Not sure what this is...


SpharX

Thread Starter
I have some weird trojan, when I had Norton Antivirus installed, it brought like dozens of popups on my screen saying 'Scanning Message.' I think it was sending spam mail from my computer and winlogon.exe's CPU usage was constantly around 90%, it slowed down my PC a lot. I uninstalled NAV and got AVG, I also scanned for spyware with Ad-Aware, Spybot and Xoftspy, they also detected VX2. But right now the winlogon.exe's CPU usage hops from 0% to 99% every like 30 seconds or so and freezes everything for about 10 seconds, it's really annoying. I ran L2mfix and Hijack This, I've included the logs. I hope you guys can help!

( Oh, my PC is probably full of crap, but please, bear with me. :eek: )

L2MFIX

L2MFIX find log 121605
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\msctl32.dll]
"DllName"="C:\\WINDOWS\\System32\\msctl32.dll"
"Startup"="Startup"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WB]
"Asynchronous"=dword:00000000
"DllName"="C:\\PROGRA~1\\Stardock\\OBJECT~1\\WINDOW~1\\fastload.dll"
"Startup"="StartSys"
"Logon"="StartWB"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{2F5AC606-70CF-461C-BFE1-734234536262}"="WindowBlinds CPL Extension"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{1CDB2949-8F65-4355-8456-263E7C208A5D}"="Desktop Explorer"
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}"="Desktop Explorer Menu"
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}"="nView Desktop Context Menu"
"{63542C48-9552-494A-84F7-73AA6A7C99C1}"="OpenOffice Property Sheet Handler"
"{A70C977A-BF00-412C-90B7-034C51DA2439}"="NvCpl DesktopContext Class"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{ED65AB21-B24F-11d3-BA80-00C0CA16AA37}"="Mobile"
"{ED65AB22-B24F-11d3-BA80-00C0CA16AA37}"="Mobile ContextMenuHandler"
"{ED65AB23-B24F-11d3-BA80-00C0CA16AA37}"="Mobile PropertySheetHandler"
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}"="Play on my TV helper"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{5E2121EE-0300-11D4-8D3B-444553540000}"="Catalyst Context Menu extension"
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"="AVG7 Shell Extension"
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}"="AVG7 Find Extension"

**********************************************************************************
HKEY ROOT CLASSIDS:
**********************************************************************************
Files Found are not all bad files:
One or more CON code pages invalid for given keyboard code

C:\WINDOWS\SYSTEM32\
msctl32.dll Fri Dec 23 2005 12:39:56p A.... 42,496 41.50 K
s32evnt1.dll Thu Dec 1 2005 12:14:20p A.... 86,091 84.07 K
sirenacm.dll Thu Oct 13 2005 2:11:06a A.... 118,784 116.00 K
zlbw.dll Fri Dec 23 2005 12:40:24p A.... 46,592 45.50 K

4 items found: 4 files, 0 directories.
Total of file sizes: 293,963 bytes 287.07 K
Locate .tmp files:

No matches found.
**********************************************************************************
Directory Listing of system files:
Volume in drive C is Local Disk
Volume Serial Number is 60F1-3B17

Directory of C:\WINDOWS\System32

23.12.2005 21:25 <DIR> dllcache
27.11.2003 22:49 <DIR> Microsoft
0 File(s) 0 bytes
2 Dir(s) 2 386 710 528 bytes free

Hijack This

Logfile of HijackThis v1.99.1
Scan saved at 23:22:18, on 25.12.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
D:\Alias\Maya7.0\docs\wrapper.exe
C:\Program Files\Norton Utilities\NPROTECT.EXE
D:\Alias\Maya7.0\docs\jre\bin\java.exe
C:\Program Files\Speed Disk\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Winamp5\winamp.exe
F:\rauno\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neti.ee/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neti.ee/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
O2 - BHO: DAPBHO Class - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE} - C:\Program Files\DAP\DAPIEBar.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: BagsTypeInfo - {885BD150-E7D4-6376-FE75-EFD64FC4771B} - C:\PROGRA~1\THIRDB~1\Traytrust.dll (file missing)
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O3 - Toolbar: Logo Rule Proxy - {337E8A26-6D92-88A7-65C3-7AD08A9C5A34} - C:\PROGRA~1\THIRDB~1\Traytrust.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [msie] msie.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [timessquare] C:\windows\timessquare.exe
O4 - HKLM\..\Run: [adtech2006] C:\windows\adtech2006a.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunServices: [msie] msie.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [aupd] C:\WINDOWS\System32\sywsvcs.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: Shortcut to ovktest.lnk = F:\rauno\ovktest\ovktest.exe
O4 - Startup: Shortcut to YzDock.lnk = C:\Program Files\yz_dck0083\YzDock.exe
O4 - Startup: speedfan.lnk = C:\Program Files\SpeedFan\speedfan.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Broken Internet access because of LSP provider 'xfire_lsp_9733.dll' missing
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.1.1.74.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1122751540359
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} - http://download.rfwnad.com/cab/crack.CAB
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: msctl32.dll - C:\WINDOWS\System32\msctl32.dll
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: ISEXEng - Unknown owner - C:\WINDOWS\System32\angelex.exe (file missing)
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Maya 7.0 Documentation Server (maya70docserver) - Unknown owner - D:\Alias\Maya7.0\docs\wrapper.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\Program Files\Speed Disk\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe



Thanks, in advance!
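The Winlogon\Notify keys dumped by L2MFIX above are the part of this log worth understanding: every package listed there is a DLL that winlogon.exe loads into its own process at logon, so a bad package shows up as winlogon.exe burning CPU, exactly the symptom described. The following is an added example, not part of the thread and not code from L2MFIX, HijackThis or SpySweeper. It parses a regedit 5.00 export of that key (the sample text is constructed from four of the entries above), decodes the hex(2) REG_EXPAND_SZ values, and sorts each package into "stock" or "review" against a baseline of the notify DLLs that ship with Windows XP; that baseline is an assumption of the example, so "review" means an analyst should look, not that the file is malicious.

```python
"""Triage Winlogon\\Notify packages from a .reg export (added example)."""
import re

# Assumed baseline (not from the thread): notify DLLs that ship with Windows XP.
STOCK_XP_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll",
                        "wlnotify.dll", "sclgntfy.dll"}

NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

# Constructed sample in regedit 5.00 export layout, built from four of the
# entries in the L2MFIX dump (two stock, one third-party, one flagged).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\msctl32.dll]
"DllName"="C:\\WINDOWS\\System32\\msctl32.dll"
"Startup"="Startup"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WB]
"Asynchronous"=dword:00000000
"DllName"="C:\\PROGRA~1\\Stardock\\OBJECT~1\\WINDOW~1\\fastload.dll"
"Startup"="StartSys"
"""


def _decode_value(raw):
    """Turn the right-hand side of a .reg line into a Python value."""
    if raw.startswith('"') and raw.endswith('"'):
        # REG_SZ: regedit escapes backslashes and quotes with a backslash
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    m = re.match(r"hex(?:\((\d+)\))?:(.*)$", raw)
    if m:
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
        if m.group(1) == "2":
            # hex(2) is REG_EXPAND_SZ: UTF-16LE bytes with a trailing NUL
            return data.decode("utf-16-le").rstrip("\x00")
        return data
    return raw


def parse_reg_export(text):
    """Return {key_path: {value_name: value}} for every [key] section."""
    logical, buf = [], ""
    for line in text.splitlines():
        line = buf + line.strip()
        buf = ""
        if line.endswith("\\"):          # hex data continues on the next line
            buf = line[:-1]
            continue
        logical.append(line)
    keys, current = {}, None
    for line in logical:
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None:
            m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
            if m:
                keys[current][m.group(1)] = _decode_value(m.group(2))
    return keys


def triage_notify_packages(keys, system32=r"C:\WINDOWS\System32"):
    """Yield (subkey, resolved DLL path, verdict) for each Notify package."""
    prefix = NOTIFY_KEY.lower() + "\\"
    findings = []
    for path, values in keys.items():
        if not path.lower().startswith(prefix):
            continue
        subkey = path[len(prefix):]
        # winlogon treats the value name case-insensitively (DllName / DLLName)
        dll = next((v for k, v in values.items() if k.lower() == "dllname"), None)
        if dll is None:
            findings.append((subkey, None, "review: no DllName value"))
            continue
        # A bare file name is loaded from the system directory; a full path
        # can point anywhere, so it is checked by file name only.
        full_path = dll if "\\" in dll else system32 + "\\" + dll
        basename = full_path.rsplit("\\", 1)[-1].lower()
        if basename in STOCK_XP_NOTIFY_DLLS and "\\" not in dll:
            verdict = "stock"
        else:
            verdict = "review: not a stock XP notify DLL"
        findings.append((subkey, full_path, verdict))
    return findings


if __name__ == "__main__":
    for subkey, path, verdict in triage_notify_packages(parse_reg_export(SAMPLE_REG)):
        print(f"{subkey:14} {verdict:38} {path}")
```

Run against the full dump above, the same pass would leave AtiExtEvent (Ati2evxx.dll) and WB (WindowBlinds) in "review" alongside msctl32.dll, which is the point: the baseline only tells you what is Windows; separating a legitimate driver hook from a trojan still takes a look at the file itself (vendor, signature, timestamp), and msctl32.dll stands out in the L2MFIX file list by its creation date and by having no vendor at all.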
 

dvk01

Derek
Retired Moderator Retired Malware Specialist
Please download WebRoot SpySweeper from HERE (It's a 2 week trial):
  • Click the Free Trial link under "Downloads/SpySweeper" to download the program.
  • Install it. Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
  • Once the definitions are installed, click Options on the left side.
  • Click the Sweep Options tab.
  • Under What to Sweep please put a check next to the following:
      • Sweep Memory
      • Sweep Registry
      • Sweep Cookies
      • Sweep All User Accounts
      • Enable Direct Disk Sweeping
      • Sweep Contents of Compressed Files
      • Sweep for Rootkits
  • Please UNCHECK Do not Sweep System Restore Folder.
  • Click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply.
Also post a new Hijack This log.
 

SpharX

Thread Starter
Ok, this might sound weird, but when it finished the scan, I selected all of them and clicked delete, my computer started slowing down a lot until nothing worked, explorer.exe crashed, I could not bring up the task manager, IE and SpySweeper froze, only MSN, Winamp and my mouse responded. I waited a good half an hour for it to come back until I pressed the Reset button. Should I re-scan?

Thanks for your help!
 

SpharX

Thread Starter
Oh, looks like it still saved a log file and left some files in the Quarantine.

The log is as follows:

********
23:34: | Start of Session, 25. detsember 2005. a. |
23:34: Spy Sweeper started
23:34: Sweep initiated using definitions version 589
23:34: Found Trojan Horse: trojan-downloader-hochladen
23:34: HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\msctl32.dll\ || dllname (ID = 1042376)
23:34: msctl32.dll (ID = 1042376)
23:34: Starting Memory Sweep
23:39: Memory Sweep Complete, Elapsed Time: 00:05:01
23:39: Starting Registry Sweep
23:39: Found Adware: adlogix
23:39: HKCR\interface\{2bdb4da9-94fe-4034-aac5-ceecdcb3a33b}\ (8 subtraces) (ID = 102893)
23:39: HKCR\interface\{4d8e41a8-ec1f-4c53-a10d-9120232c71bb}\ (8 subtraces) (ID = 102894)
23:39: HKLM\software\classes\interface\{2bdb4da9-94fe-4034-aac5-ceecdcb3a33b}\ (8 subtraces) (ID = 103008)
23:39: HKLM\software\classes\interface\{4d8e41a8-ec1f-4c53-a10d-9120232c71bb}\ (8 subtraces) (ID = 103009)
23:39: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/test.ocx\ (2 subtraces) (ID = 103108)
23:39: Found Adware: exact cashback/bargain buddy
23:39: HKLM\system\currentcontrolset\services\isexeng\ (12 subtraces) (ID = 104034)
23:39: Found Adware: blazefind
23:39: HKLM\software\microsoft\windows\currentversion\uninstall\windows sr 2.0\ (4 subtraces) (ID = 104552)
23:39: Found Adware: radlight divx player
23:39: HKCR\radlightfile\ (5 subtraces) (ID = 139212)
23:39: HKLM\software\classes\radlightfile\ (5 subtraces) (ID = 139215)
23:39: Found Adware: directrevenue-abetterinternet
23:39: HKLM\software\microsoft\windows\currentversion\uninstall\dbi\ (2 subtraces) (ID = 146119)
23:39: Found Adware: cws_secure32.html hijack
23:39: HKLM\software\microsoft\internet explorer\main\ || local page (ID = 946024)
23:39: HKLM\software\microsoft\internet explorer\main\ || default_page_url (ID = 946027)
23:39: Found Adware: multidial
23:39: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/system32/mfc42.dll\ || {e8edb60c-951e-4130-93dc-faf1ad25f8e7} (ID = 956093)
23:39: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/system32/msvcrt.dll\ || {e8edb60c-951e-4130-93dc-faf1ad25f8e7} (ID = 956095)
23:39: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/system32/olepro32.dll\ || {e8edb60c-951e-4130-93dc-faf1ad25f8e7} (ID = 956097)
23:39: Found Adware: dollarrevenue
23:39: HKLM\software\microsoft\windows\currentversion\run\ || timessquare (ID = 1004206)
23:39: HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\msctl32.dll\ (4 subtraces) (ID = 1021403)
23:39: Found Adware: adtech
23:39: HKLM\software\microsoft\windows\currentversion\run\ || adtech2006 (ID = 1036654)
23:39: Found Adware: internetoptimizer
23:39: HKU\WRSS_Profile_S-1-5-21-1482476501-2111687655-854245398-501\software\avenue media\ (8 subtraces) (ID = 128887)
23:39: Found Adware: 180search assistant/zango
23:39: HKU\WRSS_Profile_S-1-5-21-1482476501-2111687655-854245398-501\software\180solutions\ (9 subtraces) (ID = 135617)
23:39: Found Adware: netpal
23:39: HKU\WRSS_Profile_S-1-5-21-1482476501-2111687655-854245398-501\software\destiny\ (7 subtraces) (ID = 135910)
23:39: Found Adware: sidesearch
23:39: HKU\WRSS_Profile_S-1-5-21-1482476501-2111687655-854245398-501\software\microsoft\internet explorer\extensions\cmdmapping\ || {000007c6-17df-4438-92a4-de5537471ba3} (ID = 530423)
23:39: HKU\WRSS_Profile_S-1-5-21-1482476501-2111687655-854245398-1005\software\avenue media\ (3 subtraces) (ID = 128887)
23:39: HKU\WRSS_Profile_S-1-5-21-1482476501-2111687655-854245398-1005\software\180solutions\ (10 subtraces) (ID = 135617)
23:39: Found Adware: ebates money maker
23:39: HKU\S-1-5-21-1482476501-2111687655-854245398-1004\software\microsoft\internet explorer\extensions\cmdmapping\ || {6685509e-b47b-4f47-8e16-9a5f3a62f683} (ID = 125587)
23:39: Found Adware: ist sidefind
23:39: HKU\S-1-5-21-1482476501-2111687655-854245398-1004\software\microsoft\internet explorer\extensions\cmdmapping\ || {10e42047-deb9-4535-a118-b3f6ec39b807} (ID = 141778)
23:39: Found Trojan Horse: trojan-backdoor-securemulti
23:39: HKU\S-1-5-21-1482476501-2111687655-854245398-1004\software\microsoft\windows\currentversion\run\ || aupd (ID = 743915)
23:39: HKU\S-1-5-21-1482476501-2111687655-854245398-1004\software\microsoft\windows\currentversion\run\ || aupd (ID = 766565)
23:39: HKU\S-1-5-21-1482476501-2111687655-854245398-1004\software\microsoft\internet explorer\main\ || local page (ID = 946022)
23:39: HKU\S-1-5-21-1482476501-2111687655-854245398-1004\software\microsoft\internet explorer\main\ || default_page_url (ID = 946026)
23:39: Found Trojan Horse: trojan-backdoor-zubox
23:39: HKU\S-1-5-21-1482476501-2111687655-854245398-1004\software\microsoft\windows\currentversion\policies\explorer\run\ || 1 (ID = 1059346)
23:39: Found Adware: couldnotfind.com hijack
23:39: HKU\WRSS_Profile_S-1-5-21-1482476501-2111687655-854245398-1003\software\microsoft\internet explorer\main\ || search page (ID = 105310)
23:39: HKU\WRSS_Profile_S-1-5-21-1482476501-2111687655-854245398-1003\software\microsoft\internet explorer\main\ || search bar (ID = 105311)
23:39: HKU\WRSS_Profile_S-1-5-21-1482476501-2111687655-854245398-1003\software\microsoft\internet explorer\search\ || searchassistant (ID = 105312)
23:39: Found Adware: clocksync
23:39: HKU\WRSS_Profile_S-1-5-21-1482476501-2111687655-854245398-1003\software\whenu\clocksync\ (16 subtraces) (ID = 106140)
23:39: HKU\WRSS_Profile_S-1-5-21-1482476501-2111687655-854245398-1003\software\microsoft\windows\currentversion\run\ || clocksync (ID = 106141)
23:39: Found Adware: cws-aboutblank
23:39: HKU\WRSS_Profile_S-1-5-21-1482476501-2111687655-854245398-1003\software\microsoft\internet explorer\main\ || search page_bak (ID = 115925)
23:39: Found Adware: ist software
23:39: HKU\WRSS_Profile_S-1-5-21-1482476501-2111687655-854245398-1003\software\microsoft\internet explorer\toolbar\webbrowser\ || {5f1abcdb-a875-46c1-8345-b72a4567e486} (ID = 127195)
23:39: HKU\WRSS_Profile_S-1-5-21-1482476501-2111687655-854245398-1003\software\avenue media\ (ID = 128887)
23:39: HKU\WRSS_Profile_S-1-5-21-1482476501-2111687655-854245398-1003\software\ist\ (2 subtraces) (ID = 129108)
23:39: Found Adware: ist istbar
23:39: HKU\WRSS_Profile_S-1-5-21-1482476501-2111687655-854245398-1003\software\istbar\ (ID = 129109)
23:39: Found Adware: whenu
23:39: HKU\WRSS_Profile_S-1-5-21-1482476501-2111687655-854245398-1003\software\whenu\ (17 subtraces) (ID = 140455)
23:39: HKU\WRSS_Profile_S-1-5-21-1482476501-2111687655-854245398-1003\software\microsoft\internet explorer\extensions\cmdmapping\ || {000007c6-17df-4438-92a4-de5537471ba3} (ID = 530423)
23:39: HKU\WRSS_Profile_S-1-5-21-1482476501-2111687655-854245398-1003\software\microsoft\internet explorer\main\ || search page_bak (ID = 774883)
23:39: Found Adware: mindset interactive - favoriteman
23:39: HKU\WRSS_Profile_S-1-5-21-1482476501-2111687655-854245398-1003\software\microsoft\windows\ || server (ID = 1025299)
23:39: Registry Sweep Complete, Elapsed Time:00:00:28
23:39: Starting Cookie Sweep
23:39: Found Spy Cookie: 2o7.net cookie
23:39: guest@112.2o7[2].txt (ID = 1958)
23:39: guest@2o7[1].txt (ID = 1957)
23:39: Found Spy Cookie: 3 cookie
23:39: guest@3[1].txt (ID = 1959)
23:39: Found Spy Cookie: 888 cookie
23:39: guest@888[2].txt (ID = 2019)
23:39: Found Spy Cookie: bannerbank cookie
23:39: guest@ad6.bannerbank[1].txt (ID = 2281)
23:39: Found Spy Cookie: gorillanation cookie
23:39: guest@ads.gorillanation[1].txt (ID = 2744)
23:39: Found Spy Cookie: ads.rampidads.com cookie
23:39: guest@ads.rampidads[2].txt (ID = 2125)
23:39: Found Spy Cookie: adtech cookie
23:39: guest@adtech[2].txt (ID = 2155)
23:39: Found Spy Cookie: advertising cookie
23:39: guest@advertising[1].txt (ID = 2175)
23:39: Found Spy Cookie: falkag cookie
23:39: guest@as-eu.falkag[1].txt (ID = 2650)
23:39: guest@as1.falkag[1].txt (ID = 2650)
23:39: Found Spy Cookie: atlas dmt cookie
23:39: guest@atdmt[2].txt (ID = 2253)
23:39: Found Spy Cookie: lopdotcom cookie
23:39: guest@ayb.lop[1].txt (ID = 2934)
23:39: Found Spy Cookie: 180solutions cookie
23:39: guest@bis.180solutions[2].txt (ID = 1929)
23:39: guest@bisads.180solutions[1].txt (ID = 1931)
23:39: Found Spy Cookie: zedo cookie
23:39: guest@c2.zedo[1].txt (ID = 3763)
23:39: Found Spy Cookie: centrport net cookie
23:39: guest@centrport[1].txt (ID = 2374)
23:39: Found Spy Cookie: cnt cookie
23:39: guest@cnt[1].txt (ID = 2422)
23:39: Found Spy Cookie: dbbsrv cookie
23:39: guest@dbbsrv[1].txt (ID = 2499)
23:39: Found Spy Cookie: teensearchbar cookie
23:39: guest@exits.teensearchbar[2].txt (ID = 3508)
23:39: Found Spy Cookie: gator cookie
23:39: guest@gator[1].txt (ID = 2722)
23:39: Found Spy Cookie: goclick cookie
23:39: guest@goclick[1].txt (ID = 2732)
23:39: Found Spy Cookie: go.com cookie
23:39: guest@go[1].txt (ID = 2728)
23:39: Found Spy Cookie: hitmgt cookie
23:39: guest@hitmgt[1].txt (ID = 2787)
23:39: Found Spy Cookie: hotlog cookie
23:39: guest@hotlog[2].txt (ID = 2801)
23:39: Found Spy Cookie: kinghost cookie
23:39: guest@kinghost[2].txt (ID = 2903)
23:39: guest@lop[2].txt (ID = 2936)
23:39: Found Spy Cookie: offeroptimizer cookie
23:39: guest@offeroptimizer[2].txt (ID = 3087)
23:39: Found Spy Cookie: overture cookie
23:39: guest@overture[1].txt (ID = 3105)
23:39: Found Spy Cookie: paycounter cookie
23:39: guest@paycounter[1].txt (ID = 3115)
23:39: Found Spy Cookie: wegcash cookie
23:39: guest@programs.wegcash[2].txt (ID = 3682)
23:39: Found Spy Cookie: qksrv cookie
23:39: guest@qksrv[1].txt (ID = 3213)
23:39: Found Spy Cookie: questionmarket cookie
23:39: guest@questionmarket[2].txt (ID = 3217)
23:39: guest@red01.as-eu.falkag[1].txt (ID = 2650)
23:39: Found Spy Cookie: revenue.net cookie
23:39: guest@revenue[2].txt (ID = 3257)
23:39: Found Spy Cookie: servedby advertising cookie
23:39: guest@servedby.advertising[1].txt (ID = 3335)
23:39: Found Spy Cookie: sexlist cookie
23:39: guest@sexlist[1].txt (ID = 3353)
23:39: guest@sextracker[1].txt (ID = 3361)
23:39: guest@soccernet.espn.go[2].txt (ID = 2729)
23:39: Found Spy Cookie: spylog cookie
23:39: guest@spylog[2].txt (ID = 3415)
23:39: Found Spy Cookie: webtrendslive cookie
23:39: guest@statse.webtrendslive[2].txt (ID = 3667)
23:39: Found Spy Cookie: targetnet cookie
23:39: guest@targetnet[2].txt (ID = 3489)
23:39: Found Spy Cookie: tickle cookie
23:39: guest@tickle[1].txt (ID = 3529)
23:39: Found Spy Cookie: toplist cookie
23:39: guest@toplist[1].txt (ID = 3557)
23:39: Found Spy Cookie: tradedoubler cookie
23:39: guest@tradedoubler[1].txt (ID = 3575)
23:39: Found Spy Cookie: tripod cookie
23:39: guest@tripod[2].txt (ID = 3591)
23:39: Found Spy Cookie: freemoviesanddownloads cookie
23:39: guest@www.freemoviesanddownloads[2].txt (ID = 2701)
23:39: Found Spy Cookie: naughtyplayer cookie
23:39: guest@www.naughtyplayer[2].txt (ID = 3058)
23:39: guest@www.teensearchbar[2].txt (ID = 3508)
23:39: Found Spy Cookie: paypopup cookie
23:39: guest@www1.paypopup[1].txt (ID = 3120)
23:39: guest@www4.paypopup[1].txt (ID = 3120)
23:39: guest@xadso.offeroptimizer[2].txt (ID = 3088)
23:39: Found Spy Cookie: xiti cookie
23:39: guest@xiti[1].txt (ID = 3717)
23:39: Found Spy Cookie: adserver cookie
23:39: guest@z1.adserver[1].txt (ID = 2142)
23:39: guest@zedo[2].txt (ID = 3762)
23:39: administrator@atdmt[1].txt (ID = 2253)
23:39: Found Spy Cookie: yieldmanager cookie
23:39: rauno@ad.yieldmanager[1].txt (ID = 3751)
23:39: Found Spy Cookie: banner cookie
23:39: rauno@banner[1].txt (ID = 2276)
23:39: Found Spy Cookie: belnk cookie
23:39: rauno@belnk[1].txt (ID = 2292)
23:39: Found Spy Cookie: burstnet cookie
23:39: rauno@burstnet[2].txt (ID = 2336)
23:39: rauno@dist.belnk[2].txt (ID = 2293)
23:39: Found Spy Cookie: statcounter cookie
23:39: rauno@statcounter[2].txt (ID = 3447)
23:39: Cookie Sweep Complete, Elapsed Time: 00:00:01
23:39: Starting File Sweep
23:40: Found Adware: clearsearch
23:40: c:\documents and settings\guest\local settings\temp\clrsch (ID = -2147481250)
23:40: c:\documents and settings\raigo\start menu\programs\clocksync (1 subtraces) (ID = -2147481241)
23:40: Found Adware: bullguard popup ad
23:40: c:\windows\temp\bullguard (1 subtraces) (ID = -2147476409)
23:40: c:\documents and settings\kristi\local settings\temp\clrsch (ID = -2147481250)
23:41: lycos sidesearch.lnk (ID = 76058)
23:41: clocksync.lnk (ID = 53208)
23:41: Found Adware: spysheriff
23:41: secure32.html (ID = 184319)
23:41: secure32.html (ID = 184319)
23:43: a0096379.dll (ID = 134956)
23:46: a0096374.exe (ID = 83453)
23:46: The Spy Communication shield has blocked access to:
23:46: The Spy Communication shield has blocked access to:
23:50: lycos sidesearch.lnk (ID = 76058)
23:50: test.inf (ID = 49247)
23:54: a0096373.dll (ID = 51367)
0:02: bulldownload.exe (ID = 52017)
0:15: The Spy Communication shield has blocked access to:
0:15: The Spy Communication shield has blocked access to:
0:15: The Spy Communication shield has blocked access to:
0:15: The Spy Communication shield has blocked access to:
0:22: Warning: Failed to open file "c:\documents and settings\rauno\local settings\temporary internet files\content.ie5\wpo38f4r\i.p.replyall[1].gif". The system cannot find the file specified
0:23: polall1r.inf (ID = 83425)
0:23: Found Adware: comet cursor
0:23: cc.inf (ID = 53467)
0:24: gamehouse games.url (ID = 70891)
0:24: big fish games.url (ID = 70885)
0:24: flyordie games.url (ID = 70890)
0:24: big fish games.url (ID = 70885)
0:24: flyordie games.url (ID = 70890)
0:24: belt.inf (ID = 83154)
0:24: biini.inf (ID = 83199)
0:33: Found System Monitor: potentially rootkit-masked files
0:33: 00005409. (ID = 0)
0:33: 00017040. (ID = 0)
0:33: 00017042. (ID = 0)
0:33: 00000771. (ID = 0)
0:33: 00000776. (ID = 0)
0:33: 00004579. (ID = 0)
0:33: 00004588. (ID = 0)
0:33: 00004589. (ID = 0)
0:34: 00004557. (ID = 0)
0:34: 00004562. (ID = 0)
0:34: 00004570. (ID = 0)
0:34: 00000960. (ID = 0)
0:34: 00000923. (ID = 0)
0:34: 00004512. (ID = 0)
0:34: 00004514. (ID = 0)
0:34: 00017185. (ID = 0)
0:34: 00004519. (ID = 0)
0:34: 00004544. (ID = 0)
0:34: 00017249. (ID = 0)
0:34: 00017207. (ID = 0)
0:34: 00004440. (ID = 0)
0:34: 00004459. (ID = 0)
0:34: 00005714. (ID = 0)
0:34: 00005718. (ID = 0)
0:34: 00005758. (ID = 0)
0:34: 00005761. (ID = 0)
0:34: 00005785. (ID = 0)
0:34: 00005829. (ID = 0)
0:34: 00005830. (ID = 0)
0:34: 00005838. (ID = 0)
0:34: 00005865. (ID = 0)
0:34: 00005896. (ID = 0)
0:34: 00005902. (ID = 0)
0:34: 00005923. (ID = 0)
0:34: 00005927. (ID = 0)
0:35: 00005926. (ID = 0)
0:35: 00005937. (ID = 0)
0:35: 00005938. (ID = 0)
0:35: 00005978. (ID = 0)
0:35: 00006006. (ID = 0)
0:35: 00006036. (ID = 0)
0:35: 00006038. (ID = 0)
0:35: 00002581. (ID = 0)
0:35: 00002693. (ID = 0)
0:35: 00002773. (ID = 0)
0:35: 00002791. (ID = 0)
0:35: 00002801. (ID = 0)
0:35: 00002807. (ID = 0)
0:35: 00017218. (ID = 0)
0:35: 00017219. (ID = 0)
0:35: 00000042. (ID = 0)
0:35: 00004383. (ID = 0)
0:35: 00004406. (ID = 0)
0:35: 00006051. (ID = 0)
0:35: 00006074. (ID = 0)
0:35: 00006081. (ID = 0)
0:35: 00001899. (ID = 0)
0:35: 00001082. (ID = 0)
0:35: 00000869. (ID = 0)
0:35: 00000924. (ID = 0)
0:35: 00000860. (ID = 0)
0:35: 00006130. (ID = 0)
0:36: 00006151. (ID = 0)
0:36: 00006159. (ID = 0)
0:36: 00006177. (ID = 0)
0:36: 00006196. (ID = 0)
0:36: 00006207. (ID = 0)
0:36: 00006235. (ID = 0)
0:36: 00006223. (ID = 0)
0:36: 00006224. (ID = 0)
0:36: 00006241. (ID = 0)
0:36: 00006256. (ID = 0)
0:36: 00006307. (ID = 0)
0:36: 00006312. (ID = 0)
0:36: 00006361. (ID = 0)
0:36: 00006362. (ID = 0)
0:36: 00006366. (ID = 0)
0:36: 00006385. (ID = 0)
0:36: 00006396. (ID = 0)
0:36: 00006410. (ID = 0)
0:36: 00004547. (ID = 0)
0:36: 00006442. (ID = 0)
0:36: 00006449. (ID = 0)
0:36: 00006475. (ID = 0)
0:36: 00006485. (ID = 0)
0:36: 00006529. (ID = 0)
0:36: 00006540. (ID = 0)
0:36: 00006543. (ID = 0)
0:36: 00006564. (ID = 0)
0:36: 00006554. (ID = 0)
0:36: 00006559. (ID = 0)
0:36: 00006563. (ID = 0)
0:36: 00006569. (ID = 0)
0:36: 00006574. (ID = 0)
0:36: 00006617. (ID = 0)
0:36: 00006619. (ID = 0)
0:36: 00006629. (ID = 0)
0:36: 00000884. (ID = 0)
0:36: 00001108. (ID = 0)
0:36: 00001944. (ID = 0)
0:36: 00000850. (ID = 0)
0:37: 00002459. (ID = 0)
0:37: 00000844. (ID = 0)
0:37: 00001200. (ID = 0)
0:37: 00001036. (ID = 0)
0:37: 00001282. (ID = 0)
0:37: 00001253. (ID = 0)
0:37: 00002364. (ID = 0)
0:37: 00005878. (ID = 0)
0:37: 00005961. (ID = 0)
0:37: 00006348. (ID = 0)
0:37: 00004863. (ID = 0)
0:37: 00004757. (ID = 0)
0:37: 00001107. (ID = 0)
0:37: 00001106. (ID = 0)
0:37: 00001007. (ID = 0)
0:37: 00001251. (ID = 0)
0:37: 00001252. (ID = 0)
0:37: 00007155. (ID = 0)
0:37: 00007399. (ID = 0)
0:37: 00007413. (ID = 0)
0:37: 00007416. (ID = 0)
0:37: 00007435. (ID = 0)
0:37: 00004777. (ID = 0)
0:37: 00001222. (ID = 0)
0:37: 00004699. (ID = 0)
0:37: 00004722. (ID = 0)
0:37: 00001955. (ID = 0)
0:37: 00000757. (ID = 0)
0:37: 00004907. (ID = 0)
0:37: 00001914. (ID = 0)
0:37: 00002475. (ID = 0)
0:37: 00004908. (ID = 0)
0:37: 00004921. (ID = 0)
0:37: 00004645. (ID = 0)
0:37: 00003158. (ID = 0)
0:37: 00000288. (ID = 0)
0:37: 00004926. (ID = 0)
0:37: 00000001. (ID = 0)
0:37: 00001977. (ID = 0)
0:37: 00005257. (ID = 0)
0:38: 00000248. (ID = 0)
0:38: 00005259. (ID = 0)
0:38: 00001979. (ID = 0)
0:38: 00005268. (ID = 0)
0:38: 00001898. (ID = 0)
0:38: 00005269. (ID = 0)
0:38: 00005275. (ID = 0)
0:38: 00005277. (ID = 0)
0:38: 00000840. (ID = 0)
0:38: 00004964. (ID = 0)
0:38: 00001939. (ID = 0)
0:38: 00001940. (ID = 0)
0:38: 00000814. (ID = 0)
0:38: 00017225. (ID = 0)
0:38: 00000747. (ID = 0)
0:38: 00000756. (ID = 0)
0:38: 00004455. (ID = 0)
0:38: 00004460. (ID = 0)
0:38: 00001968. (ID = 0)
0:38: 00002001. (ID = 0)
0:38: 00001991. (ID = 0)
0:38: 00004838. (ID = 0)
0:38: 00004831. (ID = 0)
0:38: 00001219. (ID = 0)
0:38: 00000992. (ID = 0)
0:38: 00003163. (ID = 0)
0:38: 00017041. (ID = 0)
0:38: 00001230. (ID = 0)
0:38: 00004602. (ID = 0)
0:38: 00004607. (ID = 0)
0:38: 00000090. (ID = 0)
0:38: 00001933. (ID = 0)
0:38: 00001934. (ID = 0)
0:38: 00001994. (ID = 0)
0:38: 00002011. (ID = 0)
0:38: 00002012. (ID = 0)
0:38: 00005668. (ID = 0)
0:38: 00005700. (ID = 0)
0:38: 00005702. (ID = 0)
0:38: 00000055. (ID = 0)
0:38: 00006784. (ID = 0)
0:38: 00002471. (ID = 0)
0:38: 00001915. (ID = 0)
0:38: 00001953. (ID = 0)
0:38: 00001954. (ID = 0)
0:39: 00004898. (ID = 0)
0:39: 00002043. (ID = 0)
0:39: 00002214. (ID = 0)
0:39: 00002215. (ID = 0)
0:39: 00002220. (ID = 0)
0:39: 00002225. (ID = 0)
0:39: 00002231. (ID = 0)
0:39: 00002242. (ID = 0)
0:39: 00002249. (ID = 0)
0:39: 00002276. (ID = 0)
0:39: 00002277. (ID = 0)
0:39: 00002322. (ID = 0)
0:39: 00001871. (ID = 0)
0:39: 00001877. (ID = 0)
0:39: 00001738. (ID = 0)
0:39: 00001739. (ID = 0)
0:39: 00001742. (ID = 0)
0:39: 00001746. (ID = 0)
0:39: 00001772. (ID = 0)
0:39: 00001773. (ID = 0)
0:39: 00001776. (ID = 0)
0:39: 00001800. (ID = 0)
0:39: 00001803. (ID = 0)
0:39: 00001804. (ID = 0)
0:39: 00001807. (ID = 0)
0:39: 00001821. (ID = 0)
0:39: 00002491. (ID = 0)
0:39: 00002531. (ID = 0)
0:39: 00002537. (ID = 0)
0:39: 00002538. (ID = 0)
0:39: 00002547. (ID = 0)
0:39: 00001479. (ID = 0)
0:39: 00001486. (ID = 0)
0:40: 00001494. (ID = 0)
0:40: 00004881. (ID = 0)
0:40: 00001531. (ID = 0)
0:40: 00001535. (ID = 0)
0:40: 00001537. (ID = 0)
0:40: 00005344. (ID = 0)
0:40: 00001545. (ID = 0)
0:40: 00001566. (ID = 0)
0:40: 00001567. (ID = 0)
0:40: 00001568. (ID = 0)
0:40: 00001569. (ID = 0)
0:40: 00001570. (ID = 0)
0:40: 00001571. (ID = 0)
0:40: 00001677. (ID = 0)
0:40: 00001678. (ID = 0)
0:40: 00001679. (ID = 0)
0:40: 00001680. (ID = 0)
0:40: 00001681. (ID = 0)
0:40: 00001682. (ID = 0)
0:40: 00001692. (ID = 0)
0:40: 00001693. (ID = 0)
0:40: 00001694. (ID = 0)
0:40: 00001695. (ID = 0)
0:40: 00001696. (ID = 0)
0:40: 00001697. (ID = 0)
0:40: 00002595. (ID = 0)
0:40: 00000002. (ID = 0)
0:40: 00003201. (ID = 0)
0:40: 00003135. (ID = 0)
0:40: 00003144. (ID = 0)
0:40: 00003145. (ID = 0)
0:40: 00003113. (ID = 0)
0:40: 00003118. (ID = 0)
0:40: 00003126. (ID = 0)
0:40: 00003068. (ID = 0)
0:40: 00003070. (ID = 0)
0:40: 00003075. (ID = 0)
0:40: 00003224. (ID = 0)
0:40: 00003240. (ID = 0)
0:40: 00003244. (ID = 0)
0:40: 00003291. (ID = 0)
0:40: 00003388. (ID = 0)
0:40: 00003394. (ID = 0)
0:40: 00003395. (ID = 0)
0:40: 00003398. (ID = 0)
0:40: 00003410. (ID = 0)
0:40: 00003411. (ID = 0)
0:40: 00003429. (ID = 0)
0:40: 00003430. (ID = 0)
0:40: 00003435. (ID = 0)
0:40: 00003436. (ID = 0)
0:41: 00003440. (ID = 0)
0:41: 00003449. (ID = 0)
0:41: 00003450. (ID = 0)
0:41: 00003451. (ID = 0)
0:41: 00003464. (ID = 0)
0:41: 00003473. (ID = 0)
0:41: 00003475. (ID = 0)
0:41: 00003487. (ID = 0)
0:41: 00003490. (ID = 0)
0:41: 00003497. (ID = 0)
0:41: 00003507. (ID = 0)
0:41: 00003508. (ID = 0)
0:41: 00003534. (ID = 0)
0:41: 00003539. (ID = 0)
0:41: 00004773. (ID = 0)
0:41: 00004778. (ID = 0)
0:41: 00003710. (ID = 0)
0:41: 00003711. (ID = 0)
0:41: 00003716. (ID = 0)
0:41: 00003721. (ID = 0)
0:41: 00003727. (ID = 0)
0:41: 00003738. (ID = 0)
0:41: 00003745. (ID = 0)
0:41: 00003772. (ID = 0)
0:41: 00003773. (ID = 0)
0:41: 00003818. (ID = 0)
0:41: 00004749. (ID = 0)
0:41: 00003867. (ID = 0)
0:41: 00003873. (ID = 0)
0:41: 00003908. (ID = 0)
0:41: 00003909. (ID = 0)
0:41: 00003912. (ID = 0)
0:41: 00003916. (ID = 0)
0:41: 00003942. (ID = 0)
0:41: 00003943. (ID = 0)
0:41: 00003946. (ID = 0)
0:41: 00003970. (ID = 0)
0:41: 00003973. (ID = 0)
0:41: 00003974. (ID = 0)
0:41: 00003977. (ID = 0)
0:41: 00003991. (ID = 0)
0:41: 00004013. (ID = 0)
0:41: 00004024. (ID = 0)
0:41: 00004061. (ID = 0)
0:41: 00004067. (ID = 0)
0:41: 00004068. (ID = 0)
0:42: 00004077. (ID = 0)
0:42: 00004082. (ID = 0)
0:42: 00004089. (ID = 0)
0:42: 00004097. (ID = 0)
0:42: 00004134. (ID = 0)
0:42: 00004138. (ID = 0)
0:42: 00004140. (ID = 0)
0:42: 00004148. (ID = 0)
0:42: 00004169. (ID = 0)
0:42: 00004170. (ID = 0)
0:42: 00004171. (ID = 0)
0:42: 00004172. (ID = 0)
0:42: 00004173. (ID = 0)
0:42: 00004174. (ID = 0)
0:42: 00004280. (ID = 0)
0:42: 00004281. (ID = 0)
0:42: 00004282. (ID = 0)
0:42: 00004283. (ID = 0)
0:42: 00004284. (ID = 0)
0:42: 00004285. (ID = 0)
0:42: 00004295. (ID = 0)
0:42: 00004296. (ID = 0)
0:42: 00004297. (ID = 0)
0:42: 00004298. (ID = 0)
0:42: 00004299. (ID = 0)
0:42: 00004300. (ID = 0)
0:42: 00003100. (ID = 0)
0:42: 00002996. (ID = 0)
0:42: 00003011. (ID = 0)
0:42: 00003016. (ID = 0)
0:42: 00003015. (ID = 0)
0:42: 00002988. (ID = 0)
0:42: 00002939. (ID = 0)
0:42: 00002962. (ID = 0)
0:42: 00017209. (ID = 0)
0:42: 00004866. (ID = 0)
0:42: 00003103. (ID = 0)
0:42: 00000062. (ID = 0)
0:43: 00004432. (ID = 0)
0:43: 00002038. (ID = 0)
0:43: 00001892. (ID = 0)
0:43: 00004876. (ID = 0)
0:43: 00001902. (ID = 0)
0:43: 00004889. (ID = 0)
0:43: 00004833. (ID = 0)
0:43: 00000000. (ID = 0)
0:43: 00000782. (ID = 0)
0:43: 00000783. (ID = 0)
0:43: 00004932. (ID = 0)
0:43: 00004933. (ID = 0)
0:43: 00004613. (ID = 0)
0:43: 00004614. (ID = 0)
0:43: 00002428. (ID = 0)
0:43: 00002440. (ID = 0)
0:43: 00002442. (ID = 0)
0:43: 00002445. (ID = 0)
0:43: 00001872. (ID = 0)
0:43: 00001878. (ID = 0)
0:43: 00002532. (ID = 0)
0:43: 00002548. (ID = 0)
0:43: 00006767. (ID = 0)
0:43: 00001455. (ID = 0)
0:43: 00001457. (ID = 0)
0:43: 00001459. (ID = 0)
0:43: 00003169. (ID = 0)
0:43: 00003170. (ID = 0)
0:43: 00001437. (ID = 0)
0:43: 00005579. (ID = 0)
0:43: 00005591. (ID = 0)
0:43: 00005698. (ID = 0)
0:43: 00005728. (ID = 0)
0:43: 00005792. (ID = 0)
0:43: 00005793. (ID = 0)
0:43: 00005872. (ID = 0)
0:43: 00005873. (ID = 0)
0:43: 00005970. (ID = 0)
0:43: 00006034. (ID = 0)
0:43: 00006220. (ID = 0)
0:43: 00000194. (ID = 0)
0:43: 00000207. (ID = 0)
0:43: 00000214. (ID = 0)
0:43: 00006408. (ID = 0)
0:43: 00006473. (ID = 0)
0:43: 00006615. (ID = 0)
0:43: 00007092. (ID = 0)
0:44: 00007091. (ID = 0)
0:44: 00007088. (ID = 0)
0:44: 00007087. (ID = 0)
0:44: 00007086. (ID = 0)
0:44: 00007096. (ID = 0)
0:44: 00007084. (ID = 0)
0:44: 00007085. (ID = 0)
0:44: 00007095. (ID = 0)
0:44: 00007097. (ID = 0)
0:44: 00007094. (ID = 0)
0:44: 00007089. (ID = 0)
0:44: 00007090. (ID = 0)
0:44: 00007101. (ID = 0)
0:44: 00007102. (ID = 0)
0:44: 00007093. (ID = 0)
0:44: 00007100. (ID = 0)
0:44: 00007099. (ID = 0)
0:44: 00007083. (ID = 0)
0:44: 00007098. (ID = 0)
0:44: 00002613. (ID = 0)
0:44: 00003355. (ID = 0)
0:44: 00003367. (ID = 0)
0:44: 00003369. (ID = 0)
0:44: 00003372. (ID = 0)
0:44: 00003868. (ID = 0)
0:44: 00003874. (ID = 0)
0:44: 00004025. (ID = 0)
0:44: 00004062. (ID = 0)
0:44: 00004078. (ID = 0)
0:44: 00004310. (ID = 0)
0:44: 00004312. (ID = 0)
0:44: 00004314. (ID = 0)
0:44: 00004360. (ID = 0)
0:45: File Sweep Complete, Elapsed Time: 01:05:39
0:45: Full Sweep has completed. Elapsed time 01:11:15
0:45: Traces Found: 709
 

SpharX (Thread Starter):
Continued:

0:48: Removal process initiated
0:48: Quarantining All Traces: 180search assistant/zango
0:48: Quarantining All Traces: adlogix
0:48: Quarantining All Traces: clearsearch
0:48: Quarantining All Traces: cws-aboutblank
0:48: Quarantining All Traces: directrevenue-abetterinternet
0:48: Quarantining All Traces: ist istbar
0:48: Quarantining All Traces: potentially rootkit-masked files
1:06: The Spy Communication shield has blocked access to:
1:06: The Spy Communication shield has blocked access to:
1:33: The Spy Communication shield has blocked access to: login.180up.biz
1:33: The Spy Communication shield has blocked access to: login.180up.biz
1:33: The Spy Communication shield has blocked access to: login.180up.biz
1:33: The Spy Communication shield has blocked access to: login.180up.biz
1:33: The Spy Communication shield has blocked access to: login.180up.biz
1:33: The Spy Communication shield has blocked access to: login.180up.biz
1:34: The Spy Communication shield has blocked access to: login.180up.biz
1:34: The Spy Communication shield has blocked access to: login.180up.biz
1:34: The Spy Communication shield has blocked access to: login.180up.biz
1:34: The Spy Communication shield has blocked access to: login.180up.biz
1:34: The Spy Communication shield has blocked access to: login.180up.biz
1:34: The Spy Communication shield has blocked access to: login.180up.biz
1:34: The Spy Communication shield has blocked access to: login.180up.biz
1:34: The Spy Communication shield has blocked access to: login.180up.biz
1:34: The Spy Communication shield has blocked access to: login.180up.biz
1:34: The Spy Communication shield has blocked access to: login.180up.biz
1:35: The Spy Communication shield has blocked access to: login.180up.biz
1:35: The Spy Communication shield has blocked access to: login.180up.biz
1:35: The Spy Communication shield has blocked access to: login.180up.biz
1:35: The Spy Communication shield has blocked access to: login.180up.biz
1:35: The Spy Communication shield has blocked access to: login.180up.biz
1:35: The Spy Communication shield has blocked access to: login.180up.biz
1:35: The Spy Communication shield has blocked access to: login.180up.biz
1:35: The Spy Communication shield has blocked access to: login.180up.biz
1:35: The Spy Communication shield has blocked access to: login.180up.biz
1:35: The Spy Communication shield has blocked access to: login.180up.biz
1:36: The Spy Communication shield has blocked access to: login.180up.biz
1:36: The Spy Communication shield has blocked access to: login.180up.biz
1:36: The Spy Communication shield has blocked access to: login.180up.biz
1:36: The Spy Communication shield has blocked access to: login.180up.biz
1:36: The Spy Communication shield has blocked access to: login.180up.biz
1:36: The Spy Communication shield has blocked access to: login.180up.biz
1:36: The Spy Communication shield has blocked access to: login.180up.biz
1:36: The Spy Communication shield has blocked access to: login.180up.biz
1:36: The Spy Communication shield has blocked access to: login.180up.biz
1:36: The Spy Communication shield has blocked access to: login.180up.biz
1:37: The Spy Communication shield has blocked access to: login.180up.biz
1:37: The Spy Communication shield has blocked access to: login.180up.biz
1:37: The Spy Communication shield has blocked access to: login.180up.biz
1:37: The Spy Communication shield has blocked access to: login.180up.biz
1:37: The Spy Communication shield has blocked access to: login.180up.biz
1:37: The Spy Communication shield has blocked access to: login.180up.biz
1:37: The Spy Communication shield has blocked access to: login.180up.biz
1:37: The Spy Communication shield has blocked access to: login.180up.biz
1:37: The Spy Communication shield has blocked access to: login.180up.biz
1:37: The Spy Communication shield has blocked access to: login.180up.biz
1:38: The Spy Communication shield has blocked access to: login.180up.biz
1:38: The Spy Communication shield has blocked access to: login.180up.biz
1:38: The Spy Communication shield has blocked access to: login.180up.biz
1:38: The Spy Communication shield has blocked access to: login.180up.biz
1:38: The Spy Communication shield has blocked access to: login.180up.biz
1:38: The Spy Communication shield has blocked access to: login.180up.biz
1:38: The Spy Communication shield has blocked access to: login.180up.biz
1:38: The Spy Communication shield has blocked access to: login.180up.biz
1:38: The Spy Communication shield has blocked access to: login.180up.biz
1:38: The Spy Communication shield has blocked access to: login.180up.biz
1:39: The Spy Communication shield has blocked access to: login.180up.biz
1:39: The Spy Communication shield has blocked access to: login.180up.biz
1:39: The Spy Communication shield has blocked access to: login.180up.biz
1:39: The Spy Communication shield has blocked access to: login.180up.biz
1:39: The Spy Communication shield has blocked access to: login.180up.biz
1:39: The Spy Communication shield has blocked access to: login.180up.biz
1:39: The Spy Communication shield has blocked access to: login.180up.biz
1:39: The Spy Communication shield has blocked access to: login.180up.biz
1:39: The Spy Communication shield has blocked access to: login.180up.biz
1:39: The Spy Communication shield has blocked access to: login.180up.biz
1:40: The Spy Communication shield has blocked access to: login.180up.biz
1:40: The Spy Communication shield has blocked access to: login.180up.biz
1:40: The Spy Communication shield has blocked access to: login.180up.biz
1:40: The Spy Communication shield has blocked access to: login.180up.biz
1:40: The Spy Communication shield has blocked access to: login.180up.biz
1:40: The Spy Communication shield has blocked access to: login.180up.biz
1:40: The Spy Communication shield has blocked access to: login.180up.biz
1:40: The Spy Communication shield has blocked access to: login.180up.biz
1:41: The Spy Communication shield has blocked access to: login.180up.biz
1:41: The Spy Communication shield has blocked access to: login.180up.biz
1:41: The Spy Communication shield has blocked access to: login.180up.biz
1:41: The Spy Communication shield has blocked access to: login.180up.biz
1:41: The Spy Communication shield has blocked access to: login.180up.biz
1:41: The Spy Communication shield has blocked access to: login.180up.biz
1:41: The Spy Communication shield has blocked access to: login.180up.biz
1:41: The Spy Communication shield has blocked access to: login.180up.biz
1:41: The Spy Communication shield has blocked access to: login.180up.biz
1:41: The Spy Communication shield has blocked access to: login.180up.biz
1:42: The Spy Communication shield has blocked access to: login.180up.biz
1:42: The Spy Communication shield has blocked access to: login.180up.biz
1:42: The Spy Communication shield has blocked access to: login.180up.biz
1:42: The Spy Communication shield has blocked access to: login.180up.biz
1:42: The Spy Communication shield has blocked access to: login.180up.biz
1:42: The Spy Communication shield has blocked access to: login.180up.biz
1:42: The Spy Communication shield has blocked access to: login.180up.biz
1:42: The Spy Communication shield has blocked access to: login.180up.biz
1:42: The Spy Communication shield has blocked access to: login.180up.biz
1:42: The Spy Communication shield has blocked access to: login.180up.biz
1:43: The Spy Communication shield has blocked access to: login.180up.biz
1:43: The Spy Communication shield has blocked access to: login.180up.biz
1:43: The Spy Communication shield has blocked access to: login.180up.biz
1:43: The Spy Communication shield has blocked access to: login.180up.biz
1:43: The Spy Communication shield has blocked access to: login.180up.biz
1:43: The Spy Communication shield has blocked access to: login.180up.biz
1:43: The Spy Communication shield has blocked access to: login.180up.biz
1:43: The Spy Communication shield has blocked access to: login.180up.biz
1:43: The Spy Communication shield has blocked access to: login.180up.biz
1:43: The Spy Communication shield has blocked access to: login.180up.biz
1:44: The Spy Communication shield has blocked access to: login.180up.biz
1:44: The Spy Communication shield has blocked access to: login.180up.biz
1:44: The Spy Communication shield has blocked access to: login.180up.biz
1:44: The Spy Communication shield has blocked access to: login.180up.biz
1:44: The Spy Communication shield has blocked access to: login.180up.biz
1:44: The Spy Communication shield has blocked access to: login.180up.biz
1:44: The Spy Communication shield has blocked access to: login.180up.biz
1:44: The Spy Communication shield has blocked access to: login.180up.biz
1:44: The Spy Communication shield has blocked access to: login.180up.biz
1:44: The Spy Communication shield has blocked access to: login.180up.biz
1:45: The Spy Communication shield has blocked access to: login.180up.biz
1:45: The Spy Communication shield has blocked access to: login.180up.biz
1:45: The Spy Communication shield has blocked access to: login.180up.biz
1:45: The Spy Communication shield has blocked access to: login.180up.biz
1:45: The Spy Communication shield has blocked access to: login.180up.biz
1:45: The Spy Communication shield has blocked access to: login.180up.biz
1:45: The Spy Communication shield has blocked access to: login.180up.biz
1:45: The Spy Communication shield has blocked access to: login.180up.biz
1:45: The Spy Communication shield has blocked access to: login.180up.biz
1:45: The Spy Communication shield has blocked access to: login.180up.biz
1:46: The Spy Communication shield has blocked access to: login.180up.biz
1:46: The Spy Communication shield has blocked access to: login.180up.biz
1:46: The Spy Communication shield has blocked access to: login.180up.biz
1:46: The Spy Communication shield has blocked access to: login.180up.biz
1:46: The Spy Communication shield has blocked access to: login.180up.biz
1:46: The Spy Communication shield has blocked access to: login.180up.biz
1:46: The Spy Communication shield has blocked access to: login.180up.biz
1:46: The Spy Communication shield has blocked access to: login.180up.biz
********
23:30: | Start of Session, 25 December 2005 |
23:30: Spy Sweeper started
23:30: Messenger service has been disabled.
23:31: Your spyware definitions have been updated.
23:33: The Spy Communication shield has blocked access to:
23:33: The Spy Communication shield has blocked access to:
23:34: | End of Session, 25. detsember 2005. a. |



The ones left in the Quarantine are:

adlogix
clearsearch
directrevenue-abetterinternet
potentially rootkit-masked files

I will proceed to deleting them now.
 

SpharX

Thread Starter
Joined
Dec 25, 2005
Messages
24
So sorry for so much text.

Hijack log #2:

Logfile of HijackThis v1.99.1
Scan saved at 2:00:33, on 26.12.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
D:\Alias\Maya7.0\docs\wrapper.exe
C:\Program Files\Norton Utilities\NPROTECT.EXE
D:\Alias\Maya7.0\docs\jre\bin\java.exe
C:\Program Files\Speed Disk\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
F:\rauno\ovktest\ovktest.exe
C:\Program Files\yz_dck0083\YzDock.exe
C:\Program Files\SpeedFan\speedfan.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Winamp5\winamp.exe
C:\Program Files\Internet Explorer\iexplore.exe
F:\rauno\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neti.ee/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neti.ee/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
O2 - BHO: DAPBHO Class - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE} - C:\Program Files\DAP\DAPIEBar.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: BagsTypeInfo - {885BD150-E7D4-6376-FE75-EFD64FC4771B} - C:\PROGRA~1\THIRDB~1\Traytrust.dll (file missing)
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O3 - Toolbar: Logo Rule Proxy - {337E8A26-6D92-88A7-65C3-7AD08A9C5A34} - C:\PROGRA~1\THIRDB~1\Traytrust.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [msie] msie.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [timessquare] C:\windows\timessquare.exe
O4 - HKLM\..\Run: [adtech2006] C:\windows\adtech2006a.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\RunServices: [msie] msie.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [aupd] C:\WINDOWS\System32\sywsvcs.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: Shortcut to ovktest.lnk = F:\rauno\ovktest\ovktest.exe
O4 - Startup: Shortcut to YzDock.lnk = C:\Program Files\yz_dck0083\YzDock.exe
O4 - Startup: speedfan.lnk = C:\Program Files\SpeedFan\speedfan.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Broken Internet access because of LSP provider 'xfire_lsp_9733.dll' missing
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.1.1.74.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1122751540359
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} - http://download.rfwnad.com/cab/crack.CAB
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: msctl32.dll - C:\WINDOWS\System32\msctl32.dll
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: ISEXEng - Unknown owner - C:\WINDOWS\System32\angelex.exe (file missing)
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Maya 7.0 Documentation Server (maya70docserver) - Unknown owner - D:\Alias\Maya7.0\docs\wrapper.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\Program Files\Speed Disk\nopdb.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
 

SpharX

Thread Starter
Joined
Dec 25, 2005
Messages
24
Hmm, something else I found out is that winlogon.exe starts using up the CPU again when I close SpySweeper, when it's open, everything is fine. Bad thing is that my free trial ends in 13 days...:p
 

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
Please download Process Explorer by Sysinternals from HERE

Also download KillBox by Option^Explicit from HERE


Then boot up in SAFE MODE.

The rest of this fix must be done in Safe Mode.


Unzip Process Explorer and double click on procexp.exe

In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

Once you see this screen click on each instance of C:\WINDOWS\System32\msctl32.dll once and then click the kill button.

After you have killed all of the C:\WINDOWS\System32\msctl32.dll's under winlogon click OK.

Next double click on explorer.exe and again Click on the Threads tab at the top
Once you see this screen click on each instance of C:\WINDOWS\System32\msctl32.dll once and then click the kill button.

Once you have done that click OK again.

Next run HijackThis and place a check beside each of the following.


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
O2 - BHO: BagsTypeInfo - {885BD150-E7D4-6376-FE75-EFD64FC4771B} - C:\PROGRA~1\THIRDB~1\Traytrust.dll (file missing)
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O3 - Toolbar: Logo Rule Proxy - {337E8A26-6D92-88A7-65C3-7AD08A9C5A34} - C:\PROGRA~1\THIRDB~1\Traytrust.dll (file missing)
O4 - HKLM\..\Run: [msie] msie.exe
O4 - HKLM\..\Run: [timessquare] C:\windows\timessquare.exe
O4 - HKLM\..\Run: [adtech2006] C:\windows\adtech2006a.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunServices: [msie] msie.exe
O4 - HKCU\..\Run: [aupd] C:\WINDOWS\System32\sywsvcs.exe
O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} - http://download.rfwnad.com/cab/crack.CAB
O20 - Winlogon Notify: msctl32.dll - C:\WINDOWS\System32\msctl32.dll
O23 - Service: ISEXEng - Unknown owner - C:\WINDOWS\System32\angelex.exe (file missing)

Now click fix checked and close HijackThis.


Now start Killbox, go to Options on the top bar and make sure Remove Directories is enabled and Remove Duplicates is UNCHECKED.
Select Delete on Reboot & press the All Files button.

Copy the list of files below to your clipboard (use your mouse and select them all, right click & select Copy),
then in Killbox press File & Paste from Clipboard.
Make sure Delete on Reboot & All Files are enabled, press the red X button, say Yes to the prompt and NO to reboot now.

[Note: Killbox makes backups of all deleted files & folders in a folder called C:\!killbox.] If Killbox tells you any files are missing, don't worry, but make a note and let us know in your next reply.

C:\WINDOWS\System32\angelex.exe
C:\WINDOWS\System32\msctl32.dll
c:\secure32.html
C:\WINDOWS\System32\sywsvcs.exe
C:\WINDOWS\System32\msie.exe
C:\windows\adtech2006a.exe
C:\windows\timessquare.exe

Then on the Killbox top bar press Tools / Delete Temp Files. In the pop-up box, in the NT section select Temp & Temp Internet & Cookies only, and in the 9x section select c:\windows\temp & c:\temp. Then in the drop-down user account box select your account, and repeat for every user account on the computer.

Now reboot the computer

After your computer has rebooted please run Hijackthis again and post a new HijackThis log.
 

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
And have you any idea what this is:
F:\rauno\ovktest\ovktest.exe
 

SpharX

Thread Starter
Joined
Dec 25, 2005
Messages
24
Yeah, it's a small program my friend made for me and a few of my friends. We have a forum together and if someone posts, a bubble in the bottom right corner pops up saying "There are new posts in the forum by blabla." I've had that one for a while and it has never caused any problems. :)

Oh and, when I used Process Explorer, there were no C:\Windows\System32\msctl32.dll strings.

Here's log #3:

Logfile of HijackThis v1.99.1
Scan saved at 17:22:16, on 26.12.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
D:\Alias\Maya7.0\docs\wrapper.exe
C:\Program Files\Norton Utilities\NPROTECT.EXE
D:\Alias\Maya7.0\docs\jre\bin\java.exe
C:\Program Files\Speed Disk\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
F:\rauno\ovktest\ovktest.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\yz_dck0083\YzDock.exe
C:\Program Files\SpeedFan\speedfan.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
F:\rauno\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neti.ee/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neti.ee/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
O2 - BHO: DAPBHO Class - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE} - C:\Program Files\DAP\DAPIEBar.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\RunServices: [msie] msie.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: Shortcut to ovktest.lnk = F:\rauno\ovktest\ovktest.exe
O4 - Startup: Shortcut to YzDock.lnk = C:\Program Files\yz_dck0083\YzDock.exe
O4 - Startup: speedfan.lnk = C:\Program Files\SpeedFan\speedfan.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Broken Internet access because of LSP provider 'xfire_lsp_9733.dll' missing
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.1.1.74.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1122751540359
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Maya 7.0 Documentation Server (maya70docserver) - Unknown owner - D:\Alias\Maya7.0\docs\wrapper.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\Program Files\Speed Disk\nopdb.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
 

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
Just these few leftovers to fix.

Run HijackThis, put a tick in the box beside these entries listed below and ONLY these entries, double check to make sure, then make sure all browser & email windows are closed and press Fix Checked.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
O4 - HKLM\..\RunServices: [msie] msie.exe


Then, if it's all running OK:

Turn off System Restore by following the instructions here
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039
That will purge the restore folder and clear any malware that has been put in there. Then reboot & then re-enable System Restore & create a new restore point.

Go here http://forums.techguy.org/t208517/s.html for info on how to tighten your security settings and how to help prevent future attacks.

And pay an urgent visit to Windows Update & make sure you are fully updated & get the bunch of new updates that are alleged to plug the security holes that let these pests on in the first place.
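As an added example (not code from the thread, its helpers or HijackThis), a small Python triage script that flags the entry patterns dealt with in this thread (IE pages pointing at a local file, "(file missing)" references, bare or Windows-root autoruns, RunServices entries, Winlogon Notify DLLs) and diffs two logs to show which flagged entries survived a "fix checked" pass. The sample logs are constructed excerpts of logs #2 and #3 above.

```python
"""Triage helper for HijackThis-style logs (added example for this thread; not
code from the thread, its helpers or HijackThis). Flags the entry patterns dealt
with above and diffs two logs. Flags mark entries for review, not verdicts."""
import re
from typing import Dict, List
ENTRY_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.+)$")              # "O20 - ..."
URL_RE = re.compile(r"^(https?|ftp|about|res):", re.IGNORECASE)
RUN_RE = re.compile(r"^HK\w+\\\.\.\\(Run\w*): \[[^\]]*\] (.*)$")  # O4 body
# Directories a legitimate autorun almost never lives in directly.
WIN_ROOTS = {"c:\\windows", "c:\\winnt", "%systemroot%", "%windir%"}

def parse_log(text: str) -> Dict[str, str]:
    """Map each HJT entry line (verbatim) to its section code, e.g. 'O20'."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries[line.strip()] = m.group(1)
    return entries

def flag(entry: str, code: str) -> List[str]:
    """Reasons an entry deserves a look; an empty list means nothing odd."""
    reasons = []
    body = entry.split(" - ", 1)[1]
    if "(file missing)" in body or "(no file)" in body:
        reasons.append("orphaned reference: target file is gone")
    if code in ("R0", "R1"):          # IE start/default/local page settings
        if not URL_RE.match(body.split(" = ", 1)[-1].strip()):
            reasons.append("IE page points at a local file, not a URL")
    elif code == "O4":                # registry / startup-folder autoruns
        m = RUN_RE.match(body)
        if m:
            cmd = m.group(2).strip()
            exe = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else (cmd.split() or [""])[0]
            if m.group(1).lower() == "runservices":
                reasons.append("RunServices is a Windows 9x/Me key; odd on XP")
            if "\\" not in exe:
                reasons.append("bare filename resolved via PATH; origin unclear")
            elif exe.rsplit("\\", 1)[0].lower() in WIN_ROOTS:
                reasons.append("executable sits directly in the Windows directory")
    elif code == "O20":               # Winlogon Notify packages
        reasons.append("Notify DLL loads into winlogon.exe; verify publisher")
    return reasons

def triage(text: str) -> Dict[str, List[str]]:
    """Only the entries that raised at least one flag."""
    return {e: r for e, c in parse_log(text).items() if (r := flag(e, c))}

def compare(old: str, new: str) -> Dict[str, object]:
    """Entries removed/added between two logs, plus flagged ones present in both."""
    o, n = parse_log(old), parse_log(new)
    return {"removed": [e for e in o if e not in n],
            "added": [e for e in n if e not in o],
            "persisting": {e: r for e, r in triage(old).items() if e in n}}

# Constructed excerpts of log #2 (before the fix) and log #3 (after it).
LOG2 = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neti.ee/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
O2 - BHO: BagsTypeInfo - {885BD150-E7D4-6376-FE75-EFD64FC4771B} - C:\PROGRA~1\THIRDB~1\Traytrust.dll (file missing)
O4 - HKLM\..\Run: [msie] msie.exe
O4 - HKLM\..\Run: [timessquare] C:\windows\timessquare.exe
O4 - HKLM\..\RunServices: [msie] msie.exe
O20 - Winlogon Notify: msctl32.dll - C:\WINDOWS\System32\msctl32.dll
"""
LOG3 = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neti.ee/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
O4 - HKLM\..\RunServices: [msie] msie.exe
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
"""

if __name__ == "__main__":
    for entry, why in compare(LOG2, LOG3)["persisting"].items():
        print("STILL PRESENT:", entry, "->", "; ".join(why))
```

Run against the two excerpts it reports exactly the Local Page and RunServices leftovers that the thread's next posts are about; an entry that keeps coming back after "fix checked" is a sign that something still running is rewriting it.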
 

SpharX

Thread Starter
Joined
Dec 25, 2005
Messages
24
That's weird, I deleted them, but these didn't go away:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html

I tried deleting them like 4 times.
 

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
In that case we still have the virus that causes it on the computer.

First:

Please go to http://www.thespykiller.co.uk/forum/index.php?board=1.0 and upload these files so I can examine them and distribute them to antivirus companies.
Just press New Topic, fill in the needed details and just give a link to your post here, then press the Browse button and navigate to & select the files on your computer. If there is more than 1 file, press the More Attachments button for each extra file and browse and select etc., and then when all the files are listed in the window press Send to upload the files (do not post HJT logs there as they will not get dealt with).

Files to submit:

Anything inside the C:\!killbox folder, which is where Killbox should have made copies of all the files it deleted.

The easy way is to first go to c:\!killbox and select all the files inside it, right-click and Send To > Compressed Folder; that will make a zipped copy of all the files. Then upload the zipped copy.

Run Spy Sweeper again please & fix everything it finds, and then

reboot &
  • Download WinPFind
  • Right Click the Zip Folder and Select "Extract All"
  • Extract it somewhere you will remember like the Desktop
  • Don't do anything with it yet!

Reboot into Safe Mode
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Double-click WinPFind.exe
  • Click "Start Scan"
  • It will scan the entire System, so please be patient!
  • Once the Scan is Complete
    • Reboot back to Normal Mode!
    • Go to the WinPFind folder
    • Locate WinPFind.txt
    • Place those results in the next post!
 