' in 'Interface\{2BB15D36-43BE-4743-A3A0-3308F4B1A610}'
Found '' in 'Interface\{41700749-A109-4254-AF13-BE54011E8783}'
Found '' in 'CLSID\{A8BD9566-9895-4FA3-918D-A51D4CD15865}'
Found '' in 'CLSID\{D0070620-1E72-42E7-A14C-3A255AD31839}'
Found '' in 'VCCPGDATAACCESS.PgDataAccessCtrl.1'
Found '' in 'CeresDll.CeresDllObj'
Found '' in 'CeresDll.CeresDllObj.1'
Found '' in 'CLSID\{B5AB638F-D76C-415B-A8F2-F3CEAC502212}'
Found '' in 'CLSID\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA}'
Found '' in 'Interface\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA}'
Finished Scanning
Started Backup
Unable to backup the item 'c:\WINDOWS\All Users\Application Data\nsv\wmv0104.dbd'. [SCANMODS] FCIAddFile failed. FCI Error=1, 'File not found'.
Unable to backup the item 'c:\WINDOWS\All Users\Application Data\nsv\wmv0204.ddx'. [SCANMODS] FCIAddFile failed. FCI Error=1, 'File not found'.
Unable to backup the item 'c:\WINDOWS\All Users\Application Data\nsv\wmv0504.ddx'. [SCANMODS] FCIAddFile failed. FCI Error=1, 'File not found'.
Unable to backup the item 'c:\WINDOWS\All Users\Application Data\nsv\wmv0904.ddx'. [SCANMODS] FCIAddFile failed. FCI Error=1, 'File not found'.
Unable to backup the item 'c:\WINDOWS\All Users\Application Data\nsv\wmv0412.ddx'. [SCANMODS] FCIAddFile failed. FCI Error=1, 'File not found'.
Unable to backup the item 'c:\WINDOWS\All Users\Application Data\nsv\wmv0106.ddx'. [SCANMODS] FCIAddFile failed. FCI Error=1, 'File not found'.
Unable to backup the item 'c:\WINDOWS\All Users\Application Data\nsv\wmv1215.dbd'. [SCANMODS] FCIAddFile failed. FCI Error=1, 'File not found'.
Unable to backup the item 'c:\WINDOWS\All Users\Application Data\nsv\wmv0315.ddx'. [SCANMODS] FCIAddFile failed. FCI Error=1, 'File not found'.
Unable to backup the item 'c:\WINDOWS\All Users\Application Data\nsv\wmv1204.ddx'. [SCANMODS] FCIAddFile failed. FCI Error=1, 'File not found'.
Unable to backup the item 'c:\WINDOWS\All Users\Application Data\nsv\wmv2007.dbd'. [SCANMODS] FCIAddFile failed. FCI Error=1, 'File not found'.
Unable to backup the item 'c:\WINDOWS\All Users\Application Data\nsv\wmv1125.ddx'. [SCANMODS] FCIAddFile failed. FCI Error=1, 'File not found'.
Unable to backup the item 'c:\WINDOWS\All Users\Application Data\nsv\wmv1920.dbd'. [SCANMODS] FCIAddFile failed. FCI Error=1, 'File not found'.
Unable to backup the item 'c:\WINDOWS\All Users\Application Data\nsv\wmv1909.ddx'. [SCANMODS] FCIAddFile failed. FCI Error=1, 'File not found'.
Finished Backup
Started Cleaning
Checking for 'c:\_RESTORE\TEMP\A0007714.CPY' in shortcut areas.
Checking for 'c:\_RESTORE\TEMP\A0007714.CPY' in startup areas.
Cleaning 'c:\_RESTORE\TEMP\A0007714.CPY'
[SCANMODS] WARNING: Deletion of the file 'c:\_RESTORE\TEMP\A0007714.CPY' requires a reboot.
Checking for 'c:\_RESTORE\TEMP\A0008645.CPY' in shortcut areas.
Checking for 'c:\_RESTORE\TEMP\A0008645.CPY' in startup areas.
Cleaning 'c:\_RESTORE\TEMP\A0008645.CPY'
[SCANMODS] WARNING: Deletion of the file 'c:\_RESTORE\TEMP\A0008645.CPY' requires a reboot.
Checking for 'c:\_RESTORE\TEMP\A0008759.CPY' in shortcut areas.
Checking for 'c:\_RESTORE\TEMP\A0008759.CPY' in startup areas.
Cleaning 'c:\_RESTORE\TEMP\A0008759.CPY'
[SCANMODS] WARNING: Deletion of the file 'c:\_RESTORE\TEMP\A0008759.CPY' requires a reboot.
Checking for 'c:\_RESTORE\TEMP\A0008760.CPY' in shortcut areas.
Checking for 'c:\_RESTORE\TEMP\A0008760.CPY' in startup areas.
Cleaning 'c:\_RESTORE\TEMP\A0008760.CPY'
[SCANMODS] WARNING: Deletion of the file 'c:\_RESTORE\TEMP\A0008760.CPY' requires a reboot.
Checking for 'c:\_RESTORE\TEMP\A0008797.CPY' in shortcut areas.
Checking for 'c:\_RESTORE\TEMP\A0008797.CPY' in startup areas.
Cleaning 'c:\_RESTORE\TEMP\A0008797.CPY'
[SCANMODS] WARNING: Deletion of the file 'c:\_RESTORE\TEMP\A0008797.CPY' requires a reboot.
Checking for 'c:\_RESTORE\TEMP\A0008801.CPY' in shortcut areas.
Checking for 'c:\_RESTORE\TEMP\A0008801.CPY' in startup areas.
Cleaning 'c:\_RESTORE\TEMP\A0008801.CPY'
[SCANMODS] WARNING: Deletion of the file 'c:\_RESTORE\TEMP\A0008801.CPY' requires a reboot.
Checking for 'c:\_RESTORE\TEMP\A0008808.CPY' in shortcut areas.
Checking for 'c:\_RESTORE\TEMP\A0008808.CPY' in startup areas.
Cleaning 'c:\_RESTORE\TEMP\A0008808.CPY'
[SCANMODS] WARNING: Deletion of the file 'c:\_RESTORE\TEMP\A0008808.CPY' requires a reboot.
Checking for 'c:\_RESTORE\TEMP\A0008812.CPY' in shortcut areas.
Checking for 'c:\_RESTORE\TEMP\A0008812.CPY' in startup areas.
Cleaning 'c:\_RESTORE\TEMP\A0008812.CPY'
[SCANMODS] WARNING: Deletion of the file 'c:\_RESTORE\TEMP\A0008812.CPY' requires a reboot.
Checking for 'c:\_RESTORE\TEMP\A0008849.CPY' in shortcut areas.
Checking for 'c:\_RESTORE\TEMP\A0008849.CPY' in startup areas.
Cleaning 'c:\_RESTORE\TEMP\A0008849.CPY'
[SCANMODS] WARNING: Deletion of the file 'c:\_RESTORE\TEMP\A0008849.CPY' requires a reboot.
Checking for 'c:\_RESTORE\TEMP\A0008853.CPY' in shortcut areas.
Checking for 'c:\_RESTORE\TEMP\A0008853.CPY' in startup areas.
Cleaning 'c:\_RESTORE\TEMP\A0008853.CPY'
[SCANMODS] WARNING: Deletion of the file 'c:\_RESTORE\TEMP\A0008853.CPY' requires a reboot.
Checking for 'c:\_RESTORE\TEMP\A0008882.CPY' in shortcut areas.
Checking for 'c:\_RESTORE\TEMP\A0008882.CPY' in startup areas.
Cleaning 'c:\_RESTORE\TEMP\A0008882.CPY'
[SCANMODS] WARNING: Deletion of the file 'c:\_RESTORE\TEMP\A0008882.CPY' requires a reboot.
Checking for 'c:\_RESTORE\TEMP\A0008886.CPY' in shortcut areas.
Checking for 'c:\_RESTORE\TEMP\A0008886.CPY' in startup areas.
Cleaning 'c:\_RESTORE\TEMP\A0008886.CPY'
[SCANMODS] WARNING: Deletion of the file 'c:\_RESTORE\TEMP\A0008886.CPY' requires a reboot.
Checking for 'c:\_RESTORE\TEMP\A0008893.CPY' in shortcut areas.
Checking for 'c:\_RESTORE\TEMP\A0008893.CPY' in startup areas.
Cleaning 'c:\_RESTORE\TEMP\A0008893.CPY'
[SCANMODS] WARNING: Deletion of the file 'c:\_RESTORE\TEMP\A0008893.CPY' requires a reboot.
Checking for 'c:\_RESTORE\TEMP\A0008897.CPY' in shortcut areas.
Checking for 'c:\_RESTORE\TEMP\A0008897.CPY' in startup areas.
Cleaning 'c:\_RESTORE\TEMP\A0008897.CPY'
[SCANMODS] WARNING: Deletion of the file 'c:\_RESTORE\TEMP\A0008897.CPY' requires a reboot.
Checking for 'c:\_RESTORE\TEMP\A0008942.CPY' in shortcut areas.
Checking for 'c:\_RESTORE\TEMP\A0008942.CPY' in startup areas.
Cleaning 'c:\_RESTORE\TEMP\A0008942.CPY'
[SCANMODS] WARNING: Deletion of the file 'c:\_RESTORE\TEMP\A0008942.CPY' requires a reboot.
Checking for 'c:\_RESTORE\TEMP\A0009085.CPY' in shortcut areas.
Checking for 'c:\_RESTORE\TEMP\A0009085.CPY' in startup areas.
Cleaning 'c:\_RESTORE\TEMP\A0009085.CPY'
[SCANMODS] WARNING: Deletion of the file 'c:\_RESTORE\TEMP\A0009085.CPY' requires a reboot.
Checking for 'c:\_RESTORE\TEMP\A0009089.CPY' in shortcut areas.
Checking for 'c:\_RESTORE\TEMP\A0009089.CPY' in startup areas.
Cleaning 'c:\_RESTORE\TEMP\A0009089.CPY'
[SCANMODS] WARNING: Deletion of the file 'c:\_RESTORE\TEMP\A0009089.CPY' requires a reboot.
Checking for 'c:\_RESTORE\TEMP\A0009097.CPY' in shortcut areas.
Checking for 'c:\_RESTORE\TEMP\A0009097.CPY' in startup areas.
Cleaning 'c:\_RESTORE\TEMP\A0009097.CPY'
[SCANMODS] WARNING: Deletion of the file 'c:\_RESTORE\TEMP\A0009097.CPY' requires a reboot.
Checking for 'c:\_RESTORE\TEMP\A0009101.CPY' in shortcut areas.
Checking for 'c:\_RESTORE\TEMP\A0009101.CPY' in startup areas.
Cleaning 'c:\_RESTORE\TEMP\A0009101.CPY'
[SCANMODS] WARNING: Deletion of the file 'c:\_RESTORE\TEMP\A0009101.CPY' requires a reboot.
Checking for 'c:\_RESTORE\TEMP\A0009108.CPY' in shortcut areas.
Checking for 'c:\_RESTORE\TEMP\A0009108.CPY' in startup areas.
Cleaning 'c:\_RESTORE\TEMP\A0009108.CPY'
[SCANMODS] WARNING: Deletion of the file 'c:\_RESTORE\TEMP\A0009108.CPY' requires a reboot.
Checking for 'c:\_RESTORE\TEMP\A0009112.CPY' in shortcut areas.
Checking for 'c:\_RESTORE\TEMP\A0009112.CPY' in startup areas.
Cleaning 'c:\_RESTORE\TEMP\A0009112.CPY'
[SCANMODS] WARNING: Deletion of the file 'c:\_RESTORE\TEMP\A0009112.CPY' requires a reboot.
Checking for 'c:\_RESTORE\TEMP\A0009120.CPY' in shortcut areas.
Checking for 'c:\_RESTORE\TEMP\A0009120.CPY' in startup areas.
Cleaning 'c:\_RESTORE\TEMP\A0009120.CPY'
[SCANMODS] WARNING: Deletion of the file 'c:\_RESTORE\TEMP\A0009120.CPY' requires a reboot.
Checking for 'c:\_RESTORE\TEMP\A0009124.CPY' in shortcut areas.
Checking for 'c:\_RESTORE\TEMP\A0009124.CPY' in startup areas.
Cleaning 'c:\_RESTORE\TEMP\A0009124.CPY'
[SCANMODS] WARNING: Deletion of the file 'c:\_RESTORE\TEMP\A0009124.CPY' requires a reboot.
Checking for 'c:\_RESTORE\TEMP\A0009133.CPY' in shortcut areas.
Checking for 'c:\_RESTORE\TEMP\A0009133.CPY' in startup areas.
Cleaning 'c:\_RESTORE\TEMP\A0009133.CPY'
[SCANMODS] WARNING: Deletion of the file 'c:\_RESTORE\TEMP\A0009133.CPY' requires a reboot.
Checking for 'c:\_RESTORE\TEMP\A0009137.CPY' in shortcut areas.
Checking for 'c:\_RESTORE\TEMP\A0009137.CPY' in startup areas.
Cleaning 'c:\_RESTORE\TEMP\A0009137.CPY'
[SCANMODS] WARNING: Deletion of the file 'c:\_RESTORE\TEMP\A0009137.CPY' requires a reboot.
Checking for 'c:\_RESTORE\TEMP\A0009202.CPY' in shortcut areas.
Checking for 'c:\_RESTORE\TEMP\A0009202.CPY' in startup areas.
Cleaning 'c:\_RESTORE\TEMP\A0009202.CPY'
[SCANMODS] WARNING: Deletion of the file 'c:\_RESTORE\TEMP\A0009202.CPY' requires a reboot.
Checking for 'c:\_RESTORE\TEMP\A0009206.CPY' in shortcut areas.
Checking for 'c:\_RESTORE\TEMP\A0009206.CPY' in startup areas.
Cleaning 'c:\_RESTORE\TEMP\A0009206.CPY'
[SCANMODS] WARNING: Deletion of the file 'c:\_RESTORE\TEMP\A0009206.CPY' requires a reboot.
Checking for 'c:\_RESTORE\TEMP\A0009214.CPY' in shortcut areas.
Checking for 'c:\_RESTORE\TEMP\A0009214.CPY' in startup areas.
Cleaning 'c:\_RESTORE\TEMP\A0009214.CPY'
[SCANMODS] WARNING: Deletion of the file 'c:\_RESTORE\TEMP\A0009214.CPY' requires a reboot.
Checking for 'c:\_RESTORE\TEMP\A0009218.CPY' in shortcut areas.
Checking for 'c:\_RESTORE\TEMP\A0009218.CPY' in startup areas.
Cleaning 'c:\_RESTORE\TEMP\A0009218.CPY'
[SCANMODS] WARNING: Deletion of the file 'c:\_RESTORE\TEMP\A0009218.CPY' requires a reboot.
Checking for 'c:\_RESTORE\TEMP\A0009227.CPY' in shortcut areas.
Checking for 'c:\_RESTORE\TEMP\A0009227.CPY' in startup areas.
Cleaning 'c:\_RESTORE\TEMP\A0009227.CPY'
[SCANMODS] WARNING: Deletion of the file 'c:\_RESTORE\TEMP\A0009227.CPY' requires a reboot.
Checking for 'c:\_RESTORE\TEMP\A0009231.CPY' in shortcut areas.
Checking for 'c:\_RESTORE\TEMP\A0009231.CPY' in startup areas.
Cleaning 'c:\_RESTORE\TEMP\A0009231.CPY'
[SCANMODS] WARNING: Deletion of the file 'c:\_RESTORE\TEMP\A0009231.CPY' requires a reboot.
Checking for 'c:\_RESTORE\TEMP\A0009297.CPY' in shortcut areas.
Checking for 'c:\_RESTORE\TEMP\A0009297.CPY' in startup areas.
Cleaning 'c:\_RESTORE\TEMP\A0009297.CPY'
[SCANMODS] WARNING: Deletion of the file 'c:\_RESTORE\TEMP\A0009297.CPY' requires a reboot.
Checking for 'c:\_RESTORE\TEMP\A0009301.CPY' in shortcut areas.
Checking for 'c:\_RESTORE\TEMP\A0009301.CPY' in startup areas.
Cleaning 'c:\_RESTORE\TEMP\A0009301.CPY'
[SCANMODS] WARNING: Deletion of the file 'c:\_RESTORE\TEMP\A0009301.CPY' requires a reboot.
Checking for 'c:\_RESTORE\TEMP\A0009308.CPY' in shortcut areas.
Checking for 'c:\_RESTORE\TEMP\A0009308.CPY' in startup areas.
Cleaning 'c:\_RESTORE\TEMP\A0009308.CPY'
[SCANMODS] WARNING: Deletion of the file 'c:\_RESTORE\TEMP\A0009308.CPY' requires a reboot.
Checking for 'c:\_RESTORE\TEMP\A0009312.CPY' in shortcut areas.
Checking for 'c:\_RESTORE\TEMP\A0009312.CPY' in startup areas.
Cleaning 'c:\_RESTORE\TEMP\A0009312.CPY'
[SCANMODS] WARNING: Deletion of the file 'c:\_RESTORE\TEMP\A0009312.CPY' requires a reboot.
Checking for 'c:\_RESTORE\TEMP\A0009352.CPY' in shortcut areas.
Checking for 'c:\_RESTORE\TEMP\A0009352.CPY' in startup areas.
Cleaning 'c:\_RESTORE\TEMP\A0009352.CPY'
[SCANMODS] WARNING: Deletion of the file 'c:\_RESTORE\TEMP\A0009352.CPY' requires a reboot.
Checking for 'c:\_RESTORE\TEMP\A0009356.CPY' in shortcut areas.
Checking for 'c:\_RESTORE\TEMP\A0009356.CPY' in startup areas.
Cleaning 'c:\_RESTORE\TEMP\A0009356.CPY'
[SCANMODS] WARNING: Deletion of the file 'c:\_RESTORE\TEMP\A0009356.CPY' requires a reboot.
Checking for 'c:\_RESTORE\TEMP\A0009408.CPY' in shortcut areas.
Checking for 'c:\_RESTORE\TEMP\A0009408.CPY' in startup areas.
Cleaning 'c:\_RESTORE\TEMP\A0009408.CPY'
[SCANMODS] WARNING: Deletion of the file 'c:\_RESTORE\TEMP\A0009408.CPY' requires a reboot.
Checking for 'c:\_RESTORE\TEMP\A0009412.CPY' in shortcut areas.
Checking for 'c:\_RESTORE\TEMP\A0009412.CPY' in startup areas.
Cleaning 'c:\_RESTORE\TEMP\A0009412.CPY'
[SCANMODS] WARNING: Deletion of the file 'c:\_RESTORE\TEMP\A0009412.CPY' requires a reboot.
Checking for 'c:\_RESTORE\TEMP\A0005643.CPY' in shortcut areas.
Checking for 'c:\_RESTORE\TEMP\A0005643.CPY' in startup areas.
Cleaning 'c:\_RESTORE\TEMP\A0005643.CPY'
[SCANMODS] WARNING: Deletion of the file 'c:\_RESTORE\TEMP\A0005643.CPY' requires a reboot.
Checking for 'c:\_RESTORE\TEMP\A0009638.CPY' in shortcut areas.
Checking for 'c:\_RESTORE\TEMP\A0009638.CPY' in startup areas.
Cleaning 'c:\_RESTORE\TEMP\A0009638.CPY'
[SCANMODS] WARNING: Deletion of the file 'c:\_RESTORE\TEMP\A0009638.CPY' requires a reboot.
Checking for 'c:\_RESTORE\TEMP\A0009645.CPY' in shortcut areas.
Checking for 'c:\_RESTORE\TEMP\A0009645.CPY' in startup areas.
Cleaning 'c:\_RESTORE\TEMP\A0009645.CPY'
[SCANMODS] WARNING: Deletion of the file 'c:\_RESTORE\TEMP\A0009645.CPY' requires a reboot.
Checking for 'c:\_RESTORE\TEMP\A0009723.CPY' in shortcut areas.
Checking for 'c:\_RESTORE\TEMP\A0009723.CPY' in startup areas.
Cleaning 'c:\_RESTORE\TEMP\A0009723.CPY'
[SCANMODS] WARNING: Deletion of the file 'c:\_RESTORE\TEMP\A0009723.CPY' requires a reboot.
Checking for 'c:\_RESTORE\TEMP\A0010724.CPY' in shortcut areas.
Checking for 'c:\_RESTORE\TEMP\A0010724.CPY' in startup areas.
Cleaning 'c:\_RESTORE\TEMP\A0010724.CPY'
[SCANMODS] WARNING: Deletion of the file 'c:\_RESTORE\TEMP\A0010724.CPY' requires a reboot.
Checking for 'c:\_RESTORE\TEMP\A0010842.CPY' in shortcut areas.
Checking for 'c:\_RESTORE\TEMP\A0010842.CPY' in startup areas.
Cleaning 'c:\_RESTORE\TEMP\A0010842.CPY'
[SCANMODS] WARNING: Deletion of the file 'c:\_RESTORE\TEMP\A0010842.CPY' requires a reboot.
Checking for 'c:\WINDOWS\SYSTEM\FLEOK' in shortcut areas.
Checking for 'c:\WINDOWS\SYSTEM\FLEOK' in startup areas.
Cleaning 'c:\WINDOWS\SYSTEM\FLEOK'
Checking for 'c:\WINDOWS\SYSTEM\Cache\desktrf-fran-162813.exe' in shortcut areas.
Checking for 'c:\WINDOWS\SYSTEM\Cache\desktrf-fran-162813.exe' in startup areas.
Cleaning 'c:\WINDOWS\SYSTEM\Cache\desktrf-fran-162813.exe'
Checking for 'c:\WINDOWS\SYSTEM\bthdde.xml' in shortcut areas.
Checking for 'c:\WINDOWS\SYSTEM\bthdde.xml' in startup areas.
Cleaning 'c:\WINDOWS\SYSTEM\bthdde.xml'
Checking for 'c:\WINDOWS\SYSTEM\wcpsu.exe' in shortcut areas.
Checking for 'c:\WINDOWS\SYSTEM\wcpsu.exe' in startup areas.
Cleaning 'c:\WINDOWS\SYSTEM\wcpsu.exe'
Checking for 'c:\WINDOWS\SYSTEM\nsvsvc\nsvsvc.exe' in shortcut areas.
Checking for 'c:\WINDOWS\SYSTEM\nsvsvc\nsvsvc.exe' in startup areas.
Cleaning 'c:\WINDOWS\SYSTEM\nsvsvc\nsvsvc.exe'
Checking for 'c:\WINDOWS\SYSTEM\nsvsvc\nsvs.dll' in shortcut areas.
Checking for 'c:\WINDOWS\SYSTEM\nsvsvc\nsvs.dll' in startup areas.
Cleaning 'c:\WINDOWS\SYSTEM\nsvsvc\nsvs.dll'
Checking for 'c:\WINDOWS\SYSTEM\nsvsvc\License.txt' in shortcut areas.
Checking for 'c:\WINDOWS\SYSTEM\nsvsvc\License.txt' in startup areas.
Cleaning 'c:\WINDOWS\SYSTEM\nsvsvc\License.txt'
Checking for 'c:\WINDOWS\INF\BIINI.INF' in shortcut areas.
Checking for 'c:\WINDOWS\INF\BIINI.INF' in startup areas.
Cleaning 'c:\WINDOWS\INF\BIINI.INF'
Checking for 'c:\WINDOWS\INF\BELT.INF' in shortcut areas.
Checking for 'c:\WINDOWS\INF\BELT.INF' in startup areas.
Cleaning 'c:\WINDOWS\INF\BELT.INF'
Checking for 'c:\WINDOWS\INF\CERES.INF' in shortcut areas.
Checking for 'c:\WINDOWS\INF\CERES.INF' in startup areas.
Cleaning 'c:\WINDOWS\INF\CERES.INF'
Checking for 'c:\WINDOWS\TEMP\pav22.TMP' in shortcut areas.
Checking for 'c:\WINDOWS\TEMP\pav22.TMP' in startup areas.
Cleaning 'c:\WINDOWS\TEMP\pav22.TMP'
Checking for 'c:\WINDOWS\TEMP\pav24.TMP' in shortcut areas.
Checking for 'c:\WINDOWS\TEMP\pav24.TMP' in startup areas.
Cleaning 'c:\WINDOWS\TEMP\pav24.TMP'
Checking for 'c:\WINDOWS\TEMP\pav164.TMP' in shortcut areas.
Checking for 'c:\WINDOWS\TEMP\pav164.TMP' in startup areas.
Cleaning 'c:\WINDOWS\TEMP\pav164.TMP'
Checking for 'c:\WINDOWS\TEMP\pav40D5.TMP' in shortcut areas.
Checking for 'c:\WINDOWS\TEMP\pav40D5.TMP' in startup areas.
Cleaning 'c:\WINDOWS\TEMP\pav40D5.TMP'
Checking for 'c:\WINDOWS\TEMP\pav40E0.TMP' in shortcut areas.
Checking for 'c:\WINDOWS\TEMP\pav40E0.TMP' in startup areas.
Cleaning 'c:\WINDOWS\TEMP\pav40E0.TMP'
Checking for 'c:\WINDOWS\TEMP\pav4374.TMP' in shortcut areas.
Checking for 'c:\WINDOWS\TEMP\pav4374.TMP' in startup areas.
Cleaning 'c:\WINDOWS\TEMP\pav4374.TMP'
Checking for 'c:\WINDOWS\All Users\Application Data\nsv\wmv0104.dbd' in shortcut areas.
Checking for 'c:\WINDOWS\All Users\Application Data\nsv\wmv0104.dbd' in startup areas.
Cleaning 'c:\WINDOWS\All Users\Application Data\nsv\wmv0104.dbd'
Checking for 'c:\WINDOWS\All Users\Application Data\nsv\wmv0204.ddx' in shortcut areas.
Checking for 'c:\WINDOWS\All Users\Application Data\nsv\wmv0204.ddx' in startup areas.
Cleaning 'c:\WINDOWS\All Users\Application Data\nsv\wmv0204.ddx'
Checking for 'c:\WINDOWS\All Users\Application Data\nsv\wmv0504.ddx' in shortcut areas.
Checking for 'c:\WINDOWS\All Users\Application Data\nsv\wmv0504.ddx' in startup areas.
Cleaning 'c:\WINDOWS\All Users\Application Data\nsv\wmv0504.ddx'
Checking for 'c:\WINDOWS\All Users\Application Data\nsv\wmv0904.ddx' in shortcut areas.
Checking for 'c:\WINDOWS\All Users\Application Data\nsv\wmv0904.ddx' in startup areas.
Cleaning 'c:\WINDOWS\All Users\Application Data\nsv\wmv0904.ddx'
Checking for 'c:\WINDOWS\All Users\Application Data\nsv\wmv0412.ddx' in shortcut areas.
Checking for 'c:\WINDOWS\All Users\Application Data\nsv\wmv0412.ddx' in startup areas.
Cleaning 'c:\WINDOWS\All Users\Application Data\nsv\wmv0412.ddx'
Checking for 'c:\WINDOWS\All Users\Application Data\nsv\wmv0106.ddx' in shortcut areas.
Checking for 'c:\WINDOWS\All Users\Application Data\nsv\wmv0106.ddx' in startup areas.
Cleaning 'c:\WINDOWS\All Users\Application Data\nsv\wmv0106.ddx'
Checking for 'c:\WINDOWS\All Users\Application Data\nsv\wmv1215.dbd' in shortcut areas.
Checking for 'c:\WINDOWS\All Users\Application Data\nsv\wmv1215.dbd' in startup areas.
Cleaning 'c:\WINDOWS\All Users\Application Data\nsv\wmv1215.dbd'
Checking for 'c:\WINDOWS\All Users\Application Data\nsv\wmv0315.ddx' in shortcut areas.
Checking for 'c:\WINDOWS\All Users\Application Data\nsv\wmv0315.ddx' in startup areas.
Cleaning 'c:\WINDOWS\All Users\Application Data\nsv\wmv0315.ddx'
Checking for 'c:\WINDOWS\All Users\Application Data\nsv\wmv1204.ddx' in shortcut areas.
Checking for 'c:\WINDOWS\All Users\Application Data\nsv\wmv1204.ddx' in startup areas.
Cleaning 'c:\WINDOWS\All Users\Application Data\nsv\wmv1204.ddx'
Checking for 'c:\WINDOWS\All Users\Application Data\nsv\wmv2007.dbd' in shortcut areas.
Checking for 'c:\WINDOWS\All Users\Application Data\nsv\wmv2007.dbd' in startup areas.
Cleaning 'c:\WINDOWS\All Users\Application Data\nsv\wmv2007.dbd'
Checking for 'c:\WINDOWS\All Users\Application Data\nsv\wmv1125.ddx' in shortcut areas.
Checking for 'c:\WINDOWS\All Users\Application Data\nsv\wmv1125.ddx' in startup areas.
Cleaning 'c:\WINDOWS\All Users\Application Data\nsv\wmv1125.ddx'
Checking for 'c:\WINDOWS\All Users\Application Data\nsv\wmv1920.dbd' in shortcut areas.
Checking for 'c:\WINDOWS\All Users\Application Data\nsv\wmv1920.dbd' in startup areas.
Cleaning 'c:\WINDOWS\All Users\Application Data\nsv\wmv1920.dbd'
Checking for 'c:\WINDOWS\All Users\Application Data\nsv\wmv1909.ddx' in shortcut areas.
Checking for 'c:\WINDOWS\All Users\Application Data\nsv\wmv1909.ddx' in startup areas.
Cleaning 'c:\WINDOWS\All Users\Application Data\nsv\wmv1909.ddx'
Checking for 'c:\WINDOWS\CERES.DLL' in shortcut areas.
Checking for 'c:\WINDOWS\CERES.DLL' in startup areas.
Cleaning 'c:\WINDOWS\CERES.DLL'
[SCANMODS] WARNING: Deletion of the file 'c:\WINDOWS\CERES.DLL' requires a reboot.
Checking for 'c:\WINDOWS\cfgmgr52\EECH1.bsx' in shortcut areas.
Checking for 'c:\WINDOWS\cfgmgr52\EECH1.bsx' in startup areas.
Cleaning 'c:\WINDOWS\cfgmgr52\EECH1.bsx'
Checking for 'c:\WINDOWS\Buddy.exe' in shortcut areas.
Checking for 'c:\WINDOWS\Buddy.exe' in startup areas.
Cleaning 'c:\WINDOWS\Buddy.exe'
Checking for 'c:\WINDOWS\tdtb.exe' in shortcut areas.
Checking for 'c:\WINDOWS\tdtb.exe' in startup areas.
Cleaning 'c:\WINDOWS\tdtb.exe'
Checking for 'c:\Program Files\Media Access' in shortcut areas.
Checking for 'c:\Program Files\Media Access' in startup areas.
Cleaning 'c:\Program Files\Media Access'
Checking for 'c:\Program Files\Toolbar' in shortcut areas.
Checking for 'c:\Program Files\Toolbar' in startup areas.
Cleaning 'c:\Program Files\Toolbar'
Checking for 'c:\Program Files\Toolbar\tbps.dat' in shortcut areas.
Checking for 'c:\Program Files\Toolbar\tbps.dat' in startup areas.
Cleaning 'c:\Program Files\Toolbar\tbps.dat'
Checking for 'c:\Program Files\MySearch' in shortcut areas.
Checking for 'c:\Program Files\MySearch' in startup areas.
Cleaning 'c:\Program Files\MySearch'
Checking for 'c:\Program Files\MySearch\bar\1.bin\MYSEARCHPLUGINPROXY.CLASS' in shortcut areas.
Checking for 'c:\Program Files\MySearch\bar\1.bin\MYSEARCHPLUGINPROXY.CLASS' in startup areas.
Cleaning 'c:\Program Files\MySearch\bar\1.bin\MYSEARCHPLUGINPROXY.CLASS'
Checking for 'c:\Program Files\MySearch\bar\1.bin\NPMYSRCH.DLL' in shortcut areas.
Checking for 'c:\Program Files\MySearch\bar\1.bin\NPMYSRCH.DLL' in startup areas.
Cleaning 'c:\Program Files\MySearch\bar\1.bin\NPMYSRCH.DLL'
Checking for 'c:\Program Files\MySearch\bar\1.bin\S42NS.EXE' in shortcut areas.
Checking for 'c:\Program Files\MySearch\bar\1.bin\S42NS.EXE' in startup areas.
Cleaning 'c:\Program Files\MySearch\bar\1.bin\S42NS.EXE'
Checking for 'c:\Program Files\MySearch\bar\1.bin\S4BAR.DLL' in shortcut areas.
Checking for 'c:\Program Files\MySearch\bar\1.bin\S4BAR.DLL' in startup areas.
Cleaning 'c:\Program Files\MySearch\bar\1.bin\S4BAR.DLL'
Checking for 'c:\Program Files\MySearch\bar' in shortcut areas.
Checking for 'c:\Program Files\MySearch\bar' in startup areas.
Cleaning 'c:\Program Files\MySearch\bar'
[SCANMODS] The file 'c:\Program Files\MySearch\bar' was not found. Most likely already cleaned by another scanner module.
Checking for 'c:\Program Files\Aprps\data.bin' in shortcut areas.
Checking for 'c:\Program Files\Aprps\data.bin' in startup areas.
Cleaning 'c:\Program Files\Aprps\data.bin'
Checking for 'c:\HJT\backups\backup-20050715-225328-231.dll' in shortcut areas.
Checking for 'c:\HJT\backups\backup-20050715-225328-231.dll' in startup areas.
Cleaning 'c:\HJT\backups\backup-20050715-225328-231.dll'
Checking for 'C:\WINDOWS\SYSTEM\nsvsvc\nsvsvc.exe' in shortcut areas.
Checking for 'C:\WINDOWS\SYSTEM\nsvsvc\nsvsvc.exe' in startup areas.
Cleaning 'C:\WINDOWS\SYSTEM\nsvsvc\nsvsvc.exe'
[SCANMODS] The file 'C:\WINDOWS\SYSTEM\nsvsvc\nsvsvc.exe' was not found. Most likely already cleaned by another scanner module.
Unable to delete registry value 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Nsv'. Error=2.
Finished Cleaning

