Status: Not open for further replies.

Registered · 55 Posts · Discussion Starter #1
HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 11:09:35 PM, on 9/29/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\STOPzilla!\SZServer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - (no file)
O4 - HKLM\..\Run: [EPSON Stylus C84 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE /P23 "EPSON Stylus C84 Series" /O6 "USB001" /M "Stylus C84"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [STOPzilla] C:\Program Files\STOPzilla!\STOPzilla.exe /autostart
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1121610960486
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4056/ftp.coupons.com/r3302/cpbrkpie.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4739F186-F250-4D79-AB13-D8E1A4056DC6}: NameServer = 69.50.176.198,85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{EE1CFC38-879C-431A-A40E-B462E54D7503}: NameServer = 69.50.176.198,85.255.112.12
O17 - HKLM\System\CS1\Services\Tcpip\..\{4739F186-F250-4D79-AB13-D8E1A4056DC6}: NameServer = 69.50.176.198,85.255.112.12
O17 - HKLM\System\CS4\Services\Tcpip\..\{4739F186-F250-4D79-AB13-D8E1A4056DC6}: NameServer = 69.50.176.198,85.255.112.12
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: STOPzilla - C:\WINDOWS\SYSTEM32\IS3WLHandler.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: STOPzilla Service (szserver) - Unknown owner - C:\Program Files\Common Files\STOPzilla!\SZServer.exe
 

TSF Security Manager, Emeritus · 52,197 Posts
Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm and then click OK.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Before attacking an adware/spyware problem with HijackThis, make sure you have already run the following tools. Download and update the databases on each program before running.

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers.

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - (no file)
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4...02/cpbrkpie.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4739F186-F250-4D79-AB13-D8E1A4056DC6}: NameServer = 69.50.176.198,85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{EE1CFC38-879C-431A-A40E-B462E54D7503}: NameServer = 69.50.176.198,85.255.112.12
O17 - HKLM\System\CS1\Services\Tcpip\..\{4739F186-F250-4D79-AB13-D8E1A4056DC6}: NameServer = 69.50.176.198,85.255.112.12
O17 - HKLM\System\CS4\Services\Tcpip\..\{4739F186-F250-4D79-AB13-D8E1A4056DC6}: NameServer = 69.50.176.198,85.255.112.12


Restart in normal mode now.

Perform an online scan with Panda ActiveScan (requires Internet Explorer):

  1. Click on the Scan your PC button & a 'pop up' window shall appear (ensure that your pop-up blocker doesn't block it).
  2. Click on 'Scan Now'.
  3. Enter your e-mail address & click 'Scan Now'. This begins downloading Panda's ActiveX controls (8MB).
  4. Begin the scan by selecting My Computer.
     * You needn't remain online while it's doing the scan, but you have to re-connect after it has finished to see the report.
  5. If it finds any malware, it will offer you a report. Click on See report.
  6. Then click Save report.
  7. Post the contents of the report in your next reply.
  * Turn off the real-time scanner of any existing antivirus program while performing the online scan.

Restart your system and run a new HijackThis scan. Save the log file and post it here.
 

Registered · 55 Posts · Discussion Starter #3
First

Before I post results to that string, I have a problem with AdAware. It gets hung up on something before completing its scan. Usually, it's around "objects scanned: 110,000" but sometimes it makes it further. I wait and wait, but it doesn't ever finish. I uninstalled and reinstalled with no results.
Suggestions?
Or should I go ahead and finish up everything else?
Thanks for your help!!
 

TSF Security Manager, Emeritus · 42,837 Posts
Hi kirsten514,

Are you running AdAware in Safe Mode? If so, and it's still causing problems, just go ahead and continue with the rest of tetonbob's instructions. :smile:
 

Registered · 55 Posts · Discussion Starter #5
HijackThis log

OK, I went through all of tetonbob's instructions, and I have a new HijackThis log AND ActiveScan from Panda scan....

Logfile of HijackThis v1.99.1
Scan saved at 4:08:15 PM, on 10/9/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\HijackThis\HijackThis.exe

O1 - Hosts: localhost 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [EPSON Stylus C84 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE /P23 "EPSON Stylus C84 Series" /O6 "USB001" /M "Stylus C84"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1121610960486
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

Panda ActiveScan


Incident Status Location

Virus:Trj/Qhost.BP Disinfected Operating system
Spyware:spyware/betterinet No disinfected C:\WINDOWS\SYSTEM32\msexnpfi.exe
Spyware:spyware/wareout No disinfected C:\Documents and Settings\Russ\Application Data\wo.tmp
Adware:adware/sbsoft No disinfected C:\WINDOWS\rdt.ini
Virus:Trj/Downloader.DGM Disinfected C:\command.exe
Adware:Adware/Apropos No disinfected C:\Documents and Settings\Kirsten Marks\Local Settings\Temp\AutoUpdate0\auto_update_install.exe
Adware:Adware/Apropos No disinfected C:\Documents and Settings\Kirsten Marks\Local Settings\Temp\AutoUpdate0\setup.inf
Adware:Adware/Startpage.CFE No disinfected C:\Documents and Settings\Kirsten Marks\Local Settings\Temp\twc\installer\bin\AddFavorites.vbs
Adware:Adware/Apropos No disinfected C:\Documents and Settings\Kirsten Marks\Local Settings\Temp\~apropos0\CxtPls.exe
Virus:Trj/Downloader.AAU Disinfected C:\Documents and Settings\Kirsten Marks\Local Settings\Temp\~apropos0\ph.exe
Adware:Adware/Apropos No disinfected C:\Documents and Settings\Kirsten Marks\Local Settings\Temp\~apropos0\pm.exe
Adware:Adware/Apropos No disinfected C:\Documents and Settings\Russ Brasfield\Local Settings\Temp\AutoUpdate0\auto_update_uninstall.exe
Adware:Adware/Apropos No disinfected C:\Documents and Settings\Russ Brasfield\Local Settings\Temp\AutoUpdate0\setup.inf
Adware:Adware/IPInsight No disinfected C:\Documents and Settings\Russ Brasfield\Local Settings\Temp\conscorr.inf
Adware:Adware/IPInsight No disinfected C:\Documents and Settings\Russ Brasfield\Local Settings\Temp\conscorr.ini
Spyware:Spyware/SurfSideKick No disinfected C:\Documents and Settings\Russ Brasfield\Local Settings\Temp\i15.tmp
Spyware:Spyware/SurfSideKick No disinfected C:\Documents and Settings\Russ Brasfield\Local Settings\Temp\SskUpdater.exe
Adware:Adware/AdLogix No disinfected C:\Documents and Settings\Russ Brasfield\Local Settings\Temp\temp.fr75A8
Thanks for any help!!
 

TSF Security Team, Emeritus · 26,363 Posts
Delete these 3 files:

C:\WINDOWS\SYSTEM32\msexnpfi.exe
C:\Documents and Settings\Russ\Application Data\wo.tmp
C:\WINDOWS\rdt.ini



Next, go to Start > Run and type cleanmgr (this starts Windows Disk Cleanup):
  1. Select Drive C: & click the 'OK' button
  2. Select the following options:
     • Temporary Internet Files
     • Recycle Bin
     • Temporary Files
  3. Click the 'OK' button


Then print out the rest of these instructions for reference, as you will have to restart your computer during the fix. An internet connection is required, as the installer will need to download other files during the fix.

Please download & Install - FixWareout.exe

When you reach the final page of the installation process, make sure "Run fixit" is checked.
Follow the on-screen prompts & reboot your computer when instructed to do so.

**Do not be alarmed if your computer takes longer than usual to load.

After you have restarted, wait for HijackThis to launch automatically.
Please click Scan, and check the following items:

O1 - Hosts: localhost 127.0.0.1

Click Fix Checked. Close HijackThis, and click OK to proceed.

At the end of the fix, you may need to restart your computer again.

Finally, please post the contents of the logfile C:\fixwareout\report.txt, along with a new HijackThis log.
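
The checks the helpers applied by eye above (the orphaned O2/O3 add-ons, the O16 download and the O17 NameServer entries listed by tetonbob, and the reversed O1 hosts line fixed in this post) written out as a small triage script run over the relevant lines of the two logs. This is an added example, not code from the thread, from HijackThis, or from either helper; the trusted DNS range, the trusted download hosts and the extra 192.168.1.1 interface entry are assumptions the thread does not state.

```python
import re
from ipaddress import ip_address, ip_network
from urllib.parse import urlparse

# Assumptions (the thread does not state them): the household's legitimate
# resolvers live in a private range, and ActiveX controls may only be
# downloaded from these two hosts.
TRUSTED_DNS_NETS = [ip_network("192.168.0.0/16"), ip_network("10.0.0.0/8")]
TRUSTED_DPF_HOSTS = {"update.microsoft.com", "acs.pandasoftware.com"}

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
NAMESERVER_RE = re.compile(r"NameServer = ([\d.,]+)")


def parse_entries(log_text):
    """Yield (section, body) for every 'Onn - ...' line; the process list is skipped."""
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def is_ip(token):
    try:
        ip_address(token)
        return True
    except ValueError:
        return False


def check_entry(section, body):
    """Return a reason string if the entry needs attention, else None."""
    if section == "O1":
        # HijackThis lists every hosts-file line other than the default
        # '127.0.0.1 localhost'. A line whose first field is not an address
        # ('localhost 127.0.0.1') is the reversed entry Qhost left behind.
        fields = body.split(":", 1)[1].split()
        if len(fields) < 2 or not is_ip(fields[0]):
            return "hosts line malformed or reversed"
        return "non-default hosts mapping %s -> %s" % (fields[1], fields[0])
    if section in ("O2", "O3") and "(no file)" in body:
        # A BHO/toolbar CLSID still registered although its DLL is gone is an
        # orphan of a removed (or hiding) component; all three were on the fix list.
        return "registered browser add-on with no backing file"
    if section == "O16":
        # Downloaded Program Files: trust only the allowlisted download hosts.
        host = urlparse(body.split(" - ")[-1].strip()).hostname or ""
        if host not in TRUSTED_DPF_HOSTS:
            return "ActiveX control downloaded from untrusted host %s" % host
    if section == "O17":
        # Per-interface DNS servers: flag any resolver outside the trusted
        # networks. This is the DNS-changer pattern fixed in this thread; the
        # same entry recurs under CCS, CS1 and CS4 (one per control set).
        m = NAMESERVER_RE.search(body)
        if m:
            bad = [ip for ip in m.group(1).split(",") if is_ip(ip)
                   and not any(ip_address(ip) in net for net in TRUSTED_DNS_NETS)]
            if bad:
                return "interface DNS points at untrusted resolver(s) %s" % ",".join(bad)
    return None


def triage(log_text):
    """Return [(section, reason, entry)] for every flagged entry, in log order."""
    findings = []
    for section, body in parse_entries(log_text):
        reason = check_entry(section, body)
        if reason:
            findings.append((section, reason, body))
    return findings


# Constructed sample: the relevant lines from the two logs posted in this thread,
# plus one made-up O17 entry (the all-zero interface GUID) pointing at a router.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1

Running processes:
C:\WINDOWS\System32\smss.exe

O1 - Hosts: localhost 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - (no file)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1121610960486
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4056/ftp.coupons.com/r3302/cpbrkpie.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4739F186-F250-4D79-AB13-D8E1A4056DC6}: NameServer = 69.50.176.198,85.255.112.12
O17 - HKLM\System\CS1\Services\Tcpip\..\{4739F186-F250-4D79-AB13-D8E1A4056DC6}: NameServer = 69.50.176.198,85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 192.168.1.1
"""

if __name__ == "__main__":
    for section, reason, entry in triage(SAMPLE_LOG):
        print("%-4s %s\n     %s" % (section, reason, entry))
```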
 

Registered · 55 Posts · Discussion Starter #7
FixWareout, HijackThis logs

FIXWAREOUT
Fixwareout ver 1.002
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\pgtshlld
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\nidnsdr
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\23naelch
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\aplnsftn
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\23rtcdaol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\ldwmd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\pgtshlld
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\gib_ogol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\nidnsdr
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\23naelch
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\ytpme
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\eilcctrec
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\ifpnxesm
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\aplnsftn
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\23rtcdaol

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

»»»»» Search by size and names...
C:\WINDOWS\SYSTEM32\CSYBD.EXE

»»»»» Misc files

»»»»» Checking for older varients covered by the Rem3 tool


hijackthis
Logfile of HijackThis v1.99.1
Scan saved at 9:09:41 PM, on 10/9/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\fixwareout\SUB\BFU.exe
C:\Program Files\HijackThis\hijackthis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [EPSON Stylus C84 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE /P23 "EPSON Stylus C84 Series" /O6 "USB001" /M "Stylus C84"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dmwdl.exe] C:\WINDOWS\system32\dmwdl.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1121610960486
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
 

TSF Security Manager, Emeritus
Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm and then click OK.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Please download Ewido Security Suite at http://www.ewido.net/en/download/.

1. Install Ewido Security Suite.
2. When installing, under 'Additional Options' uncheck:
* Install background guard
* Install scan via context menu
3. Launch Ewido, there should be an icon on your desktop, double click it.
4. The program will now open to the main screen.
5. When you run Ewido for the first time, you will get a warning 'Database could not be found!'. Click OK. We will fix this in a moment.
6. You will need to update Ewido to the latest definition files.
* On the left hand side of the main screen click update.
* Then click on Start Update.
7. The update will start and a progress bar will show the updates being installed. The status bar at the bottom will display 'Update successful'.
8. Exit Ewido. DO NOT scan yet.


Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers.

Now open Ewido and do a scan on your system.

* Click on scanner
* Click on Complete System Scan and the scan will begin.
* NOTE: During some scans with Ewido it is finding cases of false positives.
o You will need to step through the process of cleaning files one-by-one.
o If Ewido detects a file you KNOW to be legitimate, select none as the action.
o Do NOT select 'Perform action on all infections'
o If you are unsure of any entry found, select none for now as the action.
* Once the scan has completed, there will be a button located on the bottom of the screen named Save report
* Click Save report.
* Save the report .txt file to your desktop or a location where you can find it easily.

Note: There is no need to purchase Ewido. It will remain as the freeware version after the trial period, which means the guard process will no longer work, but the scanner will be just as effective.

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

O4 - HKLM\..\Run: [dmwdl.exe] C:\WINDOWS\system32\dmwdl.exe

Locate the following Files/Folders and delete them if they exist:

C:\WINDOWS\system32\dmwdl.exe
C:\WINDOWS\SYSTEM32\CSYBD.EXE


Restart in normal mode.

Run a new scan with Panda.

Now run a new HijackThis scan. Save the log file and post it here along with the log from Ewido and Panda ActiveScan.
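The entry the helper singles out above is a Run-key value that points at an unknown binary in system32 and whose value name is nothing but the file name. As an added example (not code from this thread or from HijackThis), here is a small parser for the O4 lines of a HijackThis log that applies those same two cues; the allow-list and the sample lines are constructed for the demonstration, and the "known good" set stands in for the maintained database a helper would really consult.

```python
import ntpath
import re
from dataclasses import dataclass, field

# The two O4 line shapes that appear in HijackThis logs like the one above:
#   O4 - HKLM\..\Run: [value name] "C:\path\prog.exe" -args
#   O4 - Global Startup: Some Shortcut.lnk = C:\path\prog.exe
_O4_REG = re.compile(
    r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
_O4_STARTUP = re.compile(r'^O4 - Global Startup: (?P<name>.+?) = (?P<cmd>.*)$')

# Assumption: an allow-list of the autostart binaries the helper left alone in
# the thread. Constructed for this example; a real reviewer uses a database.
KNOWN_GOOD = {
    "e_s4i2d1.exe", "nvcpl.dll", "nwiz.exe", "ccapp.exe", "vptray.exe",
    "qttask.exe", "msmsgs.exe", "mnyexpr.exe", "psfree.exe", "ypager.exe",
    "reader_sl.exe", "easyshare.exe", "wzqkpick.exe",
}

# Directories where an unrecognised autostart binary deserves a second look.
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows")


@dataclass
class Autostart:
    location: str          # e.g. "HKLM\\Run" or "Global Startup"
    name: str              # registry value name or shortcut name
    target: str            # the executable or DLL that actually runs
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def _target_from_command(cmd: str) -> str:
    """Return the binary that really runs for a Run-key command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        exe, _, rest = cmd[1:].partition('"')
    else:
        exe, _, rest = cmd.partition(' ')
    # rundll32 merely hosts the DLL named in its first argument, so report
    # the DLL (before the ",EntryPoint" suffix) rather than rundll32 itself.
    if ntpath.basename(exe).lower() == "rundll32.exe":
        return rest.strip().split(',', 1)[0].strip('"')
    return exe


def parse_o4(line: str):
    """Parse one HijackThis O4 line; return an Autostart, or None if not O4."""
    m = _O4_REG.match(line)
    if m:
        location = f"{m['hive']}\\{m['key']}"
    else:
        m = _O4_STARTUP.match(line)
        if not m:
            return None
        location = "Global Startup"
    return Autostart(location, m['name'], _target_from_command(m['cmd']))


def assess(entry: Autostart) -> Autostart:
    """Attach review reasons using the cues a log reader applies by eye."""
    base = ntpath.basename(entry.target).lower()
    folder = ntpath.dirname(entry.target).lower()
    if base in KNOWN_GOOD:
        return entry
    if folder.startswith(SYSTEM_DIRS):
        entry.reasons.append("unknown binary in a Windows system directory")
    if entry.name.lower() == base:
        entry.reasons.append("value name is just the file name")
    return entry


def review_log(text: str) -> list:
    """Return every O4 entry from a HijackThis log with review reasons attached."""
    entries = []
    for line in text.splitlines():
        entry = parse_o4(line.strip())
        if entry is not None:
            entries.append(assess(entry))
    return entries


# Constructed sample: O4 lines in the format of the log posted above.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [NvCplDaemon] RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup
O4 - HKLM\\..\\Run: [ccApp] "C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
O4 - HKLM\\..\\Run: [dmwdl.exe] C:\\WINDOWS\\system32\\dmwdl.exe
O4 - HKCU\\..\\Run: [MSMSGS] "C:\\Program Files\\Messenger\\msmsgs.exe" /background
O4 - Global Startup: WinZip Quick Pick.lnk = C:\\Program Files\\WinZip\\WZQKPICK.EXE
"""

if __name__ == "__main__":
    for e in review_log(SAMPLE_LOG):
        flag = "REVIEW" if e.suspicious else "ok    "
        print(f"{flag} {e.location:<15} [{e.name}] -> {e.target}  {'; '.join(e.reasons)}")
```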
 

Discussion Starter #9
3 saved logs

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 7:05:26 AM, 10/11/2005
+ Report-Checksum: 927BA0FD

+ Scan result:

C:\Program Files\HijackThis\backups\backup-20051008-000213-574.dll -> Spyware.Coupons : Ignored
C:\System Volume Information\_restore{8D308AD2-7604-4675-9966-B3012C93E471}\RP18\A0001973.exe -> Spyware.FindSpy : Ignored
C:\System Volume Information\_restore{8D308AD2-7604-4675-9966-B3012C93E471}\RP27\A0007760.exe -> Spyware.Msnagent : Ignored
C:\System Volume Information\_restore{8D308AD2-7604-4675-9966-B3012C93E471}\RP28\A0007775.exe -> Spyware.FindSpy : Ignored
C:\System Volume Information\_restore{8D308AD2-7604-4675-9966-B3012C93E471}\RP28\A0007776.exe -> Spyware.Msnagent : Ignored
C:\System Volume Information\_restore{8D308AD2-7604-4675-9966-B3012C93E471}\RP29\A0007792.exe -> TrojanDropper.Vidro.u : Ignored
C:\System Volume Information\_restore{8D308AD2-7604-4675-9966-B3012C93E471}\RP29\A0007796.exe -> Spyware.FindSpy : Ignored
C:\System Volume Information\_restore{8D308AD2-7604-4675-9966-B3012C93E471}\RP29\A0007797.exe -> Spyware.Msnagent : Ignored
C:\System Volume Information\_restore{8D308AD2-7604-4675-9966-B3012C93E471}\RP30\A0007805.exe -> Trojan.Qhost.qr : Ignored
C:\System Volume Information\_restore{8D308AD2-7604-4675-9966-B3012C93E471}\RP32\A0007882.exe -> Trojan.Qhost.qr : Ignored
C:\System Volume Information\_restore{8D308AD2-7604-4675-9966-B3012C93E471}\RP34\A0007902.exe -> Spyware.Msnagent : Ignored
C:\System Volume Information\_restore{8D308AD2-7604-4675-9966-B3012C93E471}\RP34\A0007906.exe -> TrojanDropper.Vidro.u : Ignored
C:\System Volume Information\_restore{8D308AD2-7604-4675-9966-B3012C93E471}\RP34\A0007911.exe -> TrojanDropper.Vidro.u : Ignored
C:\System Volume Information\_restore{8D308AD2-7604-4675-9966-B3012C93E471}\RP45\A0014025.exe -> Spyware.Msnagent : Ignored
C:\System Volume Information\_restore{8D308AD2-7604-4675-9966-B3012C93E471}\RP49\A0014109.exe -> Spyware.FindSpy : Ignored
C:\System Volume Information\_restore{8D308AD2-7604-4675-9966-B3012C93E471}\RP49\A0014110.exe -> Spyware.Msnagent : Ignored
C:\System Volume Information\_restore{8D308AD2-7604-4675-9966-B3012C93E471}\RP58\A0014320.exe -> Spyware.FindSpy : Ignored
C:\System Volume Information\_restore{8D308AD2-7604-4675-9966-B3012C93E471}\RP58\A0014321.exe -> Spyware.Msnagent : Ignored
C:\System Volume Information\_restore{8D308AD2-7604-4675-9966-B3012C93E471}\RP67\A0015083.exe -> Spyware.FindSpy : Ignored
C:\System Volume Information\_restore{8D308AD2-7604-4675-9966-B3012C93E471}\RP68\A0016110.exe -> Spyware.FindSpy : Ignored
C:\WINDOWS\system32\dmehg.exe -> TrojanDropper.Vidro.u : Ignored
C:\WINDOWS\system32\dmrpg.exe -> TrojanDropper.Vidro.u : Ignored
HKU\S-1-5-21-1801674531-1677128483-1060284298-1005\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{BF69DF00-2734-477F-8257-27CD04F88779} -> TrojanDownloader.Wareout : Cleaned with backup
C:\Documents and Settings\Kirsten\Cookies\[email protected][2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Kirsten\Cookies\[email protected][2].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Kirsten\Cookies\[email protected][1].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
C:\Documents and Settings\Kirsten\Cookies\[email protected][2].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Kirsten\Cookies\[email protected][1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Kirsten\Cookies\[email protected][1].txt -> Spyware.Cookie.Centrport : Cleaned with backup
C:\Documents and Settings\Kirsten\Cookies\[email protected][2].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\Kirsten\Cookies\[email protected][2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Kirsten\Cookies\[email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Kirsten\Cookies\[email protected][1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Kirsten\Cookies\[email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Kirsten\Cookies\[email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Kirsten\Cookies\[email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Kirsten\Cookies\[email protected][1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Kirsten\Cookies\[email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Kirsten\Cookies\[email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Kirsten\Cookies\[email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Kirsten\Cookies\[email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Kirsten\Cookies\[email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Kirsten\Cookies\[email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Kirsten\Cookies\[email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Kirsten\Cookies\[email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Kirsten\Cookies\[email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Kirsten\Cookies\[email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Kirsten\Cookies\[email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Kirsten\Cookies\[email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Kirsten\Cookies\[email protected][1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Kirsten\Cookies\[email protected][1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Kirsten\Cookies\[email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Kirsten\Cookies\[email protected][1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Kirsten\Cookies\[email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Kirsten\Cookies\[email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Kirsten\Cookies\[email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Kirsten\Cookies\[email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Kirsten\Cookies\[email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Kirsten\Cookies\[email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Kirsten\Cookies\[email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Kirsten\Cookies\[email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Kirsten\Cookies\[email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Kirsten\Cookies\[email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Kirsten\Cookies\[email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Kirsten\Cookies\[email protected][1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Kirsten\Cookies\[email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Kirsten\Cookies\[email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Kirsten\Cookies\[email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Kirsten\Cookies\[email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Kirsten\Cookies\[email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Kirsten\Cookies\[email protected][1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Kirsten\Cookies\[email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Kirsten\Cookies\[email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Kirsten\Cookies\[email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Kirsten\Cookies\[email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Kirsten\Cookies\[email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Kirsten\Cookies\[email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Kirsten\Cookies\[email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Kirsten\Cookies\[email protected][1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Kirsten\Cookies\[email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Kirsten\Cookies\[email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Kirsten\Cookies\[email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Kirsten\Cookies\[email protected][1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Kirsten\Cookies\[email protected][1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Kirsten\Cookies\[email protected][1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Kirsten\Cookies\[email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Kirsten\Cookies\[email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Kirsten\Cookies\[email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Kirsten\Cookies\[email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Kirsten\Cookies\[email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Kirsten\Cookies\[email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Kirsten\Cookies\[email protected]o.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Kirsten\Cookies\[email protected][1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Kirsten\Cookies\[email protected][1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Kirsten\Cookies\[email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Kirsten\Cookies\[email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Kirsten\Cookies\[email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Kirsten\Cookies\[email protected][1].txt -> Spyware.Cookie.Ru4 : Cleaned with backup
C:\Documents and Settings\Kirsten\Cookies\[email protected][1].txt -> Spyware.Cookie.Estat : Cleaned with backup
C:\Documents and Settings\Kirsten\Cookies\[email protected][1].txt -> Spyware.Cookie.Findwhat : Cleaned with backup
C:\Documents and Settings\Kirsten\Cookies\[email protected][1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Kirsten\Cookies\[email protected][2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Kirsten\Cookies\[email protected][2].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Kirsten\Cookies\[email protected][2].txt -> Spyware.Cookie.Liveperson : Cleaned with backup
C:\Documents and Settings\Kirsten\Cookies\[email protected][1].txt -> Spyware.Cookie.Liveperson : Cleaned with backup
C:\Documents and Settings\Kirsten\Cookies\[email protected][1].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\Kirsten\Cookies\[email protected][2].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\Kirsten\Cookies\[email protected][2].txt -> Spyware.Cookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\Kirsten\Cookies\[email protected][1].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Kirsten\Cookies\[email protected][1].txt -> Spyware.Cookie.Epilot : Cleaned with backup
C:\Documents and Settings\Kirsten Brasfield\Cookies\kirsten [email protected][2].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Kirsten Brasfield\Cookies\kirsten [email protected][1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Russ\Cookies\[email protected][2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Russ\Cookies\[email protected][1].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Russ\Cookies\[email protected][2].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
C:\Documents and Settings\Russ\Cookies\[email protected][1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Russ\Cookies\[email protected][1].txt -> Spyware.Cookie.Centrport : Cleaned with backup
C:\Documents and Settings\Russ\Cookies\[email protected][2].txt -> Spyware.Cookie.Ru4 : Cleaned with backup
C:\Documents and Settings\Russ\Cookies\[email protected][1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Russ\Cookies\[email protected][1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Russ Brasfield\Local Settings\Temp\AutoUpdate0\auto_update_uninstall.exe -> Spyware.AproposMedia : Cleaned with backup
C:\Documents and Settings\Russ Brasfield\Local Settings\Temp\Cookies\russ [email protected][2].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Russ Brasfield\Local Settings\Temp\i15.tmp -> Spyware.SurfSide : Cleaned with backup
C:\Documents and Settings\Russ Brasfield\Local Settings\Temp\temp.fr75A8 -> Spyware.Adstart : Cleaned with backup
C:\Documents and Settings\Russ Brasfield\Local Settings\Temp\~apropos0\CxtPls.exe -> TrojanDownloader.Envolo.a : Cleaned with backup
C:\HijackThis\backups\backup-20041111-210159-737.dll -> TrojanDownloader.Envolo.a : Cleaned with backup
C:\HijackThis\backups\backup-20041114-232709-667.dll -> TrojanDownloader.Envolo.a : Cleaned with backup
C:\Recycled\Q330995.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\System Volume Information\_restore{8D308AD2-7604-4675-9966-B3012C93E471}\RP18\A0001985.dll -> TrojanDownloader.Adload.g : Cleaned with backup
C:\System Volume Information\_restore{8D308AD2-7604-4675-9966-B3012C93E471}\RP18\A0002070.dll -> TrojanDownloader.Adload.g : Cleaned with backup
C:\System Volume Information\_restore{8D308AD2-7604-4675-9966-B3012C93E471}\RP27\A0007759.exe -> Trojan.Qhost.qr : Cleaned with backup
C:\System Volume Information\_restore{8D308AD2-7604-4675-9966-B3012C93E471}\RP27\A0007763.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\System Volume Information\_restore{8D308AD2-7604-4675-9966-B3012C93E471}\RP27\A0007767.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\System Volume Information\_restore{8D308AD2-7604-4675-9966-B3012C93E471}\RP28\A0007773.exe -> Trojan.Qhost.qr : Cleaned with backup
C:\System Volume Information\_restore{8D308AD2-7604-4675-9966-B3012C93E471}\RP29\A0007795.exe -> Trojan.Qhost.qr : Cleaned with backup
C:\System Volume Information\_restore{8D308AD2-7604-4675-9966-B3012C93E471}\RP33\A0007884.exe -> Trojan.Qhost.qr : Cleaned with backup
C:\System Volume Information\_restore{8D308AD2-7604-4675-9966-B3012C93E471}\RP34\A0007900.exe -> Trojan.Qhost.qr : Cleaned with backup
C:\System Volume Information\_restore{8D308AD2-7604-4675-9966-B3012C93E471}\RP34\A0007901.exe -> Spyware.FindSpy : Cleaned with backup
C:\System Volume Information\_restore{8D308AD2-7604-4675-9966-B3012C93E471}\RP34\A0007917.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\System Volume Information\_restore{8D308AD2-7604-4675-9966-B3012C93E471}\RP34\A0007920.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\System Volume Information\_restore{8D308AD2-7604-4675-9966-B3012C93E471}\RP39\A0011107.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\System Volume Information\_restore{8D308AD2-7604-4675-9966-B3012C93E471}\RP39\A0011134.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\System Volume Information\_restore{8D308AD2-7604-4675-9966-B3012C93E471}\RP39\A0011768.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\System Volume Information\_restore{8D308AD2-7604-4675-9966-B3012C93E471}\RP39\A0011782.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\System Volume Information\_restore{8D308AD2-7604-4675-9966-B3012C93E471}\RP40\A0011816.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\System Volume Information\_restore{8D308AD2-7604-4675-9966-B3012C93E471}\RP40\A0011824.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\System Volume Information\_restore{8D308AD2-7604-4675-9966-B3012C93E471}\RP41\A0011972.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\System Volume Information\_restore{8D308AD2-7604-4675-9966-B3012C93E471}\RP41\A0011977.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\System Volume Information\_restore{8D308AD2-7604-4675-9966-B3012C93E471}\RP44\A0014018.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\System Volume Information\_restore{8D308AD2-7604-4675-9966-B3012C93E471}\RP48\A0014088.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\System Volume Information\_restore{8D308AD2-7604-4675-9966-B3012C93E471}\RP48\A0014092.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\System Volume Information\_restore{8D308AD2-7604-4675-9966-B3012C93E471}\RP58\A0014309.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\System Volume Information\_restore{8D308AD2-7604-4675-9966-B3012C93E471}\RP58\A0014314.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\System Volume Information\_restore{8D308AD2-7604-4675-9966-B3012C93E471}\RP59\A0014387.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\System Volume Information\_restore{8D308AD2-7604-4675-9966-B3012C93E471}\RP59\A0014394.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\System Volume Information\_restore{8D308AD2-7604-4675-9966-B3012C93E471}\RP59\A0014398.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\System Volume Information\_restore{8D308AD2-7604-4675-9966-B3012C93E471}\RP59\A0014414.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\System Volume Information\_restore{8D308AD2-7604-4675-9966-B3012C93E471}\RP59\A0014419.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\System Volume Information\_restore{8D308AD2-7604-4675-9966-B3012C93E471}\RP60\A0014426.exe -> Trojan.Qhost.qr : Cleaned with backup
C:\System Volume Information\_restore{8D308AD2-7604-4675-9966-B3012C93E471}\RP60\A0014451.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\System Volume Information\_restore{8D308AD2-7604-4675-9966-B3012C93E471}\RP60\A0014454.exe -> Trojan.Qhost.qr : Cleaned with backup
C:\System Volume Information\_restore{8D308AD2-7604-4675-9966-B3012C93E471}\RP60\A0014457.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\System Volume Information\_restore{8D308AD2-7604-4675-9966-B3012C93E471}\RP61\A0014464.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\System Volume Information\_restore{8D308AD2-7604-4675-9966-B3012C93E471}\RP61\A0014467.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\System Volume Information\_restore{8D308AD2-7604-4675-9966-B3012C93E471}\RP61\A0014472.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\System Volume Information\_restore{8D308AD2-7604-4675-9966-B3012C93E471}\RP61\A0014508.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\System Volume Information\_restore{8D308AD2-7604-4675-9966-B3012C93E471}\RP61\A0014513.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\System Volume Information\_restore{8D308AD2-7604-4675-9966-B3012C93E471}\RP64\A0014536.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\System Volume Information\_restore{8D308AD2-7604-4675-9966-B3012C93E471}\RP64\A0014542.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\System Volume Information\_restore{8D308AD2-7604-4675-9966-B3012C93E471}\RP64\A0014560.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\System Volume Information\_restore{8D308AD2-7604-4675-9966-B3012C93E471}\RP64\A0014566.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\System Volume Information\_restore{8D308AD2-7604-4675-9966-B3012C93E471}\RP65\A0014595.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\System Volume Information\_restore{8D308AD2-7604-4675-9966-B3012C93E471}\RP66\A0014873.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\System Volume Information\_restore{8D308AD2-7604-4675-9966-B3012C93E471}\RP66\A0014877.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\System Volume Information\_restore{8D308AD2-7604-4675-9966-B3012C93E471}\RP66\A0014882.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\System Volume Information\_restore{8D308AD2-7604-4675-9966-B3012C93E471}\RP66\A0014886.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\System Volume Information\_restore{8D308AD2-7604-4675-9966-B3012C93E471}\RP66\A0014888.exe -> Trojan.Qhost.qr : Cleaned with backup
C:\System Volume Information\_restore{8D308AD2-7604-4675-9966-B3012C93E471}\RP66\A0014889.exe -> Spyware.FindSpy : Cleaned with backup
C:\System Volume Information\_restore{8D308AD2-7604-4675-9966-B3012C93E471}\RP66\A0014890.exe -> Spyware.Msnagent : Cleaned with backup
C:\System Volume Information\_restore{8D308AD2-7604-4675-9966-B3012C93E471}\RP66\A0014892.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\System Volume Information\_restore{8D308AD2-7604-4675-9966-B3012C93E471}\RP66\A0014896.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\System Volume Information\_restore{8D308AD2-7604-4675-9966-B3012C93E471}\RP66\A0014967.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\System Volume Information\_restore{8D308AD2-7604-4675-9966-B3012C93E471}\RP66\A0014971.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\System Volume Information\_restore{8D308AD2-7604-4675-9966-B3012C93E471}\RP67\A0015034.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\System Volume Information\_restore{8D308AD2-7604-4675-9966-B3012C93E471}\RP67\A0015040.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\System Volume Information\_restore{8D308AD2-7604-4675-9966-B3012C93E471}\RP67\A0015044.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\System Volume Information\_restore{8D308AD2-7604-4675-9966-B3012C93E471}\RP67\A0015082.exe -> Trojan.Qhost.qr : Cleaned with backup
C:\System Volume Information\_restore{8D308AD2-7604-4675-9966-B3012C93E471}\RP67\A0015084.exe -> Spyware.Msnagent : Cleaned with backup
C:\System Volume Information\_restore{8D308AD2-7604-4675-9966-B3012C93E471}\RP68\A0015096.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\System Volume Information\_restore{8D308AD2-7604-4675-9966-B3012C93E471}\RP68\A0015099.ocx -> Spyware.Coupons : Cleaned with backup
C:\System Volume Information\_restore{8D308AD2-7604-4675-9966-B3012C93E471}\RP68\A0015101.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\System Volume Information\_restore{8D308AD2-7604-4675-9966-B3012C93E471}\RP68\A0016101.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\System Volume Information\_restore{8D308AD2-7604-4675-9966-B3012C93E471}\RP68\A0016105.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\System Volume Information\_restore{8D308AD2-7604-4675-9966-B3012C93E471}\RP68\A0016109.exe -> Trojan.Qhost.qr : Cleaned with backup
C:\System Volume Information\_restore{8D308AD2-7604-4675-9966-B3012C93E471}\RP68\A0016111.exe -> Spyware.Msnagent : Cleaned with backup
C:\System Volume Information\_restore{8D308AD2-7604-4675-9966-B3012C93E471}\RP68\A0016112.exe -> TrojanDropper.Delf.ev : Cleaned with backup
C:\System Volume Information\_restore{8D308AD2-7604-4675-9966-B3012C93E471}\RP68\A0016113.exe -> TrojanDownloader.Apropo.o : Cleaned with backup
C:\System Volume Information\_restore{8D308AD2-7604-4675-9966-B3012C93E471}\RP69\A0017101.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\System Volume Information\_restore{8D308AD2-7604-4675-9966-B3012C93E471}\RP69\A0017105.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\System Volume Information\_restore{8D308AD2-7604-4675-9966-B3012C93E471}\RP69\A0017115.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\system32\csybd.exe -> TrojanDropper.Vidro.u : Cleaned with backup


::Report End

Active Scan

Incident Status Location

Adware:Adware/CWS No disinfected C:\Documents and Settings\Kirsten\Local Settings\Temporary Internet Files\Content.IE5\GD63W5I7\menus[2].js
Adware:Adware/Apropos No disinfected C:\Documents and Settings\Russ Brasfield\Local Settings\Temp\AutoUpdate0\setup.inf
Adware:Adware/IPInsight No disinfected C:\Documents and Settings\Russ Brasfield\Local Settings\Temp\conscorr.inf
Adware:Adware/IPInsight No disinfected C:\Documents and Settings\Russ Brasfield\Local Settings\Temp\conscorr.ini
Spyware:Spyware/SurfSideKick No disinfected C:\Documents and Settings\Russ Brasfield\Local Settings\Temp\SskUpdater.exe
Spyware:Spyware/LocalNRD No disinfected C:\Documents and Settings\Russ Brasfield\Local Settings\Temp\THI4C75.tmp\localNrd.inf
Adware:Adware/WUpd No disinfected C:\Documents and Settings\Russ Brasfield\Local Settings\Temporary Internet Files\Content.IE5\RSKF75XS\sexyfunnycartoons[1].htm
Adware:Adware/TopSpyware No disinfected C:\System Volume Information\_restore{8D308AD2-7604-4675-9966-B3012C93E471}\RP18\A0001973.exe
Adware:Adware/QuickWeb No disinfected C:\System Volume Information\_restore{8D308AD2-7604-4675-9966-B3012C93E471}\RP27\A0007760.exe
Adware:Adware/Findspy No disinfected C:\System Volume Information\_restore{8D308AD2-7604-4675-9966-B3012C93E471}\RP28\A0007775.exe
Adware:Adware/QuickWeb No disinfected C:\System Volume Information\_restore{8D308AD2-7604-4675-9966-B3012C93E471}\RP28\A0007776.exe
Virus:Trj/Troiram.A Disinfected C:\System Volume Information\_restore{8D308AD2-7604-4675-9966-B3012C93E471}\RP29\A0007792.exe
Adware:Adware/Findspy No disinfected C:\System Volume Information\_restore{8D308AD2-7604-4675-9966-B3012C93E471}\RP29\A0007796.exe
Adware:Adware/QuickWeb No disinfected C:\System Volume Information\_restore{8D308AD2-7604-4675-9966-B3012C93E471}\RP29\A0007797.exe
Virus:Trj/Qhost.BP Disinfected C:\System Volume Information\_restore{8D308AD2-7604-4675-9966-B3012C93E471}\RP30\A0007805.exe
Virus:Trj/Qhost.BP Disinfected C:\System Volume Information\_restore{8D308AD2-7604-4675-9966-B3012C93E471}\RP32\A0007882.exe
Adware:Adware/QuickWeb No disinfected C:\System Volume Information\_restore{8D308AD2-7604-4675-9966-B3012C93E471}\RP34\A0007902.exe
Virus:Trj/DelCache.A Disinfected C:\System Volume Information\_restore{8D308AD2-7604-4675-9966-B3012C93E471}\RP34\A0007906.exe
Virus:Trj/Troiram.A Disinfected C:\System Volume Information\_restore{8D308AD2-7604-4675-9966-B3012C93E471}\RP34\A0007911.exe
Adware:Adware/QuickWeb No disinfected C:\System Volume Information\_restore{8D308AD2-7604-4675-9966-B3012C93E471}\RP45\A0014025.exe
Adware:Adware/Findspy No disinfected C:\System Volume Information\_restore{8D308AD2-7604-4675-9966-B3012C93E471}\RP49\A0014109.exe
Adware:Adware/QuickWeb No disinfected C:\System Volume Information\_restore{8D308AD2-7604-4675-9966-B3012C93E471}\RP49\A0014110.exe
Adware:Adware/Findspy No disinfected C:\System Volume Information\_restore{8D308AD2-7604-4675-9966-B3012C93E471}\RP58\A0014320.exe
Adware:Adware/QuickWeb No disinfected C:\System Volume Information\_restore{8D308AD2-7604-4675-9966-B3012C93E471}\RP58\A0014321.exe
Adware:Adware/Findspy No disinfected C:\System Volume Information\_restore{8D308AD2-7604-4675-9966-B3012C93E471}\RP67\A0015083.exe
Adware:Adware/Findspy No disinfected C:\System Volume Information\_restore{8D308AD2-7604-4675-9966-B3012C93E471}\RP68\A0016110.exe
Adware:Adware/Apropos No disinfected C:\System Volume Information\_restore{8D308AD2-7604-4675-9966-B3012C93E471}\RP69\A0019121.exe
Adware:Adware/Apropos No disinfected C:\System Volume Information\_restore{8D308AD2-7604-4675-9966-B3012C93E471}\RP69\A0019122.exe
Virus:Trj/Vidro.D Disinfected C:\System Volume Information\_restore{8D308AD2-7604-4675-9966-B3012C93E471}\RP69\A0019125.exe
Virus:Trj/DelCache.A Disinfected C:\System Volume Information\_restore{8D308AD2-7604-4675-9966-B3012C93E471}\RP69\A0019126.exe
Virus:Trj/Troiram.A Disinfected C:\System Volume Information\_restore{8D308AD2-7604-4675-9966-B3012C93E471}\RP70\A0019131.exe
Virus:Trj/Troiram.A Disinfected C:\System Volume Information\_restore{8D308AD2-7604-4675-9966-B3012C93E471}\RP70\A0020131.exe
Virus:Trj/Troiram.A Disinfected C:\WINDOWS\system32\dmehg.exe

Logfile of HijackThis v1.99.1
Scan saved at 9:09:41 PM, on 10/9/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\fixwareout\SUB\BFU.exe
C:\Program Files\HijackThis\hijackthis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [EPSON Stylus C84 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE /P23 "EPSON Stylus C84 Series" /O6 "USB001" /M "Stylus C84"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dmwdl.exe] C:\WINDOWS\system32\dmwdl.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1121610960486
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
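As an added example (my own code, not part of the thread or of any tool it mentions), here is a small Python triage script that does programmatically what the helper did by eye: it parses the O4 autorun lines of the HijackThis log and the Panda/ewido detection lines, then reports autorun entries whose target the scanners flagged, or whose name closely resembles a flagged file in the same folder. The sample lines are copied from the logs above, except the [dmehg.exe] autorun line, which is constructed so a direct hit is shown; the look-alike check is a loose heuristic of my own, not a scanner rule.

```python
"""Cross-reference HijackThis O4 autorun entries with scanner detections."""
import re
from collections import namedtuple

Autorun = namedtuple("Autorun", "key name path")

# Sample input: O4 lines copied from the HijackThis log in this thread, plus
# one constructed line ([dmehg.exe]) so that a direct scanner hit is shown.
HJT_LOG = """\
O4 - HKLM\\..\\Run: [ccApp] "C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
O4 - HKLM\\..\\Run: [NvCplDaemon] RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup
O4 - HKLM\\..\\Run: [dmwdl.exe] C:\\WINDOWS\\system32\\dmwdl.exe
O4 - HKLM\\..\\Run: [dmehg.exe] C:\\WINDOWS\\system32\\dmehg.exe
O4 - HKCU\\..\\Run: [MSMSGS] "C:\\Program Files\\Messenger\\msmsgs.exe" /background
"""

# Sample input: one Panda ActiveScan line and one ewido line from the thread.
SCAN_REPORT = """\
Virus:Trj/Troiram.A Disinfected C:\\WINDOWS\\system32\\dmehg.exe
C:\\WINDOWS\\system32\\csybd.exe -> TrojanDropper.Vidro.u : Cleaned with backup
"""

O4_RE = re.compile(r"^O4 - (?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
PATH_RE = re.compile(r"([A-Za-z]:\\.*?)(?: -> |$)")   # path in either report format

def parse_autoruns(log):
    """Return the O4 entries with the executable path pulled out of the command."""
    entries = []
    for line in log.splitlines():
        m = O4_RE.match(line)
        if not m:
            continue
        cmd = m.group("cmd").strip()
        # Quoted command: the path is the quoted part; otherwise the first token.
        path = cmd[1:cmd.index('"', 1)] if cmd.startswith('"') else cmd.split()[0]
        entries.append(Autorun(m.group("key"), m.group("name"), path))
    return entries

def parse_detections(report):
    """Return flagged paths from Panda ('type status path') or ewido ('path -> name') lines."""
    paths = set()
    for line in report.splitlines():
        m = PATH_RE.search(line)
        if m:
            paths.add(m.group(1).strip().lower())
    return paths

def looks_alike(a, b):
    """Loose heuristic (mine): same folder, same name length, same two-letter prefix."""
    da, _, fa = a.rpartition("\\")
    db, _, fb = b.rpartition("\\")
    return da == db and len(fa) == len(fb) and fa[:2] == fb[:2] and fa != fb

def triage(log, report):
    """Return {autorun path: reason} for the entries worth a second look."""
    flagged = parse_detections(report)
    suspects = {}
    for entry in parse_autoruns(log):
        p = entry.path.lower()
        if p in flagged:
            suspects[entry.path] = "flagged by scanner"
        elif any(looks_alike(p, f) for f in flagged):
            suspects[entry.path] = "name resembles a flagged file in the same folder"
    return suspects

if __name__ == "__main__":
    for path, why in triage(HJT_LOG, SCAN_REPORT).items():
        print(f"{path}: {why}")
```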
 

TSF Security Team, Emeritus
26,363 Posts
Go to Start> Run - type cleanmgr (this starts Windows DiskCleanup)
  1. Select Drive C: & click the 'OK' button
  2. Select the following options:
    • Temporary Internet Files
    • Recycle Bin
    • Temporary Files
  3. Click the 'OK' button


Then delete these files & you shall be clean again:

C:\WINDOWS\system32\dmehg.exe
C:\WINDOWS\system32\dmrpg.exe


Now that your system is clean, please follow these simple steps in order to keep your computer clean and secure:


  1. CLEAR & RESET SYSTEM RESTORE'S CACHE
    Go to Start >> Run - type control sysdm.cpl,,4 & press Enter
    • Tick on the checkbox - Turn off System Restore on all drives
    • Click Apply
    Turn it back 'On' by unticking the same checkbox & click OK


  2. DISABLE THE VIEWING OF SYSTEM FILES
    From Windows Explorer, go to Tools>Folder Options> View tab.
    • Untick - Show hidden files and folders
    • Tick - Hide file extensions for known types
    • Tick - Hide protected operating system files
    Click Yes to confirm & then click OK


  3. SECURING INTERNET EXPLORER
    From within Internet Explorer click on the Tools menu and then click on Internet Options.
    • Select the Security tab
      • Click once on the Internet icon so it becomes highlighted.
      • Select Custom Level .
        • Change 'Download signed ActiveX controls' to Prompt
        • Change 'Download unsigned ActiveX controls' to Disable
        • Change 'Initialize and script ActiveX controls not marked as safe' to Disable
        • Change 'Installation of desktop items' to Prompt
        • Change 'Launching programs and files in an IFRAME' to Prompt
        • Change 'Navigate sub-frames across different domains' to Prompt
        • When all these changes have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Select OK to exit the Internet Properties page.


  4. ANTIVIRUS SOFTWARE
    It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

    It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.


  5. FIREWALL
    Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. A tutorial on Firewalls and a listing of some available ones can be found here.


  6. Microsoft Windows Update
    Visit windowsupdate.com regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


  7. SPYBOT - SEARCH & DESTROY
    Download and install Spybot - Search & Destroy with its TeaTimer option. This will provide real-time spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis, just as you would with antivirus software. A tutorial on installing & using this product can be found here.


  8. AD-AWARE
    Download and install Ad-Aware. You should use this program to scan your computer on a regular basis, just as you would with antivirus software, in conjunction with Spybot. A tutorial on installing & using this product can be found here.


  9. SPYWAREBLASTER
    SpywareBlaster prevents the installation of malicious ActiveX, adware, browser hijackers, dialers, and other potentially unwanted software. Blocks spyware/tracking cookies & restricts the actions of potentially unwanted sites.

    Unlike other programs, SpywareBlaster does not have to remain running in the background. A tutorial on installing & using this product can be found here.


  10. IE-SPYAD
    IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impairs attempts to infect your system. It basically prevents any downloads (cookies etc.) from the sites listed, although you will still be able to connect to the sites. A tutorial on installing this product can be found here.


  11. MVPS HOST FILE
    The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is the IP of your local computer. It can be downloaded here - MVPS Hosts file

Update all these programs regularly. Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically. Here are some additional utilities that will further enhance your safety.
  • Trillian or Miranda-IM - These are malware-free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

  • Weather Watcher - Free taskbar weather program that is free, malware-free, and resource-light.

  • Firefox - Use this alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.

  • Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.

  • Google Toolbar - Get the free Google Toolbar to help stop pop-up windows.

  • CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.

  • ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT.

    ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively disables System Restore. With ERUNT, you're able to restore the damaged Registry.

    NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.

  • Winpatrol - Download and install the free version of Winpatrol.
    A tutorial for this product is located here:
    Using Winpatrol to protect your computer from malicious software

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein

After doing all these, your system will be optimised against future threats.

It's okay to delete the HijackThis folder in a couple of weeks if everything is working okay.
Have a safe & happy computing day.


Please respond to this thread one more time so we can mark this thread as resolved.
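As an added illustration of item 11 above (my own code, not part of the post or of the MVPS file): a small Python audit of a HOSTS file of this kind. It parses the file, checks that the localhost entry the system needs is still present, lists the names sent to a sinkhole address, flags entries that point a hostname somewhere other than a sinkhole (the inverse trick used by the Qhost trojans the scans above reported), and shows the limitation that a HOSTS entry covers only the exact hostname, not its subdomains. All sample lines are constructed with example.com names and the 192.0.2.0/24 documentation range; 0.0.0.0 is accepted as a sinkhole alongside 127.0.0.1 because later MVPS releases use it.

```python
"""Audit an MVPS-style Windows HOSTS file: blocked names, localhost, hijacks."""
import ipaddress

# Addresses used as sinkholes: 127.0.0.1 as the post describes, and 0.0.0.0,
# which later MVPS releases use for the same purpose.
SINKHOLES = {"127.0.0.1", "0.0.0.0"}

# Constructed sample (example.com / 192.0.2.x values): MVPS-style block entries,
# the mandatory localhost line, and one rogue entry of the kind a Qhost
# infection leaves behind (a real site pointed at an attacker-chosen address).
SAMPLE_HOSTS = """\
# MVPS HOSTS file (constructed excerpt)
127.0.0.1  localhost
127.0.0.1  ads.example.com          # ad server
127.0.0.1  tracker.example.net   telemetry.example.net
0.0.0.0    malware.example.org
192.0.2.10 www.update.example.com   # rogue: real site pointed elsewhere
"""

def parse_hosts(text):
    """Return [(address, hostname)] for every mapping, comments stripped."""
    mappings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments
        if not line:
            continue
        addr, *names = line.split()
        try:
            ipaddress.ip_address(addr)          # skip malformed lines
        except ValueError:
            continue
        for name in names:
            mappings.append((addr, name.lower()))
    return mappings

def is_blocked(mappings, hostname):
    """True if exactly this hostname is sinkholed. HOSTS has no wildcards,
    so a subdomain of a blocked name is NOT covered."""
    return any(a in SINKHOLES and n == hostname.lower() for a, n in mappings)

def audit_hosts(text):
    """Summarise: sinkholed names, whether localhost still resolves, and names
    that resolve somewhere other than a sinkhole (hijack candidates)."""
    mappings = parse_hosts(text)
    blocked = sorted({n for a, n in mappings if a in SINKHOLES and n != "localhost"})
    localhost_ok = ("127.0.0.1", "localhost") in mappings
    rogue = [(a, n) for a, n in mappings
             if a not in SINKHOLES and not ipaddress.ip_address(a).is_loopback]
    return {"blocked": blocked, "localhost_ok": localhost_ok, "rogue": rogue}

if __name__ == "__main__":
    report = audit_hosts(SAMPLE_HOSTS)
    print(len(report["blocked"]), "names sinkholed; localhost ok:", report["localhost_ok"])
    for addr, name in report["rogue"]:
        print("REVIEW:", name, "->", addr, "(not a sinkhole address)")
    hosts = parse_hosts(SAMPLE_HOSTS)
    print("ads.example.com blocked:", is_blocked(hosts, "ads.example.com"))
    print("www.ads.example.com blocked:", is_blocked(hosts, "www.ads.example.com"))
```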
 