Solved: Strange talk bubble about [email protected]

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

I_HATE_SPYWARE

Thread Starter
Joined
Jun 26, 2007
Messages
12
Hello,
I keep on getting this junk in the bottom right hand corner of my screen that says from top to bottom:
Security Alert: [email protected]
Type: Virus/Network Worm
Damage Level: High
Descripition: Virus that infects .exe files.
Recommendation: Delete/quarantine immediately
Protection: Click this baloon to download certified Antivirus software

How do I get rid of this? If it is actually spyware, how do i get rid of that?
It gets terribly annoying, if i X it out, it pops right back up in like 2 seconds.
Help!
Thanks.
 

Cheeseball81

Retired Moderator
Joined
Mar 3, 2004
Messages
84,315
* Click here to download HJTsetup.exe.
Save HJTsetup.exe to your desktop.

Double click on the HJTsetup.exe icon on your desktop.
By default it will install to C:\Program Files\Hijack This.
Continue to click Next in the setup dialogue boxes until you get to the Select Addition Tasks dialogue.
Put a check by Create a desktop icon then click Next again.
Continue to follow the rest of the prompts from there.
At the final dialogue box click Finish and it will launch Hijack This.
Click on the Do a system scan and save a log file button. It will scan and then ask you to save the log.
Click Save to save the log file and then the log will open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
Come back here to this thread and Paste the log in your next reply.
DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
 

I_HATE_SPYWARE

Thread Starter
Joined
Jun 26, 2007
Messages
12
Wow that was friggen fast reply, and it seems like you know what you are doing.
Thanks a lot for replying

Here's the log--no clue what it means lol, but here it is-

Logfile of HijackThis v1.99.1
Scan saved at 11:31:37 PM, on 6/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINNT\System32\NMSSvc.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINNT\System32\svchost.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Video ActiveX Access\iesmn.exe
C:\Program Files\Video ActiveX Access\imsmain.exe
C:\WINNT\system32\SK9910DM.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
C:\Program Files\Web__Rebates\webrebatesv.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\SystemDoctor 2006 Free\dcmon.exe
C:\Program Files\Video ActiveX Access\imsmn.exe
C:\Program Files\SystemDoctor 2006 Free\USDR6cw.exe
C:\Program Files\SystemDoctor 2006 Free\pasmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Video ActiveX Access\iesmin.exe
C:\Documents and Settings\Owner\Desktop\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Web__Rebates\to.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://as.weatherstudio.com/dp/sear...PgxoMdh959bDh/ngO6p9TwFYmsYoeoGm6Ko5eg2NMQ6S+
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\26.bin\MWSSRCAS.DLL
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\26.bin\MWSSRCAS.DLL
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: MyWay Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - C:\Program Files\MyWay\SrchAstt\1.bin\MYSRCHAS.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\26.bin\MWSBAR.DLL
O2 - BHO: (no name) - {184746EC-9E9D-4C7D-B9E7-9039EBD801A9} - C:\Program Files\Video ActiveX Access\iesplg.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: WhIeHelperObj Class - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\Program Files\webHancer\programs\whiehlpr.dll
O2 - BHO: (no name) - {D2850FF8-7735-B943-3C32-9CC34F5DA81A} - C:\WINNT\system32\sdkwk.dll (file missing)
O2 - BHO: (no name) - {FFDD804F-A7F8-4395-93D2-66A85DA2BDAB} - C:\Program Files\WeatherStudio348\bin\WeatherStudio348.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: WeatherStudio348 - {15757333-2BCA-4B77-A807-D0955132F812} - C:\Program Files\WeatherStudio348\bin\WeatherStudio348.dll
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [D-Link AirPlus XtremeG] C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
O4 - HKLM\..\Run: [toprm] "C:\Program Files\Web__Rebates\webrebatesv.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SystemDoctor 2006 Free] C:\Program Files\SystemDoctor 2006 Free\sd2006.exe -scan
O4 - HKLM\..\Run: [dc6_check] C:\Program Files\SystemDoctor 2006 Free\dcmon.exe
O4 - HKLM\..\Run: [USDR6cw] C:\Program Files\SystemDoctor 2006 Free\USDR6cw.exe -c
O4 - HKLM\..\Run: [pas_check] C:\Program Files\SystemDoctor 2006 Free\pasmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\23.bin\MWSOEMON.EXE
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\23.bin\MWSOEMON.EXE
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZCfox000
O8 - Extra context menu item: Web Rebates - file://C:\Documents and Settings\Owner\Application Data\Web__Rebates\toprt\toprC5.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Owner\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1163034921515
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINNT\SYSTEM32\WgaLogon.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Documents and Settings\Owner\Desktop\iPod\bin\iPodService.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe
O23 - Service: Network Security Service (NSS) (%AF夶À¨) - Unknown owner - C:\WINNT\ipeu32.exe (file missing)
 