sUBs · 07-16-2005, 09:33 AM

Copy to clipboard, all the items below by highlighting them & pressing [CTRL]+[C] on your keyboard.

C:\WINDOWS\START MENU\PROGRAMS\STARTUP\NNND.EXE
C:\WINDOWS\CERES.DLL
C:\WINDOWS\SYSTEM\VIDCTRL\VIDCTRL.EXE
C:\WINDOWS\SYSTEM\DATADX.DLL
c:\windows\system\dlylygu.exe
C:\WINDOWS\jjjanl.exe

Start KillBox.
Go to the File menu, and choose Paste from Clipboard * this feature does not work on older versons of Killbox
Click the dropdown-arrow next to the "Full Path of File to Delete" field.
Verify that the filenames you pasted are found in there.
Select/tick the following:
* Replace on Reboot
* Use Dummy
* End Explorer Shell While Killing File
* "Unregister.dll Before Deleting" * if it's not grayed out
Click the RED X button.
Click "Yes" at the 'Delete on Reboot' prompt.
Click "Yes" at the 'Pending Operations' prompt.

* If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

= = = = = = = = = = =

Reboot to Safe-Mode
Restart the computer. The computer begins processing a set of instructions known as BIOS.
As soon as the BIOS has finished loading, begin tapping the F8 key on your keyboard.
Continue to do so until the 'Windows Advanced Options' menu appears.
Using the arrow keys on the keyboard, scroll to and select the menu item - Safe Mode.

= = = = = = = = = = =

Uninstall the following programs using Add/Remove Programs panel : * Some entries may not be present

Media Access
MySearch Toolbar

= = = = = = = = = = =

Run a HiJackThis scan. Select the following entries & click Fix checked :

O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\CERES.DLL
O4 - HKLM\..\Run: [vidctrl] C:\WINDOWS\SYSTEM\VIDCTRL\VIDCTRL.EXE
O4 - HKLM\..\Run: [autoupdate] rundll32 C:\WINDOWS\SYSTEM\DATADX.DLL,SHStart
O4 - HKLM\..\Run: [dlylygu] c:\windows\system\dlylygu.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\jjjanl.exe reg_run
O4 - Startup: nnnd.exe

= = = = = = = = = = =

Locate and delete the following folder(s), if present:

c:\WINDOWS\All Users\Application Data\nsv\
c:\WINDOWS\cfgmgr52\
c:\Program Files\Media Access\
c:\Program Files\Toolbar\
c:\Program Files\MySearch\
c:\Program Files\Aprps\
C:\WINDOWS\SYSTEM\nsvsvc\
C:\WINDOWS\SYSTEM\VIDCTRL\

= = = = = = = = = = =

Run Cleanup! & configure the program up as follows:

Click Options...
Move the arrow down to Custom CleanUp!
Put a check next to the following:
- Empty Recycle Bins
- Delete Cookies
- Delete Prefetch files
- [X]Scan local drives for temporary files (Please uncheck this option)
- Cleanup! All Users
Click OK
Press the CleanUp! button to start the program. Reboot/logoff when prompted.

