
New Poly Win32 Problem

Discussion in 'Virus & Other Malware Removal' started by Moe83, Jan 4, 2006.

  1. Moe83

    Moe83 Thread Starter

    Joined:
    Jan 4, 2006
    Messages:
    5
    HELP!!!!!!!!!!!!!!!!!!

    McAfee says a virus has been detected. The file C:\WINDOWS\crnh.exe is infected by the New Poly Win32 virus and cannot be cleaned. I have run the virus control and it cannot quarantine, delete, or fix it.

    I've read similar posts and here is my log from Hijack:

    Logfile of HijackThis v1.99.1
    Scan saved at 6:22:21 PM, on 1/4/2006
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\meqpc.dll/sp.html#10001%resultposition.net
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\meqpc.dll/sp.html#10001%resultposition.net
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\meqpc.dll/sp.html#10001%resultposition.net
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\meqpc.dll/sp.html#10001%resultposition.net
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\meqpc.dll/sp.html#10001%resultposition.net
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\meqpc.dll/sp.html#10001%resultposition.net
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\meqpc.dll/sp.html#10001%resultposition.net
    R3 - Default URLSearchHook is missing
    O2 - BHO: DownloadRedirect Class - {00000000-6CB0-410C-8C3D-8FA8D2011D0A} - C:\Program Files\iMesh\iMesh5\iMeshBHO.dll
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Class - {19C15D9B-ED76-52EE-036B-5591AF55B4A5} - C:\WINDOWS\mfccl32.dll
    O2 - BHO: iMeshBar BHO - {5345A7A1-805A-4923-B505-86B2FEBA3FE0} - C:\Program Files\iMeshBar\bar\1.bin\IMESHBAR.DLL
    O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
    O2 - BHO: Class - {A7380E2D-065F-36BF-ACBE-56A6484317E0} - C:\WINDOWS\system32\sysls32.dll
    O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-ca\msntb.dll
    O2 - BHO: Class - {BEB8A8DE-743E-9BF5-DBA7-230CFF21DEDA} - C:\WINDOWS\system32\javaur.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-ca\msntb.dll
    O3 - Toolbar: iMeshBar - {5345A7A9-805A-4923-B505-86B2FEBA3FE0} - C:\Program Files\iMeshBar\bar\1.bin\IMESHBAR.DLL
    O4 - HKLM\..\Run: [Norton Antivirus 7.0a] C:\Documents and Settings\Administrator\winfw.exe
    O4 - HKLM\..\Run: [REGRUN] C:\Documents and Settings\Administrator\reg.exe
    O4 - HKLM\..\Run: [LXBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBTtime.dll,[email protected]
    O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\McAfee.com\Agent\mcregwiz.exe /autorun
    O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
    O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
    O4 - HKLM\..\RunServices: [Windows] run.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAccessVerisign/ie/Bridge-c139.cab
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\crnh.exe" /s (file missing)
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: lxbt_device - Lexmark International, Inc. - C:\WINDOWS\System32\lxbtcoms.exe
    O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

    PLEASE HELP!!!!!!
    THANKS
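The helpers on this board read HijackThis logs like the one above by hand, applying a handful of rules of thumb: an R0/R1 start or search page served out of a local DLL with a `res://` URL, an O2 BHO whose only name is "Class", an O4 autorun entry whose target is a bare filename or lives outside the usual program directories, and an O23 service with an unknown owner whose binary is missing or sits in the Windows root. The following Python script is an added example, not part of the original thread and not a HijackThis feature; it encodes those rules and runs them over a constructed sample log modelled on the entries in the post above. The trusted-directory allow-list, the heuristics and the sample lines are this example's own constructions, and the garbled service name from the real log is shortened to plain ASCII.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample in HijackThis v1.99.1 format, modelled on the log in the post
# above. It mixes known-good vendor entries with the entries later confirmed as
# malicious so the heuristics can be checked against both.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\meqpc.dll/sp.html#10001%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {19C15D9B-ED76-52EE-036B-5591AF55B4A5} - C:\WINDOWS\mfccl32.dll
O4 - HKLM\..\Run: [Norton Antivirus 7.0a] C:\Documents and Settings\Administrator\winfw.exe
O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\McAfee.com\Agent\mcregwiz.exe /autorun
O4 - HKLM\..\RunServices: [Windows] run.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O23 - Service: Network Security Service ( 11F) - Unknown owner - C:\WINDOWS\crnh.exe" /s (file missing)
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
"""

# Constructed allow-list: where legitimately installed software normally lives on
# this kind of XP box. Anything else (Windows root, a user profile, the drive root,
# or no path at all) is worth a second look.
TRUSTED_DIRS = (r"c:\program files", r"c:\progra~1", r"c:\windows\system32")


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O4"
    reason: str
    line: str


def _path_of(command: str) -> str:
    """Reduce an O4/O23 command line to its lower-cased executable or DLL path."""
    t = command.strip().strip('"')
    if t.lower().startswith("rundll32 "):          # rundll32 <dll>,<export>
        t = t[len("rundll32 "):]
    m = re.match(r"^(.*?\.(?:exe|dll|ocx))", t, re.IGNORECASE)
    return (m.group(1) if m else t).lower()


def in_trusted_dir(path: str) -> bool:
    return path.startswith(TRUSTED_DIRS)


def triage(log_text: str) -> list[Finding]:
    """Apply the helpers' rules of thumb to each HijackThis line; return what stands out."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        section = line.split(" - ", 1)[0]
        if section in ("R0", "R1") and "res://" in line.lower():
            # Start/search page served from a resource inside a local DLL: the CWS hijacker pattern.
            findings.append(Finding(section, "IE start/search page served from a local DLL via res://", line))
        elif section == "O2":
            m = re.match(r"O2 - BHO: (.*?) - \{[0-9A-Fa-f-]+\} - (.*)$", line)
            if m and (m.group(1).strip() == "Class" or not in_trusted_dir(_path_of(m.group(2)))):
                # Vendors name their BHOs; a bare "Class" or a DLL dropped in the Windows root is not normal.
                findings.append(Finding(section, "BHO with generic name or DLL outside program directories", line))
        elif section == "O4":
            m = re.match(r"O4 - .*?: \[.*?\] (.*)$", line)
            if m:
                target = _path_of(m.group(1))
                if "\\" not in target:
                    findings.append(Finding(section, "autorun entry with bare filename (no path)", line))
                elif not in_trusted_dir(target):
                    findings.append(Finding(section, "autorun target outside program directories", line))
        elif section == "O23":
            m = re.match(r"O23 - Service: .*? - (.*?) - (.*)$", line)
            if m:
                owner, command = m.group(1), m.group(2)
                if not in_trusted_dir(_path_of(command)) or (owner == "Unknown owner" and "(file missing)" in command):
                    findings.append(Finding(section, "service with unknown owner/missing file or binary outside program directories", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} | {f.reason}\n       {f.line}")
```

On the sample the script flags exactly the six entries that Spy Sweeper later confirmed (the meqpc.dll search hijack, mfccl32.dll, winfw.exe, run.exe, winstall.exe and crnh.exe) and leaves the Adobe, McAfee and ctfmon entries alone. The generic-name rule is what catches BHOs such as sysls32.dll and javaur.dll that sit inside system32 and would pass the directory check; the allow-list is deliberately conservative, so the output is a shortlist for a human to confirm, not a verdict.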
     
  2. JSntgRvr

    JSntgRvr Moderator Malware Specialist

    Joined:
    Jul 1, 2003
    Messages:
    18,552
    First Name:
    José
    Please download WebRoot SpySweeper (It's a 2 week trial):

    http://www.webroot.com/consumer/products/spysweeper/index.html?acode=af1&rc=4129

    Click the Free Trial link under "Downloads/SpySweeper" to download the program.

    Install it. Once the program is installed, it will open.

    It will prompt you to update to the latest definitions, click Yes.
    Once the definitions are installed, click Options on the left side.
    Click the Sweep Options tab.

    Under What to Sweep please put a check next to the following:

    * Sweep Memory
    * Sweep Registry
    * Sweep Cookies
    * Sweep All User Accounts
    * Enable Direct Disk Sweeping
    * Sweep Contents of Compressed Files
    * Sweep for Rootkits

    Please UNCHECK Do not Sweep System Restore Folder.

    Click Sweep Now on the left side.

    Click the Start button.

    When it's done scanning, click the Next button.

    Make sure everything has a check next to it, then click the Next button.

    It will remove all of the items found.

    Click Session Log in the upper right corner, copy everything in that window.

    Click the Summary tab and click Finish.

    Perform an ActiveScan:

    http://www.pandasoftware.com/activescan/

    Save the report to the desktop.

    Post a new HijackThis log and the results of the Spysweeper session log and ActiveScan reports. Also post a new Hijack This log.
     
  3. Moe83

    Moe83 Thread Starter

    Joined:
    Jan 4, 2006
    Messages:
    5
    Hi,

    Here are the logs and reports you requested:

    Logfile of HijackThis v1.99.1
    Scan saved at 9:26:38 PM, on 1/4/2006
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Hijackthis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R3 - Default URLSearchHook is missing
    O2 - BHO: DownloadRedirect Class - {00000000-6CB0-410C-8C3D-8FA8D2011D0A} - C:\Program Files\iMesh\iMesh5\iMeshBHO.dll
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: iMeshBar BHO - {5345A7A1-805A-4923-B505-86B2FEBA3FE0} - C:\Program Files\iMeshBar\bar\1.bin\IMESHBAR.DLL
    O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
    O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-ca\msntb.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-ca\msntb.dll
    O3 - Toolbar: iMeshBar - {5345A7A9-805A-4923-B505-86B2FEBA3FE0} - C:\Program Files\iMeshBar\bar\1.bin\IMESHBAR.DLL
    O4 - HKLM\..\Run: [Norton Antivirus 7.0a] C:\Documents and Settings\Administrator\winfw.exe
    O4 - HKLM\..\Run: [LXBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBTtime.dll,[email protected]
    O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\McAfee.com\Agent\mcregwiz.exe /autorun
    O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
    O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
    O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\crnh.exe" /s (file missing)
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: lxbt_device - Lexmark International, Inc. - C:\WINDOWS\System32\lxbtcoms.exe
    O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
    O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

    ********
    7:43 PM: | Start of Session, Wednesday, January 04, 2006 |
    7:43 PM: Spy Sweeper started
    7:43 PM: Sweep initiated using definitions version 596
    7:43 PM: Starting Memory Sweep
    7:43 PM: The Spy Communication shield has blocked access to: www.trackhits.cc
    7:43 PM: The Spy Communication shield has blocked access to: www.trackhits.cc
    7:44 PM: Found Adware: cws_ns3
    7:44 PM: Detected running threat: C:\WINDOWS\crnh.exe (ID = 8)
    7:45 PM: Found Adware: spysheriff fakealert
    7:45 PM: Detected running threat: C:\winstall.exe (ID = 216859)
    7:45 PM: HKU\S-1-5-21-1409082233-1078081533-839522115-500\Software\Microsoft\Windows\CurrentVersion\Run || Windows installer (ID = 0)
    7:45 PM: Detected running threat: C:\WINDOWS\mfccl32.dll (ID = 8)
    7:45 PM: Detected running threat: C:\WINDOWS\system32\sysls32.dll (ID = 8)
    7:45 PM: Detected running threat: C:\WINDOWS\system32\javaur.dll (ID = 8)
    7:45 PM: Memory Sweep Complete, Elapsed Time: 00:02:38
    7:45 PM: Starting Registry Sweep
    7:45 PM: Found Trojan Horse: autospy
    7:45 PM: HKLM\software\microsoft\windows\currentversion\runservices\ || windows (ID = 103882)
    7:45 PM: Found Trojan Horse: msn cookie trojan
    7:45 PM: HKLM\software\microsoft\windows\currentversion\runservices\ || windows (ID = 103882)
    7:45 PM: Found Trojan Horse: bf evolution
    7:45 PM: HKLM\software\microsoft\windows\currentversion\runservices\ || windows (ID = 103882)
    7:45 PM: Found Adware: coolwebsearch (cws)
    7:45 PM: HKCR\clsid\{3d1f3c37-49ca-66d3-9877-04375ade521d}\ (2 subtraces) (ID = 107211)
    7:45 PM: HKCR\clsid\{a1bd0d9e-655b-cb60-6f75-1dfc720aeab9}\ (2 subtraces) (ID = 107886)
    7:45 PM: HKLM\software\classes\clsid\{3d1f3c37-49ca-66d3-9877-04375ade521d}\ (2 subtraces) (ID = 108599)
    7:45 PM: HKLM\software\classes\clsid\{a1bd0d9e-655b-cb60-6f75-1dfc720aeab9}\ (2 subtraces) (ID = 109269)
    7:45 PM: Found Adware: cws-aboutblank
    7:45 PM: HKCR\clsid\{b38f516e-48f2-cdbb-7d76-e0cfbcdbee45}\ (2 subtraces) (ID = 113906)
    7:45 PM: HKCR\clsid\{0b4f9b2c-f81d-7c42-ae33-07f0fcb846ec}\ (2 subtraces) (ID = 117601)
    7:45 PM: HKCR\clsid\{07a70617-8d17-a480-a5cf-0fca3c65180d}\ (2 subtraces) (ID = 117684)
    7:45 PM: HKCR\clsid\{2b5a2313-ae67-454e-9a8b-f74070e57f1b}\ (2 subtraces) (ID = 117744)
    7:45 PM: HKCR\clsid\{7e2b347a-52aa-597f-9371-80822a8d1263}\ (2 subtraces) (ID = 117988)
    7:45 PM: HKCR\clsid\{8f60435f-df74-6308-e8cb-509d69906821}\ (2 subtraces) (ID = 118033)
    7:45 PM: HKCR\clsid\{15e6172a-5f7d-3085-1e94-14da8d1a4479}\ (2 subtraces) (ID = 118084)
    7:45 PM: HKCR\clsid\{30e36b0a-ca1d-18e7-7fd2-9ba91d4d1710}\ (2 subtraces) (ID = 118126)
    7:45 PM: HKCR\clsid\{69a88c5e-04e5-741d-6ca2-9cb5374eb263}\ (2 subtraces) (ID = 118242)
    7:45 PM: HKCR\clsid\{8007f30a-add5-7e61-d29c-8f166bc8a3dd}\ (2 subtraces) (ID = 118535)
    7:45 PM: HKCR\clsid\{676575dd-4d46-911d-8037-9b10d6ee8bb5}\ (ID = 118649)
    7:45 PM: HKCR\clsid\{abff8236-dcbd-e17b-0a69-6fd85fa199fe}\ (2 subtraces) (ID = 118812)
    7:45 PM: HKCR\clsid\{bc0dc8bd-646d-fa46-8739-116b4f8b8228}\ (2 subtraces) (ID = 118909)
    7:45 PM: HKCR\clsid\{be5dcdbc-54d3-95ea-b258-2d53bd817431}\ (2 subtraces) (ID = 118926)
    7:45 PM: HKCR\clsid\{c2fe095e-5ba7-fbc8-5387-2878c932a44f}\ (2 subtraces) (ID = 118943)
    7:45 PM: HKCR\clsid\{c35c2f78-0e5e-f4aa-fd24-04cc74056392}\ (2 subtraces) (ID = 118983)
    7:45 PM: HKCR\clsid\{d063e7a9-f6b2-80f8-44b2-f8210fdedf67}\ (2 subtraces) (ID = 119085)
    7:45 PM: HKCR\clsid\{db054d56-eea3-c985-bedb-3e646a49fa44}\ (2 subtraces) (ID = 119155)
    7:45 PM: HKCR\clsid\{de064cf5-809e-a243-cc14-f5427e5967a1}\ (2 subtraces) (ID = 119183)
    7:45 PM: HKCR\clsid\{df7346f5-4eb1-7f19-9320-5e86cbcbda80}\ (2 subtraces) (ID = 119196)
    7:45 PM: HKCR\clsid\{ec6cc6a4-2de4-7d97-7906-9d8567369627}\ (2 subtraces) (ID = 119301)
    7:45 PM: HKCR\clsid\{fc92c3de-f786-c2a4-4565-359ecf140e14}\ (2 subtraces) (ID = 119436)
    7:45 PM: HKLM\software\classes\clsid\{0b4f9b2c-f81d-7c42-ae33-07f0fcb846ec}\ (2 subtraces) (ID = 119482)
    7:45 PM: HKLM\software\classes\clsid\{07a70617-8d17-a480-a5cf-0fca3c65180d}\ (2 subtraces) (ID = 119560)
    7:45 PM: HKLM\software\classes\clsid\{2b5a2313-ae67-454e-9a8b-f74070e57f1b}\ (2 subtraces) (ID = 119620)
    7:45 PM: HKLM\software\classes\clsid\{7e2b347a-52aa-597f-9371-80822a8d1263}\ (2 subtraces) (ID = 119863)
    7:45 PM: HKLM\software\classes\clsid\{8f60435f-df74-6308-e8cb-509d69906821}\ (2 subtraces) (ID = 119907)
    7:45 PM: HKLM\software\classes\clsid\{15e6172a-5f7d-3085-1e94-14da8d1a4479}\ (2 subtraces) (ID = 119956)
    7:45 PM: HKLM\software\classes\clsid\{30e36b0a-ca1d-18e7-7fd2-9ba91d4d1710}\ (2 subtraces) (ID = 119995)
    7:45 PM: HKLM\software\classes\clsid\{69a88c5e-04e5-741d-6ca2-9cb5374eb263}\ (2 subtraces) (ID = 120099)
    7:45 PM: HKLM\software\classes\clsid\{338e88e9-d821-1c15-a00d-907ab980e988}\ (2 subtraces) (ID = 120215)
    7:45 PM: HKLM\software\classes\clsid\{8007f30a-add5-7e61-d29c-8f166bc8a3dd}\ (2 subtraces) (ID = 120382)
    7:45 PM: HKLM\software\classes\clsid\{676575dd-4d46-911d-8037-9b10d6ee8bb5}\ (ID = 120496)
    7:45 PM: HKLM\software\classes\clsid\{abff8236-dcbd-e17b-0a69-6fd85fa199fe}\ (2 subtraces) (ID = 120651)
    7:45 PM: HKLM\software\classes\clsid\{bc0dc8bd-646d-fa46-8739-116b4f8b8228}\ (2 subtraces) (ID = 120746)
    7:45 PM: HKLM\software\classes\clsid\{be5dcdbc-54d3-95ea-b258-2d53bd817431}\ (2 subtraces) (ID = 120763)
    7:45 PM: HKLM\software\classes\clsid\{c35c2f78-0e5e-f4aa-fd24-04cc74056392}\ (2 subtraces) (ID = 120820)
    7:45 PM: HKLM\software\classes\clsid\{d063e7a9-f6b2-80f8-44b2-f8210fdedf67}\ (2 subtraces) (ID = 120921)
    7:45 PM: HKLM\software\classes\clsid\{db054d56-eea3-c985-bedb-3e646a49fa44}\ (2 subtraces) (ID = 120991)
    7:45 PM: HKLM\software\classes\clsid\{de064cf5-809e-a243-cc14-f5427e5967a1}\ (2 subtraces) (ID = 121020)
    7:45 PM: HKLM\software\classes\clsid\{df7346f5-4eb1-7f19-9320-5e86cbcbda80}\ (2 subtraces) (ID = 121031)
    7:45 PM: HKLM\software\classes\clsid\{ec6cc6a4-2de4-7d97-7906-9d8567369627}\ (2 subtraces) (ID = 121132)
    7:45 PM: HKLM\software\classes\clsid\{fc92c3de-f786-c2a4-4565-359ecf140e14}\ (2 subtraces) (ID = 121261)
    7:45 PM: Found Adware: cws_ns3 hijacker
    7:45 PM: HKLM\software\microsoft\internet explorer\main\ || default_search_url (ID = 123394)
    7:45 PM: HKLM\software\microsoft\internet explorer\main\ || search bar (ID = 123395)
    7:45 PM: HKLM\software\microsoft\internet explorer\main\ || search page (ID = 123396)
    7:45 PM: HKLM\software\microsoft\internet explorer\search\ || searchassistant (ID = 123399)
    7:45 PM: Found Adware: cws_tiny0
    7:45 PM: HKCR\clsid\{4a210c09-c3ae-d36c-3ec5-0d7723985463}\ (2 subtraces) (ID = 123837)
    7:45 PM: HKCR\clsid\{8d1df6ce-07e4-c211-83f6-537e054edc98}\ (2 subtraces) (ID = 123862)
    7:45 PM: HKCR\clsid\{67a0e5dd-d21d-3f1c-2fd5-07c50b27b4bd}\ (2 subtraces) (ID = 123889)
    7:45 PM: HKCR\clsid\{8424a742-21c5-e92b-d6a5-2b565d796258}\ (2 subtraces) (ID = 123936)
    7:45 PM: HKCR\clsid\{d3e61c7f-bd83-ea01-13f4-464c2595c096}\ (2 subtraces) (ID = 124005)
    7:45 PM: HKCR\clsid\{dc690906-09e2-710f-7c3b-f2f819b49b2a}\ (2 subtraces) (ID = 124017)
    7:45 PM: HKCR\clsid\{f80f0d50-2d6c-75c3-606a-3dfe0f4fc5d0}\ (2 subtraces) (ID = 124034)
    7:45 PM: HKCR\clsid\{fba372da-732c-2096-07db-aa0e71833d10}\ (2 subtraces) (ID = 124040)
    7:45 PM: HKLM\software\classes\clsid\{4a210c09-c3ae-d36c-3ec5-0d7723985463}\ (2 subtraces) (ID = 124071)
    7:45 PM: HKLM\software\classes\clsid\{8d1df6ce-07e4-c211-83f6-537e054edc98}\ (2 subtraces) (ID = 124096)
    7:45 PM: HKLM\software\classes\clsid\{67a0e5dd-d21d-3f1c-2fd5-07c50b27b4bd}\ (2 subtraces) (ID = 124121)
    7:45 PM: HKLM\software\classes\clsid\{8424a742-21c5-e92b-d6a5-2b565d796258}\ (2 subtraces) (ID = 124164)
    7:45 PM: HKLM\software\classes\clsid\{dc690906-09e2-710f-7c3b-f2f819b49b2a}\ (2 subtraces) (ID = 124246)
    7:45 PM: HKLM\software\classes\clsid\{f80f0d50-2d6c-75c3-606a-3dfe0f4fc5d0}\ (2 subtraces) (ID = 124262)
    7:45 PM: HKLM\software\classes\clsid\{fba372da-732c-2096-07db-aa0e71833d10}\ (2 subtraces) (ID = 124267)
    7:45 PM: Found Adware: internetoptimizer
    7:45 PM: HKLM\software\microsoft\windows\currentversion\policies\ameopt\ (ID = 128912)
    7:45 PM: Found Adware: purityscan
    7:45 PM: HKLM\software\microsoft\windows\currentversion\run\ || regrun (ID = 139064)
    7:45 PM: Found Adware: spysheriff
    7:45 PM: HKLM\software\microsoft\windows\currentversion\uninstall\spysheriff\ (5 subtraces) (ID = 142124)
    7:45 PM: Found Adware: winad
    7:45 PM: HKCR\clsid\{15ad6789-cdb4-47e1-a9da-992ee8e6bad6}\ (6 subtraces) (ID = 147155)
    7:45 PM: HKCR\mediaaccx.installer\ (3 subtraces) (ID = 147158)
    7:45 PM: HKLM\software\classes\clsid\{15ad6789-cdb4-47e1-a9da-992ee8e6bad6}\ (6 subtraces) (ID = 147169)
    7:45 PM: HKLM\software\classes\mediaaccx.installer\ (3 subtraces) (ID = 147172)
    7:45 PM: HKLM\software\media access\ (7 subtraces) (ID = 147182)
    7:45 PM: HKLM\software\microsoft\code store database\distribution units\{15ad6789-cdb4-47e1-a9da-992ee8e6bad6}\ (10 subtraces) (ID = 147185)
    7:45 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/mediaaccx.dll\ (2 subtraces) (ID = 147191)
    7:45 PM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\mediaaccx.dll (ID = 147221)
    7:46 PM: HKCR\clsid\{9adc5b7c-f0fa-a733-e146-85ce8933dc68}\ (2 subtraces) (ID = 980881)
    7:46 PM: HKLM\software\classes\clsid\{9adc5b7c-f0fa-a733-e146-85ce8933dc68}\ (2 subtraces) (ID = 980889)
    7:46 PM: HKU\S-1-5-21-1409082233-1078081533-839522115-500\software\microsoft\internet explorer\main\ || search bar (ID = 123390)
    7:46 PM: HKU\S-1-5-21-1409082233-1078081533-839522115-500\software\microsoft\internet explorer\main\ || search page (ID = 123391)
    7:46 PM: HKU\S-1-5-21-1409082233-1078081533-839522115-500\software\microsoft\internet explorer\search\ || searchassistant (ID = 123398)
    7:46 PM: HKU\S-1-5-21-1409082233-1078081533-839522115-500\software\spysheriff\ (30 subtraces) (ID = 142125)
    7:46 PM: HKU\S-1-5-21-1409082233-1078081533-839522115-500\software\sno2\ (ID = 782236)
    7:46 PM: HKU\S-1-5-21-1409082233-1078081533-839522115-500\software\microsoft\windows\currentversion\run\ || windows installer (ID = 1088024)
    7:46 PM: Registry Sweep Complete, Elapsed Time:00:00:23
    7:46 PM: Starting Cookie Sweep
    7:46 PM: Found Spy Cookie: 247realmedia cookie
    7:46 PM: [email protected][1].txt (ID = 1953)
    7:46 PM: Found Spy Cookie: about cookie
    7:46 PM: [email protected][2].txt (ID = 2037)
    7:46 PM: Found Spy Cookie: yieldmanager cookie
    7:46 PM: [email protected][2].txt (ID = 3751)
    7:46 PM: Found Spy Cookie: adknowledge cookie
    7:46 PM: [email protected][2].txt (ID = 2072)
    7:46 PM: Found Spy Cookie: hbmediapro cookie
    7:46 PM: [email protected][2].txt (ID = 2768)
    7:46 PM: Found Spy Cookie: precisead cookie
    7:46 PM: [email protected][2].txt (ID = 3182)
    7:46 PM: Found Spy Cookie: specificclick.com cookie
    7:46 PM: [email protected][2].txt (ID = 3400)
    7:46 PM: Found Spy Cookie: addynamix cookie
    7:46 PM: [email protected][1].txt (ID = 2062)
    7:46 PM: Found Spy Cookie: pointroll cookie
    7:46 PM: [email protected][1].txt (ID = 3148)
    7:46 PM: Found Spy Cookie: atlas dmt cookie
    7:46 PM: [email protected][2].txt (ID = 2253)
    7:46 PM: Found Spy Cookie: belnk cookie
    7:46 PM: [email protected][1].txt (ID = 2293)
    7:46 PM: Found Spy Cookie: atwola cookie
    7:46 PM: [email protected][1].txt (ID = 2255)
    7:46 PM: Found Spy Cookie: azjmp cookie
    7:46 PM: [email protected][2].txt (ID = 2270)
    7:46 PM: [email protected][2].txt (ID = 2292)
    7:46 PM: Found Spy Cookie: bs.serving-sys cookie
    7:46 PM: [email protected][1].txt (ID = 2330)
    7:46 PM: Found Spy Cookie: gostats cookie
    7:46 PM: [email protected][2].txt (ID = 2748)
    7:46 PM: Found Spy Cookie: clickzs cookie
    7:46 PM: [email protected][1].txt (ID = 2413)
    7:46 PM: Found Spy Cookie: did-it cookie
    7:46 PM: [email protected][2].txt (ID = 2523)
    7:46 PM: [email protected][1].txt (ID = 2293)
    7:46 PM: Found Spy Cookie: kinghost cookie
    7:46 PM: [email protected][1].txt (ID = 2903)
    7:46 PM: Found Spy Cookie: go.com cookie
    7:46 PM: [email protected][1].txt (ID = 2729)
    7:46 PM: Found Spy Cookie: 2o7.net cookie
    7:46 PM: [email protected][1].txt (ID = 1958)
    7:46 PM: [email protected][1].txt (ID = 1958)
    7:46 PM: Found Spy Cookie: touchclarity cookie
    7:46 PM: [email protected][1].txt (ID = 3567)
    7:46 PM: Found Spy Cookie: partypoker cookie
    7:46 PM: [email protected][1].txt (ID = 3111)
    7:46 PM: Found Spy Cookie: rc cookie
    7:46 PM: [email protected][1].txt (ID = 3231)
    7:46 PM: Found Spy Cookie: valuead cookie
    7:46 PM: [email protected][2].txt (ID = 3627)
    7:46 PM: Found Spy Cookie: adjuggler cookie
    7:46 PM: [email protected][1].txt (ID = 2071)
    7:46 PM: Found Spy Cookie: serving-sys cookie
    7:46 PM: [email protected][2].txt (ID = 3343)
    7:46 PM: Found Spy Cookie: starware.com cookie
    7:46 PM: [email protected][2].txt (ID = 3441)
    7:46 PM: Found Spy Cookie: trafficmp cookie
    7:46 PM: [email protected][2].txt (ID = 3581)
    7:46 PM: [email protected][2].txt (ID = 2038)
    7:46 PM: Found Spy Cookie: screensavers.com cookie
    7:46 PM: [email protected][2].txt (ID = 3298)
    7:46 PM: Found Spy Cookie: xiti cookie
    7:46 PM: [email protected][1].txt (ID = 3717)
    7:46 PM: Found Spy Cookie: yadro cookie
    7:46 PM: [email protected][2].txt (ID = 3743)
    7:46 PM: Cookie Sweep Complete, Elapsed Time: 00:00:03
    7:46 PM: Starting File Sweep
    7:46 PM: c:\program files\spysheriff (15 subtraces) (ID = -2147476679)
    7:46 PM: 6.tmp (ID = 214375)
    7:46 PM: 7.tmp (ID = 214375)
    7:46 PM: a0013890.exe (ID = 90386)
    7:46 PM: Found Adware: security iguard
    7:46 PM: chmhelp.chm (ID = 75238)
    7:47 PM: 5.tmp (ID = 214375)
    7:47 PM: installer.exe (ID = 73121)
    7:47 PM: desktop.html (ID = 178574)
    7:48 PM: ntla.exe (ID = 200)
    7:48 PM: winstall.exe (ID = 216859)
    7:48 PM: HKU\S-1-5-21-1409082233-1078081533-839522115-500\Software\Microsoft\Windows\CurrentVersion\Run || Windows installer (ID = 0)
    7:48 PM: procmon.dll (ID = 198830)
    7:49 PM: a0013883.exe (ID = 90400)
    7:49 PM: msmn.exe (ID = 200)
    7:49 PM: a0013876.exe (ID = 64092)
    7:49 PM: Found Adware: 180search assistant/zango
    7:49 PM: npzango.dll (ID = 91102)
    7:49 PM: a0013891.exe (ID = 90400)
    7:49 PM: a0042213.exe (ID = 204)
    7:50 PM: ippl.exe (ID = 204)
    7:50 PM: Found Adware: pc adprotector desktop hijacker
    7:50 PM: 1e.tmp.exe (ID = 162680)
    7:51 PM: crlb32.exe (ID = 200)
    7:51 PM: a0045278.exe (ID = 200)
    7:53 PM: a0013889.dll (ID = 90373)
    7:53 PM: a0044276.ini:qmrjww (ID = 216849)
    7:56 PM: Found Adware: shopathomeselect
    7:56 PM: gah95on6.ini (ID = 75741)
    7:56 PM: mediaaccx.dll (ID = 90412)
    7:56 PM: pzmpf.dll (ID = 216849)
    7:56 PM: crkxi.dll (ID = 216849)
    7:57 PM: uninstall.exe (ID = 198832)
    7:58 PM: ntbq.exe (ID = 204)
    7:58 PM: iesecurity.dll (ID = 198829)
    7:58 PM: nthp.exe (ID = 200)
    7:58 PM: a0045293.ini:qmrjww (ID = 216849)
    7:58 PM: sdkce.exe (ID = 200)
    7:58 PM: appgb32.exe (ID = 200)
    7:58 PM: a0042226.dll (ID = 216849)
    7:58 PM: iemw32.exe (ID = 204)
    7:59 PM: crnh.exe (ID = 204)
    7:59 PM: ipeq32.exe (ID = 200)
    7:59 PM: ntnv.exe (ID = 200)
    7:59 PM: atlrr.exe (ID = 200)
    7:59 PM: sdkil.exe (ID = 200)
    7:59 PM: addzj32.exe (ID = 200)
    7:59 PM: a0043276.ini:qmrjww (ID = 216849)
    7:59 PM: atlpy.exe (ID = 200)
    7:59 PM: a0045276.ini:qmrjww (ID = 216849)
    7:59 PM: a0042214.exe (ID = 200)
    7:59 PM: heur003.dll (ID = 198828)
    7:59 PM: base.avd (ID = 190097)
    7:59 PM: netel32.exe (ID = 200)
    7:59 PM: a0045344.ini:qmrjww (ID = 216849)
    7:59 PM: heur001.dll (ID = 198826)
    8:00 PM: meqpc.dll (ID = 216849)
    8:00 PM: spysheriff.exe (ID = 198831)
    8:00 PM: dellstat.ini:qmrjww (ID = 216849)
    8:00 PM: heur002.dll (ID = 198827)
    8:00 PM: ipmf32.exe (ID = 200)
    8:00 PM: a0045316.ini:qmrjww (ID = 216849)
    8:01 PM: heur000.dll (ID = 198825)
    8:01 PM: salmau.dat (ID = 93788)
    8:01 PM: search the web.url (ID = 54454)
    8:01 PM: a0013841.ini (ID = 75852)
    8:01 PM: bln02nqv.ini (ID = 75683)
    8:01 PM: 70tovmto.ini (ID = 75621)
    8:01 PM: a0013842.ini (ID = 75631)
    8:01 PM: only sex website.url (ID = 54373)
    8:01 PM: seven days of free porn.url (ID = 54472)
    8:01 PM: credit counseling.url (ID = 130668)
    8:01 PM: insurance home.url (ID = 130676)
    8:01 PM: mortgage life insurance.url (ID = 130681)
    8:01 PM: help desk software.url (ID = 130675)
    8:01 PM: ab scissor.url (ID = 130666)
    8:01 PM: videos.url (ID = 130694)
    8:01 PM: what is hydrocodone.url (ID = 130695)
    8:01 PM: online gambling casino.url (ID = 130684)
    8:01 PM: refinancing my mortgage.url (ID = 130691)
    8:01 PM: debt credit card.url (ID = 130671)
    8:01 PM: fha.url (ID = 130673)
    8:01 PM: loan for debt consolidation.url (ID = 130677)
    8:01 PM: health insurance.url (ID = 130674)
    8:01 PM: personal loans online.url (ID = 130688)
    8:01 PM: payroll advance.url (ID = 130687)
    8:01 PM: marketing email.url (ID = 130679)
    8:01 PM: prescription drugs rx online.url (ID = 130690)
    8:01 PM: credit report.url (ID = 130669)
    8:01 PM: tahoe vacation rental.url (ID = 130692)
    8:01 PM: escorts.url (ID = 130672)
    8:01 PM: order phentermine.url (ID = 130686)
    8:01 PM: mortgage insurance.url (ID = 130680)
    8:01 PM: personal loans with bad credit.url (ID = 130689)
    8:01 PM: crm software.url (ID = 130670)
    8:01 PM: nevada corporations.url (ID = 130682)
    8:01 PM: unsecured bad credit loans.url (ID = 130693)
    8:01 PM: loan for people with bad credit.url (ID = 130678)
    8:01 PM: broadband comparison.url (ID = 130667)
    8:01 PM: online betting site.url (ID = 130683)
    8:01 PM: online instant loan.url (ID = 130685)
    8:01 PM: a0042131.lnk (ID = 198831)
    8:01 PM: a0042126.lnk (ID = 198831)
    8:02 PM: File Sweep Complete, Elapsed Time: 00:15:56
    8:02 PM: Full Sweep has completed. Elapsed time 00:19:04
    8:02 PM: Traces Found: 439
    8:04 PM: Removal process initiated
    8:05 PM: Quarantining All Traces: 180search assistant/zango
    8:05 PM: Quarantining All Traces: cws_ns3
    8:05 PM: cws_ns3 is in use. It will be removed on reboot.
    8:05 PM: C:\WINDOWS\crnh.exe is in use. It will be removed on reboot.
    8:05 PM: C:\WINDOWS\mfccl32.dll is in use. It will be removed on reboot.
    8:05 PM: C:\WINDOWS\system32\sysls32.dll is in use. It will be removed on reboot.
    8:05 PM: C:\WINDOWS\system32\javaur.dll is in use. It will be removed on reboot.
    8:05 PM: Quarantining All Traces: cws-aboutblank
    8:05 PM: Quarantining All Traces: purityscan
    8:05 PM: purityscan is in use. It will be removed on reboot.
    8:05 PM: installer.exe is in use. It will be removed on reboot.
    8:05 PM: Quarantining All Traces: spysheriff
    8:05 PM: Quarantining All Traces: autospy
    8:05 PM: Quarantining All Traces: bf evolution
    8:05 PM: Quarantining All Traces: coolwebsearch (cws)
    8:05 PM: Quarantining All Traces: cws_tiny0
    8:05 PM: cws_tiny0 is in use. It will be removed on reboot.
    8:05 PM: crlb32.exe is in use. It will be removed on reboot.
    8:05 PM: Quarantining All Traces: internetoptimizer
    8:05 PM: Quarantining All Traces: msn cookie trojan
    8:05 PM: Quarantining All Traces: winad
    8:05 PM: Quarantining All Traces: cws_ns3 hijacker
    8:05 PM: Quarantining All Traces: pc adprotector desktop hijacker
    8:05 PM: Quarantining All Traces: security iguard
    8:05 PM: Quarantining All Traces: shopathomeselect
    8:05 PM: Quarantining All Traces: spysheriff fakealert
    8:05 PM: spysheriff fakealert is in use. It will be removed on reboot.
    8:05 PM: winstall.exe is in use. It will be removed on reboot.
    8:05 PM: Quarantining All Traces: 247realmedia cookie
    8:05 PM: Quarantining All Traces: 2o7.net cookie
    8:05 PM: Quarantining All Traces: about cookie
    8:05 PM: Quarantining All Traces: addynamix cookie
    8:05 PM: Quarantining All Traces: adjuggler cookie
    8:05 PM: Quarantining All Traces: adknowledge cookie
    8:06 PM: Quarantining All Traces: atlas dmt cookie
    8:06 PM: Quarantining All Traces: atwola cookie
    8:06 PM: Quarantining All Traces: azjmp cookie
    8:06 PM: Quarantining All Traces: belnk cookie
    8:06 PM: Quarantining All Traces: bs.serving-sys cookie
    8:06 PM: Quarantining All Traces: clickzs cookie
    8:06 PM: Quarantining All Traces: did-it cookie
    8:06 PM: Quarantining All Traces: go.com cookie
    8:06 PM: Quarantining All Traces: gostats cookie
    8:06 PM: Quarantining All Traces: hbmediapro cookie
    8:06 PM: Quarantining All Traces: kinghost cookie
    8:06 PM: Quarantining All Traces: partypoker cookie
    8:06 PM: Quarantining All Traces: pointroll cookie
    8:06 PM: Quarantining All Traces: precisead cookie
    8:06 PM: Quarantining All Traces: rc cookie
    8:06 PM: Quarantining All Traces: screensavers.com cookie
    8:06 PM: Quarantining All Traces: serving-sys cookie
    8:06 PM: Quarantining All Traces: specificclick.com cookie
    8:06 PM: Quarantining All Traces: starware.com cookie
    8:06 PM: Quarantining All Traces: touchclarity cookie
    8:06 PM: Quarantining All Traces: trafficmp cookie
    8:06 PM: Quarantining All Traces: valuead cookie
    8:06 PM: Quarantining All Traces: xiti cookie
    8:06 PM: Quarantining All Traces: yadro cookie
    8:06 PM: Quarantining All Traces: yieldmanager cookie
    8:10 PM: Preparing to restart your computer. Please wait...
    8:10 PM: Removal process completed. Elapsed time 00:05:38
    ********
    7:40 PM: | Start of Session, Wednesday, January 04, 2006 |
    7:40 PM: Spy Sweeper started
    7:40 PM: Your spyware definitions have been updated.
    7:41 PM: Warning: Failed to load image: C:\WINDOWS\CRNH.EXE
    7:43 PM: | End of Session, Wednesday, January 04, 2006 |

    These scans are helping.
    Thanks
     
  4. Moe83

    Moe83 Thread Starter

    Joined:
    Jan 4, 2006
    Messages:
    5
    Hi,

    I'm unable to paste the ActiveScan reports because the text is too long. Not sure what to do?
     
  5. JSntgRvr

    JSntgRvr Moderator Malware Specialist

    Joined:
    Jul 1, 2003
    Messages:
    18,552
    First Name:
    José

    Click on Post a reply and attach the file.

    Remove the following from your installed programs if they exist:

    PartyPoker
    Imesh


    Click Start > Run > and type in:

    services.msc

    Click OK.

    In the services window find:

    Network Security Service

    Right click and choose "Properties".

    On the "General" tab under "Service Status" click the "Stop" button to stop the service.

    Beside "Startup Type" in the dropdown menu select "Disabled".

    Click Apply then OK.

    Exit the Services utility.

    Note: You may get an error here when trying to access the properties of the service.
    If you do get an error, just select the service and look there in the top left of the main service window and click "Stop" to stop the service. If that gives an error or it is already stopped, just skip this step and proceed with the rest.

    In Hijack This, click on the "Open Misc Tools section" button.
    Next click the "Delete an NT service" button.
    Copy and paste the following in that box:

    11Fßä#·ºÄÖ`I

    (It may not be recognized, but try)

    Click OK.

    Reboot

    Run Hijackthis. Place a checkmark on the following lines and click on Fix Checked:

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R3 - Default URLSearchHook is missing
    O2 - BHO: DownloadRedirect Class - {00000000-6CB0-410C-8C3D-8FA8D2011D0A} - C:\Program Files\iMesh\iMesh5\iMeshBHO.dll
    O2 - BHO: iMeshBar BHO - {5345A7A1-805A-4923-B505-86B2FEBA3FE0} - C:\Program Files\iMeshBar\bar\1.bin\IMESHBAR.DLL
    O3 - Toolbar: iMeshBar - {5345A7A9-805A-4923-B505-86B2FEBA3FE0} - C:\Program Files\iMeshBar\bar\1.bin\IMESHBAR.DLL
    O4 - HKLM\..\Run: [Norton Antivirus 7.0a] C:\Documents and Settings\Administrator\winfw.exe
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)

    Boot the computer in Safe mode. Find and Delete the following files and folders:


    C:\Program Files\iMesh
    C:\Documents and Settings\Administrator\winfw.exe
    C:\Program Files\PartyPoker

    Post back with a fresh HijackThis log and attach the ActiveScan report.
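    The lines José lists above are the kind a helper picks out of a HijackThis log by hand: IE search pages redirected to a local res:// DLL, a missing URLSearchHook, Run entries launching from a user profile folder under a trusted-looking name, and entries whose target file is already gone. The script below is an added example (not part of this thread and not HijackThis's own code) that applies those same checks to a few constructed log lines modelled on the ones posted here; the section-code regex, the path regex, the trusted-directory prefixes and the iMesh/PartyPoker hint list are all assumptions of the example.

    ```python
    import re
    from dataclasses import dataclass


    @dataclass
    class Finding:
        kind: str    # HijackThis section code, e.g. "R1", "O4"
        reason: str  # why the line was flagged
        line: str    # the original log line


    # Constructed sample: a handful of lines modelled on the logs in this thread.
    SAMPLE_LOG = r"""
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\meqpc.dll/sp.html#10001%resultposition.net
    R3 - Default URLSearchHook is missing
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: DownloadRedirect Class - {00000000-6CB0-410C-8C3D-8FA8D2011D0A} - C:\Program Files\iMesh\iMesh5\iMeshBHO.dll
    O4 - HKLM\..\Run: [Norton Antivirus 7.0a] C:\Documents and Settings\Administrator\winfw.exe
    O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
    O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    """

    # HijackThis entry lines start with a section code (R0-R3, F0-F3, N1-N4, O1-O24).
    ENTRY_RE = re.compile(r"^(?P<kind>[RFNO]\d+) - (?P<body>.*)$")
    # A Windows path ending in a loadable module; works inside quotes and after res://.
    PATH_RE = re.compile(r'([A-Za-z]:\\[^"]*?\.(?:exe|dll|ocx|cab))', re.IGNORECASE)

    # Programs the thread says to uninstall (assumed hint list, lower-case substrings).
    UNWANTED_HINTS = ("imesh", "partypoker")
    # Directories from which an autorun entry is normally expected to launch (assumption).
    TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\progra~1\\", "c:\\windows\\")


    def parse_entries(log_text):
        """Yield (kind, body, line) for each entry line, skipping headers and blanks."""
        for raw in log_text.splitlines():
            line = raw.strip()
            m = ENTRY_RE.match(line)
            if m:
                yield m.group("kind"), m.group("body"), line


    def triage(log_text):
        """Return the entries a helper would mark for 'Fix Checked', with a reason each."""
        findings = []
        for kind, body, line in parse_entries(log_text):
            lower = body.lower()
            path_m = PATH_RE.search(body)
            path = path_m.group(1).lower() if path_m else None

            if kind in ("R0", "R1") and "res://" in lower:
                findings.append(Finding(kind, "IE start/search page redirected to a local DLL resource (CoolWebSearch-style hijack)", line))
            elif kind in ("R0", "R1") and "about:blank" in lower:
                findings.append(Finding(kind, "default page set to about:blank, typically left behind by a hijacker", line))
            elif kind == "R3" and "is missing" in lower:
                findings.append(Finding(kind, "URLSearchHook missing; fixing restores the default", line))
            elif "(file missing)" in lower:
                findings.append(Finding(kind, "entry points at a file that no longer exists (orphaned)", line))
            elif kind == "O4" and path and not path.startswith(TRUSTED_PREFIXES):
                findings.append(Finding(kind, "autorun executable outside Program Files/Windows: " + path, line))
            elif any(h in lower for h in UNWANTED_HINTS):
                findings.append(Finding(kind, "component of a program the thread says to uninstall", line))
        return findings


    if __name__ == "__main__":
        for f in triage(SAMPLE_LOG):
            print(f"{f.kind}: {f.reason}\n    {f.line}")
    ```

    Note that the Acrobat BHO, the Spy Sweeper Run entry and the McAfee service pass untouched: a line is only flagged when a concrete indicator is present, which is the discipline that keeps "Fix Checked" from removing legitimate software.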
     
  6. Moe83

    Moe83 Thread Starter

    Joined:
    Jan 4, 2006
    Messages:
    5
    New HijackThis log:

    Logfile of HijackThis v1.99.1
    Scan saved at 1:03:30 PM, on 1/5/2006
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Hijackthis\HijackThis.exe

    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
    O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-ca\msntb.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-ca\msntb.dll
    O4 - HKLM\..\Run: [LXBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBTtime.dll,[email protected]
    O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\McAfee.com\Agent\mcregwiz.exe /autorun
    O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
    O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
    O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: lxbt_device - Lexmark International, Inc. - C:\WINDOWS\System32\lxbtcoms.exe
    O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
    O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
     

    Attached Files:

  7. JSntgRvr

    JSntgRvr Moderator Malware Specialist

    Joined:
    Jul 1, 2003
    Messages:
    18,552
    First Name:
    José
    Remove Spyfighter from your installed programs as it is considered a bogus program.


    Boot in Safe Mode.

    Delete the following folder:

    C:\Program Files\SpyFighter

    Delete the following files:

    C:\WINDOWS\system32\mscb.exe
    C:\WINDOWS\sdkad32.exe
    C:\Documents and Settings\Administrator\reg.exe

    C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\8pyfs3wo.default\cookies.txt

    Clear this Folder from any files and folders:

    C:\Documents and Settings\Administrator\Cookies

    How is the computer doing?
     
  8. Moe83

    Moe83 Thread Starter

    Joined:
    Jan 4, 2006
    Messages:
    5
    Hi,

    The computer is running a lot better thanks to you....thank you. I deleted Party Poker and Spy Fighter from my computer but when I go to Add/Remove Programs in the Control Panel they are still showing up and I can't get rid of them??????

    Also, I'm unable to change the background on my desktop and occasionally at night when I go to turn my computer off it won't shut down????

    Other than that the computer is clear of any viruses or spyware.
     
  9. JSntgRvr

    JSntgRvr Moderator Malware Specialist

    Joined:
    Jul 1, 2003
    Messages:
    18,552
    First Name:
    José
    You can remove those entries from the registry:

    http://support.microsoft.com/default.aspx?scid=kb;en-us;310750&Product=winxp

    I do not understand what you are saying above, but just in case it is due to a hijacker, let's try this:

    Click here to download smitRem.exe:

    http://noahdfear.geekstogo.com/click counter/click.php?id=1

    *Save the file to your desktop.
    *It is a self extracting file.
    *Doubleclick the smitRem.exe and it will extract the files to a smitRem folder on your desktop.
    *Do not do anything with it yet. You will run the RunThis.bat file later in safe mode

    * Now copy these instructions to notepad and save them to your desktop. You will need them to refer to in safe mode.

    * Restart your computer into safe mode now.

    http://service1.symantec.com/SUPPOR...2001052409420406?OpenDocument&src=sec_doc_nam

    Perform the following steps in safe mode:

    * Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.

    Wait for the tool to complete and disk cleanup to finish.

    * Go to Control Panel > Internet Options. Click on the Programs tab, then click the "Reset Web Settings" button. Click Apply then OK.

    * Next go to Control Panel > Display. Click on the "Desktop" tab then click the "Customize Desktop" button. Click on the "Web" tab. Under "Web Pages" you should see an entry checked called something like "Security info" or similar. If it is there, select that entry and click the "Delete" button. Click OK then Apply and OK.

    * Restart back into Windows normally now.

    Download Luna.zip:

    http://castlecops.com/zx/flrman1/luna.zip

    Download it and unzip it to extract the luna.msstyles file it contains. Copy the luna.msstyles file to the C:\WINDOWS\Resources\Themes\Luna folder.

    Restart your machine and go to Display Properties and you should be able to choose the XP theme again.

    Keep me posted!
     
  10. JSntgRvr

    JSntgRvr Moderator Malware Specialist

    Joined:
    Jul 1, 2003
    Messages:
    18,552
    First Name:
    José
    I just realized that your system is not patched. You must obtain the latest Windows Updates.
     
Short URL to this thread: https://techguy.org/431147