Discussion Starter · #1 ·
Hello TSF,

Lately my Internet Explorer has been taken over by a website called www.todayswarnings.com. I can use the explorer but the homepage always goes to todayswarnings.com instead of whatever my homepage is set to.

My second problem is more paranoia than anything. A friend of mine recently had some sensitive information stolen from his computer and I'm a bit scared that the same thing might happen to me. So I was wondering if this HJT log would tell me if there were any keyloggers or such on my computer and what is wrong with my Internet Explorer.

Logfile of HijackThis v1.99.1
Scan saved at 12:22:13 AM, on 12/10/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\tfovxxi.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\qvupeep.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\AIM95\aim.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\WgaTray.exe
C:\HJT\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\CMIntex\CMIntex.exe
C:\WINDOWS\System32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll
R3 - URLSearchHook: (no name) - ~20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
O1 - Hosts: 216.130.185.143 websearch.com
O1 - Hosts: 216.130.185.143 www.websearch.com
O1 - Hosts: 216.130.185.143 websearch.com
O1 - Hosts: 216.130.185.143 www.adwave.com
O1 - Hosts: 216.130.185.143 adwave.com
O1 - Hosts: 216.130.185.143 www.xzoomy.com
O1 - Hosts: 216.130.185.143 xzoomy.com
O1 - Hosts: 216.130.185.143 www.advnt01.com
O1 - Hosts: 216.130.185.143 advnt01.com
O1 - Hosts: 216.130.185.143 websearch.com
O1 - Hosts: 216.130.185.143 www.adwave.com
O1 - Hosts: 216.130.185.143 adwave.com
O1 - Hosts: 216.130.185.143 www.xzoomy.com
O1 - Hosts: 216.130.185.143 xzoomy.com
O1 - Hosts: 216.130.185.143 www.advnt01.com
O1 - Hosts: 216.130.185.143 advnt01.com
O1 - Hosts: 216.130.185.143 websearch.com
O1 - Hosts: 216.130.185.143 www.adwave.com
O1 - Hosts: 216.130.185.143 adwave.com
O1 - Hosts: 216.130.185.143 www.xzoomy.com
O1 - Hosts: 216.130.185.143 xzoomy.com
O1 - Hosts: 216.130.185.143 www.advnt01.com
O1 - Hosts: 216.130.185.143 advnt01.com
O1 - Hosts: 216.130.185.143 websearch.com
O1 - Hosts: 216.130.185.143 www.adwave.com
O1 - Hosts: 216.130.185.143 adwave.com
O1 - Hosts: 216.130.185.143 www.xzoomy.com
O1 - Hosts: 216.130.185.143 xzoomy.com
O1 - Hosts: 216.130.185.143 www.advnt01.com
O1 - Hosts: 216.130.185.143 advnt01.com
O1 - Hosts: 216.130.185.143 websearch.com
O1 - Hosts: 216.130.185.143 www.adwave.com
O1 - Hosts: 216.130.185.143 adwave.com
O1 - Hosts: 216.130.185.143 www.xzoomy.com
O1 - Hosts: 216.130.185.143 xzoomy.com
O1 - Hosts: 216.130.185.143 www.advnt01.com
O1 - Hosts: 216.130.185.143 advnt01.com
O2 - BHO: HomepageBHO - {4da4616d-7e6e-4fd9-a2d5-b6c535733e22} - C:\WINDOWS\System32\hp9BB9.tmp
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O3 - Toolbar: Search - {C249374E-3E5C-EC64-01A1-2D01502E8C9D} - C:\WINDOWS\Mhlfbteq.dll (file missing)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [tfovxxi] C:\WINDOWS\tfovxxi.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [wspdag] c:\windows\system32\yyxitve.exe
O4 - HKLM\..\Run: [WINSTA~1.EXE] C:\WINDOWS\System\WINSTA~1.EXE -b
O4 - HKLM\..\Run: [WinStart001.EXE] C:\WINDOWS\System\WinStart001.EXE -b
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [Warning: do not remove it!] fpplock.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [VBouncerDL] C:\Program Files\VBouncer\VBouncerInner.exe /S
O4 - HKLM\..\Run: [tzccvxqwzel] C:\WINDOWS\System32\pjrupp.exe
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\Run: [thknvurqzn] C:\WINDOWS\System32\pjrupp.exe
O4 - HKLM\..\Run: [sysdxvid] c:\windows\system32\sysdxvid.exe /nocomm
O4 - HKLM\..\Run: [stcloader] C:\WINDOWS\System32\stcloader.exe
O4 - HKLM\..\Run: [SpyFalcon] C:\Program Files\SpyFalcon\SpyFalcon.exe /h
O4 - HKLM\..\Run: [satmat] C:\WINDOWS\satmat.exe
O4 - HKLM\..\Run: [SAHAgent] C:\WINDOWS\System32\SahAgent.exe
O4 - HKLM\..\Run: [rumdhdsz] C:\WINDOWS\System32\pjrupp.exe
O4 - HKLM\..\Run: [RSync] C:\WINDOWS\System32\netsync.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [pjrupp] c:\windows\system32\pjrupp.exe
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [Msdmxm] c:\windows\system32\msdmxm.exe /nocomm
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [lzvlmnz] C:\WINDOWS\System32\rlrcsj.exe r
O4 - HKLM\..\Run: [kmmpmpp] c:\windows\system32\ivwcol.exe
O4 - HKLM\..\Run: [KeenValue] C:\Program Files\Common files\KeenValue\KeenValue.exe
O4 - HKLM\..\Run: [jsjasjw] c:\windows\system32\cjyveiz.exe r
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [IMwire] C:\WINDOWS\System32\imwireup.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [ELNKPCCINST] G:\elnk_pcc.exe
O4 - HKLM\..\Run: [EbatesMoeMoneyMaker0] "C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe"
O4 - HKLM\..\Run: [Earthlink Protection Control Center] C:\Program Files\EarthLink\Protection Control Center\elnk_pcc.exe /minimize
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [CashBack] C:\Program Files\CashBack\bin\cashback.exe
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\bxxs5.dll,DllRun
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [wuhnrqe] C:\DOCUME~1\Jered\LOCALS~1\Temp\Rar$EX00.078\wuhnrqe.exe
O4 - HKCU\..\Run: [Tsa2] C:\PROGRA~1\COMMON~1\tsa\tsm2.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [MyDailyHoroscope] C:\PROGRA~1\MYDAIL~1\MYDAIL~1.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ichckupd] C:\WINDOWS\System32\ichckupd.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
O4 - HKCU\..\Run: [dmime] C:\WINDOWS\System32\dmime.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [CMMan] "C:\Program Files\CMMan\CMMan.exe"
O4 - HKCU\..\Run: [certmgr] C:\WINDOWS\System32\certmgr.exe
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - HKCU\..\Run: [CMIntex] "C:\Program Files\CMIntex\CMIntex.exe"
O4 - Global Startup: KeenValue.lnk = C:\Program Files\Common Files\KeenValue\keenvalue.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM95\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - ms-its:mhtml:file://c:\nosunex.mht!http://213.158.119.23/script/ys.chm::/ysb_regular.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1154027707062
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297C} - http://download.weatherbug.com/minibug/tricklers/AWS/minibuginstaller.cab?rand=200321117
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISEXEng - Unknown owner - C:\WINDOWS\System32\angelex.exe (file missing)
O23 - Service: SmartGenie (LxrSGe10s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrSge10s.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\qvupeep.exe
 

Hello Jmiller1779, and welcome to TSF.


I am currently reviewing your log.

You may wish to Subscribe to this thread (Thread Tools) so that you are notified when you receive a reply.

Please be patient during this review time.



Your system is heavily infected. I will return with a fix as soon as possible.
 

Please read this post completely before beginning the fix. If there's anything that you do not understand, kindly ask your questions before proceeding.
Please ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad, as this webpage would not be available when you're carrying out the fix.



IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER.

----------------------------------------

The fixes we will use are specific to your problems and should only be used for this issue on this machine.

Please only use this topic to reply to. Do not start another thread.
If any other issues arise let me know.

The process is not instant. Please continue to review my answers until I tell you your machine is clear.
Absence of symptoms does not mean that everything is clear. So let's do this to the end!

Please make every effort to reply to my posts in a timely manner. Malware breeds malware and the longer an infection remains on a system, the more
likely additional infections will result.


----------------------------------------

We have a lot of work to do on this log. You have adware, spyware, hijackers and dialers infecting your system.
Please stay with me and we will get you cleaned.


----------------------------------------

DOWNLOADS


CLEANUP! version 4.52 – TEMP FILE CLEANING


Please download Cleanup! and install it. You will use this later.

*NOTE* Cleanup deletes EVERYTHING out of temporary folders and does not make backups.



AVG Anti-Spyware 7.5



Please download AVG Anti Spyware

Use the link at the bottom of the page under "AVG Anti-Spyware Free for Windows"





  1. Install AVG Anti-Spyware 7.5.
  2. Double-click the icon on Desktop to launch AVG A-S 7.5
  3. On the top of the main screen click Shield
  4. Click the word active to change it to inactive
  5. On the top of the main screen click Update.
  6. Then click on Start Update. The update will start and a progress bar will show the updates being installed.
  7. I also recommend changing the "Update interval" to something more reasonable like 12 hours.




ISTBAR REMOVAL TOOL


Please download the ISTBar removal tool
from Symantec into its own folder. Do not run it yet.



KILLBOX


Download KillBox (it's important that you get version v2.0.0.175)
Do not run it yet.




SMITFRAUD FIX

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.


ComboFix

1. Download this file - You MUST save it to your desktop

COMBOFIX

We will use this later.

----------------------------------------

DISABLE NT SERVICES


Click Start->Run - type services.msc & then click on the OK button
*Locate the service - Windows Overlay Components
*Double-click on it to open the Properties dialog.
*Under the General tab: <--Take note and write down the *Service name given as we will need it shortly.
*Stop the service by using the Stop button.
*Change the Startup type to Disabled & then click on the OK button

Next, start HiJackThis & go to Config>Misc.Tools...> Delete an NT service...
*In the popup box that appears, type in the *Service Name you found in the General Tab for Windows Overlay Components.
Do NOT allow a reboot yet.

Now repeat the steps for the next service



DISABLE NT SERVICES


Click Start->Run - type services.msc & then click on the OK button
*Locate the service - ISEXEng
*Double-click on it to open the Properties dialog.
*Under the General tab: <--Take note and write down the *Service name given as we will need it shortly.
*Stop the service by using the Stop button.
*Change the Startup type to Disabled & then click on the OK button

Next, start HiJackThis & go to Config>Misc.Tools...> Delete an NT service...
*In the popup box that appears, type in the *Service Name you found in the General Tab for ISEXEng.
Do NOT allow a reboot yet.

----------------------------------------

SAFE MODE RE-BOOT

Please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Use the up arrow key to highlight Safe Mode and press Enter.
5) Login with your usual account. Make sure to close any open browsers.

----------------------------------------

FIXES AND DELETIONS


Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

NOTE: If you do not find a program listed, continue with the rest of the fix



AutoUpdate
BullsEye Network
CashBack
CMIntex
CMMan
Ebates_MoeMoneyMaker
ezula
NaviSearch
TV Media
VBouncer
Viewpoint Manager
Web Offer
Web_Rebates


----------------------------------------

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries (If they still exist, make sure you do not miss any)

R3 - URLSearchHook: (no name) - ~20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
O1 - Hosts: 216.130.185.143 websearch.com
O1 - Hosts: 216.130.185.143 www.websearch.com
O1 - Hosts: 216.130.185.143 websearch.com
O1 - Hosts: 216.130.185.143 www.adwave.com
O1 - Hosts: 216.130.185.143 adwave.com
O1 - Hosts: 216.130.185.143 www.xzoomy.com
O1 - Hosts: 216.130.185.143 xzoomy.com
O1 - Hosts: 216.130.185.143 www.advnt01.com
O1 - Hosts: 216.130.185.143 advnt01.com
O1 - Hosts: 216.130.185.143 websearch.com
O1 - Hosts: 216.130.185.143 www.adwave.com
O1 - Hosts: 216.130.185.143 adwave.com
O1 - Hosts: 216.130.185.143 www.xzoomy.com
O1 - Hosts: 216.130.185.143 xzoomy.com
O1 - Hosts: 216.130.185.143 www.advnt01.com
O1 - Hosts: 216.130.185.143 advnt01.com
O1 - Hosts: 216.130.185.143 websearch.com
O1 - Hosts: 216.130.185.143 www.adwave.com
O1 - Hosts: 216.130.185.143 adwave.com
O1 - Hosts: 216.130.185.143 www.xzoomy.com
O1 - Hosts: 216.130.185.143 xzoomy.com
O1 - Hosts: 216.130.185.143 www.advnt01.com
O1 - Hosts: 216.130.185.143 advnt01.com
O1 - Hosts: 216.130.185.143 websearch.com
O1 - Hosts: 216.130.185.143 www.adwave.com
O1 - Hosts: 216.130.185.143 adwave.com
O1 - Hosts: 216.130.185.143 www.xzoomy.com
O1 - Hosts: 216.130.185.143 xzoomy.com
O1 - Hosts: 216.130.185.143 www.advnt01.com
O1 - Hosts: 216.130.185.143 advnt01.com
O1 - Hosts: 216.130.185.143 websearch.com
O1 - Hosts: 216.130.185.143 www.adwave.com
O1 - Hosts: 216.130.185.143 adwave.com
O1 - Hosts: 216.130.185.143 www.xzoomy.com
O1 - Hosts: 216.130.185.143 xzoomy.com
O1 - Hosts: 216.130.185.143 www.advnt01.com
O1 - Hosts: 216.130.185.143 advnt01.com
O3 - Toolbar: Search - {C249374E-3E5C-EC64-01A1-2D01502E8C9D} - C:\WINDOWS\Mhlfbteq.dll (file missing)
O4 - HKLM\..\Run: [tfovxxi] C:\WINDOWS\tfovxxi.exe
O4 - HKLM\..\Run: [wspdag] c:\windows\system32\yyxitve.exe
O4 - HKLM\..\Run: [WINSTA~1.EXE] C:\WINDOWS\System\WINSTA~1.EXE -b
O4 - HKLM\..\Run: [WinStart001.EXE] C:\WINDOWS\System\WinStart001.EXE -b
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [VBouncerDL] C:\Program Files\VBouncer\VBouncerInner.exe /S
O4 - HKLM\..\Run: [tzccvxqwzel] C:\WINDOWS\System32\pjrupp.exe
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\Run: [thknvurqzn] C:\WINDOWS\System32\pjrupp.exe
O4 - HKLM\..\Run: [sysdxvid] c:\windows\system32\sysdxvid.exe /nocomm
O4 - HKLM\..\Run: [stcloader] C:\WINDOWS\System32\stcloader.exe
O4 - HKLM\..\Run: [SpyFalcon] C:\Program Files\SpyFalcon\SpyFalcon.exe /h
O4 - HKLM\..\Run: [satmat] C:\WINDOWS\satmat.exe
O4 - HKLM\..\Run: [SAHAgent] C:\WINDOWS\System32\SahAgent.exe
O4 - HKLM\..\Run: [rumdhdsz] C:\WINDOWS\System32\pjrupp.exe
O4 - HKLM\..\Run: [RSync] C:\WINDOWS\System32\netsync.exe
O4 - HKLM\..\Run: [pjrupp] c:\windows\system32\pjrupp.exe
O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
O4 - HKLM\..\Run: [Msdmxm] c:\windows\system32\msdmxm.exe /nocomm
O4 - HKLM\..\Run: [lzvlmnz] C:\WINDOWS\System32\rlrcsj.exe r
O4 - HKLM\..\Run: [kmmpmpp] c:\windows\system32\ivwcol.exe
O4 - HKLM\..\Run: [KeenValue] C:\Program Files\Common files\KeenValue\KeenValue.exe
O4 - HKLM\..\Run: [jsjasjw] c:\windows\system32\cjyveiz.exe r
O4 - HKLM\..\Run: [IMwire] C:\WINDOWS\System32\imwireup.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [EbatesMoeMoneyMaker0] "C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe"
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [CashBack] C:\Program Files\CashBack\bin\cashback.exe
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\bxxs5.dll,DllRun
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O4 - HKCU\..\Run: [wuhnrqe] C:\DOCUME~1\Jered\LOCALS~1\Temp\Rar$EX00.078\wuhnrqe.exe
O4 - HKCU\..\Run: [Tsa2] C:\PROGRA~1\COMMON~1\tsa\tsm2.exe
O4 - HKCU\..\Run: [MyDailyHoroscope] C:\PROGRA~1\MYDAIL~1\MYDAIL~1.EXE
O4 - HKCU\..\Run: [ichckupd] C:\WINDOWS\System32\ichckupd.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
O4 - HKCU\..\Run: [dmime] C:\WINDOWS\System32\dmime.exe
O4 - HKCU\..\Run: [CMMan] "C:\Program Files\CMMan\CMMan.exe"
O4 - HKCU\..\Run: [CMIntex] "C:\Program Files\CMIntex\CMIntex.exe
O4 - Global Startup: KeenValue.lnk = C:\Program Files\Common Files\KeenValue\keenvalue.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - ms-its:mhtml:file://c:\nosunex.mht!http://213.158.119.23/script/ys.chm::/ysb_regular.cab
O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297C} - http://download.weatherbug.com/minib...rand=200321117
O23 - Service: ISEXEng - Unknown owner - C:\WINDOWS\System32\angelex.exe (file missing)
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\qvupeep.exe




Please remember to close all other windows, including browsers then click Fix checked.

----------------------------------------

UNHIDE HIDDEN FILES

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Also make sure there is no checkmark beside Hide file extensions for known file types
* Click Yes to confirm and then click OK.

----------------------------------------
Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.

C:\Program Files\Web_Rebates
C:\Program Files\Viewpoint
C:\Program Files\VBouncer
C:\Program Files\TV Media
C:\Program Files\NaviSearch
C:\PROGRAM FILES\MyDailyHoroscope
C:\Program Files\Ebates_MoeMoneyMaker
C:\Program Files\CashBack
C:\Program Files\BullsEye Network
C:\Program Files\AutoUpdate
C:\Program Files\CMMan
C:\Program Files\CMIntex
C:\Program Files\Web Offer
C:\Program Files\ezula

C:\Program Files\Common files\KeenValue
C:\Program Files\Common files\tsa

C:\WINDOWS\isrvs

wuhnrqe.exe
>>>Find via Start>>Search

----------------------------------------


KILLBOX

Launch KillBox.exe & select the following options:




  • Delete on Reboot
  • All files (if available)
Copy the file names below to the clipboard by highlighting them and pressing Ctrl-C:

C:\WINDOWS\Mhlfbteq.dll
C:\WINDOWS\tfovxxi.exe
c:\windows\system32\yyxitve.exe
C:\WINDOWS\System\WINSTA~1.EXE
C:\WINDOWS\System\WinStart001.EXE
C:\WINDOWS\System\WinStart001.EXE
C:\WINDOWS\wupdt.exe
C:\WINDOWS\System32\pjrupp.exe
c:\windows\system32\sysdxvid.exe
C:\WINDOWS\System32\stcloader.exe
C:\WINDOWS\satmat.exe
C:\WINDOWS\System32\SahAgent.exe
C:\WINDOWS\System32\netsync.exe
c:\windows\system32\msdmxm.exe
C:\WINDOWS\System32\rlrcsj.exe
c:\windows\system32\ivwcol.exe
c:\windows\system32\cjyveiz.exe
C:\WINDOWS\System32\imwireup.exe
C:\WINDOWS\dinst.exe
C:\WINDOWS\bxxs5.dll
C:\WINDOWS\alchem.exe
C:\WINDOWS\System32\ichckupd.exe
C:\WINDOWS\System32\dmime.exe
c:\counter.cab
c:\nosunex.mht
C:\WINDOWS\System32\angelex.exe
C:\WINDOWS\qvupeep.exe




In Killbox, go to the File menu, and choose Paste from Clipboard
*Click on the dropdown menu next to Full Path of File to Delete field.
*Verify that the filenames you pasted are found there.

Select/tick the following:
* Delete on Reboot
* End Explorer Shell While Killing File


Click the RED X button.

Click Yes at the 'Delete on Reboot' prompt. Click NO at the Pending Operations prompt. (Do not allow reboot)

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid."
when trying to run TheKillbox, download and run missingfilesetup.exe. Then try Killbox again.

----------------------------------------

ISTBAR REMOVAL TOOL


Run the ISTBar removal Tool

----------------------------------------

SmitFraud - OPTION 2


Open the SmitfraudFix Folder, then double-click smitfraudfix.cmd file to start the tool.
Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted : "Registry cleaning - Do you want to clean the registry?" answer Yes by typing Y and hit Enter.
The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll.
Answer Yes to the question "Replace infected file?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process; if your computer does not restart automatically, please do it yourself manually.
Reboot in Safe Mode.

The tool will create a log named c:\rapport.txt in the root of your drive, eg: Local Disk C: (C:rapport.txt) or partition where your
operating system is installed. Please post that log along with all others requested in your next reply.

----------------------------------------

RUNNING SCANNERS


Cleanup

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:

Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files (if present)
  • Cleanup! All Users
  • Click on the Temporary Files tab and uncheck the box for Scan drives for files matching if it’s checked.
Click OK
Press the CleanUp! button to start the program and DO NOT reboot when prompted.


AVG Anti-Spyware 7.5

  • Run AVG A-S with its updated definitions: (...it's important that all windows must be closed)
    This scan can take quite a while to run, so be prepared.
  • Click Scanner
  • Click on the Scan tab
  • Click Complete System Scan to begin scanning.



  • When the scan is complete click Recommended Action and change it to Quarantine (1),
  • If not click Recommended Action and choose Quarantine from the popup menu. (2)
  • At the bottom of the window click on the Apply all Actions button. (3)

When done, click the Save Scan Report button. (4) then click Save Report As and save it to your desktop.

IMPORTANT : Don't click on the "Save Scan Report" button before you have hit the "Apply all Actions" button.



Note: DO NOT USE the computer while AVG A/S is scanning. If Explorer or the Control Panel are opened some malware types will
reinfect your system or will not be cleaned properly.

----------------------------------------

SECURE DESKTOP


Next go to Control Panel click Display>Desktop>Customize Desktop>Web> Now, Uncheck Everything and delete if present:

  • "Security Info"
  • "Warning Message"
  • "Security Desktop"
  • "Warning Homepage"
  • "Desktop Uninstall"

Also make sure the 'Lock desktop items' box is unticked. Click OK, and then Click Apply, then OK.

----------------------------------------

SYSTEM RE-BOOT

Reboot into Normal Mode.

----------------------------------------

SmitFraud - OPTION 3

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #3 - Delete Trusted zone by typing 3 and press Enter
Answer Yes to the question "Restore Trusted Zone ?" by typing Y and hit Enter.



Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford.
For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.

----------------------------------------

ON-LINE SCANS

Perform an online scan with Internet Explorer with Panda ActiveScan

  1. Click on
    located at the bottom of the page.
  2. A "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
  3. Enter your e-mail address, country, and state & click "Free Online Scan" * The download of the 8 MB Panda's ActiveX control will take place *

Begin the scan by selecting

  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on
    then click

* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
* Turn off the real time scanner of any existing antivirus program while performing the online scan


----------------------------------------

ComboFix


2. Double click combofix.exe & follow the prompts.

3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

----------------------------------------

FOLLOW-UP

Please return and post these items:

c:\rapport.txt from SmitFraud
AVG A/S
Panda scan
c:\combofix.txt
A new HJT log run in Normal Mode


Please note: In order to properly see what is on your system, all HJT logs must be run in the normal mode

Please let me know how your system is behaving.
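Option 3 above exists because this family of rogue software adds its own hosts to Internet Explorer's Trusted sites zone (ZoneMap zone 2), so its pages run under the relaxed settings of that zone. The script below is an added example, not part of the thread and not SmitFraudFix's own code: it reads a regedit export and lists every host mapped into zone 2, and also reports the Winlogon "System" value that SmitFraudFix prints in its log (on a clean XP install that value is empty or absent). The export text, the host names and the file path in it are constructed placeholders.

```python
"""Audit a regedit export (.reg text) for hosts mapped into the IE Trusted
sites zone (ZoneMap zone 2) and for a non-empty Winlogon "System" value.
Added example; the sample export below is constructed and its hosts and
path are hypothetical."""

import re
from typing import Dict, List, Optional, Tuple

# ZoneMap zone numbers: 1 = Local intranet, 2 = Trusted sites,
# 3 = Internet, 4 = Restricted sites.
TRUSTED_ZONE = 2
DOMAINS_MARKER = "\\zonemap\\domains\\"

# Constructed sample export (the layout "File > Export" in regedit produces).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example-bank.test]
"https"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\rogue-warnings.test]
"*"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\rogue-warnings.test\www]
"*"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\blocked.test]
"*"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"System"="C:\\WINDOWS\\system32\\hypothetical.exe"
"""

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg(text: str) -> Dict[str, Dict[str, object]]:
    """Minimal .reg parser: {key path: {value name: data}}.
    dword data becomes int, quoted strings become str (escapes undone);
    other types (hex:, @= defaults) are kept raw or skipped."""
    keys: Dict[str, Dict[str, object]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        key_match = _KEY_RE.match(line)
        if key_match:
            current = key_match.group(1)
            keys.setdefault(current, {})
            continue
        value_match = _VALUE_RE.match(line)
        if value_match and current is not None:
            name, data = value_match.groups()
            if data.startswith("dword:"):
                keys[current][name] = int(data[len("dword:"):], 16)
            elif len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                keys[current][name] = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            else:
                keys[current][name] = data
    return keys


def trusted_sites(keys: Dict[str, Dict[str, object]]) -> List[Tuple[str, str]]:
    """Hosts mapped into the Trusted sites zone, as (host, scheme) pairs.
    Key layout is ...\ZoneMap\Domains\<domain>[\<subdomain>]; the value
    name is the scheme ("http", "https" or "*") and the dword is the zone."""
    found = []
    for key, values in keys.items():
        idx = key.lower().find(DOMAINS_MARKER)
        if idx < 0:
            continue
        parts = key[idx + len(DOMAINS_MARKER):].split("\\")
        host = ".".join(reversed(parts)).lower()
        for scheme, zone in values.items():
            if zone == TRUSTED_ZONE:
                found.append((host, scheme))
    return sorted(found)


def winlogon_system(keys: Dict[str, Dict[str, object]]) -> Optional[str]:
    """The Winlogon "System" value when non-empty. A file name here is a
    persistence point that Winlogon runs in the system context, which is
    why SmitFraudFix prints this value in its report."""
    for key, values in keys.items():
        if key.lower().endswith("\\currentversion\\winlogon"):
            data = values.get("System")
            if data:
                return str(data)
    return None


def audit(reg_text: str) -> Dict[str, object]:
    """Run both checks over an export and return the findings."""
    keys = parse_reg(reg_text)
    return {"trusted_sites": trusted_sites(keys),
            "winlogon_system": winlogon_system(keys)}


if __name__ == "__main__":
    for name, finding in audit(SAMPLE_REG).items():
        print(f"{name}: {finding}")
```

To run it against a real machine, export the ZoneMap key first (for example `regedit /e zones.reg "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap"`) and read the file with `encoding="utf-16"`, since regedit writes exports as UTF-16 text. Any host in the result that you did not add yourself belongs in the Internet zone, not the Trusted one.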
 

Registered · 2,335 Posts
What is a dialer?
A dialer is a program, downloaded to your system, most likely without your knowledge, which allows your system to dial other web sites, usually foreign, at your expense. It is more harmful if you are on dial-up access or possibly DSL, which use phone lines, rather than a cable modem. These programs are responsible for huge phone bills.

My Windows Overlay Components was already stopped.
That's fine, just continue with the rest of the steps.
 

Registered · 23 Posts · Discussion Starter · #8
OK, well, I was unable to run Cleanup! or the Panda scan. The Cleanup! site was down, and when I clicked on the "scan now" button for the Panda scan, nothing happened at all. So far, todayswarnings.com is gone from Internet Explorer, but I'm still getting pop-ups from http://softshape.info/serve/.


Here's the log from Smitfraud:

SmitFraudFix v2.128

Scan done at 14:18:35.04, Tue 12/12/2006
Run from C:\Documents and Settings\Jered\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\system32\hp???.tmp Deleted
C:\WINDOWS\system32\hp????.tmp Deleted
C:\WINDOWS\system32\ld????.tmp Deleted
C:\WINDOWS\system32\mscornet.exe Deleted
C:\WINDOWS\system32\msvol.tlb Deleted
C:\WINDOWS\system32\ncompat.tlb Deleted
C:\WINDOWS\system32\ot.ico Deleted
C:\WINDOWS\system32\ts.ico Deleted
C:\WINDOWS\system32\1024\ Deleted
C:\DOCUME~1\jered\FAVORI~1\Antivirus Test Online.url Deleted
C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url Deleted
C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End
 

Registered · 23 Posts · Discussion Starter · #9
From AVG:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 3:54:41 PM 12/12/2006

+ Scan result:



C:\WINDOWS\SYSTEM32\bfiebhic.dll -> Adware.Agent : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\pbpphphf.dll -> Adware.Agent : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1132\A0334724.vxd/C:/WINDOWS/System32/exdl.exe -> Adware.BargainBuddy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1132\A0334724.vxd/C:/WINDOWS/System32/exul.exe -> Adware.BargainBuddy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1132\A0334724.vxd/C:/WINDOWS/System32/javexulm.vxd -> Adware.BargainBuddy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1132\A0334724.vxd/C:/WINDOWS/System32/mqexdlm.srg -> Adware.BargainBuddy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1132\A0334724.vxd/C:/WINDOWS/System32/msbe.dll -> Adware.BargainBuddy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1132\A0334724.vxd/C:/WINDOWS/System32/mscb.dll -> Adware.BargainBuddy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1132\A0334724.vxd/C:/WINDOWS/System32/nvms.dll -> Adware.BargainBuddy : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\javex80.vxd/C:/Program Files/NaviSearch/bin/nls.exe -> Adware.BargainBuddy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1132\A0335014.exe -> Adware.BetterInternet : Cleaned with backup (quarantined).
C:\Documents and Settings\All Users\Application Data\Tools\tools.dll -> Adware.BHO : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1133\A0335093.exe -> Adware.CASClient : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1133\A0335094.dll -> Adware.CASClient : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1133\A0335096.exe -> Adware.CASClient : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1133\A0335097.dll -> Adware.CASClient : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Webext -> Adware.Ezula : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1132\A0335012.dll -> Adware.F1Organizer : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{3E4563A4-2A9B-4912-BE38-906A0CB702CC} -> Adware.FastFind : Cleaned with backup (quarantined).
C:\Documents and Settings\All Users\Application Data\Bin\bin.dll -> Adware.FastWind : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1132\A0335016.DLL -> Adware.IGetNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1132\A0335017.DLL -> Adware.IGetNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1132\A0335018.DLL -> Adware.IGetNet : Cleaned with backup (quarantined).
C:\Program Files\Mozilla Firefox.rar/Mozilla Firefox\extensions\temp\temp-2zo.xpi/chrome/isearch.jar/content/isearch/isearch.js -> Adware.ISearch : Cleaned with backup (quarantined).
C:\Program Files\Mozilla Firefox.rar/Mozilla Firefox\extensions\temp\temp-37v.xpi/chrome/isearch.jar/content/isearch/isearch.js -> Adware.ISearch : Cleaned with backup (quarantined).
C:\Program Files\Mozilla Firefox.rar/Mozilla Firefox\extensions\temp\temp-6k.xpi/chrome/isearch.jar/content/isearch/isearch.js -> Adware.ISearch : Cleaned with backup (quarantined).
C:\Program Files\Mozilla Firefox.rar/Mozilla Firefox\extensions\temp\temp-7g9.xpi/chrome/isearch.jar/content/isearch/isearch.js -> Adware.ISearch : Cleaned with backup (quarantined).
C:\Program Files\Mozilla Firefox.rar/Mozilla Firefox\extensions\temp\temp-e5w.xpi/chrome/isearch.jar/content/isearch/isearch.js -> Adware.ISearch : Cleaned with backup (quarantined).
C:\Program Files\Mozilla Firefox.rar/Mozilla Firefox\extensions\temp\temp-lse.xpi/chrome/isearch.jar/content/isearch/isearch.js -> Adware.ISearch : Cleaned with backup (quarantined).
C:\Program Files\Mozilla Firefox.rar/Mozilla Firefox\extensions\temp\temp-qyo.xpi/chrome/isearch.jar/content/isearch/isearch.js -> Adware.ISearch : Cleaned with backup (quarantined).
C:\Program Files\Mozilla Firefox.rar/Mozilla Firefox\extensions\{2bafa858-4ff3-4207-822e-ef46d1b431de}\chrome\isearch.jar/content/isearch/isearch.js -> Adware.ISearch : Cleaned with backup (quarantined).
C:\Program Files\Mozilla Firefox\extensions\temp\temp-2zo.xpi/chrome/isearch.jar/content/isearch/isearch.js -> Adware.ISearch : Cleaned with backup (quarantined).
C:\Program Files\Mozilla Firefox\extensions\temp\temp-37v.xpi/chrome/isearch.jar/content/isearch/isearch.js -> Adware.ISearch : Cleaned with backup (quarantined).
C:\Program Files\Mozilla Firefox\extensions\temp\temp-6k.xpi/chrome/isearch.jar/content/isearch/isearch.js -> Adware.ISearch : Cleaned with backup (quarantined).
C:\Program Files\Mozilla Firefox\extensions\temp\temp-7g9.xpi/chrome/isearch.jar/content/isearch/isearch.js -> Adware.ISearch : Cleaned with backup (quarantined).
C:\Program Files\Mozilla Firefox\extensions\temp\temp-e5w.xpi/chrome/isearch.jar/content/isearch/isearch.js -> Adware.ISearch : Cleaned with backup (quarantined).
C:\Program Files\Mozilla Firefox\extensions\temp\temp-lse.xpi/chrome/isearch.jar/content/isearch/isearch.js -> Adware.ISearch : Cleaned with backup (quarantined).
C:\Program Files\Mozilla Firefox\extensions\temp\temp-qyo.xpi/chrome/isearch.jar/content/isearch/isearch.js -> Adware.ISearch : Cleaned with backup (quarantined).
C:\Program Files\Mozilla Firefox\extensions\{2bafa858-4ff3-4207-822e-ef46d1b431de}\chrome\isearch.jar/content/isearch/isearch.js -> Adware.ISearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} -> Adware.Isearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{950238FB-C706-4791-8674-4D429F85897E} -> Adware.Isearch : Cleaned with backup (quarantined).
C:\Documents and Settings\All Users\Application Data\Tools\tools.exe -> Adware.MediaBack : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1132\A0334986.exe -> Adware.MediaBack : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\imwireup.exe -> Adware.SafeSurfing : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\pdrpdb.dll -> Adware.SafeSurfing : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{70230839-555C-4862-8D42-BB1E2352502C} -> Adware.SafeSurfing : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\u6f6uftuc.ini -> Adware.Sahat : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\umqltg4cl.ini -> Adware.Sahat : Cleaned with backup (quarantined).
HKU\S-1-5-21-796022607-2241515254-479130652-1006\Software\Bundles -> Adware.SecondThought : Cleaned with backup (quarantined).
HKLM\SOFTWARE\SurfSideKick3 -> Adware.SurfSide : Cleaned with backup (quarantined).
HKLM\SOFTWARE\SurfSideKick3\Internet Explorer -> Adware.SurfSide : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Adware.WebRebates : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1101\A0321575.exe -> Downloader.Delf.ain : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\istinstall_adlogix.exe -> Downloader.IstBar.er : Cleaned with backup (quarantined).
C:\WINDOWS\MM32.exe -> Downloader.Small.aak : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM\N0.exe -> Downloader.Small.rg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1134\A0336104.exe -> Downloader.VB.hj : Cleaned with backup (quarantined).
C:\WINDOWS\offun.exe -> Downloader.VB.hw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1134\A0336129.tlb -> Downloader.Zlob.gn : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1134\A0336105.exe -> Dropper.Agent.mu : Cleaned with backup (quarantined).
C:\Documents and Settings\All Users\Application Data\Tools\1002.exe -> Hijacker.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1132\A0334984.dll -> Hijacker.StartPage.ku : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1132\A0334729.exe -> Logger.Agent.dq : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1131\A0334595.dll -> Not-A-Virus.Hoax.Win32.Renos.bg : Cleaned with backup (quarantined).
:mozilla.631:C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt -> TrackingCookie.247realmedia : Cleaned.
:mozilla.467:C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.513:C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.51:C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.52:C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.53:C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.54:C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.55:C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.56:C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.57:C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.58:C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.59:C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.60:C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.61:C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.62:C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.63:C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.641:C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.64:C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.65:C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Jered\Cookies\[email protected][1].txt -> TrackingCookie.Abetterinternet : Cleaned.
:mozilla.181:C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.182:C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.183:C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.185:C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.186:C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.187:C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.188:C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.189:C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.192:C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.523:C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt -> TrackingCookie.Adserver : Cleaned.
:mozilla.524:C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt -> TrackingCookie.Adserver : Cleaned.
:mozilla.638:C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt -> TrackingCookie.Adtech : Cleaned.
:mozilla.639:C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt -> TrackingCookie.Adtech : Cleaned.
:mozilla.46:C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.47:C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.48:C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.49:C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.50:C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.45:C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.129:C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt -> TrackingCookie.Bluestreak : Cleaned.
:mozilla.383:C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt -> TrackingCookie.Burstbeacon : Cleaned.
:mozilla.354:C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.355:C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.193:C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.194:C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.200:C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt -> TrackingCookie.Com : Cleaned.
:mozilla.605:C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt -> TrackingCookie.Coremetrics : Cleaned.
:mozilla.38:C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.444:C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.445:C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.32:C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.33:C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.34:C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.35:C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.36:C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.37:C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.585:C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.66:C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.67:C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.68:C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.69:C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.70:C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.71:C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.101:C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.102:C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.103:C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.485:C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.660:C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.394:C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.395:C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.396:C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.527:C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.528:C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.143:C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
:mozilla.144:C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\Jered\Cookies\[email protected][2].txt -> TrackingCookie.Mx-targeting : Cleaned.
:mozilla.398:C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt -> TrackingCookie.Overture : Cleaned.
:mozilla.399:C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt -> TrackingCookie.Overture : Cleaned.
:mozilla.400:C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt -> TrackingCookie.Overture : Cleaned.
:mozilla.125:C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.126:C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.127:C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.128:C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.141:C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.142:C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.405:C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt -> TrackingCookie.Revenue : Cleaned.
:mozilla.264:C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.265:C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.266:C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.267:C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.268:C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.234:C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.235:C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.236:C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.237:C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.238:C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.346:C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.347:C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.348:C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.349:C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.350:C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.351:C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.352:C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.152:C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.155:C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.156:C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.454:C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt -> TrackingCookie.Tradedoubler : Cleaned.
:mozilla.273:C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.274:C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.275:C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.276:C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.277:C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.278:C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.279:C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.280:C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.282:C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.130:C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.131:C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.132:C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.133:C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.134:C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.135:C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.218:C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.364:C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt -> TrackingCookie.Valuead : Cleaned.
:mozilla.365:C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt -> TrackingCookie.Valuead : Cleaned.
:mozilla.366:C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt -> TrackingCookie.Valuead : Cleaned.
:mozilla.367:C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt -> TrackingCookie.Valuead : Cleaned.
:mozilla.368:C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt -> TrackingCookie.Valuead : Cleaned.
:mozilla.369:C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt -> TrackingCookie.Valuead : Cleaned.
:mozilla.401:C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned.
:mozilla.190:C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.191:C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.145:C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.146:C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1132\A0335010.exe -> Trojan.SecondThought.ai : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\id113.exe -> Trojan.SecondThought.ak : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1132\A0334991.exe -> Trojan.SecondThought.bf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1132\A0334992.exe -> Trojan.SecondThought.bg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1132\A0334990.exe -> Trojan.SecondThought.bp : Cleaned with backup (quarantined).
C:\Program Files\AIM95\icbmft.ocm -> Worm.AimVen : Cleaned with backup (quarantined).


::Report end
 

Discussion Starter · #10 ·
Log From ComboFix:

Jered - 06-12-12 16:09:09.75 Service Pack 1
ComboFix 06-12-01.3W-BetaE - Running from: "C:\Documents and Settings\Jered\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\INSTALL.LOG
C:\WINDOWS\pf78.exe
C:\WINDOWS\system32\aamd532.dll
C:\WINDOWS\system32\tpuninstall.exe
C:\WINDOWS\system32\drivers\fad.sys
C:\Program Files\cmfibula


((((((((((((((((((((((((((((((( Files Created from 2006-11-12 to 2006-12-12 ))))))))))))))))))))))))))))))))))


2006-12-12 14:18 1,432 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2006-12-12 12:38 3,968 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2006-12-12 12:38 <DIR> d-------- C:\Program Files\Grisoft
2006-12-10 00:22 <DIR> d-------- C:\Program Files\PSCastor
2006-12-10 00:16 <DIR> d-------- C:\HJT
2006-12-09 23:05 <DIR> d-------- C:\Program Files\Lavasoft
2006-12-09 23:05 <DIR> d-------- C:\Documents and Settings\Jered\Application Data\Lavasoft
2006-12-08 16:15 <DIR> d-------- C:\Program Files\Roguescanfix
2006-11-30 14:22 <DIR> d-------- C:\Documents and Settings\Jered\.realobjects
2006-11-20 12:29 <DIR> d-------- C:\Program Files\NothxAPP


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-12-12 16:10 -------- d-------- C:\Program Files\Mozilla Firefox
2006-12-09 23:32 -------- d-------- C:\Program Files\Internet Explorer
2006-11-29 19:48 -------- d-------- C:\Program Files\Java
2006-10-30 10:46 2268 --a------ C:\WINDOWS\swn32reg.dll
2006-10-26 13:23 -------- d-------- C:\Documents and Settings\Jered\Application Data\AdobeUM
2006-10-25 13:00 -------- d-------- C:\Program Files\AIM95
2006-10-25 12:52 -------- d-------- C:\Documents and Settings\Jered\Application Data\Talkback
2006-10-18 11:33 -------- d-------- C:\Program Files\Warcraft III
2006-10-18 10:39 -------- d-------- C:\Program Files\iTunes
2006-10-18 10:39 -------- d-------- C:\Documents and Settings\Jered\Application Data\Apple Computer
2006-10-18 10:38 -------- d-------- C:\Program Files\QuickTime
2006-10-18 10:38 -------- d-------- C:\Program Files\iPod
2006-10-18 10:36 -------- d-------- C:\Program Files\Apple Software Update
2006-10-15 22:59 2437445 --a------ C:\Program Files\FFXI App.zip
2006-10-15 22:59 2006198 --a------ C:\Program Files\FFXI App.rar


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"ctfmon.exe"="C:\\WINDOWS\\System32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"DwlClient"="C:\\Program Files\\Common Files\\Dell\\EUSW\\Support.exe"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NVMCTRAY.DLL,NvTaskbarInit"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NVMCTRAY.DLL,NvTaskbarInit"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{04CDB16C-AB38-43CD-A86A-6FEB90290939}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KeenValue.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\KeenValue.lnk"
"backup"="C:\\WINDOWS\\pss\\KeenValue.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\Program Files\\Common Files\\KeenValue\\keenvalue.exe "
"item"="KeenValue"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DirectCD"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Roxio\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="aim"
"hkey"="HKCU"
"command"="C:\\PROGRA~1\\AIM95\\aim.exe -cnetwait.odl"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\alchem]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="alchem"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\alchem.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoUpdater]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AutoUpdate"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\AutoUpdate\\AutoUpdate.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="BCMSMMSG"
"hkey"="HKLM"
"command"="BCMSMMSG.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BullsEye Network]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="bargains"
"hkey"="HKLM"
"command"="C:\\Program Files\\BullsEye Network\\bin\\bargains.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\bxxs5]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="bxxs5"
"hkey"="HKLM"
"command"="RunDLL32.EXE C:\\WINDOWS\\bxxs5.dll,DllRun"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CashBack]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="cashback"
"hkey"="HKLM"
"command"="C:\\Program Files\\CashBack\\bin\\cashback.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\certmgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="certmgr"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\System32\\certmgr.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CMFibula]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="CMFibula"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\CMFibula\\CMFibula.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CMIntex]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="CMIntex"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\CMIntex\\CMIntex.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CMMan]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="CMMan"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\CMMan\\CMMan.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ctfmon"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\System32\\ctfmon.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DSAgnt"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Dell Support\\DSAgnt.exe\" /startup"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Desktop Search]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="desktop"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\isrvs\\desktop.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dinst]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dinst"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\dinst.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dmime]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dmime"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\System32\\dmime.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\E6TaskPanel]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TaskPanl"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe\" -winstart"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Earthlink Protection Control Center]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="elnk_pcc"
"hkey"="HKLM"
"command"="C:\\Program Files\\EarthLink\\Protection Control Center\\elnk_pcc.exe /minimize"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EbatesMoeMoneyMaker0]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="EbatesMoeMoneyMaker0"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Ebates_MoeMoneyMaker\\EbatesMoeMoneyMaker0.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ELNKPCCINST]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="elnk_pcc"
"hkey"="HKLM"
"command"="G:\\elnk_pcc.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eZmmod]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mmod"
"hkey"="HKCU"
"command"="C:\\PROGRA~1\\ezula\\mmod.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eZWO]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="wo"
"hkey"="HKCU"
"command"="C:\\PROGRA~1\\Web Offer\\wo.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\farmmext]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="farmmext"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\farmmext.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ffis]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ffisearch"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\isrvs\\ffisearch.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hkcmd"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\hkcmd.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ichckupd]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ichckupd"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\System32\\ichckupd.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="igfxtray"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\igfxtray.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMEKRMIG6.1]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="IMEKRMIG"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\ime\\imkr6_1\\IMEKRMIG.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="IMJPMIG"
"hkey"="HKLM"
"command"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMwire]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="imwireup"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\imwireup.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="point32"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Microsoft IntelliPoint\\point32.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\jsjasjw]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="cjyveiz"
"hkey"="HKLM"
"command"="c:\\windows\\system32\\cjyveiz.exe r"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KeenValue]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="KeenValue"
"hkey"="HKLM"
"command"="C:\\Program Files\\Common files\\KeenValue\\KeenValue.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kmmpmpp]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ivwcol"
"hkey"="HKLM"
"command"="c:\\windows\\system32\\ivwcol.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lzvlmnz]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="rlrcsj"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\rlrcsj.exe r"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MediaFace Integration]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SetHook"
"hkey"="HKLM"
"command"="C:\\Program Files\\Fellowes\\MediaFACE 4.0\\SetHook.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Msdmxm]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msdmxm"
"hkey"="HKLM"
"command"="c:\\windows\\system32\\msdmxm.exe /nocomm"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MsnMsgr"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ImScInst"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\IME\\PINTLGNT\\ImScInst.exe /SYNC"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyDailyHoroscope]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MYDAIL~1"
"hkey"="HKCU"
"command"="C:\\PROGRA~1\\MYDAIL~1\\MYDAIL~1.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NAV Agent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="navapw32"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\NORTON~1\\navapw32.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NaviSearch]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nls"
"hkey"="HKLM"
"command"="C:\\Program Files\\NaviSearch\\bin\\nls.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NvCpl"
"hkey"="HKLM"
"command"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NVMCTRAY"
"hkey"="HKCU"
"command"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NVMCTRAY.DLL,NvTaskbarInit"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nwiz"
"hkey"="HKLM"
"command"="nwiz.exe /install"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TINTSETP"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TINTSETP"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pjrupp]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="pjrupp"
"hkey"="HKLM"
"command"="c:\\windows\\system32\\pjrupp.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RealPlay"
"hkey"="HKLM"
"command"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RSync]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="netsync"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\netsync.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rumdhdsz]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="pjrupp"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\pjrupp.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SAHAgent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SahAgent"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\SahAgent.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\satmat]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="satmat"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\satmat.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyFalcon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SpyFalcon"
"hkey"="HKLM"
"command"="C:\\Program Files\\SpyFalcon\\SpyFalcon.exe /h"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\stcloader]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="stcloader"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\stcloader.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sysdxvid]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="sysdxvid"
"hkey"="HKLM"
"command"="c:\\windows\\system32\\sysdxvid.exe /nocomm"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tfovxxi]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="tfovxxi"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\tfovxxi.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\thknvurqzn]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="pjrupp"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\pjrupp.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tsa2]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="tsm2"
"hkey"="HKCU"
"command"="C:\\PROGRA~1\\COMMON~1\\tsa\\tsm2.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TV Media]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Tvm"
"hkey"="HKLM"
"command"="C:\\Program Files\\TV Media\\Tvm.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tzccvxqwzel]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="pjrupp"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\pjrupp.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VBouncerDL]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="VBouncerInner"
"hkey"="HKLM"
"command"="C:\\Program Files\\VBouncer\\VBouncerInner.exe /S"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ViewMgr"
"hkey"="HKLM"
"command"="C:\\Program Files\\Viewpoint\\Viewpoint Manager\\ViewMgr.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Warning: do not remove it!]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="fpplock"
"hkey"="HKLM"
"command"="fpplock.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebRebates0]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="WebRebates0"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Web_Rebates\\WebRebates0.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Win Server Updt]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="wupdt"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\wupdt.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WINSTA~1.EXE]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="WINSTA~1"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System\\WINSTA~1.EXE -b"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wspdag]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="yyxitve"
"hkey"="HKLM"
"command"="c:\\windows\\system32\\yyxitve.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wuhnrqe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="wuhnrqe"
"hkey"="HKCU"
"command"="C:\\DOCUME~1\\Jered\\LOCALS~1\\Temp\\Rar$EX00.078\\wuhnrqe.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
Usnsvc REG_MULTI_SZ usnsvc\0\0



~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

backup-20061212-130644-707
O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297C} - http://download.weatherbug.com/minibug/tricklers/AWS/minibuginstaller.cab?rand=200321117
backup-20061212-130644-398
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - ms-its:mhtml:file://c:\nosunex.mht!http://213.158.119.23/script/ys.chm::/ysb_regular.cab
backup-20061212-130643-233
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
backup-20061212-130643-406
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
backup-20061212-130643-603
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
backup-20061212-130643-144
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
backup-20061212-130643-229
O1 - Hosts: 216.130.185.143 www.xzoomy.com
backup-20061212-130643-180
O1 - Hosts: 216.130.185.143 websearch.com
backup-20061212-130643-842
O1 - Hosts: 216.130.185.143 adwave.com
backup-20061212-130643-287
O1 - Hosts: 216.130.185.143 advnt01.com
backup-20061212-130643-315
O1 - Hosts: 216.130.185.143 adwave.com
backup-20061212-130643-332
O1 - Hosts: 216.130.185.143 www.advnt01.com
backup-20061212-130643-902
O1 - Hosts: 216.130.185.143 www.adwave.com
backup-20061212-130643-343
O1 - Hosts: 216.130.185.143 www.xzoomy.com
backup-20061212-130643-895
O3 - Toolbar: Search - {C249374E-3E5C-EC64-01A1-2D01502E8C9D} - C:\WINDOWS\Mhlfbteq.dll (file missing)
backup-20061212-130643-407
O1 - Hosts: 216.130.185.143 xzoomy.com
backup-20061212-130643-618
O1 - Hosts: 216.130.185.143 websearch.com
backup-20061212-130643-480
O1 - Hosts: 216.130.185.143 www.xzoomy.com
backup-20061212-130643-482
O1 - Hosts: 216.130.185.143 www.adwave.com
backup-20061212-130643-490
O1 - Hosts: 216.130.185.143 www.advnt01.com
backup-20061212-130643-614
O1 - Hosts: 216.130.185.143 advnt01.com
backup-20061212-130643-524
O1 - Hosts: 216.130.185.143 xzoomy.com
backup-20061212-130643-556
O1 - Hosts: 216.130.185.143 advnt01.com
backup-20061212-130643-714
O1 - Hosts: 216.130.185.143 www.advnt01.com
backup-20061212-130643-599
O1 - Hosts: 216.130.185.143 xzoomy.com
backup-20061212-130643-587
O1 - Hosts: 216.130.185.143 adwave.com
backup-20061212-130643-608
O1 - Hosts: 216.130.185.143 websearch.com
backup-20061212-130643-495
O1 - Hosts: 216.130.185.143 www.xzoomy.com
backup-20061212-130643-448
O1 - Hosts: 216.130.185.143 xzoomy.com
backup-20061212-130643-673
O1 - Hosts: 216.130.185.143 adwave.com
backup-20061212-130643-690
O1 - Hosts: 216.130.185.143 www.advnt01.com
backup-20061212-130643-341
O1 - Hosts: 216.130.185.143 www.adwave.com
backup-20061212-130643-751
O1 - Hosts: 216.130.185.143 www.xzoomy.com
backup-20061212-130643-758
O1 - Hosts: 216.130.185.143 adwave.com
backup-20061212-130643-149
O1 - Hosts: 216.130.185.143 www.adwave.com
backup-20061212-130643-249
O1 - Hosts: 216.130.185.143 xzoomy.com
backup-20061212-130643-854
O1 - Hosts: 216.130.185.143 advnt01.com
backup-20061212-130643-875
O1 - Hosts: 216.130.185.143 www.websearch.com
backup-20061212-130643-207
O1 - Hosts: 216.130.185.143 websearch.com
backup-20061212-130643-972
O1 - Hosts: 216.130.185.143 www.advnt01.com
backup-20061212-130643-944
O1 - Hosts: 216.130.185.143 www.adwave.com
backup-20061212-130643-965
O1 - Hosts: 216.130.185.143 advnt01.com
backup-20061212-130643-142
O1 - Hosts: 216.130.185.143 websearch.com
backup-20061212-130643-781
R3 - URLSearchHook: (no name) - ~20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
backup-20061212-130643-176
O1 - Hosts: 216.130.185.143 websearch.com

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\ISP signup reminder 1.job

Completion time: 06-12-12 16:12:32.57
 

Discussion Starter · #11 ·
And here's the HJT Log:


Logfile of HijackThis v1.99.1
Scan saved at 4:27:52 PM, on 12/12/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\WgaTray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HijackThis.exe

R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll
O2 - BHO: AssistantLibrary - {04CDB16C-AB38-43CD-A86A-6FEB90290939} - C:\Program Files\PadsysAssistant\AssistantLibrary.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1154027707062
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SmartGenie (LxrSGe10s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrSge10s.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
 

23 Posts
Discussion Starter · #12 ·
My system is performing pretty much like it did before all the scans. I don't think it's gotten any faster. My Firefox is also acting a little funny; the status bar at the bottom got enlarged and now it takes a little longer to open.
 

23 Posts
Discussion Starter · #13 ·
Finally got Pandascan working. Here's the log:


Incident Status Location

Adware:adware program Not disinfected c:\windows\system32\data.~
Adware:adware/beginto Not disinfected c:\windows\system32\dsktrf.dll
Adware:adware/ilookup Not disinfected c:\windows\system32\hotbod123121.ico
Adware:adware/exact.bargainbuddy Not disinfected c:\windows\system32\psis80ex.ax
Adware:adware/portalscan Not disinfected c:\windows\bundles\2504040901.exe
Adware:adware/tvmedia Not disinfected C:\Documents and Settings\Jered\Application Data\tvmcwrd.dll
Adware:adware/isearch Not disinfected c:\windows\delprot.ini
Adware:adware/downloadware Not disinfected c:\windows\Digital Signature 20040917.htm
Adware:adware/fisearch Not disinfected c:\program files\iSearch Firefox Installer
Potentially unwanted tool:application/myway Not disinfected c:\program files\MySearch
Adware:adware/transponder Not disinfected c:\windows\inst
Adware:adware/popper Not disinfected Windows Registry
Spyware:spyware/betterinet Not disinfected Windows Registry
Adware:adware/ist.sidefind Not disinfected Windows Registry
Spyware:spyware/dluca Not disinfected Windows Registry
Spyware:spyware/safesurf Not disinfected Windows Registry
Adware:adware/fastfind Not disinfected Windows Registry
Adware:adware/ist.yoursitebar Not disinfected Windows Registry
Adware:adware/topmoxie Not disinfected Windows Registry
Virus:Trj/SubSearch.I Disinfected C:\Documents and Settings\All Users\Application Data\IEService\IEService.dll
Virus:Trj/SubSearch.I Disinfected C:\Documents and Settings\All Users\Application Data\IEService\IEService.exe
Adware:Adware/FastFind Not disinfected C:\Documents and Settings\All Users\Application Data\IEService\v28.exe
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt[.zedo.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Jered\Cookies\[email protected][2].txt
Spyware:Cookie/Btgrab Not disinfected C:\Documents and Settings\Jered\Cookies\[email protected][1].txt
Spyware:Cookie/Btgrab Not disinfected C:\Documents and Settings\Jered\Cookies\[email protected][2].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Jered\Cookies\[email protected][1].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Jered\Desktop\SmitfraudFix\SmitfraudFix\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Jered\Desktop\SmitfraudFix.zip[SmitfraudFix/Process.exe]
Possible Virus. Not disinfected C:\Documents and Settings\Jered\My Documents\My Received Files\FFXIApp.zip[FFXIApp/FFXIAppPatch.exe]
Virus:Trj/Downloader.AEE Disinfected C:\HJT\backups\backup-20061212-130643-233.inf
Spyware:Spyware/LinkReplacer Not disinfected C:\Program Files\iSearch Firefox Installer\uninst.exe
Potentially unwanted tool:Application/MyWay Not disinfected C:\Program Files\MySearch\bar\1.bin\NPMYSRCH.DLL
Virus:Trj/SubSearch.I Disinfected C:\WINDOWS\SYSTEM\IEService.exe
Adware:Adware/SAHAgent Not disinfected C:\WINDOWS\SYSTEM32\abasa5jrp.ini
Adware:Adware/SAHAgent Not disinfected C:\WINDOWS\SYSTEM32\desktrf.exe[winbbb.dat]
Adware:Adware/EQMini Not disinfected C:\WINDOWS\SYSTEM32\EQMini.dll
Adware:Adware/SAHAgent Not disinfected C:\WINDOWS\SYSTEM32\hochkaod3.ini
Hacktool:HackTool/SRunner.B Not disinfected C:\WINDOWS\SYSTEM32\instsrv.exe
Possible Virus. Not disinfected Personal Folders\Outbox\bot\FFXIAPP.rar[FFXIAPP\FFXIAPP\****APP.exe]
 

2,335 Posts
Please read this post completely before beginning the fix. If there's anything that you do not understand, kindly ask your questions before proceeding.
Please ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.



IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER.

----------------------------------------

Your system is still heavily infected. We got a lot in the first round, but there's still more work to do.

----------------------------------------

Please submit the following file to Jotti File Scan

C:\WINDOWS\swn32reg.dll


At the top of the window you should see "File to Upload & Scan" and a blank box. Copy and paste the red text from above into the box.
Then click "submit".

When it is finished, please copy and paste the information listed under "Service" and "Scanner Results" back in this thread.

----------------------------------------

Clear Firefox's Cookies

  • Open Firefox.
  • Click Tools » Options.
  • Click the Privacy tab, then the Cookies tab.
  • Click the Clear Cookies Now button.
  • Then click OK to exit.



Clean Temporary Files

  • Go to Start » Run » type: cleanmgr » OK.
  • Choose (C:) and then click OK.
  • Make sure these are the only ones that are checked :
    • Temporary Internet Files
    • Temporary Files
    • Recycle Bin
  • Click OK to remove them.
  • Click Yes to confirm the deletion.



CLEAR AVG A/S QUARANTINE

  • Launch AVG A/S
  • Click on Show Quarantine
  • Click on Select All
  • Click on Remove Finally
  • Close AVG A/S



Clean-out and Reset System Restore

This will clean out any junk or malicious files left behind in System Restore

  • To turn off System Restore click Start > Right Click My Computer > Properties.
  • Click the System Restore tab and check "Turn off System Restore" or "Turn off System Restore on all drives". Click Apply.
  • When turning off System Restore, the existing restore points will be deleted. Click Yes to do this then Click OK.

  • Turn on System Restore by Clicking Start. Right-click My Computer, and then click Properties.
  • Click the System Restore tab. Uncheck "Turn off System Restore" or "Turn off System Restore on all drives."
  • Click Apply, and then OK.

This will create a new Restore Point.

----------------------------------------



DOWNLOADS



Brute Force Uninstaller


Please download Brute Force Uninstaller to your desktop.
  • Right click the BFU folder on your desktop, and choose Extract All
  • Click "Next"
  • In the box to choose where to extract the files to,
  • Click "Browse"
  • Click on the + sign next to "My Computer"
  • Click on "Local Disk (C:) or whatever your primary drive is
  • Click "Make New Folder"
  • Type in BFU
  • Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".



RIGHT-CLICK HERE
and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.

Save it in the same folder you made earlier (C:\BFU).

Do not do anything with these yet

----------------------------------------

REGISTRY FIX

Download the attached miller.zip file at the bottom of this post to your desktop. Double click on the zip folder,
then double click on the .reg file within.
Click yes to allow it to merge into your registry.

----------------------------------------

SAFE MODE RE-BOOT

Please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Use the up arrow key to highlight Safe Mode and press Enter.
5) Login with your usual account. Make sure to close any open browsers.

----------------------------------------

FIXES AND DELETIONS

If any of the below files/folders do not exist, please continue with the fix


Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

NothxAPP
iSearch Firefox Installer>>>Please note that this is NOT related to your Firefox browser
MySearch


----------------------------------------


UNHIDE HIDDEN FILES

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Also make sure there is no checkmark beside Hide file extensions for known file types
* Click Yes to confirm and then click OK.

----------------------------------------
Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.

C:\Program Files\NothxAPP
c:\program files\iSearch Firefox Installer
c:\program files\MySearch

Personal Folders\Outbox\bot

c:\windows\inst

c:\windows\system32\dsktrf.dll
c:\windows\system32\hotbod123121.ico
c:\windows\system32\psis80ex.ax
C:\WINDOWS\SYSTEM32\abasa5jrp.ini
C:\WINDOWS\SYSTEM32\desktrf.exe
C:\WINDOWS\SYSTEM32\EQMini.dll
C:\WINDOWS\SYSTEM32\hochkaod3.ini
C:\WINDOWS\SYSTEM32\instsrv.exe

c:\windows\bundles\2504040901.exe
c:\windows\delprot.ini
c:\windows\Digital Signature 20040917.htm

C:\Documents and Settings\Jered\Application Data\tvmcwrd.dll

****APP.exe
>>>Find via Start>>Search

----------------------------------------

Brute Force Uninstaller

Please go to Start > My Computer and navigate to the C:\BFU folder.
  • Start the Brute Force Uninstaller by double-clicking BFU.exe
  • Beside the scriptline to execute field click the folder icon
    and select alcanshorty.bfu by double clicking on it.
  • Press Execute and let it do its job. (You ought to see a blue progress bar if you did this correctly.)
  • Wait for the complete script execution box to pop up and press OK.
  • Press exit to terminate the BFU program.





Use this URL to copy into the address bar of the Download script window:
http://metallica.geekstogo.com/alcanshorty.bfu

Execute the script by clicking the Execute button.

----------------------------------------

SYSTEM RE-BOOT

Reboot into Normal Mode.

----------------------------------------


ON-LINE SCANS


Kaspersky - Extended

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.

  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect.
    We only require a report from it.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

* Turn off the real time scanner of any existing antivirus program while performing the online scan

----------------------------------------

FOLLOW-UP

Please return and post these items:


Kaspersky scan
A new HJT log run in Normal Mode


Please note: In order to properly see what is on your system, all HJT logs must be run in the normal mode

Please let me know how your system is behaving.
 

Attachments

23 Posts
Discussion Starter · #15 ·
Jotti File Scan:

Service load:
0% 100%
File: swn32reg.dll
Status:
OK
MD5 7d527b034a7348d43a96321045f1b310
Packers detected:
-
Scanner results
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
Fortinet
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing
 

23 Posts
Discussion Starter · #17 ·
Kaspersky results:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, December 13, 2006 5:06:21 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 13/12/2006
Kaspersky Anti-Virus database records: 250556
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 94912
Number of viruses found: 15
Number of infected objects: 32 / 0
Number of suspicious objects: 1
Duration of the scan process: 01:08:23

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\IEService\v28.exe Infected: Trojan-Dropper.Win32.VB.cd skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\cert8.db Object is locked skipped
C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\history.dat Object is locked skipped
C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\key3.db Object is locked skipped
C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\parent.lock Object is locked skipped
C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Jered\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Jered\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\Jered\Desktop\SmitfraudFix\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Jered\Desktop\SmitfraudFix.zip/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Jered\Desktop\SmitfraudFix.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Jered\Local Settings\Application Data\Microsoft\Outlook\outlook.pst/Personal Folders/Deleted Items/07 Aug 2005 19:12 from Paypal Security:New Security Requirements.html Infected: Trojan-Spy.HTML.Paylap.ev skipped
C:\Documents and Settings\Jered\Local Settings\Application Data\Microsoft\Outlook\outlook.pst/Personal Folders/Deleted Items/06 Aug 2005 18:19 from Paypal Security:New Security Requirements.html Infected: Trojan-Spy.HTML.Paylap.ev skipped
C:\Documents and Settings\Jered\Local Settings\Application Data\Microsoft\Outlook\outlook.pst Mail MS Mail: infected - 2 skipped
C:\Documents and Settings\Jered\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Jered\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Jered\Local Settings\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Jered\Local Settings\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Jered\Local Settings\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Jered\Local Settings\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Jered\Local Settings\Application Data\Mozilla\Firefox\Profiles\4xbfzg1k.default\XUL.mfl Object is locked skipped
C:\Documents and Settings\Jered\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\Jered\Local Settings\History\History.IE5\MSHist012006121320061214\index.dat Object is locked skipped
C:\Documents and Settings\Jered\Local Settings\Temp\~DF4CCB.tmp Object is locked skipped
C:\Documents and Settings\Jered\Local Settings\Temporary Internet Files\Content.IE5\8HI3KTA7\CAUVG963.swf Object is locked skipped
C:\Documents and Settings\Jered\Local Settings\Temporary Internet Files\Content.IE5\GLIJOPIV\CAORIPA1.swf Object is locked skipped
C:\Documents and Settings\Jered\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Jered\ntuser.dat Object is locked skipped
C:\Documents and Settings\Jered\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\HJT\backups\backup-20061212-130644-398 Suspicious: Exploit.HTML.Mht skipped
C:\Program Files\NewDotNet\newdotnet6_38.dll Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\Program Files\NewDotNet\uninstall6_38.exe Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\RECYCLER\S-1-5-21-796022607-2241515254-479130652-1006\Dc11\bar\1.bin\NPMYSRCH.DLL Infected: not-a-virus:AdWare.Win32.MyWay.f skipped
C:\RECYCLER\S-1-5-21-796022607-2241515254-479130652-1006\Dc11\bar\1.bin\S42NS.EXE Infected: not-a-virus:AdWare.Win32.MyWay.f skipped
C:\RECYCLER\S-1-5-21-796022607-2241515254-479130652-1006\Dc11\bar\1.bin\S4BAR.DLL Infected: not-a-virus:AdWare.Win32.MyWay.f skipped
C:\RECYCLER\S-1-5-21-796022607-2241515254-479130652-1006\Dc12.dll Infected: not-a-virus:AdWare.Win32.HotSearchBar.b skipped
C:\RECYCLER\S-1-5-21-796022607-2241515254-479130652-1006\Dc16.exe/data0002 Infected: not-a-virus:AdWare.Win32.Beginto.b skipped
C:\RECYCLER\S-1-5-21-796022607-2241515254-479130652-1006\Dc16.exe NSIS: infected - 1 skipped
C:\RECYCLER\S-1-5-21-796022607-2241515254-479130652-1006\Dc19.exe/WISE0001.BIN Infected: not-a-virus:AdWare.Win32.VirtualBouncer skipped
C:\RECYCLER\S-1-5-21-796022607-2241515254-479130652-1006\Dc19.exe/WISE0006.BIN Infected: not-a-virus:AdWare.Win32.VirtualBouncer skipped
C:\RECYCLER\S-1-5-21-796022607-2241515254-479130652-1006\Dc19.exe/WISE0007.BIN Infected: not-a-virus:AdWare.Win32.VirtualBouncer.c skipped
C:\RECYCLER\S-1-5-21-796022607-2241515254-479130652-1006\Dc19.exe/WISE0008.BIN/WISE0001.BIN Infected: not-a-virus:AdWare.Win32.VirtualBouncer skipped
C:\RECYCLER\S-1-5-21-796022607-2241515254-479130652-1006\Dc19.exe/WISE0008.BIN Infected: not-a-virus:AdWare.Win32.VirtualBouncer skipped
C:\RECYCLER\S-1-5-21-796022607-2241515254-479130652-1006\Dc19.exe WiseSFX: infected - 5 skipped
C:\RECYCLER\S-1-5-21-796022607-2241515254-479130652-1006\Dc19.exe WiseSFX Dropper: infected - 5 skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1136\change.log Object is locked skipped
C:\WINDOWS\bundles\icDW1.exe/DW1 AV2.exe/data0003 Infected: Trojan.Win32.QuickBrowser.c skipped
C:\WINDOWS\bundles\icDW1.exe/DW1 AV2.exe Infected: Trojan.Win32.QuickBrowser.c skipped
C:\WINDOWS\bundles\icDW1.exe ZIP: infected - 2 skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\inst\3p.exe/WISE0001.BIN Infected: Trojan-Downloader.Win32.TSUpdate.f skipped
C:\WINDOWS\inst\3p.exe/WISE0007.BIN Infected: Trojan-Downloader.Win32.TSUpdate.f skipped
C:\WINDOWS\inst\3p.exe WiseSFX: infected - 2 skipped
C:\WINDOWS\jzyzsoc.exe Infected: Trojan-Dropper.Win32.Agent.mu skipped
C:\WINDOWS\NDNuninstall6_38.exe Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\WINDOWS\SYSTEM32\EQMini.dll Infected: not-a-virus:AdWare.Win32.CASClient.o skipped
C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped
C:\WINDOWS\SYSTEM32\w0280155.dll Infected: Trojan-Downloader.Win32.Agent.aol skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\WIADEBUG.LOG Object is locked skipped
C:\WINDOWS\WIASERVC.LOG Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
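Reading a report like the one above is mostly a matter of separating noise from findings: the many "Object is locked" lines are files the scanner simply could not open (registry hives, event logs, the open browser profile), the "not-a-virus:" detections are riskware and adware rather than trojans, and an archive or mailbox is listed once per inner object and once more as a container summary ("ZIP: infected - 1", "Mail MS Mail: infected - 2"). The Python script below is an added example, not code from this thread or from Kaspersky: it parses the report format shown above (the embedded sample is a subset of the lines from this report), groups entries by category, and maps each nested detection back to the file on disk that holds it (the outlook.pst mailbox, the 3p.exe WiseSFX dropper), which is what a cleanup actually has to act on. The container-type pattern assumes the type is a run of plain alphanumeric words, which holds for every line in this report.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: a subset of the "Infected Object Name / Virus Name / Last Action"
# lines from the Kaspersky Online Scanner report posted in this thread.
SAMPLE_REPORT = r"""
C:\Documents and Settings\All Users\Application Data\IEService\v28.exe Infected: Trojan-Dropper.Win32.VB.cd skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\Jered\Desktop\SmitfraudFix.zip/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Jered\Desktop\SmitfraudFix.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Jered\Local Settings\Application Data\Microsoft\Outlook\outlook.pst/Personal Folders/Deleted Items/07 Aug 2005 19:12 from Paypal Security:New Security Requirements.html Infected: Trojan-Spy.HTML.Paylap.ev skipped
C:\Documents and Settings\Jered\Local Settings\Application Data\Microsoft\Outlook\outlook.pst Mail MS Mail: infected - 2 skipped
C:\HJT\backups\backup-20061212-130644-398 Suspicious: Exploit.HTML.Mht skipped
C:\Program Files\NewDotNet\newdotnet6_38.dll Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\WINDOWS\inst\3p.exe/WISE0001.BIN Infected: Trojan-Downloader.Win32.TSUpdate.f skipped
C:\WINDOWS\inst\3p.exe WiseSFX: infected - 2 skipped
C:\WINDOWS\jzyzsoc.exe Infected: Trojan-Dropper.Win32.Agent.mu skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\w0280155.dll Infected: Trojan-Downloader.Win32.Agent.aol skipped
"""

# Container summary: "<file on disk> <ContainerType>: infected - <n>".
# Assumption: the container type is one or more alphanumeric words (ZIP, NSIS, WiseSFX, Mail MS Mail).
CONTAINER_RE = re.compile(r"^(?P<path>.+?) (?P<ctype>[A-Za-z0-9 ]+): infected - (?P<count>\d+)$")


@dataclass(frozen=True)
class Finding:
    path: str      # object name as printed; '/' separates members inside a container
    category: str  # locked | malware | riskware | suspicious | container | unknown
    name: str      # detection name or container type; '' for locked objects
    action: str    # the 'Last Action' column ('skipped' everywhere in the online scanner)


def host_file(path):
    """The file on disk holding a (possibly nested) object.
    Windows paths use '\\'; the scanner uses '/' to descend into archives and mailboxes."""
    return path.split("/", 1)[0]


def parse_line(line):
    body, _, action = line.rpartition(" ")          # last token is the 'Last Action' column
    if body.endswith(" Object is locked"):           # unreadable, not a detection
        return Finding(body[: -len(" Object is locked")], "locked", "", action)
    for marker, default in ((" Infected: ", "malware"), (" Suspicious: ", "suspicious")):
        if marker in body:
            path, _, name = body.rpartition(marker)  # rpartition: paths may contain ':'
            category = "riskware" if name.startswith("not-a-virus:") else default
            return Finding(path, category, name, action)
    m = CONTAINER_RE.match(body)
    if m:
        return Finding(m["path"], "container", m["ctype"], action)
    return Finding(body, "unknown", "", action)


def parse_report(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def summarize(findings):
    """Counts per category, the distinct on-disk files carrying real malware, and the families seen."""
    by_category = Counter(f.category for f in findings)
    malware_files = sorted({host_file(f.path) for f in findings if f.category == "malware"})
    families = sorted({f.name for f in findings if f.category in ("malware", "suspicious")})
    return {"by_category": dict(by_category), "malware_files": malware_files, "families": families}


if __name__ == "__main__":
    report = summarize(parse_report(SAMPLE_REPORT))
    print("By category:", report["by_category"])
    print("Files on disk carrying malware:")
    for path in report["malware_files"]:
        print("  " + path)
    print("Families:", ", ".join(report["families"]))
```

Run over the full report posted above, the same split is what the helper's next post acts on: the locked lines need no action, the riskware hits inside SmitfraudFix.zip are the removal tool's own components, and the real work is the handful of host files left in C:\WINDOWS, System32 and the IEService folder.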
 

23 Posts
Discussion Starter · #18 ·
New report from Hijack This:


Logfile of HijackThis v1.99.1
Scan saved at 5:08:10 PM, on 12/13/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WgaTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HijackThis.exe

R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll
O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_38.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Domain Helper - {B8A5DE1C-BC13-4DD2-BF00-7BE3C603F9F2} - C:\WINDOWS\System32\DomainHelper.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [jzyzsocA] C:\WINDOWS\jzyzsocA.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [ktk25167] RUNDLL32.EXE w0280155.dll,n 00725160000000050280155
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1154027707062
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SmartGenie (LxrSGe10s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrSge10s.exe
O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
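Both HijackThis logs in this thread use the same line format (a section code such as O2, O4 or O23, a dash, then entry-specific fields), and the round-2 list the helper posts next is essentially the set of entries that appeared between the 12/12 log and this 12/13 log. The Python below is an added example, not part of HijackThis or of this thread: it parses those lines, extracts the file each entry loads or runs, lists entries new in a later log, and flags a few weak signals a log reader would look at (an executable sitting directly in C:\WINDOWS, rundll32 loading a DLL by bare name, a service with no vendor, an O10 Winsock LSP hijack, an orphaned entry whose file is missing). The two embedded logs are constructed subsets of the logs posted above. The flags are review prompts, not verdicts: a legitimate entry like the SmartGenie service trips the "no vendor" rule, and DomainHelper.dll in System32 trips none of them.

```python
import re
from dataclasses import dataclass

# Constructed samples: subsets of the two HijackThis logs posted in this thread
# (the 12/12/2006 log and the 12/13/2006 log).
OLD_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll (file missing)
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: SmartGenie (LxrSGe10s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrSge10s.exe
"""

NEW_LOG = OLD_LOG + r"""
O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_38.dll
O2 - BHO: Domain Helper - {B8A5DE1C-BC13-4DD2-BF00-7BE3C603F9F2} - C:\WINDOWS\System32\DomainHelper.dll
O4 - HKLM\..\Run: [jzyzsocA] C:\WINDOWS\jzyzsocA.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [ktk25167] RUNDLL32.EXE w0280155.dll,n 00725160000000050280155
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe
"""

ENTRY_RE = re.compile(r"^([RFO]\d{1,2}) - (.*)$")
# first quoted or unquoted path that ends in an executable-type extension
EXE_RE = re.compile(r'^"?(?P<p>[^"]+?\.(?:exe|dll|ocx|ax|com|scr|bat))"?(?=[\s,]|$)', re.I)
RUNDLL_RE = re.compile(r"^rundll32(?:\.exe)?\s+", re.I)
WINDOWS_ROOT_RE = re.compile(r"^C:\\WINDOWS\\[^\\]+$", re.I)
PATH_SECTIONS = {"O2", "O3", "O9", "O18", "O20", "O23"}   # last ' - ' field is a file path


@dataclass(frozen=True)
class Entry:
    section: str  # HijackThis section code, e.g. "O4", "O23"
    target: str   # file the entry loads or runs; '' when none can be extracted
    raw: str      # the log line as posted


def command_target(cmd):
    """File actually executed by an O4 Run command; for rundll32 that is the DLL, not rundll32."""
    cmd = RUNDLL_RE.sub("", cmd.strip())
    m = EXE_RE.match(cmd)
    return m.group("p") if m else cmd


def extract_target(section, rest):
    if section == "O4":                        # 'HKLM\..\Run: [name] command line'
        return command_target(rest.split("] ", 1)[1]) if "] " in rest else ""
    if section in PATH_SECTIONS:               # '<name> - {CLSID} - <path>'
        return rest.rsplit(" - ", 1)[-1].replace(" (file missing)", "")
    return ""


def parse_hjt(text):
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:                                  # header and process-list lines do not match
            section, rest = m.groups()
            entries.append(Entry(section, extract_target(section, rest), line.strip()))
    return entries


def new_entries(old, new):
    """Entries in the later log that were not in the earlier one (what a cleanup round 'brought out')."""
    seen = {e.raw for e in old}
    return sorted({e.raw for e in new} - seen)


def triage(entries):
    """Map each entry worth a look to its reasons. Weak signals for review, not verdicts."""
    flagged = {}
    for e in entries:
        reasons = []
        if e.section == "O10":
            reasons.append("Winsock LSP hijack")
        if "(file missing)" in e.raw:
            reasons.append("orphaned entry (file missing)")
        if e.section == "O4" and RUNDLL_RE.match(e.raw.split("] ", 1)[-1]) and "\\" not in e.target:
            reasons.append("rundll32 loading a DLL by bare name")
        if WINDOWS_ROOT_RE.match(e.target):
            reasons.append("executable directly in C:\\WINDOWS")
        if e.section == "O23" and " - Unknown owner - " in e.raw:
            reasons.append("service with no vendor")
        if reasons:
            flagged[e.raw] = reasons
    return flagged


if __name__ == "__main__":
    old, new = parse_hjt(OLD_LOG), parse_hjt(NEW_LOG)
    print("New since the previous log:")
    for raw in new_entries(old, new):
        print("  " + raw)
    print("Review:")
    for raw, reasons in triage(new).items():
        print(f"  {raw}\n      -> {'; '.join(reasons)}")
```

The diff is the more reliable half: on a machine being cleaned, anything that shows up between two logs a day apart is either a tool you installed or something a remaining dropper pulled down, which is exactly how the helper reads the reappearing New.Net and jzyzsocA entries. The heuristics only narrow where to look; the helpers in this thread still check each entry against known-bad lists before telling the poster what to fix.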
 

23 Posts
Discussion Starter · #19 ·
My computer is running slightly faster now. Still getting the occasional pop-up as well. When I tried to run cleanmgr, it brought up the Disk Cleanup box, but it stayed stuck at 3 bars and didn't do anything for an hour.
 

2,335 Posts
Please read this post completely before beginning the fix. If there's anything that you do not understand, kindly ask your questions before proceeding.
Please ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.



IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER.

----------------------------------------

That round took out a lot of junk and also brought out some more. I'm not surprised at the pop-ups. Let's go to round #2

----------------------------------------

DOWNLOADS


LSPFIX

Download LSPFix.exe
We will use this later.



ComboFix


1. Download this file - You MUST save it to your desktop

COMBOFIX

----------------------------------------

SAFE MODE RE-BOOT

Please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Use the up arrow key to highlight Safe Mode and press Enter.
5) Login with your usual account. Make sure to close any open browsers.

----------------------------------------

FIXES AND DELETIONS


Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

NewDotNet and/or NewNet

----------------------------------------


Open HijackThis and click on 'Do a System Scan Only'. Check the following entries (if they still exist, make sure you do not miss any):

O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_38.dll
O2 - BHO: Domain Helper - {B8A5DE1C-BC13-4DD2-BF00-7BE3C603F9F2} - C:\WINDOWS\System32\DomainHelper.dll
O4 - HKLM\..\Run: [jzyzsocA] C:\WINDOWS\jzyzsocA.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [ktk25167] RUNDLL32.EXE w0280155.dll,n 00725160000000050280155



While running HijackThis, verify if these entries still exist:

O10 - Hijacked Internet access by New.Net


If they exist, we would be required to run LSPFix.exe



Please remember to close all other windows, including browsers then click Fix checked.

----------------------------------------

LSPFIX


Instructions for using LSPFix

  1. Double click on LSPFix.exe to run it.
  2. Once running, you will be required to tick the disclaimer – "I know what I'm doing".
  3. You'll find a window with 2 panes.
  4. In the left pane which is labeled Keep, select all instances of newdotnet6_38.dll and anything that has NewDotNet
  5. Then click on the arrow pointing to the right, >>.
  6. This will move the entry to the right pane labeled Remove
  7. Click the Finish button to complete the fix.


If you are unsure about removing certain files, please come back and post the filenames here and I will advise you how to proceed.

----------------------------------------

UNHIDE HIDDEN FILES

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Also make sure there is no checkmark beside Hide file extensions for known file types
* Click Yes to confirm and then click OK.

----------------------------------------
Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.

C:\Program Files\NewDotNet

C:\Documents and Settings\All Users\Application Data\IEService

C:\WINDOWS\jzyzsoc.exe
C:\WINDOWS\jzyzsocA.exe

C:\WINDOWS\bundles\icDW1.exe
C:\WINDOWS\inst\3p.exe

C:\WINDOWS\System32\DomainHelper.dll
C:\WINDOWS\SYSTEM32\EQMini.dll
C:\WINDOWS\SYSTEM32\w0280155.dll


Next - Open Outlook and navigate to ALL MAIL FOLDERS>>>Personal Folders>>>Deleted Items

Empty the contents of the Deleted Items folder

----------------------------------------

SYSTEM RE-BOOT

Reboot into Normal Mode.

----------------------------------------

ComboFix


2. Double click combofix.exe & follow the prompts.

3. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

----------------------------------------

FOLLOW-UP

Please return and post these items:


c:\combofix.txt
A new HJT log run in Normal Mode


Please note: In order to properly see what is on your system, all HJT logs must be run in the normal mode

Please let me know how your system is behaving.
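As an added example, not part of this thread and not HijackThis code, the script below applies to HJT-format lines the checks the reply above makes by hand: O10 LSP hijack entries, O4 Run entries that launch a binary straight from the C:\WINDOWS root or hand rundll32 a bare DLL name, O23 services with no vendor, and running processes in the C:\WINDOWS root. The sample lines are constructed from entries quoted in this thread; the allowlist and regexes are assumptions for the example.

```python
import re
# Constructed sample in HijackThis v1.99 log format, modelled on lines quoted
# in this thread; example code written for this thread, not HijackThis code.
SAMPLE_LOG = r"""
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\qvupeep.exe
O4 - HKLM\..\Run: [jzyzsocA] C:\WINDOWS\jzyzsocA.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [ktk25167] RUNDLL32.EXE w0280155.dll,n 00725160000000050280155
O10 - Hijacked Internet access by New.Net
O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

ENTRY = re.compile(r'^(O\d+) - (.*)$')
RUN_KEY = re.compile(r'^HK(?:LM|CU)\\\.\.\\Run\S*: \[([^\]]+)\] (.*)$')
SERVICE = re.compile(r'^Service: (.+?) - (.+?) - (.+)$')
# An .exe directly in C:\WINDOWS (not a subfolder) is where this thread's
# randomly named droppers live; explorer.exe is the legitimate exception.
WINDIR_ROOT = re.compile(r'^"?c:\\windows\\([^\\]+\.exe)', re.IGNORECASE)
KNOWN_WINDIR_EXES = {'explorer.exe'}  # assumed small allowlist; extend per machine
# rundll32 handed a bare DLL name: resolved via the DLL search path, no vendor dir.
RUNDLL_NOPATH = re.compile(r'^rundll32(?:\.exe)?\s+([^\\,\s]+\.dll)', re.IGNORECASE)


def triage(log_text):
    """Return (section, reason, line) for entries a helper would look at first."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        proc = WINDIR_ROOT.match(line)  # a process-list path, not an O-entry
        if proc and proc.group(1).lower() not in KNOWN_WINDIR_EXES:
            findings.append(('process', 'running from C:\\WINDOWS root', line))
        m = ENTRY.match(line)
        if not m:
            continue
        section, body = m.groups()
        if section == 'O10':
            findings.append((section, 'Winsock LSP hijack: needs LSPFix, not HJT alone', line))
        elif section == 'O4' and (run := RUN_KEY.match(body)):
            cmd = run.group(2)
            if WINDIR_ROOT.match(cmd):
                findings.append((section, 'autorun binary in C:\\WINDOWS root', line))
            if (dll := RUNDLL_NOPATH.match(cmd)):
                findings.append((section, 'rundll32 loads %s with no path' % dll.group(1), line))
        elif section == 'O23':
            svc = SERVICE.match(body)
            if svc and svc.group(2) == 'Unknown owner' and WINDIR_ROOT.match(svc.group(3)):
                findings.append((section, 'no vendor, service binary in C:\\WINDOWS root', line))
    return findings
```

Run `triage(SAMPLE_LOG)` to see the five entries it pulls out; the NewDotNet Run key is deliberately not flagged here because the reply handles it through Add/Remove Programs and LSPFix rather than by path heuristics.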