* CleanUp! will delete all the files in your temp folders without making a backup

= = = = = = = = = = =

Reboot to Normal-Mode.

Do an online scan at Panda

Take note the names and locations of any file it detects but fails to clean.
* Turn off the real time scanner of any existing antivirus program while performing the online scan

= = = = = = = = = = =

In your next post, please include fresh copies of:

1. HiJackThis log
2. List of files that online scans failed to disinfect

Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now

compgeek · 07-16-2005, 02:12 PM

Incident Status Location

Possible Virus. No disinfected C:\WINDOWS\SYSTEM\WMASCR.DLL
Possible Virus. No disinfected C:\WINDOWS\SYSTEM\DVNET.DLL
Adware:adware/alwaysupdatednewsNo disinfected C:\WINDOWS\SYSTEM\Free Picture iPod.ico
Adware:adware/portalscan No disinfected C:\WINDOWS\SYSTEM\winupdt.bin
Adware:adware/sqwire No disinfected C:\WINDOWS\SYSTEM\tsuninst.exe
Adware:adware/powersearch No disinfected C:\WINDOWS\SYSTEM\stlb2.xml
Adware:adware/ncase No disinfected C:\WINDOWS\SYSTEM\saie_gdf.dat
Spyware:spyware/surfsidekick No disinfected C:\WINDOWS\SYSTEM\CACHE\SSK_B5 WMG Media - Rev Share 3.EXE
Adware:adware/searchtheweb No disinfected C:\WINDOWS\SYSTEM\CACHE\mswinstall.exe
Adware:adware/transponder No disinfected C:\WINDOWS\INF\CERES.INF
Spyware:spyware/betterinet No disinfected C:\WINDOWS\Buddy.exe
Adware:adware/apropos No disinfected C:\WINDOWS\cxtpls_loader.exe
Adware:adware/navhelper No disinfected C:\PROGRAM FILES\Ares
Adware:adware/sidesearch No disinfected C:\WINDOWS\APPLICATION DATA\Lycos
Adware:adware/mediatickets No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\MODULEUSAGE\C:/WINDOWS/DOWNLOADED PROGRAM FILES/MEDIATICKETSINSTALLER.OCX
Adware:adware/sidefind No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\TSL INSTALLER
Adware:adware/wintools No disinfected HKEY_CLASSES_ROOT\PROTOCOLS\NAME-SPACE HANDLER\RES
Adware:adware/mywebsearch No disinfected HKEY_CLASSES_ROOT\CLSID\{FB45C451-B0E9-4407-BB6A-9361013F3E9A}
Adware:adware/brilliantdigitalNo disinfected HKEY_CLASSES_ROOT\Interface\{48E59292-9880-11CF-9754-00AA00C00908}
Spyware:spyware/bargainbuddy No disinfected HKEY_CLASSES_ROOT\Interface\{71a27036-c7d8-11d2-bef8-525400dfb47a}
Possible Virus. No disinfected C:\WINDOWS\SYSTEM\SSI_CI32.DLL
Possible Virus. No disinfected C:\WINDOWS\SYSTEM\QJV.DLL
Possible Virus. No disinfected C:\WINDOWS\SYSTEM\IPSETUP.DLL
Possible Virus. No disinfected C:\WINDOWS\SYSTEM\NYWRSPT.DLL
Possible Virus. No disinfected C:\WINDOWS\SYSTEM\MNDMO.DLL
Possible Virus. No disinfected C:\WINDOWS\SYSTEM\IWWPHBK.DLL
Possible Virus. No disinfected C:\WINDOWS\SYSTEM\CRL3DV2.DLL
Possible Virus. No disinfected C:\WINDOWS\SYSTEM\QAV.DLL
Possible Virus. No disinfected C:\WINDOWS\SYSTEM\PXNMAP.DLL
Possible Virus. No disinfected C:\WINDOWS\SYSTEM\WSADMOD.DLL
Possible Virus. No disinfected C:\WINDOWS\SYSTEM\HNOPNP.DLL
Possible Virus. No disinfected C:\WINDOWS\SYSTEM\BIOWSEUI.DLL
Possible Virus. No disinfected C:\WINDOWS\SYSTEM\NWONN16.DLL
Possible Virus. No disinfected C:\WINDOWS\SYSTEM\OGBCINT.DLL
Possible Virus. No disinfected C:\WINDOWS\SYSTEM\OWBCBCP.DLL
Possible Virus. No disinfected C:\WINDOWS\SYSTEM\WNNMM.DLL
Adware:Adware/Transponder No disinfected C:\WINDOWS\SYSTEM\biA.exe
Adware:Adware/eZula No disinfected C:\WINDOWS\SYSTEM\Cache\ezstub.exe
Spyware:Spyware/ISTbar No disinfected C:\WINDOWS\SYSTEM\Cache\ic_d.exe
Adware:Adware/AdLogix No disinfected C:\WINDOWS\SYSTEM\Cache\videoinst.exe
Spyware:Spyware/SurfSideKick No disinfected C:\WINDOWS\SYSTEM\Cache\SSK_B5 WMG Media - Rev Share 3.EXE
Adware:Adware/ILookup No disinfected C:\WINDOWS\SYSTEM\Cache\trgen-fran-default.exe
Adware:Adware/ILookup No disinfected C:\WINDOWS\SYSTEM\Cache\trgen_fran-162813.exe
Possible Virus. No disinfected C:\WINDOWS\SYSTEM\datadx.dll
Possible Virus. No disinfected C:\WINDOWS\SYSTEM\danput8.dll
Possible Virus. No disinfected C:\WINDOWS\SYSTEM\Cul3d.dll
Possible Virus. No disinfected C:\WINDOWS\SYSTEM\WMASCR.DLL
Spyware:Spyware/ISTbar No disinfected C:\WINDOWS\SYSTEM\tsuninst.exe
Possible Virus. No disinfected C:\WINDOWS\SYSTEM\ASSTREAM.DLL
Possible Virus. No disinfected C:\WINDOWS\SYSTEM\VKAME.DLL
Possible Virus. No disinfected C:\WINDOWS\SYSTEM\Ccwflt32.dll
Possible Virus. No disinfected C:\WINDOWS\SYSTEM\mb43dmod.dll
Possible Virus. No disinfected C:\WINDOWS\SYSTEM\cartc.dll
Possible Virus. No disinfected C:\WINDOWS\SYSTEM\mwident.dll
Possible Virus. No disinfected C:\WINDOWS\SYSTEM\mb4sdmod.dll
Possible Virus. No disinfected C:\WINDOWS\SYSTEM\IS_NDI.DLL
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\SYSTEM\QBUninstaller.exe
Possible Virus. No disinfected C:\WINDOWS\SYSTEM\AOTXPRXY.DLL
Possible Virus. No disinfected C:\WINDOWS\SYSTEM\MIC40.DLL
Possible Virus. No disinfected C:\WINDOWS\SYSTEM\VEPODBC.DLL
Adware:Adware/PurityScan No disinfected C:\WINDOWS\SYSTEM\Shex.exe
Possible Virus. No disinfected C:\WINDOWS\SYSTEM\poisdecd.dll
Possible Virus. No disinfected C:\WINDOWS\SYSTEM\dvnet.dll
Possible Virus. No disinfected C:\WINDOWS\SYSTEM\MIC42.DLL
Possible Virus. No disinfected C:\WINDOWS\SYSTEM\NUWRSPT.DLL
Possible Virus. No disinfected C:\WINDOWS\SYSTEM\dascript.dll
Adware:Adware/Twain-Tech No disinfected C:\WINDOWS\SYSTEM\dlylygu.exe
Possible Virus. No disinfected C:\WINDOWS\SYSTEM\UJLMON.DLL
Possible Virus. No disinfected C:\WINDOWS\SYSTEM\IAGUTIL.DLL
Possible Virus. No disinfected C:\WINDOWS\SYSTEM\SNROBJ.DLL
Possible Virus. No disinfected C:\WINDOWS\SYSTEM\SUSCRAP.DLL
Possible Virus. No disinfected C:\WINDOWS\SYSTEM\aosc\!update-2154.0000
Possible Virus. No disinfected C:\WINDOWS\SYSTEM\NMRSES.DLL
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\INF\BIA.INF
Adware:Adware/Transponder No disinfected C:\WINDOWS\INF\CERES.INF
Possible Virus. No disinfected C:\WINDOWS\TEMP\pav72B7.TMP
Possible Virus. No disinfected C:\WINDOWS\TEMP\pav72E5.TMP
Possible Virus. No disinfected C:\WINDOWS\TEMP\pav8170.TMP
Possible Virus. No disinfected C:\WINDOWS\TEMP\pav8323.TMP
Possible Virus. No disinfected C:\WINDOWS\TEMP\pav9140.TMP
Possible Virus. No disinfected C:\WINDOWS\TEMP\pav91A5.TMP
Possible Virus. No disinfected C:\WINDOWS\TEMP\pav91C1.TMP
Possible Virus. No disinfected C:\WINDOWS\TEMP\pav9221.TMP
Possible Virus. No disinfected C:\WINDOWS\TEMP\pav9270.TMP
Possible Virus. No disinfected C:\WINDOWS\TEMP\pav9285.TMP
Possible Virus. No disinfected C:\WINDOWS\TEMP\pav92E3.TMP
Possible Virus. No disinfected C:\WINDOWS\TEMP\pav92E6.TMP
Possible Virus. No disinfected C:\WINDOWS\TEMP\pav9371.TMP
Possible Virus. No disinfected C:\WINDOWS\TEMP\pav93B5.TMP
Possible Virus. No disinfected C:\WINDOWS\TEMP\pavA003.TMP
Possible Virus. No disinfected C:\WINDOWS\TEMP\pavA041.TMP
Possible Virus. No disinfected C:\WINDOWS\TEMP\pavA043.TMP
Possible Virus. No disinfected C:\WINDOWS\TEMP\pavA282.TMP
Possible Virus. No disinfected C:\WINDOWS\TEMP\pavA283.TMP
Possible Virus. No disinfected C:\WINDOWS\TEMP\pavA292.TMP
Possible Virus. No disinfected C:\WINDOWS\TEMP\pavA2B0.TMP
Possible Virus. No disinfected C:\WINDOWS\TEMP\pavA2B1.TMP
Possible Virus. No disinfected C:\WINDOWS\TEMP\pavA2B3.TMP
Possible Virus. No disinfected C:\WINDOWS\TEMP\pavA2B4.TMP
Possible Virus. No disinfected C:\WINDOWS\TEMP\pavA2B6.TMP
Possible Virus. No disinfected C:\WINDOWS\TEMP\pavA2E6.TMP
Possible Virus. No disinfected C:\WINDOWS\TEMP\pavA354.TMP
Possible Virus. No disinfected C:\WINDOWS\TEMP\pavA355.TMP
Possible Virus. No disinfected C:\WINDOWS\TEMP\pavA381.TMP
Possible Virus. No disinfected C:\WINDOWS\TEMP\pavA382.TMP
Possible Virus. No disinfected C:\WINDOWS\TEMP\pavA392.TMP
Possible Virus. No disinfected C:\WINDOWS\TEMP\pavB014.TMP
Possible Virus. No disinfected C:\WINDOWS\TEMP\pavB020.TMP
Possible Virus. No disinfected C:\WINDOWS\TEMP\pavB022.TMP
Possible Virus. No disinfected C:\WINDOWS\TEMP\pavB026.TMP
Possible Virus. No disinfected C:\WINDOWS\TEMP\pavB031.TMP
Possible Virus. No disinfected C:\WINDOWS\TEMP\pavB032.TMP
Possible Virus. No disinfected C:\WINDOWS\TEMP\pavB034.TMP
Possible Virus. No disinfected C:\WINDOWS\TEMP\pavB041.TMP
Adware:Adware/SearchTheWeb No disinfected C:\WINDOWS\All Users\Application Data\msw\BMan1.exe
Adware:Adware/SearchTheWeb No disinfected C:\WINDOWS\All Users\Application Data\msw\MSW.exe
Virus:Trj/Qoologic.G Disinfected C:\WINDOWS\pppqu.dat
Virus:Trj/Qoologic.G Disinfected C:\WINDOWS\jjjanl.exe
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\Buddy.exe
Possible Virus. No disinfected C:\WINDOWS\dddfswg.dll
Possible Virus. No disinfected C:\WINDOWS\pi1_60.exe
Spyware:Spyware/BargainBuddy No disinfected C:\Temp\bb_click_wider.swf
Spyware:Spyware/BargainBuddy No disinfected C:\Temp\bb_auto_wider.swf
Spyware:Spyware/BargainBuddy No disinfected C:\Temp\logo.gif
Spyware:Spyware/BetterInet No disinfected C:\HJT\backups\backup-20050716-152547-807.dll
Virus:Trj/Qoologic.G Disinfected C:\HJT\backups\backup-20050715-225329-754-nnnd.exe
Virus:Trj/Qoologic.G Disinfected C:\HJT\backups\backup-20050716-152547-113-nnnd.exe
Virus:Trj/Mitglieder.DC Disinfected [1.zip][03_05_2005.exe]

Logfile of HijackThis v1.99.1
Scan saved at 5:12:59 PM, on 7/16/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\IWP\NPFMNTOR.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\DEVLDR16.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\DIGSTREAM\DIGSTREAM.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SNDSRVC.EXE
C:\WINDOWS\WUAUCLT.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\HJT\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE /Consumer
O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [NPFMonitor] C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra button: PDFtypewriter - {B5EE1724-E26C-4431-A8F3-96FC5FE55CA1} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/tech...ActiveData.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/game...ts/y/tt3_x.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - https://www-secure.symantec.com/tech...a/LSSupCtl.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

sUBs · 07-16-2005, 03:59 PM

Good work. It's looking rosy. We are almost done.

I have attached a file to this post - regdel.txt
Download it & rename it "regdel.reg" (inclusive of the quotes)
Double-click on it & answer YES when prompted to merge into the Registry

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

C:\WINDOWS\SYSTEM\WMASCR.DLL
C:\WINDOWS\SYSTEM\DVNET.DLL
C:\WINDOWS\SYSTEM\Free Picture iPod.ico
C:\WINDOWS\SYSTEM\winupdt.bin
C:\WINDOWS\SYSTEM\tsuninst.exe
C:\WINDOWS\SYSTEM\stlb2.xml
C:\WINDOWS\SYSTEM\saie_gdf.dat
C:\WINDOWS\Buddy.exe
C:\WINDOWS\cxtpls_loader.exe
C:\WINDOWS\APPLICATION DATA\Lycos
C:\WINDOWS\SYSTEM\SSI_CI32.DLL
C:\WINDOWS\SYSTEM\QJV.DLL
C:\WINDOWS\SYSTEM\IPSETUP.DLL
C:\WINDOWS\SYSTEM\NYWRSPT.DLL
C:\WINDOWS\SYSTEM\MNDMO.DLL
C:\WINDOWS\SYSTEM\IWWPHBK.DLL
C:\WINDOWS\SYSTEM\CRL3DV2.DLL
C:\WINDOWS\SYSTEM\QAV.DLL
C:\WINDOWS\SYSTEM\PXNMAP.DLL
C:\WINDOWS\SYSTEM\WSADMOD.DLL
C:\WINDOWS\SYSTEM\HNOPNP.DLL
C:\WINDOWS\SYSTEM\BIOWSEUI.DLL
C:\WINDOWS\SYSTEM\NWONN16.DLL
C:\WINDOWS\SYSTEM\OGBCINT.DLL
C:\WINDOWS\SYSTEM\OWBCBCP.DLL
C:\WINDOWS\SYSTEM\WNNMM.DLL
C:\WINDOWS\SYSTEM\biA.exe
C:\WINDOWS\SYSTEM\Cache\ezstub.exe
C:\WINDOWS\SYSTEM\Cache\ic_d.exe
C:\WINDOWS\SYSTEM\Cache\videoinst.exe
C:\WINDOWS\SYSTEM\Cache\SSK_B5 WMG Media - Rev Share 3.EXE
C:\WINDOWS\SYSTEM\Cache\trgen-fran-default.exe
C:\WINDOWS\SYSTEM\Cache\trgen_fran-162813.exe
C:\WINDOWS\SYSTEM\datadx.dll
C:\WINDOWS\SYSTEM\danput8.dll
C:\WINDOWS\SYSTEM\Cul3d.dll
C:\WINDOWS\SYSTEM\WMASCR.DLL
C:\WINDOWS\SYSTEM\tsuninst.exe
C:\WINDOWS\SYSTEM\ASSTREAM.DLL
C:\WINDOWS\SYSTEM\VKAME.DLL
C:\WINDOWS\SYSTEM\Ccwflt32.dll
C:\WINDOWS\SYSTEM\mb43dmod.dll
C:\WINDOWS\SYSTEM\cartc.dll
C:\WINDOWS\SYSTEM\mwident.dll
C:\WINDOWS\SYSTEM\mb4sdmod.dll
C:\WINDOWS\SYSTEM\IS_NDI.DLL
C:\WINDOWS\SYSTEM\QBUninstaller.exe
C:\WINDOWS\SYSTEM\AOTXPRXY.DLL
C:\WINDOWS\SYSTEM\MIC40.DLL
C:\WINDOWS\SYSTEM\VEPODBC.DLL
C:\WINDOWS\SYSTEM\Shex.exe
C:\WINDOWS\SYSTEM\poisdecd.dll
C:\WINDOWS\SYSTEM\dvnet.dll
C:\WINDOWS\SYSTEM\MIC42.DLL
C:\WINDOWS\SYSTEM\NUWRSPT.DLL
C:\WINDOWS\SYSTEM\dascript.dll
C:\WINDOWS\SYSTEM\dlylygu.exe
C:\WINDOWS\SYSTEM\UJLMON.DLL
C:\WINDOWS\SYSTEM\IAGUTIL.DLL
C:\WINDOWS\SYSTEM\SNROBJ.DLL
C:\WINDOWS\SYSTEM\SUSCRAP.DLL
C:\WINDOWS\SYSTEM\NMRSES.DLL
C:\WINDOWS\INF\BIA.INF
C:\WINDOWS\INF\CERES.INF
C:\WINDOWS\pppqu.dat
C:\WINDOWS\jjjanl.exe
C:\WINDOWS\dddfswg.dll
C:\WINDOWS\pi1_60.exe

Select/Highlight all the filename(s) from the above.
Copy to clipboard by pressing [CTRL]+[C] on your keyboard.
Start KillBox.exe

Go to the File menu, and choose Paste from Clipboard * this feature does not work on older versons of Killbox
Click the dropdown-arrow next to the "Full Path of File to Delete" field.
Verify that the filenames you pasted are found in there.
Select/tick the following:
- Delete on Reboot
- Unregister.dll Before Deleting * if it's not grayed out
Click the RED X button.
Click Yes at the 'Delete on Reboot' prompt.
Click Yes at the 'Pending Operations prompt'.

* If you received a message such as: "PendingFileRenameOperations registry data has been removed by external process", you have to manually restart Windows.

* If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, download and run missingfilesetup.exe Then try Killbox again.

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

REBOOT TO SAFE MODE

Quote:

Adware:adware/navhelper No disinfected C:\PROGRAM FILES\Ares

That is what Panda said of Ares. Let's uninstall it.

Uninstall the following programs, if present, using Control Panel > Add/Remove Programs :

Ares

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Locate and delete the following folder(s), if present:

C:\WINDOWS\All Users\Application Data\msw\
C:\WINDOWS\SYSTEM\aosc\
C:\PROGRAM FILES\Ares\

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Run Cleanup! & configure the program as follows:

Click Options...
Move the arrow down to Custom CleanUp!
Put a check next to the following:
- Empty Recycle Bins
- Delete Cookies
- Delete Prefetch files
- [X]Scan local drives for temporary files (Please uncheck this option)
- Cleanup! All Users
Click OK
Press the CleanUp! button to start the program. Reboot/logoff when prompted.

* CleanUp! will delete all the files in your temp folders without making a backup

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

REBOOT TO NORMAL MODE

Post a new HJT log & let me know how your computer is behaving now.

compgeek · 07-16-2005, 06:49 PM

thanks for your help. The computer seems fine for now, i'll be sure to let tsf know if its not.

Logfile of HijackThis v1.99.1
Scan saved at 9:49:18 PM, on 7/16/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\IWP\NPFMNTOR.EXE
C:\WINDOWS\SYSTEM\DEVLDR16.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\DIGSTREAM\DIGSTREAM.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SNDSRVC.EXE
C:\WINDOWS\WUAUCLT.EXE
C:\HJT\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE /Consumer
O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [NPFMonitor] C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra button: PDFtypewriter - {B5EE1724-E26C-4431-A8F3-96FC5FE55CA1} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/tech...ActiveData.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/game...ts/y/tt3_x.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - https://www-secure.symantec.com/tech...a/LSSupCtl.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

sUBs · 07-16-2005, 08:39 PM

Your log is clean. Well done

Do you have any more problems with your computer? If not, you should be set to go.

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:

SpywareBlaster to help prevent spyware from installing in the first place.
SpywareGuard to catch and block spyware before it can execute.
IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.

If you do not have a firewall, here are 3 free ones available for personal use:

In light of your recent hiccup, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles

Have a safe & happy computing day.

Please respond to this thread one more time so we can mark this thread as resolved.

compgeek · 07-17-2005, 12:04 AM

thanks for all your help!

07-06-2005, 06:07 PM	#1 (permalink)
compgeek Member Join Date: Jan 2005 Posts: 33 OS: Windows ME	looots of adware/spyware keep coming all due to a bad windows media player link bad windows media player link caused ads to keep appearing after each reboot. I used ad aware and spybot but yet after each reboot something triggers them all over again. please help thank you.

07-06-2005, 06:48 PM	#2 (permalink)
Herk Registered User Join Date: Feb 2005 Location: Georgia Posts: 584 OS: XP	If you have a fast internet connection (broadband), run an online virus scan at TrendMicro http://uk.trendmicro-europe.com/ente...all_launch.php. Just follow the instructions on the site to run the online scan. If any viruses/trojans are detected, try to delete or clean them in that site. You may use Panda ActiveScan also at http://www.pandasoftware.com/products/activescan. Otherwise, make sure your antivirus program has the latest definitions and run a full system scan. Please download HijackThis http://www.greyknight17.com/spy/HijackThis.exe - this program will help us determine if there are any spyware/malware on your computer. Create a folder at C:\HJT and move HijackThis.exe there. Double click on the program to run it. 1. If it gives you an intro screen, just choose 'Do a system scan and save a logfile'. 2. If you don't get the intro screen, just hit Scan and then click on Save log. 3. Post the hijackthis.log file here. Do not fix anything in HijackThis since they may be harmless. __________________ Spybot S&D\| Adaware SE\|Spyware Prevention

07-10-2005, 01:27 PM	#3 (permalink)
compgeek Member Join Date: Jan 2005 Posts: 33 OS: Windows ME	hijackthis log Logfile of HijackThis v1.99.1 Scan saved at 4:26:59 PM, on 7/10/2005 Platform: Windows ME (Win9x 4.90.3000) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\SYSTEM\KERNEL32.DLL C:\WINDOWS\SYSTEM\MSGSRV32.EXE C:\WINDOWS\SYSTEM\SPOOL32.EXE C:\WINDOWS\SYSTEM\MPREXE.EXE C:\WINDOWS\SYSTEM\MSTASK.EXE C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE C:\PROGRAM FILES\NORTON ANTIVIRUS\IWP\NPFMNTOR.EXE C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE C:\WINDOWS\SYSTEM\mmtask.tsk C:\WINDOWS\SYSTEM\DEVLDR16.EXE C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE C:\WINDOWS\EXPLORER.EXE C:\WINDOWS\RUNDLL32.EXE C:\WINDOWS\TASKMON.EXE C:\WINDOWS\SYSTEM\SYSTRAY.EXE C:\WINDOWS\SYSTEM\WMIEXE.EXE C:\WINDOWS\SYSTEM\DDHELP.EXE C:\PROGRAM FILES\DIGSTREAM\DIGSTREAM.EXE C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE C:\WINDOWS\RRRKAU.EXE C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SNDSRVC.EXE C:\WINDOWS\WUAUCLT.EXE C:\WINDOWS\SYSTEM\PSTORES.EXE C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id= R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id= R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id= R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id= R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id= R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id= R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q= R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file) O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\CERES.DLL O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\SYSTB.DLL O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\SYSTEM\MSBE.DLL O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\SYSTEM\NVMS.DLL O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\SYSTEM\MSCB.DLL O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file) O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe O4 - HKLM\..\Run: [SystemTray] SysTray.Exe O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE /Consumer O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\rrrkau.exe reg_run O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe O4 - HKLM\..\Run: [CashBack] C:\Program Files\CashBack\bin\cashback.exe O4 - HKLM\..\Run: [dlylygu] c:\windows\system\dlylygu.exe O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe" O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe" O4 - HKLM\..\RunServices: [NPFMonitor] C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE O4 - HKCU\..\Run: [UPDTUP] C:\WINDOWS\SYSTEM\UPDTUP.exe O4 - HKCU\..\Run: [Rrsu] C:\Program Files\tarc\cire.exe O4 - HKCU\..\Run: [Cytoa] \kkmvhhzr.exe O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe" O4 - HKCU\..\RunServices: [UPDTUP] C:\WINDOWS\SYSTEM\UPDTUP.exe O4 - HKCU\..\RunServices: [Rrsu] C:\Program Files\tarc\cire.exe O4 - HKCU\..\RunServices: [Cytoa] \kkmvhhzr.exe O4 - HKCU\..\RunServices: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe" O4 - HKCU\..\RunOnce: [UPDTUP] C:\WINDOWS\SYSTEM\UPDTUP.exe O4 - Startup: nnnd.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000 O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmwordtrans.html O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL O9 - Extra button: PDFtypewriter - {B5EE1724-E26C-4431-A8F3-96FC5FE55CA1} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/tech...ActiveData.cab O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/game...ts/y/tt3_x.cab O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.dotphoto.com/XUpload.ocx O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - https://www-secure.symantec.com/tech...a/LSSupCtl.cab O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://sifyimg.speedera.net/sify.com/eot/tdserver.cab O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\PROGRAM FILES\CAS\CLIENT\CASMF.DLL

07-10-2005, 02:19 PM	#4 (permalink)
sUBs Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy Join Date: May 2005 Posts: 23,247 OS: N/A	Hi and Welcome to TSF! Please subscribe to this thread to be notified of fixes as soon as they are posted by our Team. To do this, please click the "Thread Tools" button located in the original thread line and selecting "Subscribe to this Thread". It's better to print out the next instructions or save them in notepad, because you also have to work in safe mode without networking support, so this page wouldn't be available then. It is also important you don't miss a step and perform everything in the right order!!. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are carrying out the procedures below. Please do not run Hijackthis from it's current location. Create a permanent folder and move hijackthis.exe into it. From Windows Explorer, Click on drive C: Click on File>New>Folder Call it HJT, or any other name of your choice. Move all files to the newly created folder ~~~~~~~~~~~~~~ Please download these additional files/programs :- (Do not run them unless instructed to do so) Unplug your computer from the Internet when you have finished downloading CleanUp! - Install KillBox v2.0.0.175 - Save to Desktop. Download & RUN FxIeplgn.exe Download & RUN FxWebsch.exe ~~~~~~~~~~~~~~ Uninstall the following programs, if present, using Control Panel > Add/Remove Programs : CashBack NaviSearch BullsEye Network E2Give Browser Add On Bargain Buddy HuntBar ~~~~~~~~~~~~~~ Copy to clipboard, all the items below by highlighting them & pressing [CTRL]+[C] on your keyboard. C:\WINDOWS\RRRKAU.EXE C:\WINDOWS\CERES.DLL C:\WINDOWS\SYSTB.DLL C:\Program Files\E2G\IeBHOs.dll C:\WINDOWS\SYSTEM\MSBE.DLL C:\WINDOWS\SYSTEM\NVMS.DLL C:\WINDOWS\SYSTEM\MSCB.DLL C:\WINDOWS\wupdt.exe C:\Program Files\BullsEye Network\bin\bargains.exe C:\Program Files\NaviSearch\bin\nls.exe C:\Program Files\CashBack\bin\cashback.exe c:\windows\system\dlylygu.exe C:\WINDOWS\SYSTEM\UPDTUP.exe C:\Program Files\tarc\cire.exe c:\windows\system\kkmvhhzr.exe c:\windows\kkmvhhzr.exe C:\Program Files\Cas\Client\casclient.exe c:\Windows\Start Menu\Programs\Startup\nnnd.exe C:\PROGRAM FILES\CAS\CLIENT\CASMF.DLL Start KillBox Go to the File menu, and choose [Paste from Clipboard]. Verify that you've done this properly by clicking the dropdown-arrow next to the [Full Path of File to Delete] field. The filenames you pasted will be found in there. Select/tick the following: "Delete on Reboot" "End Explorer Shell While Killing File" "Unregister.dll Before Deleting" if it's not grayed out. Click the RED X button. Click [Yes] at the 'Delete on Reboot' prompt. Click [Yes] at the Pending Operations prompt. * If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try Killbox again. ~~~~~~~~~~~~~~ Reboot to SafeMode Shut Windows down, and then turn off the computer. Restart the computer. The computer begins processing a set of instructions known as the Basic Input/Output System (BIOS). What is displayed depends on the BIOS manufacturer. Some computers display a progress bar that refers to the word BIOS, while others may not display any indication that this process is happening. As soon as the BIOS has finished loading, begin tapping the F8 key on your keyboard. Continue to do so until the Windows Advanced Options menu appears. Using the arrow keys on the keyboard, scroll to and select the Safe mode menu item, and then press Enter. ~~~~~~~~~~~~~~ Enable the viewing of Hidden files Double-click on the My Computer icon. Select the View menu and then click Folder Options. After the new window appears select the View tab. Scroll down until you see the Show all files radio button and select it. Press the Apply button and then the OK button and close the My Computer window. Now your computer is configured to show all hidden files. Locate and delete the following folder(s), if present: C:\Program Files\E2G\ C:\Program Files\BullsEye Network\ C:\Program Files\NaviSearch\ C:\Program Files\CashBack\ C:\Program Files\tarc\ C:\Program Files\Cas\ Search for & delete ... using "Start>Search..." the following file(s), if present: nnnd.exe kkmvhhzr.exe ~~~~~~~~~~~~~~ Run Cleanup! & configure the program as follows: Click Options... Move the arrow down to Custom CleanUp! Put a check next to the following: Empty Recycle Bins Delete Cookies Delete Prefetch files [X]Scan local drives for temporary files (Please uncheck this option) Cleanup! All Users Click OK Press the CleanUp! button to start the program. Reboot/logoff when prompted. * CleanUp! will delete all the files in your temp folders without making a backup ~~~~~~~~~~~~~~ Reboot to Normal Mode Run a scan with HiJackThis & select(tick) the following & click [Fix checked] : R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id= R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id= R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id= R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id= R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id= R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id= R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q= R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file) O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\CERES.DLL O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\SYSTB.DLL O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\SYSTEM\MSBE.DLL O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\SYSTEM\NVMS.DLL O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\SYSTEM\MSCB.DLL O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file) O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\rrrkau.exe reg_run O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe O4 - HKLM\..\Run: [CashBack] C:\Program Files\CashBack\bin\cashback.exe O4 - HKLM\..\Run: [dlylygu] c:\windows\system\dlylygu.exe O4 - HKCU\..\Run: [UPDTUP] C:\WINDOWS\SYSTEM\UPDTUP.exe O4 - HKCU\..\Run: [Rrsu] C:\Program Files\tarc\cire.exe O4 - HKCU\..\Run: [Cytoa] \kkmvhhzr.exe O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe" O4 - HKCU\..\RunServices: [UPDTUP] C:\WINDOWS\SYSTEM\UPDTUP.exe O4 - HKCU\..\RunServices: [Rrsu] C:\Program Files\tarc\cire.exe O4 - HKCU\..\RunServices: [Cytoa] \kkmvhhzr.exe O4 - HKCU\..\RunServices: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe" O4 - HKCU\..\RunOnce: [UPDTUP] C:\WINDOWS\SYSTEM\UPDTUP.exe O4 - Startup: nnnd.exe O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.dotphoto.com/XUpload.ocx O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://sifyimg.speedera.net/sify.com/eot/tdserver.cab O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\PROGRAM FILES\CAS\CLIENT\CASMF.DLL ~~~~~~~~~~~~~~ Do an online scan at Panda Take note the names and locations of any file it detects but fails to clean. * Turn off the real time scanner of any existing antivirus program while performing the online scan Then download Trend Micro™ Anti-Spyware for the Web Utility (by clicking the "Scan and Clean your PC" button). Save it to your desktop. Double-click the new icon on your desktop (tmas-web-scan.exe) It will say "Loading TrendMicro definitions". Once the definitions are loaded, the program will appear to close then re-open. Click "Start Scan" After it's done scanning, click "Scan Results" Make sure all items found have a check next to them, then click "Clean Threats Now". Click Exit. Reboot your computer. In place of the TrendMicro icon will be a text file called "Antispyware.log", please double-click that log and copy the entire contents and paste them here. ~~~~~~~~~~~~~~ Reboot Again & Run a new scan with HiJackThis. Save the log file and post the contents in your next reply. In your next post, please include fresh copies of: HiJackThis log List of files that Panda failed to disinfect Antispyware.log Please provide details of any problems you encountered whilst performing the above steps. __________________

07-16-2005, 07:53 AM	#5 (permalink)
compgeek Member Join Date: Jan 2005 Posts: 33 OS: Windows ME	hijackthis, antispyware the online scan might have deleted some things but it crashed on me so im not sure. here is the hijackthis log and the antispyware log: Logfile of HijackThis v1.99.1 Scan saved at 10:51:10 AM, on 7/16/2005 Platform: Windows ME (Win9x 4.90.3000) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\SYSTEM\KERNEL32.DLL C:\WINDOWS\SYSTEM\MSGSRV32.EXE C:\WINDOWS\SYSTEM\SPOOL32.EXE C:\WINDOWS\SYSTEM\MPREXE.EXE C:\WINDOWS\SYSTEM\MSTASK.EXE C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE C:\PROGRAM FILES\NORTON ANTIVIRUS\IWP\NPFMNTOR.EXE C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE C:\WINDOWS\SYSTEM\mmtask.tsk C:\WINDOWS\SYSTEM\DEVLDR16.EXE C:\WINDOWS\EXPLORER.EXE C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE C:\WINDOWS\TASKMON.EXE C:\WINDOWS\SYSTEM\SYSTRAY.EXE C:\PROGRAM FILES\DIGSTREAM\DIGSTREAM.EXE C:\WINDOWS\SYSTEM\WMIEXE.EXE C:\WINDOWS\SYSTEM\DDHELP.EXE C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE C:\WINDOWS\SYSTEM\VIDCTRL\VIDCTRL.EXE C:\WINDOWS\START MENU\PROGRAMS\STARTUP\NNND.EXE C:\WINDOWS\SYSTEM\PSTORES.EXE C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SNDSRVC.EXE C:\PROGRAM FILES\SYMANTEC\LIVEUPDATE\LUCOMSERVER_2_5.EXE C:\WINDOWS\RUNDLL32.EXE C:\WINDOWS\WUAUCLT.EXE C:\HJT\HIJACKTHIS.EXE R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\CERES.DLL O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe O4 - HKLM\..\Run: [SystemTray] SysTray.Exe O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE /Consumer O4 - HKLM\..\Run: [vidctrl] C:\WINDOWS\SYSTEM\VIDCTRL\VIDCTRL.EXE O4 - HKLM\..\Run: [autoupdate] rundll32 C:\WINDOWS\SYSTEM\DATADX.DLL,SHStart O4 - HKLM\..\Run: [dlylygu] c:\windows\system\dlylygu.exe O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe O4 - HKLM\..\Run: [winsync] C:\WINDOWS\jjjanl.exe reg_run O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe" O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe" O4 - HKLM\..\RunServices: [NPFMonitor] C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE O4 - Startup: nnnd.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000 O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmwordtrans.html O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL O9 - Extra button: PDFtypewriter - {B5EE1724-E26C-4431-A8F3-96FC5FE55CA1} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/tech...ActiveData.cab O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/game...ts/y/tt3_x.cab O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - https://www-secure.symantec.com/tech...a/LSSupCtl.cab O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab Started Scanning Files and Directories Found 'A0007714.CPY' in 'c:\_RESTORE\TEMP' Found 'A0008645.CPY' in 'c:\_RESTORE\TEMP' Found 'A0008759.CPY' in 'c:\_RESTORE\TEMP' Found 'A0008760.CPY' in 'c:\_RESTORE\TEMP' Found 'A0008797.CPY' in 'c:\_RESTORE\TEMP' Found 'A0008801.CPY' in 'c:\_RESTORE\TEMP' Found 'A0008808.CPY' in 'c:\_RESTORE\TEMP' Found 'A0008812.CPY' in 'c:\_RESTORE\TEMP' Found 'A0008849.CPY' in 'c:\_RESTORE\TEMP' Found 'A0008853.CPY' in 'c:\_RESTORE\TEMP' Found 'A0008882.CPY' in 'c:\_RESTORE\TEMP' Found 'A0008886.CPY' in 'c:\_RESTORE\TEMP' Found 'A0008893.CPY' in 'c:\_RESTORE\TEMP' Found 'A0008897.CPY' in 'c:\_RESTORE\TEMP' Found 'A0008942.CPY' in 'c:\_RESTORE\TEMP' Found 'A0009085.CPY' in 'c:\_RESTORE\TEMP' Found 'A0009089.CPY' in 'c:\_RESTORE\TEMP' Found 'A0009097.CPY' in 'c:\_RESTORE\TEMP' Found 'A0009101.CPY' in 'c:\_RESTORE\TEMP' Found 'A0009108.CPY' in 'c:\_RESTORE\TEMP' Found 'A0009112.CPY' in 'c:\_RESTORE\TEMP' Found 'A0009120.CPY' in 'c:\_RESTORE\TEMP' Found 'A0009124.CPY' in 'c:\_RESTORE\TEMP' Found 'A0009133.CPY' in 'c:\_RESTORE\TEMP' Found 'A0009137.CPY' in 'c:\_RESTORE\TEMP' Found 'A0009202.CPY' in 'c:\_RESTORE\TEMP' Found 'A0009206.CPY' in 'c:\_RESTORE\TEMP' Found 'A0009214.CPY' in 'c:\_RESTORE\TEMP' Found 'A0009218.CPY' in 'c:\_RESTORE\TEMP' Found 'A0009227.CPY' in 'c:\_RESTORE\TEMP' Found 'A0009231.CPY' in 'c:\_RESTORE\TEMP' Found 'A0009297.CPY' in 'c:\_RESTORE\TEMP' Found 'A0009301.CPY' in 'c:\_RESTORE\TEMP' Found 'A0009308.CPY' in 'c:\_RESTORE\TEMP' Found 'A0009312.CPY' in 'c:\_RESTORE\TEMP' Found 'A0009352.CPY' in 'c:\_RESTORE\TEMP' Found 'A0009356.CPY' in 'c:\_RESTORE\TEMP' Found 'A0009408.CPY' in 'c:\_RESTORE\TEMP' Found 'A0009412.CPY' in 'c:\_RESTORE\TEMP' Found 'A0005643.CPY' in 'c:\_RESTORE\TEMP' Found 'A0009638.CPY' in 'c:\_RESTORE\TEMP' Found 'A0009645.CPY' in 'c:\_RESTORE\TEMP' Found 'A0009723.CPY' in 'c:\_RESTORE\TEMP' Found 'A0010724.CPY' in 'c:\_RESTORE\TEMP' Found 'A0010842.CPY' in 'c:\_RESTORE\TEMP' Found '' in 'c:\WINDOWS\SYSTEM\FLEOK' Found 'desktrf-fran-162813.exe' in 'c:\WINDOWS\SYSTEM\Cache' Found 'bthdde.xml' in 'c:\WINDOWS\SYSTEM' Found 'wcpsu.exe' in 'c:\WINDOWS\SYSTEM' Found 'nsvsvc.exe' in 'c:\WINDOWS\SYSTEM\nsvsvc' Found 'nsvs.dll' in 'c:\WINDOWS\SYSTEM\nsvsvc' Found 'License.txt' in 'c:\WINDOWS\SYSTEM\nsvsvc' Found 'BIINI.INF' in 'c:\WINDOWS\INF' Found 'BELT.INF' in 'c:\WINDOWS\INF' Found 'CERES.INF' in 'c:\WINDOWS\INF' Found 'pav22.TMP' in 'c:\WINDOWS\TEMP' Found 'pav24.TMP' in 'c:\WINDOWS\TEMP' Found 'pav164.TMP' in 'c:\WINDOWS\TEMP' Found 'pav40D5.TMP' in 'c:\WINDOWS\TEMP' Found 'pav40E0.TMP' in 'c:\WINDOWS\TEMP' Found 'pav4374.TMP' in 'c:\WINDOWS\TEMP' Found 'wmv0104.dbd' in 'c:\WINDOWS\All Users\Application Data\nsv' Found 'wmv0204.ddx' in 'c:\WINDOWS\All Users\Application Data\nsv' Found 'wmv0504.ddx' in 'c:\WINDOWS\All Users\Application Data\nsv' Found 'wmv0904.ddx' in 'c:\WINDOWS\All Users\Application Data\nsv' Found 'wmv0412.ddx' in 'c:\WINDOWS\All Users\Application Data\nsv' Found 'wmv0106.ddx' in 'c:\WINDOWS\All Users\Application Data\nsv' Found 'wmv1215.dbd' in 'c:\WINDOWS\All Users\Application Data\nsv' Found 'wmv0315.ddx' in 'c:\WINDOWS\All Users\Application Data\nsv' Found 'wmv1204.ddx' in 'c:\WINDOWS\All Users\Application Data\nsv' Found 'wmv2007.dbd' in 'c:\WINDOWS\All Users\Application Data\nsv' Found 'wmv1125.ddx' in 'c:\WINDOWS\All Users\Application Data\nsv' Found 'wmv1920.dbd' in 'c:\WINDOWS\All Users\Application Data\nsv' Found 'wmv1909.ddx' in 'c:\WINDOWS\All Users\Application Data\nsv' Found 'CERES.DLL' in 'c:\WINDOWS' Found 'EECH1.bsx' in 'c:\WINDOWS\cfgmgr52' Found 'Buddy.exe' in 'c:\WINDOWS' Found 'tdtb.exe' in 'c:\WINDOWS' Found '' in 'c:\Program Files\Media Access' Found '' in 'c:\Program Files\Toolbar' Found '' in 'c:\Program Files\MySearch' Found '' in 'c:\Program Files\MySearch\bar' Found 'data.bin' in 'c:\Program Files\Aprps' Found 'backup-20050715-225328-231.dll' in 'c:\HJT\backups' Programs in Memory Found 'nsvsvc.exe' in 'C:\WINDOWS\SYSTEM\nsvsvc' Internet URL Shortcuts Found 'WeirdOnTheWeb.url' in 'C:\WINDOWS\Favorites\' Internet Cookies Found 'go.com' in 'Internet Explorer Cache' Windows Registry Found '' in 'SOFTWARE\E2G' Found '' in 'Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\GAIN Publishing' Found '' in 'Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\PrecisionTime' Found '' in 'software\classes\CLSID\{A8BD9566-9895-4FA3-918D-A51D4CD15865}' Found '' in 'software\classes\CLSID\{A8BD9566-9895-4FA3-918D-A51D4CD15865}\InprocServer32' Found '' in 'software\classes\CLSID\{D0070620-1E72-42E7-A14C-3A255AD31839}' Found '' in 'software\classes\CLSID\{D0070620-1E72-42E7-A14C-3A255AD31839}\Control' Found '' in 'software\classes\CLSID\{D0070620-1E72-42E7-A14C-3A255AD31839}\InprocServer32' Found '' in 'software\classes\CLSID\{D0070620-1E72-42E7-A14C-3A255AD31839}\MiscStatus' Found '' in 'software\classes\CLSID\{D0070620-1E72-42E7-A14C-3A255AD31839}\MiscStatus\1' Found '' in 'software\classes\CLSID\{D0070620-1E72-42E7-A14C-3A255AD31839}\ProgID' Found '' in 'software\classes\CLSID\{D0070620-1E72-42E7-A14C-3A255AD31839}\ToolboxBitmap32' Found '' in 'software\classes\CLSID\{D0070620-1E72-42E7-A14C-3A255AD31839}\TypeLib' Found '' in 'software\classes\CLSID\{D0070620-1E72-42E7-A14C-3A255AD31839}\Version' Found '' in 'software\classes\Interface\{2BB15D36-43BE-4743-A3A0-3308F4B1A610}' Found '' in 'software\classes\Interface\{2BB15D36-43BE-4743-A3A0-3308F4B1A610}\ProxyStubClsid' Found '' in 'software\classes\Interface\{2BB15D36-43BE-4743-A3A0-3308F4B1A610}\ProxyStubClsid32' Found '' in 'software\classes\Interface\{2BB15D36-43BE-4743-A3A0-3308F4B1A610}\TypeLib' Found '' in 'software\classes\Interface\{41700749-A109-4254-AF13-BE54011E8783}' Found '' in 'software\classes\Interface\{41700749-A109-4254-AF13-BE54011E8783}\ProxyStubClsid' Found '' in 'software\classes\Interface\{41700749-A109-4254-AF13-BE54011E8783}\ProxyStubClsid32' Found '' in 'software\classes\Interface\{41700749-A109-4254-AF13-BE54011E8783}\TypeLib' Found '' in 'software\classes\TypeLib\{2A7DB8D1-43BE-4AD3-A81E-9BB8C9D00073}\1.0' Found '' in 'software\classes\TypeLib\{2A7DB8D1-43BE-4AD3-A81E-9BB8C9D00073}\1.0\0\win32' Found '' in 'software\classes\TypeLib\{2A7DB8D1-43BE-4AD3-A81E-9BB8C9D00073}\1.0\FLAGS' Found '' in 'software\classes\TypeLib\{2A7DB8D1-43BE-4AD3-A81E-9BB8C9D00073}\1.0\HELPDIR' Found '' in 'software\classes\VCCPGDATAACCESS.PgDataAccessCtrl.1' Found '' in 'software\classes\VCCPGDATAACCESS.PgDataAccessCtrl.1\CLSID' Found '' in 'SOFTWARE\Classes\CLSID\{A8BD9566-9895-4FA3-918D-A51D4CD15865}' Found '' in 'SOFTWARE\Classes\CLSID\{A8BD9566-9895-4FA3-918D-A51D4CD15865}\InprocServer32' Found '' in 'SOFTWARE\Classes\CLSID\{D0070620-1E72-42E7-A14C-3A255AD31839}' Found '' in 'SOFTWARE\Classes\CLSID\{D0070620-1E72-42E7-A14C-3A255AD31839}\Control' Found '' in 'SOFTWARE\Classes\CLSID\{D0070620-1E72-42E7-A14C-3A255AD31839}\InprocServer32' Found '' in 'SOFTWARE\Classes\CLSID\{D0070620-1E72-42E7-A14C-3A255AD31839}\MiscStatus' Found '' in 'SOFTWARE\Classes\CLSID\{D0070620-1E72-42E7-A14C-3A255AD31839}\MiscStatus\1' Found '' in 'SOFTWARE\Classes\CLSID\{D0070620-1E72-42E7-A14C-3A255AD31839}\ProgID' Found '' in 'SOFTWARE\Classes\CLSID\{D0070620-1E72-42E7-A14C-3A255AD31839}\ToolboxBitmap32' Found '' in 'SOFTWARE\Classes\CLSID\{D0070620-1E72-42E7-A14C-3A255AD31839}\TypeLib' Found '' in 'SOFTWARE\Classes\CLSID\{D0070620-1E72-42E7-A14C-3A255AD31839}\Version' Found '' in 'SOFTWARE\Classes\Interface\{2BB15D36-43BE-4743-A3A0-3308F4B1A610}' Found '' in 'SOFTWARE\Classes\Interface\{2BB15D36-43BE-4743-A3A0-3308F4B1A610}\ProxyStubClsid' Found '' in 'SOFTWARE\Classes\Interface\{2BB15D36-43BE-4743-A3A0-3308F4B1A610}\ProxyStubClsid32' Found '' in 'SOFTWARE\Classes\Interface\{2BB15D36-43BE-4743-A3A0-3308F4B1A610}\TypeLib' Found '' in 'SOFTWARE\Classes\Interface\{41700749-A109-4254-AF13-BE54011E8783}' Found '' in 'SOFTWARE\Classes\Interface\{41700749-A109-4254-AF13-BE54011E8783}\ProxyStubClsid' Found '' in 'SOFTWARE\Classes\Interface\{41700749-A109-4254-AF13-BE54011E8783}\ProxyStubClsid32' Found '' in 'SOFTWARE\Classes\Interface\{41700749-A109-4254-AF13-BE54011E8783}\TypeLib' Found '' in 'SOFTWARE\Classes\TypeLib\{2A7DB8D1-43BE-4AD3-A81E-9BB8C9D00073}\1.0' Found '' in 'SOFTWARE\Classes\TypeLib\{2A7DB8D1-43BE-4AD3-A81E-9BB8C9D00073}\1.0\0\win32' Found '' in 'SOFTWARE\Classes\TypeLib\{2A7DB8D1-43BE-4AD3-A81E-9BB8C9D00073}\1.0\FLAGS' Found '' in 'SOFTWARE\Classes\TypeLib\{2A7DB8D1-43BE-4AD3-A81E-9BB8C9D00073}\1.0\HELPDIR' Found '' in 'SOFTWARE\Classes\VCCPGDATAACCESS.PgDataAccessCtrl.1' Found '' in 'SOFTWARE\Classes\VCCPGDATAACCESS.PgDataAccessCtrl.1\CLSID' Found '' in 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range1' Found '' in 'SOFTWARE\Classes\CLSID\{B5AB638F-D76C-415B-A8F2-F3CEAC502212}' Found '' in 'SOFTWARE\Classes\CLSID\{B5AB638F-D76C-415B-A8F2-F3CEAC502212}\LocalServer32' Found '' in 'SOFTWARE\Classes\CLSID\{B5AB638F-D76C-415B-A8F2-F3CEAC502212}\ProgID' Found '' in 'SOFTWARE\Classes\CLSID\{B5AB638F-D76C-415B-A8F2-F3CEAC502212}\VersionIndependentProgID' Found '' in 'SOFTWARE\Classes\CLSID\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA}' Found '' in 'SOFTWARE\Classes\CLSID\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA}\InProcServer32' Found '' in 'SOFTWARE\Classes\Interface\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA}' Found '' in 'SOFTWARE\Classes\Interface\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA}\NumMethods' Found '' in 'SOFTWARE\Classes\Interface\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA}\ProxyStubClsid32' Found '' in 'SOFTWARE\Wise Solutions\Wise Installation System\Repair\C:/Program Files/VBouncer/INSTALL.LOG' Found '' in 'SOFTWARE\ClickSpring' Found '' in 'SOFTWARE\Classes\TypeLib\{92DAF5C1-2135-4E0C-B7A0-259ABFCD3904}\1.1\HELPDIR' Found '' in 'SOFTWARE\Classes\TypeLib\{92DAF5C1-2135-4E0C-B7A0-259ABFCD3904}\1.1\FLAGS' Found '' in 'SOFTWARE\Classes\TypeLib\{92DAF5C1-2135-4E0C-B7A0-259ABFCD3904}\1.1\0\win32' Found '' in 'SOFTWARE\Classes\TypeLib\{92DAF5C1-2135-4E0C-B7A0-259ABFCD3904}\1.1' Found '' in 'SOFTWARE\Classes\Interface\{BB0D5ADC-028D-4185-9288-722DDCE2C757}\TypeLib' Found '' in 'SOFTWARE\Classes\Interface\{BB0D5ADC-028D-4185-9288-722DDCE2C757}\ProxyStubClsid32' Found '' in 'SOFTWARE\Classes\Interface\{BB0D5ADC-028D-4185-9288-722DDCE2C757}\ProxyStubClsid' Found '' in 'SOFTWARE\Classes\Interface\{BB0D5ADC-028D-4185-9288-722DDCE2C757}' Found '' in 'SOFTWARE\Classes\CeresDll.CeresDllObj\CurVer' Found '' in 'SOFTWARE\Classes\CeresDll.CeresDllObj\CLSID' Found '' in 'SOFTWARE\Classes\CeresDll.CeresDllObj.1\CLSID' Found '' in 'SOFTWARE\Classes\CeresDll.CeresDllObj.1' Found '' in 'SOFTWARE\Classes\CeresDll.CeresDllObj' Found '' in 'Software\Ceres' Found '' in 'Software\Dynamic Toolbar' Found '' in 'SOFTWARE\Classes\Interface\{370F6327-41C4-4FA6-A2DF-1BA57EE0FBB9}\TypeLib' Found '' in 'SOFTWARE\Classes\Interface\{370F6327-41C4-4FA6-A2DF-1BA57EE0FBB9}\ProxyStubClsid32' Found '' in 'SOFTWARE\Classes\Interface\{370F6327-41C4-4FA6-A2DF-1BA57EE0FBB9}\ProxyStubClsid' Found '' in 'SOFTWARE\Classes\Interface\{370F6327-41C4-4FA6-A2DF-1BA57EE0FBB9}' Found '' in 'SOFTWARE\Classes\Interface\{EFA52460-8822-4191-BA38-FACDD2007910}\TypeLib' Found '' in 'SOFTWARE\Classes\Interface\{EFA52460-8822-4191-BA38-FACDD2007910}\ProxyStubClsid32' Found '' in 'SOFTWARE\Classes\Interface\{EFA52460-8822-4191-BA38-FACDD2007910}\ProxyStubClsid' Found '' in 'SOFTWARE\Classes\Interface\{EFA52460-8822-4191-BA38-FACDD2007910}' Found 'ThreadingModel' in 'SOFTWARE\Classes\CLSID\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA}\InProcServer32' Found '' in 'SOFTWARE\Vendor\xml' Found '' in 'SOFTWARE\Classes\TypeLib\{2A7DB8D1-43BE-4AD3-A81E-9BB8C9D00073}' Found '' in 'SOFTWARE\Classes\TypeLib\{2A7DB8D1-43BE-4AD3-A81E-9BB8C9D00073}\1.0\0' Found '' in 'SOFTWARE\Classes\TypeLib\{92DAF5C1-2135-4E0C-B7A0-259ABFCD3904}\1.1\0' Found '' in 'SOFTWARE\Classes\TypeLib\{92DAF5C1-2135-4E0C-B7A0-259ABFCD3904}' Found 'Version' in 'SOFTWARE\Classes\Interface\{BB0D5ADC-028D-4185-9288-722DDCE2C757}\TypeLib' Found '' in 'Software\PTech' Found 'PluginLevel' in 'SYSTEM\CurrentControlSet\Control\Session Manager' Found '' in 'SOFTWARE\Classes\CLSID\{FB45C451-B0E9-4407-BB6A-9361013F3E9A}\Version' Found '' in 'SOFTWARE\Classes\CLSID\{FB45C451-B0E9-4407-BB6A-9361013F3E9A}\TypeLib' Found '' in 'SOFTWARE\Classes\CLSID\{FB45C451-B0E9-4407-BB6A-9361013F3E9A}\ProgID' Found '' in 'SOFTWARE\Mvu' Found '' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DisplayUtility' Found '' in 'Software\Mvu' Found 'Nsv' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run' Found '' in 'SOFTWARE\Classes\CLSID\{D0070620-1E72-42E7-A14C-3A255AD31839}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}' Found '' in 'SOFTWARE\Classes\CLSID\{D0070620-1E72-42E7-A14C-3A255AD31839}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}' Found '' in 'SOFTWARE\Classes\CLSID\{D0070620-1E72-42E7-A14C-3A255AD31839}\Implemented Categories' Found '' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WAFAIE' Found '' in 'TypeLib\{92DAF5C1-2135-4E0C-B7A0-259ABFCD3904}' Found '' in 'Interface\{BB0D5ADC-028D-4185-9288-722DDCE2C757}' Found '' in 'TypeLib\{2A7DB8D1-43BE-4AD3-A81E-9BB8C9D00073}' Found '' in 'Interface\{2BB15D36-43BE-4743-A3A0-3308F4B1A610}' Found '' in 'Interface\{41700749-A109-4254-AF13-BE54011E8783}' Found '' in 'CLSID\{A8BD9566-9895-4FA3-918D-A51D4CD15865}' Found '' in 'CLSID\{D0070620-1E72-42E7-A14C-3A255AD31839}' Found '' in 'VCCPGDATAACCESS.PgDataAccessCtrl.1' Found '' in 'CeresDll.CeresDllObj' Found '' in 'CeresDll.CeresDllObj.1' Found '' in 'CLSID\{B5AB638F-D76C-415B-A8F2-F3CEAC502212}' Found '' in 'CLSID\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA}' Found '' in 'Interface\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA}' Finished Scanning Started Backup Unable to backup the item 'c:\WINDOWS\All Users\Application Data\nsv\wmv0104.dbd'. [SCANMODS] FCIAddFile failed. FCI Error=1, 'File not found'. Unable to backup the item 'c:\WINDOWS\All Users\Application Data\nsv\wmv0204.ddx'. [SCANMODS] FCIAddFile failed. FCI Error=1, 'File not found'. Unable to backup the item 'c:\WINDOWS\All Users\Application Data\nsv\wmv0504.ddx'. [SCANMODS] FCIAddFile failed. FCI Error=1, 'File not found'. Unable to backup the item 'c:\WINDOWS\All Users\Application Data\nsv\wmv0904.ddx'. [SCANMODS] FCIAddFile failed. FCI Error=1, 'File not found'. Unable to backup the item 'c:\WINDOWS\All Users\Application Data\nsv\wmv0412.ddx'. [SCANMODS] FCIAddFile failed. FCI Error=1, 'File not found'. Unable to backup the item 'c:\WINDOWS\All Users\Application Data\nsv\wmv0106.ddx'. [SCANMODS] FCIAddFile failed. FCI Error=1, 'File not found'. Unable to backup the item 'c:\WINDOWS\All Users\Application Data\nsv\wmv1215.dbd'. [SCANMODS] FCIAddFile failed. FCI Error=1, 'File not found'. Unable to backup the item 'c:\WINDOWS\All Users\Application Data\nsv\wmv0315.ddx'. [SCANMODS] FCIAddFile failed. FCI Error=1, 'File not found'. Unable to backup the item 'c:\WINDOWS\All Users\Application Data\nsv\wmv1204.ddx'. [SCANMODS] FCIAddFile failed. FCI Error=1, 'File not found'. Unable to backup the item 'c:\WINDOWS\All Users\Application Data\nsv\wmv2007.dbd'. [SCANMODS] FCIAddFile failed. FCI Error=1, 'File not found'. Unable to backup the item 'c:\WINDOWS\All Users\Application Data\nsv\wmv1125.ddx'. [SCANMODS] FCIAddFile failed. FCI Error=1, 'File not found'. Unable to backup the item 'c:\WINDOWS\All Users\Application Data\nsv\wmv1920.dbd'. [SCANMODS] FCIAddFile failed. FCI Error=1, 'File not found'. Unable to backup the item 'c:\WINDOWS\All Users\Application Data\nsv\wmv1909.ddx'. [SCANMODS] FCIAddFile failed. FCI Error=1, 'File not found'. Finished Backup Started Cleaning Checking for 'c:\_RESTORE\TEMP\A0007714.CPY' in shortcut areas. Checking for 'c:\_RESTORE\TEMP\A0007714.CPY' in startup areas. Cleaning 'c:\_RESTORE\TEMP\A0007714.CPY' [SCANMODS] WARNING: Deletion of the file 'c:\_RESTORE\TEMP\A0007714.CPY' requires a reboot. Checking for 'c:\_RESTORE\TEMP\A0008645.CPY' in shortcut areas. Checking for 'c:\_RESTORE\TEMP\A0008645.CPY' in startup areas. Cleaning 'c:\_RESTORE\TEMP\A0008645.CPY' [SCANMODS] WARNING: Deletion of the file 'c:\_RESTORE\TEMP\A0008645.CPY' requires a reboot. Checking for 'c:\_RESTORE\TEMP\A0008759.CPY' in shortcut areas. Checking for 'c:\_RESTORE\TEMP\A0008759.CPY' in startup areas. Cleaning 'c:\_RESTORE\TEMP\A0008759.CPY' [SCANMODS] WARNING: Deletion of the file 'c:\_RESTORE\TEMP\A0008759.CPY' requires a reboot. Checking for 'c:\_RESTORE\TEMP\A0008760.CPY' in shortcut areas. Checking for 'c:\_RESTORE\TEMP\A0008760.CPY' in startup areas. Cleaning 'c:\_RESTORE\TEMP\A0008760.CPY' [SCANMODS] WARNING: Deletion of the file 'c:\_RESTORE\TEMP\A0008760.CPY' requires a reboot. Checking for 'c:\_RESTORE\TEMP\A0008797.CPY' in shortcut areas. Checking for 'c:\_RESTORE\TEMP\A0008797.CPY' in startup areas. Cleaning 'c:\_RESTORE\TEMP\A0008797.CPY' [SCANMODS] WARNING: Deletion of the file 'c:\_RESTORE\TEMP\A0008797.CPY' requires a reboot. Checking for 'c:\_RESTORE\TEMP\A0008801.CPY' in shortcut areas. Checking for 'c:\_RESTORE\TEMP\A0008801.CPY' in startup areas. Cleaning 'c:\_RESTORE\TEMP\A0008801.CPY' [SCANMODS] WARNING: Deletion of the file 'c:\_RESTORE\TEMP\A0008801.CPY' requires a reboot. Checking for 'c:\_RESTORE\TEMP\A0008808.CPY' in shortcut areas. Checking for 'c:\_RESTORE\TEMP\A0008808.CPY' in startup areas. Cleaning 'c:\_RESTORE\TEMP\A0008808.CPY' [SCANMODS] WARNING: Deletion of the file 'c:\_RESTORE\TEMP\A0008808.CPY' requires a reboot. Checking for 'c:\_RESTORE\TEMP\A0008812.CPY' in shortcut areas. Checking for 'c:\_RESTORE\TEMP\A0008812.CPY' in startup areas. Cleaning 'c:\_RESTORE\TEMP\A0008812.CPY' [SCANMODS] WARNING: Deletion of the file 'c:\_RESTORE\TEMP\A0008812.CPY' requires a reboot. Checking for 'c:\_RESTORE\TEMP\A0008849.CPY' in shortcut areas. Checking for 'c:\_RESTORE\TEMP\A0008849.CPY' in startup areas. Cleaning 'c:\_RESTORE\TEMP\A0008849.CPY' [SCANMODS] WARNING: Deletion of the file 'c:\_RESTORE\TEMP\A0008849.CPY' requires a reboot. Checking for 'c:\_RESTORE\TEMP\A0008853.CPY' in shortcut areas. Checking for 'c:\_RESTORE\TEMP\A0008853.CPY' in startup areas. Cleaning 'c:\_RESTORE\TEMP\A0008853.CPY' [SCANMODS] WARNING: Deletion of the file 'c:\_RESTORE\TEMP\A0008853.CPY' requires a reboot. Checking for 'c:\_RESTORE\TEMP\A0008882.CPY' in shortcut areas. Checking for 'c:\_RESTORE\TEMP\A0008882.CPY' in startup areas. Cleaning 'c:\_RESTORE\TEMP\A0008882.CPY' [SCANMODS] WARNING: Deletion of the file 'c:\_RESTORE\TEMP\A0008882.CPY' requires a reboot. Checking for 'c:\_RESTORE\TEMP\A0008886.CPY' in shortcut areas. Checking for 'c:\_RESTORE\TEMP\A0008886.CPY' in startup areas. Cleaning 'c:\_RESTORE\TEMP\A0008886.CPY' [SCANMODS] WARNING: Deletion of the file 'c:\_RESTORE\TEMP\A0008886.CPY' requires a reboot. Checking for 'c:\_RESTORE\TEMP\A0008893.CPY' in shortcut areas. Checking for 'c:\_RESTORE\TEMP\A0008893.CPY' in startup areas. Cleaning 'c:\_RESTORE\TEMP\A0008893.CPY' [SCANMODS] WARNING: Deletion of the file 'c:\_RESTORE\TEMP\A0008893.CPY' requires a reboot. Checking for 'c:\_RESTORE\TEMP\A0008897.CPY' in shortcut areas. Checking for 'c:\_RESTORE\TEMP\A0008897.CPY' in startup areas. Cleaning 'c:\_RESTORE\TEMP\A0008897.CPY' [SCANMODS] WARNING: Deletion of the file 'c:\_RESTORE\TEMP\A0008897.CPY' requires a reboot. Checking for 'c:\_RESTORE\TEMP\A0008942.CPY' in shortcut areas. Checking for 'c:\_RESTORE\TEMP\A0008942.CPY' in startup areas. Cleaning 'c:\_RESTORE\TEMP\A0008942.CPY' [SCANMODS] WARNING: Deletion of the file 'c:\_RESTORE\TEMP\A0008942.CPY' requires a reboot. Checking for 'c:\_RESTORE\TEMP\A0009085.CPY' in shortcut areas. Checking for 'c:\_RESTORE\TEMP\A0009085.CPY' in startup areas. Cleaning 'c:\_RESTORE\TEMP\A0009085.CPY' [SCANMODS] WARNING: Deletion of the file 'c:\_RESTORE\TEMP\A0009085.CPY' requires a reboot. Checking for 'c:\_RESTORE\TEMP\A0009089.CPY' in shortcut areas. Checking for 'c:\_RESTORE\TEMP\A0009089.CPY' in startup areas. Cleaning 'c:\_RESTORE\TEMP\A0009089.CPY' [SCANMODS] WARNING: Deletion of the file 'c:\_RESTORE\TEMP\A0009089.CPY' requires a reboot. Checking for 'c:\_RESTORE\TEMP\A0009097.CPY' in shortcut areas. Checking for 'c:\_RESTORE\TEMP\A0009097.CPY' in startup areas. Cleaning 'c:\_RESTORE\TEMP\A0009097.CPY' [SCANMODS] WARNING: Deletion of the file 'c:\_RESTORE\TEMP\A0009097.CPY' requires a reboot. Checking for 'c:\_RESTORE\TEMP\A0009101.CPY' in shortcut areas. Checking for 'c:\_RESTORE\TEMP\A0009101.CPY' in startup areas. Cleaning 'c:\_RESTORE\TEMP\A0009101.CPY' [SCANMODS] WARNING: Deletion of the file 'c:\_RESTORE\TEMP\A0009101.CPY' requires a reboot. Checking for 'c:\_RESTORE\TEMP\A0009108.CPY' in shortcut areas. Checking for 'c:\_RESTORE\TEMP\A0009108.CPY' in startup areas. Cleaning 'c:\_RESTORE\TEMP\A0009108.CPY' [SCANMODS] WARNING: Deletion of the file 'c:\_RESTORE\TEMP\A0009108.CPY' requires a reboot. Checking for 'c:\_RESTORE\TEMP\A0009112.CPY' in shortcut areas. Checking for 'c:\_RESTORE\TEMP\A0009112.CPY' in startup areas. Cleaning 'c:\_RESTORE\TEMP\A0009112.CPY' [SCANMODS] WARNING: Deletion of the file 'c:\_RESTORE\TEMP\A0009112.CPY' requires a reboot. Checking for 'c:\_RESTORE\TEMP\A0009120.CPY' in shortcut areas. Checking for 'c:\_RESTORE\TEMP\A0009120.CPY' in startup areas. Cleaning 'c:\_RESTORE\TEMP\A0009120.CPY' [SCANMODS] WARNING: Deletion of the file 'c:\_RESTORE\TEMP\A0009120.CPY' requires a reboot. Checking for 'c:\_RESTORE\TEMP\A0009124.CPY' in shortcut areas. Checking for 'c:\_RESTORE\TEMP\A0009124.CPY' in startup areas. Cleaning 'c:\_RESTORE\TEMP\A0009124.CPY' [SCANMODS] WARNING: Deletion of the file 'c:\_RESTORE\TEMP\A0009124.CPY' requires a reboot. Checking for 'c:\_RESTORE\TEMP\A0009133.CPY' in shortcut areas. Checking for 'c:\_RESTORE\TEMP\A0009133.CPY' in startup areas. Cleaning 'c:\_RESTORE\TEMP\A0009133.CPY' [SCANMODS] WARNING: Deletion of the file 'c:\_RESTORE\TEMP\A0009133.CPY' requires a reboot. Checking for 'c:\_RESTORE\TEMP\A0009137.CPY' in shortcut areas. Checking for 'c:\_RESTORE\TEMP\A0009137.CPY' in startup areas. Cleaning 'c:\_RESTORE\TEMP\A0009137.CPY' [SCANMODS] WARNING: Deletion of the file 'c:\_RESTORE\TEMP\A0009137.CPY' requires a reboot. Checking for 'c:\_RESTORE\TEMP\A0009202.CPY' in shortcut areas. Checking for 'c:\_RESTORE\TEMP\A0009202.CPY' in startup areas. Cleaning 'c:\_RESTORE\TEMP\A0009202.CPY' [SCANMODS] WARNING: Deletion of the file 'c:\_RESTORE\TEMP\A0009202.CPY' requires a reboot. Checking for 'c:\_RESTORE\TEMP\A0009206.CPY' in shortcut areas. Checking for 'c:\_RESTORE\TEMP\A0009206.CPY' in startup areas. Cleaning 'c:\_RESTORE\TEMP\A0009206.CPY' [SCANMODS] WARNING: Deletion of the file 'c:\_RESTORE\TEMP\A0009206.CPY' requires a reboot. Checking for 'c:\_RESTORE\TEMP\A0009214.CPY' in shortcut areas. Checking for 'c:\_RESTORE\TEMP\A0009214.CPY' in startup areas. Cleaning 'c:\_RESTORE\TEMP\A0009214.CPY' [SCANMODS] WARNING: Deletion of the file 'c:\_RESTORE\TEMP\A0009214.CPY' requires a reboot. Checking for 'c:\_RESTORE\TEMP\A0009218.CPY' in shortcut areas. Checking for 'c:\_RESTORE\TEMP\A0009218.CPY' in startup areas. Cleaning 'c:\_RESTORE\TEMP\A0009218.CPY' [SCANMODS] WARNING: Deletion of the file 'c:\_RESTORE\TEMP\A0009218.CPY' requires a reboot. Checking for 'c:\_RESTORE\TEMP\A0009227.CPY' in shortcut areas. Checking for 'c:\_RESTORE\TEMP\A0009227.CPY' in startup areas. Cleaning 'c:\_RESTORE\TEMP\A0009227.CPY' [SCANMODS] WARNING: Deletion of the file 'c:\_RESTORE\TEMP\A0009227.CPY' requires a reboot. Checking for 'c:\_RESTORE\TEMP\A0009231.CPY' in shortcut areas. Checking for 'c:\_RESTORE\TEMP\A0009231.CPY' in startup areas. Cleaning 'c:\_RESTORE\TEMP\A0009231.CPY' [SCANMODS] WARNING: Deletion of the file 'c:\_RESTORE\TEMP\A0009231.CPY' requires a reboot. Checking for 'c:\_RESTORE\TEMP\A0009297.CPY' in shortcut areas. Checking for 'c:\_RESTORE\TEMP\A0009297.CPY' in startup areas. Cleaning 'c:\_RESTORE\TEMP\A0009297.CPY' [SCANMODS] WARNING: Deletion of the file 'c:\_RESTORE\TEMP\A0009297.CPY' requires a reboot. Checking for 'c:\_RESTORE\TEMP\A0009301.CPY' in shortcut areas. Checking for 'c:\_RESTORE\TEMP\A0009301.CPY' in startup areas. Cleaning 'c:\_RESTORE\TEMP\A0009301.CPY' [SCANMODS] WARNING: Deletion of the file 'c:\_RESTORE\TEMP\A0009301.CPY' requires a reboot. Checking for 'c:\_RESTORE\TEMP\A0009308.CPY' in shortcut areas. Checking for 'c:\_RESTORE\TEMP\A0009308.CPY' in startup areas. Cleaning 'c:\_RESTORE\TEMP\A0009308.CPY' [SCANMODS] WARNING: Deletion of the file 'c:\_RESTORE\TEMP\A0009308.CPY' requires a reboot. Checking for 'c:\_RESTORE\TEMP\A0009312.CPY' in shortcut areas. Checking for 'c:\_RESTORE\TEMP\A0009312.CPY' in startup areas. Cleaning 'c:\_RESTORE\TEMP\A0009312.CPY' [SCANMODS] WARNING: Deletion of the file 'c:\_RESTORE\TEMP\A0009312.CPY' requires a reboot. Checking for 'c:\_RESTORE\TEMP\A0009352.CPY' in shortcut areas. Checking for 'c:\_RESTORE\TEMP\A0009352.CPY' in startup areas. Cleaning 'c:\_RESTORE\TEMP\A0009352.CPY' [SCANMODS] WARNING: Deletion of the file 'c:\_RESTORE\TEMP\A0009352.CPY' requires a reboot. Checking for 'c:\_RESTORE\TEMP\A0009356.CPY' in shortcut areas. Checking for 'c:\_RESTORE\TEMP\A0009356.CPY' in startup areas. Cleaning 'c:\_RESTORE\TEMP\A0009356.CPY' [SCANMODS] WARNING: Deletion of the file 'c:\_RESTORE\TEMP\A0009356.CPY' requires a reboot. Checking for 'c:\_RESTORE\TEMP\A0009408.CPY' in shortcut areas. Checking for 'c:\_RESTORE\TEMP\A0009408.CPY' in startup areas. Cleaning 'c:\_RESTORE\TEMP\A0009408.CPY' [SCANMODS] WARNING: Deletion of the file 'c:\_RESTORE\TEMP\A0009408.CPY' requires a reboot. Checking for 'c:\_RESTORE\TEMP\A0009412.CPY' in shortcut areas. Checking for 'c:\_RESTORE\TEMP\A0009412.CPY' in startup areas. Cleaning 'c:\_RESTORE\TEMP\A0009412.CPY' [SCANMODS] WARNING: Deletion of the file 'c:\_RESTORE\TEMP\A0009412.CPY' requires a reboot. Checking for 'c:\_RESTORE\TEMP\A0005643.CPY' in shortcut areas. Checking for 'c:\_RESTORE\TEMP\A0005643.CPY' in startup areas. Cleaning 'c:\_RESTORE\TEMP\A0005643.CPY' [SCANMODS] WARNING: Deletion of the file 'c:\_RESTORE\TEMP\A0005643.CPY' requires a reboot. Checking for 'c:\_RESTORE\TEMP\A0009638.CPY' in shortcut areas. Checking for 'c:\_RESTORE\TEMP\A0009638.CPY' in startup areas. Cleaning 'c:\_RESTORE\TEMP\A0009638.CPY' [SCANMODS] WARNING: Deletion of the file 'c:\_RESTORE\TEMP\A0009638.CPY' requires a reboot. Checking for 'c:\_RESTORE\TEMP\A0009645.CPY' in shortcut areas. Checking for 'c:\_RESTORE\TEMP\A0009645.CPY' in startup areas. Cleaning 'c:\_RESTORE\TEMP\A0009645.CPY' [SCANMODS] WARNING: Deletion of the file 'c:\_RESTORE\TEMP\A0009645.CPY' requires a reboot. Checking for 'c:\_RESTORE\TEMP\A0009723.CPY' in shortcut areas. Checking for 'c:\_RESTORE\TEMP\A0009723.CPY' in startup areas. Cleaning 'c:\_RESTORE\TEMP\A0009723.CPY' [SCANMODS] WARNING: Deletion of the file 'c:\_RESTORE\TEMP\A0009723.CPY' requires a reboot. Checking for 'c:\_RESTORE\TEMP\A0010724.CPY' in shortcut areas. Checking for 'c:\_RESTORE\TEMP\A0010724.CPY' in startup areas. Cleaning 'c:\_RESTORE\TEMP\A0010724.CPY' [SCANMODS] WARNING: Deletion of the file 'c:\_RESTORE\TEMP\A0010724.CPY' requires a reboot. Checking for 'c:\_RESTORE\TEMP\A0010842.CPY' in shortcut areas. Checking for 'c:\_RESTORE\TEMP\A0010842.CPY' in startup areas. Cleaning 'c:\_RESTORE\TEMP\A0010842.CPY' [SCANMODS] WARNING: Deletion of the file 'c:\_RESTORE\TEMP\A0010842.CPY' requires a reboot. Checking for 'c:\WINDOWS\SYSTEM\FLEOK' in shortcut areas. Checking for 'c:\WINDOWS\SYSTEM\FLEOK' in startup areas. Cleaning 'c:\WINDOWS\SYSTEM\FLEOK' Checking for 'c:\WINDOWS\SYSTEM\Cache\desktrf-fran-162813.exe' in shortcut areas. Checking for 'c:\WINDOWS\SYSTEM\Cache\desktrf-fran-162813.exe' in startup areas. Cleaning 'c:\WINDOWS\SYSTEM\Cache\desktrf-fran-162813.exe' Checking for 'c:\WINDOWS\SYSTEM\bthdde.xml' in shortcut areas. Checking for 'c:\WINDOWS\SYSTEM\bthdde.xml' in startup areas. Cleaning 'c:\WINDOWS\SYSTEM\bthdde.xml' Checking for 'c:\WINDOWS\SYSTEM\wcpsu.exe' in shortcut areas. Checking for 'c:\WINDOWS\SYSTEM\wcpsu.exe' in startup areas. Cleaning 'c:\WINDOWS\SYSTEM\wcpsu.exe' Checking for 'c:\WINDOWS\SYSTEM\nsvsvc\nsvsvc.exe' in shortcut areas. Checking for 'c:\WINDOWS\SYSTEM\nsvsvc\nsvsvc.exe' in startup areas. Cleaning 'c:\WINDOWS\SYSTEM\nsvsvc\nsvsvc.exe' Checking for 'c:\WINDOWS\SYSTEM\nsvsvc\nsvs.dll' in shortcut areas. Checking for 'c:\WINDOWS\SYSTEM\nsvsvc\nsvs.dll' in startup areas. Cleaning 'c:\WINDOWS\SYSTEM\nsvsvc\nsvs.dll' Checking for 'c:\WINDOWS\SYSTEM\nsvsvc\License.txt' in shortcut areas. Checking for 'c:\WINDOWS\SYSTEM\nsvsvc\License.txt' in startup areas. Cleaning 'c:\WINDOWS\SYSTEM\nsvsvc\License.txt' Checking for 'c:\WINDOWS\INF\BIINI.INF' in shortcut areas. Checking for 'c:\WINDOWS\INF\BIINI.INF' in startup areas. Cleaning 'c:\WINDOWS\INF\BIINI.INF' Checking for 'c:\WINDOWS\INF\BELT.INF' in shortcut areas. Checking for 'c:\WINDOWS\INF\BELT.INF' in startup areas. Cleaning 'c:\WINDOWS\INF\BELT.INF' Checking for 'c:\WINDOWS\INF\CERES.INF' in shortcut areas. Checking for 'c:\WINDOWS\INF\CERES.INF' in startup areas. Cleaning 'c:\WINDOWS\INF\CERES.INF' Checking for 'c:\WINDOWS\TEMP\pav22.TMP' in shortcut areas. Checking for 'c:\WINDOWS\TEMP\pav22.TMP' in startup areas. Cleaning 'c:\WINDOWS\TEMP\pav22.TMP' Checking for 'c:\WINDOWS\TEMP\pav24.TMP' in shortcut areas. Checking for 'c:\WINDOWS\TEMP\pav24.TMP' in startup areas. Cleaning 'c:\WINDOWS\TEMP\pav24.TMP' Checking for 'c:\WINDOWS\TEMP\pav164.TMP' in shortcut areas. Checking for 'c:\WINDOWS\TEMP\pav164.TMP' in startup areas. Cleaning 'c:\WINDOWS\TEMP\pav164.TMP' Checking for 'c:\WINDOWS\TEMP\pav40D5.TMP' in shortcut areas. Checking for 'c:\WINDOWS\TEMP\pav40D5.TMP' in startup areas. Cleaning 'c:\WINDOWS\TEMP\pav40D5.TMP' Checking for 'c:\WINDOWS\TEMP\pav40E0.TMP' in shortcut areas. Checking for 'c:\WINDOWS\TEMP\pav40E0.TMP' in startup areas. Cleaning 'c:\WINDOWS\TEMP\pav40E0.TMP' Checking for 'c:\WINDOWS\TEMP\pav4374.TMP' in shortcut areas. Checking for 'c:\WINDOWS\TEMP\pav4374.TMP' in startup areas. Cleaning 'c:\WINDOWS\TEMP\pav4374.TMP' Checking for 'c:\WINDOWS\All Users\Application Data\nsv\wmv0104.dbd' in shortcut areas. Checking for 'c:\WINDOWS\All Users\Application Data\nsv\wmv0104.dbd' in startup areas. Cleaning 'c:\WINDOWS\All Users\Application Data\nsv\wmv0104.dbd' Checking for 'c:\WINDOWS\All Users\Application Data\nsv\wmv0204.ddx' in shortcut areas. Checking for 'c:\WINDOWS\All Users\Application Data\nsv\wmv0204.ddx' in startup areas. Cleaning 'c:\WINDOWS\All Users\Application Data\nsv\wmv0204.ddx' Checking for 'c:\WINDOWS\All Users\Application Data\nsv\wmv0504.ddx' in shortcut areas. Checking for 'c:\WINDOWS\All Users\Application Data\nsv\wmv0504.ddx' in startup areas. Cleaning 'c:\WINDOWS\All Users\Application Data\nsv\wmv0504.ddx' Checking for 'c:\WINDOWS\All Users\Application Data\nsv\wmv0904.ddx' in shortcut areas. Checking for 'c:\WINDOWS\All Users\Application Data\nsv\wmv0904.ddx' in startup areas. Cleaning 'c:\WINDOWS\All Users\Application Data\nsv\wmv0904.ddx' Checking for 'c:\WINDOWS\All Users\Application Data\nsv\wmv0412.ddx' in shortcut areas. Checking for 'c:\WINDOWS\All Users\Application Data\nsv\wmv0412.ddx' in startup areas. Cleaning 'c:\WINDOWS\All Users\Application Data\nsv\wmv0412.ddx' Checking for 'c:\WINDOWS\All Users\Application Data\nsv\wmv0106.ddx' in shortcut areas. Checking for 'c:\WINDOWS\All Users\Application Data\nsv\wmv0106.ddx' in startup areas. Cleaning 'c:\WINDOWS\All Users\Application Data\nsv\wmv0106.ddx' Checking for 'c:\WINDOWS\All Users\Application Data\nsv\wmv1215.dbd' in shortcut areas. Checking for 'c:\WINDOWS\All Users\Application Data\nsv\wmv1215.dbd' in startup areas. Cleaning 'c:\WINDOWS\All Users\Application Data\nsv\wmv1215.dbd' Checking for 'c:\WINDOWS\All Users\Application Data\nsv\wmv0315.ddx' in shortcut areas. Checking for 'c:\WINDOWS\All Users\Application Data\nsv\wmv0315.ddx' in startup areas. Cleaning 'c:\WINDOWS\All Users\Application Data\nsv\wmv0315.ddx' Checking for 'c:\WINDOWS\All Users\Application Data\nsv\wmv1204.ddx' in shortcut areas. Checking for 'c:\WINDOWS\All Users\Application Data\nsv\wmv1204.ddx' in startup areas. Cleaning 'c:\WINDOWS\All Users\Application Data\nsv\wmv1204.ddx' Checking for 'c:\WINDOWS\All Users\Application Data\nsv\wmv2007.dbd' in shortcut areas. Checking for 'c:\WINDOWS\All Users\Application Data\nsv\wmv2007.dbd' in startup areas. Cleaning 'c:\WINDOWS\All Users\Application Data\nsv\wmv2007.dbd' Checking for 'c:\WINDOWS\All Users\Application Data\nsv\wmv1125.ddx' in shortcut areas. Checking for 'c:\WINDOWS\All Users\Application Data\nsv\wmv1125.ddx' in startup areas. Cleaning 'c:\WINDOWS\All Users\Application Data\nsv\wmv1125.ddx' Checking for 'c:\WINDOWS\All Users\Application Data\nsv\wmv1920.dbd' in shortcut areas. Checking for 'c:\WINDOWS\All Users\Application Data\nsv\wmv1920.dbd' in startup areas. Cleaning 'c:\WINDOWS\All Users\Application Data\nsv\wmv1920.dbd' Checking for 'c:\WINDOWS\All Users\Application Data\nsv\wmv1909.ddx' in shortcut areas. Checking for 'c:\WINDOWS\All Users\Application Data\nsv\wmv1909.ddx' in startup areas. Cleaning 'c:\WINDOWS\All Users\Application Data\nsv\wmv1909.ddx' Checking for 'c:\WINDOWS\CERES.DLL' in shortcut areas. Checking for 'c:\WINDOWS\CERES.DLL' in startup areas. Cleaning 'c:\WINDOWS\CERES.DLL' [SCANMODS] WARNING: Deletion of the file 'c:\WINDOWS\CERES.DLL' requires a reboot. Checking for 'c:\WINDOWS\cfgmgr52\EECH1.bsx' in shortcut areas. Checking for 'c:\WINDOWS\cfgmgr52\EECH1.bsx' in startup areas. Cleaning 'c:\WINDOWS\cfgmgr52\EECH1.bsx' Checking for 'c:\WINDOWS\Buddy.exe' in shortcut areas. Checking for 'c:\WINDOWS\Buddy.exe' in startup areas. Cleaning 'c:\WINDOWS\Buddy.exe' Checking for 'c:\WINDOWS\tdtb.exe' in shortcut areas. Checking for 'c:\WINDOWS\tdtb.exe' in startup areas. Cleaning 'c:\WINDOWS\tdtb.exe' Checking for 'c:\Program Files\Media Access' in shortcut areas. Checking for 'c:\Program Files\Media Access' in startup areas. Cleaning 'c:\Program Files\Media Access' Checking for 'c:\Program Files\Toolbar' in shortcut areas. Checking for 'c:\Program Files\Toolbar' in startup areas. Cleaning 'c:\Program Files\Toolbar' Checking for 'c:\Program Files\Toolbar\tbps.dat' in shortcut areas. Checking for 'c:\Program Files\Toolbar\tbps.dat' in startup areas. Cleaning 'c:\Program Files\Toolbar\tbps.dat' Checking for 'c:\Program Files\MySearch' in shortcut areas. Checking for 'c:\Program Files\MySearch' in startup areas. Cleaning 'c:\Program Files\MySearch' Checking for 'c:\Program Files\MySearch\bar\1.bin\MYSEARCHPLUGINPROXY.CLASS' in shortcut areas. Checking for 'c:\Program Files\MySearch\bar\1.bin\MYSEARCHPLUGINPROXY.CLASS' in startup areas. Cleaning 'c:\Program Files\MySearch\bar\1.bin\MYSEARCHPLUGINPROXY.CLASS' Checking for 'c:\Program Files\MySearch\bar\1.bin\NPMYSRCH.DLL' in shortcut areas. Checking for 'c:\Program Files\MySearch\bar\1.bin\NPMYSRCH.DLL' in startup areas. Cleaning 'c:\Program Files\MySearch\bar\1.bin\NPMYSRCH.DLL' Checking for 'c:\Program Files\MySearch\bar\1.bin\S42NS.EXE' in shortcut areas. Checking for 'c:\Program Files\MySearch\bar\1.bin\S42NS.EXE' in startup areas. Cleaning 'c:\Program Files\MySearch\bar\1.bin\S42NS.EXE' Checking for 'c:\Program Files\MySearch\bar\1.bin\S4BAR.DLL' in shortcut areas. Checking for 'c:\Program Files\MySearch\bar\1.bin\S4BAR.DLL' in startup areas. Cleaning 'c:\Program Files\MySearch\bar\1.bin\S4BAR.DLL' Checking for 'c:\Program Files\MySearch\bar' in shortcut areas. Checking for 'c:\Program Files\MySearch\bar' in startup areas. Cleaning 'c:\Program Files\MySearch\bar' [SCANMODS] The file 'c:\Program Files\MySearch\bar' was not found. Most likely already cleaned by another scanner module. Checking for 'c:\Program Files\Aprps\data.bin' in shortcut areas. Checking for 'c:\Program Files\Aprps\data.bin' in startup areas. Cleaning 'c:\Program Files\Aprps\data.bin' Checking for 'c:\HJT\backups\backup-20050715-225328-231.dll' in shortcut areas. Checking for 'c:\HJT\backups\backup-20050715-225328-231.dll' in startup areas. Cleaning 'c:\HJT\backups\backup-20050715-225328-231.dll' Checking for 'C:\WINDOWS\SYSTEM\nsvsvc\nsvsvc.exe' in shortcut areas. Checking for 'C:\WINDOWS\SYSTEM\nsvsvc\nsvsvc.exe' in startup areas. Cleaning 'C:\WINDOWS\SYSTEM\nsvsvc\nsvsvc.exe' [SCANMODS] The file 'C:\WINDOWS\SYSTEM\nsvsvc\nsvsvc.exe' was not found. Most likely already cleaned by another scanner module. Unable to delete registry value 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Nsv'. Error=2. Finished Cleaning

07-16-2005, 09:33 AM	#6 (permalink)
sUBs Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy Join Date: May 2005 Posts: 23,247 OS: N/A	Copy to clipboard, all the items below by highlighting them & pressing [CTRL]+[C] on your keyboard. C:\WINDOWS\START MENU\PROGRAMS\STARTUP\NNND.EXE C:\WINDOWS\CERES.DLL C:\WINDOWS\SYSTEM\VIDCTRL\VIDCTRL.EXE C:\WINDOWS\SYSTEM\DATADX.DLL c:\windows\system\dlylygu.exe C:\WINDOWS\jjjanl.exe Start KillBox. Go to the File menu, and choose Paste from Clipboard * this feature does not work on older versons of Killbox Click the dropdown-arrow next to the "Full Path of File to Delete" field. Verify that the filenames you pasted are found in there. Select/tick the following: * Replace on Reboot * Use Dummy * End Explorer Shell While Killing File * "Unregister.dll Before Deleting" * if it's not grayed out Click the RED X button. Click "Yes" at the 'Delete on Reboot' prompt. Click "Yes" at the 'Pending Operations' prompt. * If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try Killbox again. = = = = = = = = = = = Reboot to Safe-Mode Restart the computer. The computer begins processing a set of instructions known as BIOS. As soon as the BIOS has finished loading, begin tapping the F8 key on your keyboard. Continue to do so until the 'Windows Advanced Options' menu appears. Using the arrow keys on the keyboard, scroll to and select the menu item - Safe Mode. = = = = = = = = = = = Uninstall the following programs using Add/Remove Programs panel : * Some entries may not be present Media Access MySearch Toolbar = = = = = = = = = = = Run a HiJackThis scan. Select the following entries & click Fix checked : O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\CERES.DLL O4 - HKLM\..\Run: [vidctrl] C:\WINDOWS\SYSTEM\VIDCTRL\VIDCTRL.EXE O4 - HKLM\..\Run: [autoupdate] rundll32 C:\WINDOWS\SYSTEM\DATADX.DLL,SHStart O4 - HKLM\..\Run: [dlylygu] c:\windows\system\dlylygu.exe O4 - HKLM\..\Run: [winsync] C:\WINDOWS\jjjanl.exe reg_run O4 - Startup: nnnd.exe = = = = = = = = = = = Locate and delete the following folder(s), if present: c:\WINDOWS\All Users\Application Data\nsv\ c:\WINDOWS\cfgmgr52\ c:\Program Files\Media Access\ c:\Program Files\Toolbar\ c:\Program Files\MySearch\ c:\Program Files\Aprps\ C:\WINDOWS\SYSTEM\nsvsvc\ C:\WINDOWS\SYSTEM\VIDCTRL\ = = = = = = = = = = = Run Cleanup! & configure the program up as follows: Click Options... Move the arrow down to Custom CleanUp! Put a check next to the following: Empty Recycle Bins Delete Cookies Delete Prefetch files [X]Scan local drives for temporary files (Please uncheck this option) Cleanup! All Users Click OK Press the CleanUp! button to start the program. Reboot/logoff when prompted. * CleanUp! will delete all the files in your temp folders without making a backup = = = = = = = = = = = Reboot to Normal-Mode. Do an online scan at Panda Take note the names and locations of any file it detects but fails to clean. * Turn off the real time scanner of any existing antivirus program while performing the online scan = = = = = = = = = = = In your next post, please include fresh copies of: 1. HiJackThis log 2. List of files that online scans failed to disinfect Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now __________________

07-16-2005, 02:12 PM	#7 (permalink)
compgeek Member Join Date: Jan 2005 Posts: 33 OS: Windows ME	panda and hijackthis logs Incident Status Location Possible Virus. No disinfected C:\WINDOWS\SYSTEM\WMASCR.DLL Possible Virus. No disinfected C:\WINDOWS\SYSTEM\DVNET.DLL Adware:adware/alwaysupdatednewsNo disinfected C:\WINDOWS\SYSTEM\Free Picture iPod.ico Adware:adware/portalscan No disinfected C:\WINDOWS\SYSTEM\winupdt.bin Adware:adware/sqwire No disinfected C:\WINDOWS\SYSTEM\tsuninst.exe Adware:adware/powersearch No disinfected C:\WINDOWS\SYSTEM\stlb2.xml Adware:adware/ncase No disinfected C:\WINDOWS\SYSTEM\saie_gdf.dat Spyware:spyware/surfsidekick No disinfected C:\WINDOWS\SYSTEM\CACHE\SSK_B5 WMG Media - Rev Share 3.EXE Adware:adware/searchtheweb No disinfected C:\WINDOWS\SYSTEM\CACHE\mswinstall.exe Adware:adware/transponder No disinfected C:\WINDOWS\INF\CERES.INF Spyware:spyware/betterinet No disinfected C:\WINDOWS\Buddy.exe Adware:adware/apropos No disinfected C:\WINDOWS\cxtpls_loader.exe Adware:adware/navhelper No disinfected C:\PROGRAM FILES\Ares Adware:adware/sidesearch No disinfected C:\WINDOWS\APPLICATION DATA\Lycos Adware:adware/mediatickets No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\MODULEUSAGE\C:/WINDOWS/DOWNLOADED PROGRAM FILES/MEDIATICKETSINSTALLER.OCX Adware:adware/sidefind No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\TSL INSTALLER Adware:adware/wintools No disinfected HKEY_CLASSES_ROOT\PROTOCOLS\NAME-SPACE HANDLER\RES Adware:adware/mywebsearch No disinfected HKEY_CLASSES_ROOT\CLSID\{FB45C451-B0E9-4407-BB6A-9361013F3E9A} Adware:adware/brilliantdigitalNo disinfected HKEY_CLASSES_ROOT\Interface\{48E59292-9880-11CF-9754-00AA00C00908} Spyware:spyware/bargainbuddy No disinfected HKEY_CLASSES_ROOT\Interface\{71a27036-c7d8-11d2-bef8-525400dfb47a} Possible Virus. No disinfected C:\WINDOWS\SYSTEM\SSI_CI32.DLL Possible Virus. No disinfected C:\WINDOWS\SYSTEM\QJV.DLL Possible Virus. No disinfected C:\WINDOWS\SYSTEM\IPSETUP.DLL Possible Virus. No disinfected C:\WINDOWS\SYSTEM\NYWRSPT.DLL Possible Virus. No disinfected C:\WINDOWS\SYSTEM\MNDMO.DLL Possible Virus. No disinfected C:\WINDOWS\SYSTEM\IWWPHBK.DLL Possible Virus. No disinfected C:\WINDOWS\SYSTEM\CRL3DV2.DLL Possible Virus. No disinfected C:\WINDOWS\SYSTEM\QAV.DLL Possible Virus. No disinfected C:\WINDOWS\SYSTEM\PXNMAP.DLL Possible Virus. No disinfected C:\WINDOWS\SYSTEM\WSADMOD.DLL Possible Virus. No disinfected C:\WINDOWS\SYSTEM\HNOPNP.DLL Possible Virus. No disinfected C:\WINDOWS\SYSTEM\BIOWSEUI.DLL Possible Virus. No disinfected C:\WINDOWS\SYSTEM\NWONN16.DLL Possible Virus. No disinfected C:\WINDOWS\SYSTEM\OGBCINT.DLL Possible Virus. No disinfected C:\WINDOWS\SYSTEM\OWBCBCP.DLL Possible Virus. No disinfected C:\WINDOWS\SYSTEM\WNNMM.DLL Adware:Adware/Transponder No disinfected C:\WINDOWS\SYSTEM\biA.exe Adware:Adware/eZula No disinfected C:\WINDOWS\SYSTEM\Cache\ezstub.exe Spyware:Spyware/ISTbar No disinfected C:\WINDOWS\SYSTEM\Cache\ic_d.exe Adware:Adware/AdLogix No disinfected C:\WINDOWS\SYSTEM\Cache\videoinst.exe Spyware:Spyware/SurfSideKick No disinfected C:\WINDOWS\SYSTEM\Cache\SSK_B5 WMG Media - Rev Share 3.EXE Adware:Adware/ILookup No disinfected C:\WINDOWS\SYSTEM\Cache\trgen-fran-default.exe Adware:Adware/ILookup No disinfected C:\WINDOWS\SYSTEM\Cache\trgen_fran-162813.exe Possible Virus. No disinfected C:\WINDOWS\SYSTEM\datadx.dll Possible Virus. No disinfected C:\WINDOWS\SYSTEM\danput8.dll Possible Virus. No disinfected C:\WINDOWS\SYSTEM\Cul3d.dll Possible Virus. No disinfected C:\WINDOWS\SYSTEM\WMASCR.DLL Spyware:Spyware/ISTbar No disinfected C:\WINDOWS\SYSTEM\tsuninst.exe Possible Virus. No disinfected C:\WINDOWS\SYSTEM\ASSTREAM.DLL Possible Virus. No disinfected C:\WINDOWS\SYSTEM\VKAME.DLL Possible Virus. No disinfected C:\WINDOWS\SYSTEM\Ccwflt32.dll Possible Virus. No disinfected C:\WINDOWS\SYSTEM\mb43dmod.dll Possible Virus. No disinfected C:\WINDOWS\SYSTEM\cartc.dll Possible Virus. No disinfected C:\WINDOWS\SYSTEM\mwident.dll Possible Virus. No disinfected C:\WINDOWS\SYSTEM\mb4sdmod.dll Possible Virus. No disinfected C:\WINDOWS\SYSTEM\IS_NDI.DLL Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\SYSTEM\QBUninstaller.exe Possible Virus. No disinfected C:\WINDOWS\SYSTEM\AOTXPRXY.DLL Possible Virus. No disinfected C:\WINDOWS\SYSTEM\MIC40.DLL Possible Virus. No disinfected C:\WINDOWS\SYSTEM\VEPODBC.DLL Adware:Adware/PurityScan No disinfected C:\WINDOWS\SYSTEM\Shex.exe Possible Virus. No disinfected C:\WINDOWS\SYSTEM\poisdecd.dll Possible Virus. No disinfected C:\WINDOWS\SYSTEM\dvnet.dll Possible Virus. No disinfected C:\WINDOWS\SYSTEM\MIC42.DLL Possible Virus. No disinfected C:\WINDOWS\SYSTEM\NUWRSPT.DLL Possible Virus. No disinfected C:\WINDOWS\SYSTEM\dascript.dll Adware:Adware/Twain-Tech No disinfected C:\WINDOWS\SYSTEM\dlylygu.exe Possible Virus. No disinfected C:\WINDOWS\SYSTEM\UJLMON.DLL Possible Virus. No disinfected C:\WINDOWS\SYSTEM\IAGUTIL.DLL Possible Virus. No disinfected C:\WINDOWS\SYSTEM\SNROBJ.DLL Possible Virus. No disinfected C:\WINDOWS\SYSTEM\SUSCRAP.DLL Possible Virus. No disinfected C:\WINDOWS\SYSTEM\aosc\!update-2154.0000 Possible Virus. No disinfected C:\WINDOWS\SYSTEM\NMRSES.DLL Adware:Adware/SAHAgent No disinfected C:\WINDOWS\INF\BIA.INF Adware:Adware/Transponder No disinfected C:\WINDOWS\INF\CERES.INF Possible Virus. No disinfected C:\WINDOWS\TEMP\pav72B7.TMP Possible Virus. No disinfected C:\WINDOWS\TEMP\pav72E5.TMP Possible Virus. No disinfected C:\WINDOWS\TEMP\pav8170.TMP Possible Virus. No disinfected C:\WINDOWS\TEMP\pav8323.TMP Possible Virus. No disinfected C:\WINDOWS\TEMP\pav9140.TMP Possible Virus. No disinfected C:\WINDOWS\TEMP\pav91A5.TMP Possible Virus. No disinfected C:\WINDOWS\TEMP\pav91C1.TMP Possible Virus. No disinfected C:\WINDOWS\TEMP\pav9221.TMP Possible Virus. No disinfected C:\WINDOWS\TEMP\pav9270.TMP Possible Virus. No disinfected C:\WINDOWS\TEMP\pav9285.TMP Possible Virus. No disinfected C:\WINDOWS\TEMP\pav92E3.TMP Possible Virus. No disinfected C:\WINDOWS\TEMP\pav92E6.TMP Possible Virus. No disinfected C:\WINDOWS\TEMP\pav9371.TMP Possible Virus. No disinfected C:\WINDOWS\TEMP\pav93B5.TMP Possible Virus. No disinfected C:\WINDOWS\TEMP\pavA003.TMP Possible Virus. No disinfected C:\WINDOWS\TEMP\pavA041.TMP Possible Virus. No disinfected C:\WINDOWS\TEMP\pavA043.TMP Possible Virus. No disinfected C:\WINDOWS\TEMP\pavA282.TMP Possible Virus. No disinfected C:\WINDOWS\TEMP\pavA283.TMP Possible Virus. No disinfected C:\WINDOWS\TEMP\pavA292.TMP Possible Virus. No disinfected C:\WINDOWS\TEMP\pavA2B0.TMP Possible Virus. No disinfected C:\WINDOWS\TEMP\pavA2B1.TMP Possible Virus. No disinfected C:\WINDOWS\TEMP\pavA2B3.TMP Possible Virus. No disinfected C:\WINDOWS\TEMP\pavA2B4.TMP Possible Virus. No disinfected C:\WINDOWS\TEMP\pavA2B6.TMP Possible Virus. No disinfected C:\WINDOWS\TEMP\pavA2E6.TMP Possible Virus. No disinfected C:\WINDOWS\TEMP\pavA354.TMP Possible Virus. No disinfected C:\WINDOWS\TEMP\pavA355.TMP Possible Virus. No disinfected C:\WINDOWS\TEMP\pavA381.TMP Possible Virus. No disinfected C:\WINDOWS\TEMP\pavA382.TMP Possible Virus. No disinfected C:\WINDOWS\TEMP\pavA392.TMP Possible Virus. No disinfected C:\WINDOWS\TEMP\pavB014.TMP Possible Virus. No disinfected C:\WINDOWS\TEMP\pavB020.TMP Possible Virus. No disinfected C:\WINDOWS\TEMP\pavB022.TMP Possible Virus. No disinfected C:\WINDOWS\TEMP\pavB026.TMP Possible Virus. No disinfected C:\WINDOWS\TEMP\pavB031.TMP Possible Virus. No disinfected C:\WINDOWS\TEMP\pavB032.TMP Possible Virus. No disinfected C:\WINDOWS\TEMP\pavB034.TMP Possible Virus. No disinfected C:\WINDOWS\TEMP\pavB041.TMP Adware:Adware/SearchTheWeb No disinfected C:\WINDOWS\All Users\Application Data\msw\BMan1.exe Adware:Adware/SearchTheWeb No disinfected C:\WINDOWS\All Users\Application Data\msw\MSW.exe Virus:Trj/Qoologic.G Disinfected C:\WINDOWS\pppqu.dat Virus:Trj/Qoologic.G Disinfected C:\WINDOWS\jjjanl.exe Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\Buddy.exe Possible Virus. No disinfected C:\WINDOWS\dddfswg.dll Possible Virus. No disinfected C:\WINDOWS\pi1_60.exe Spyware:Spyware/BargainBuddy No disinfected C:\Temp\bb_click_wider.swf Spyware:Spyware/BargainBuddy No disinfected C:\Temp\bb_auto_wider.swf Spyware:Spyware/BargainBuddy No disinfected C:\Temp\logo.gif Spyware:Spyware/BetterInet No disinfected C:\HJT\backups\backup-20050716-152547-807.dll Virus:Trj/Qoologic.G Disinfected C:\HJT\backups\backup-20050715-225329-754-nnnd.exe Virus:Trj/Qoologic.G Disinfected C:\HJT\backups\backup-20050716-152547-113-nnnd.exe Virus:Trj/Mitglieder.DC Disinfected [1.zip][03_05_2005.exe] Logfile of HijackThis v1.99.1 Scan saved at 5:12:59 PM, on 7/16/2005 Platform: Windows ME (Win9x 4.90.3000) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\SYSTEM\KERNEL32.DLL C:\WINDOWS\SYSTEM\MSGSRV32.EXE C:\WINDOWS\SYSTEM\mmtask.tsk C:\WINDOWS\SYSTEM\SPOOL32.EXE C:\WINDOWS\SYSTEM\MPREXE.EXE C:\WINDOWS\SYSTEM\MSTASK.EXE C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE C:\PROGRAM FILES\NORTON ANTIVIRUS\IWP\NPFMNTOR.EXE C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE C:\WINDOWS\SYSTEM\DEVLDR16.EXE C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE C:\WINDOWS\EXPLORER.EXE C:\WINDOWS\RUNDLL32.EXE C:\WINDOWS\TASKMON.EXE C:\WINDOWS\SYSTEM\SYSTRAY.EXE C:\PROGRAM FILES\DIGSTREAM\DIGSTREAM.EXE C:\WINDOWS\SYSTEM\DDHELP.EXE C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE C:\WINDOWS\SYSTEM\WMIEXE.EXE C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SNDSRVC.EXE C:\WINDOWS\WUAUCLT.EXE C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE C:\HJT\HIJACKTHIS.EXE R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe O4 - HKLM\..\Run: [SystemTray] SysTray.Exe O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE /Consumer O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe" O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe" O4 - HKLM\..\RunServices: [NPFMonitor] C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000 O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmwordtrans.html O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL O9 - Extra button: PDFtypewriter - {B5EE1724-E26C-4431-A8F3-96FC5FE55CA1} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/tech...ActiveData.cab O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/game...ts/y/tt3_x.cab O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - https://www-secure.symantec.com/tech...a/LSSupCtl.cab O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

07-16-2005, 06:49 PM	#9 (permalink)
compgeek Member Join Date: Jan 2005 Posts: 33 OS: Windows ME	hijackthis log thanks for your help. The computer seems fine for now, i'll be sure to let tsf know if its not. Logfile of HijackThis v1.99.1 Scan saved at 9:49:18 PM, on 7/16/2005 Platform: Windows ME (Win9x 4.90.3000) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\SYSTEM\KERNEL32.DLL C:\WINDOWS\SYSTEM\MSGSRV32.EXE C:\WINDOWS\SYSTEM\mmtask.tsk C:\WINDOWS\SYSTEM\SPOOL32.EXE C:\WINDOWS\SYSTEM\MPREXE.EXE C:\WINDOWS\SYSTEM\MSTASK.EXE C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE C:\PROGRAM FILES\NORTON ANTIVIRUS\IWP\NPFMNTOR.EXE C:\WINDOWS\SYSTEM\DEVLDR16.EXE C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE C:\WINDOWS\EXPLORER.EXE C:\WINDOWS\RUNDLL32.EXE C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE C:\WINDOWS\TASKMON.EXE C:\WINDOWS\SYSTEM\SYSTRAY.EXE C:\WINDOWS\SYSTEM\WMIEXE.EXE C:\WINDOWS\SYSTEM\DDHELP.EXE C:\PROGRAM FILES\DIGSTREAM\DIGSTREAM.EXE C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SNDSRVC.EXE C:\WINDOWS\WUAUCLT.EXE C:\HJT\HIJACKTHIS.EXE R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe O4 - HKLM\..\Run: [SystemTray] SysTray.Exe O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE /Consumer O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe" O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe" O4 - HKLM\..\RunServices: [NPFMonitor] C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000 O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmwordtrans.html O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL O9 - Extra button: PDFtypewriter - {B5EE1724-E26C-4431-A8F3-96FC5FE55CA1} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/tech...ActiveData.cab O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/game...ts/y/tt3_x.cab O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - https://www-secure.symantec.com/tech...a/LSSupCtl.cab O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

07-16-2005, 08:39 PM	#10 (permalink)
sUBs Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy Join Date: May 2005 Posts: 23,247 OS: N/A	Your log is clean. Well done Do you have any more problems with your computer? If not, you should be set to go. Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs: SpywareBlaster to help prevent spyware from installing in the first place. SpywareGuard to catch and block spyware before it can execute. IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email. If you do not have a firewall, here are 3 free ones available for personal use: Sygate Personal Firewall Kerio Personal Firewall ZoneAlarm In light of your recent hiccup, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles HOW DID I GET INFECTED IN THE FIRST PLACE? THE ANTI-SPYWARE TUTORIAL MAKING INTERNET EXPLORER SAFER Have a safe & happy computing day. Please respond to this thread one more time so we can mark this thread as resolved. __________________

07-17-2005, 12:04 AM	#11 (permalink)
compgeek Member Join Date: Jan 2005 Posts: 33 OS: Windows ME	thanks thanks for all your help!