Cheeseball81

Retired Moderator
Joined
Mar 3, 2004
Messages
84,315
You are quite infected! We have a lot to do.

Start with this........

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm
 

I_HATE_SPYWARE

Thread Starter
Joined
Jun 26, 2007
Messages
12
Well, I'm glad you know the problem....I'm only 13 and if my parents see these porn ads they will kill me. And it will be embarrasing.

Well, I did the scan thingy, I believe this is what you need:



SmitFraudFix v2.197

Scan done at 23:42:55.15, Tue 06/26/2007
Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINNT\System32\NMSSvc.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINNT\System32\svchost.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Video ActiveX Access\iesmn.exe
C:\Program Files\Video ActiveX Access\imsmain.exe
C:\WINNT\system32\SK9910DM.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
C:\Program Files\Web__Rebates\webrebatesv.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\SystemDoctor 2006 Free\dcmon.exe
C:\Program Files\Video ActiveX Access\imsmn.exe
C:\Program Files\SystemDoctor 2006 Free\USDR6cw.exe
C:\Program Files\SystemDoctor 2006 Free\pasmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Video ActiveX Access\iesmin.exe
C:\Documents and Settings\Owner\Desktop\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Web__Rebates\to.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\iTunes\iTunes.exe
C:\WINNT\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system32

C:\WINNT\system32\dooep.dll FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url FOUND !
C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Owner\FAVORI~1

C:\DOCUME~1\Owner\FAVORI~1\Online Security Test.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

C:\Program Files\Video ActiveX Access\ FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="http://www.beyblade.com/desktop_toys/characters_m.jpg"
"SubscribedURL"="http://www.beyblade.com/desktop_toys/characters_m.jpg"
"FriendlyName"=""

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{44e670f2-d57b-4815-a576-955d17dbbf2d}"="cankered"

[HKEY_CLASSES_ROOT\CLSID\{44e670f2-d57b-4815-a576-955d17dbbf2d}\InProcServer32]
@="C:\WINNT\system32\dooep.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{44e670f2-d57b-4815-a576-955d17dbbf2d}\InProcServer32]
@="C:\WINNT\system32\dooep.dll"



»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: D-Link AirPlus DWL-G520 Wireless PCI Adapter(rev.B) - Packet Scheduler Miniport
DNS Server Search Order: 192.168.1.1
DNS Server Search Order: 192.168.1.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{4A922769-1092-49C8-8062-18A774136340}: DhcpNameServer=192.168.1.1 192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{4A922769-1092-49C8-8062-18A774136340}: DhcpNameServer=192.168.1.1 192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{4A922769-1092-49C8-8062-18A774136340}: DhcpNameServer=192.168.1.1 192.168.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{4A922769-1092-49C8-8062-18A774136340}: DhcpNameServer=192.168.1.1 192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1 192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1 192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1 192.168.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1 192.168.1.1


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End
 

Cheeseball81

Retired Moderator
Joined
Mar 3, 2004
Messages
84,315
I'm leaving 2 things for you to do - because it's late on the east coast and I will be going to bed soon. So follow these instructions and we will continue this tomorrow. :)

You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Next, please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.

A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.

The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning: running option #2 on a non infected computer will remove your Desktop background.

=========================================================

Download the Trial version of Superantispyware Pro (SAS):
http://www.superantispyware.com/superantispyware.html?rid=3132


Install it and double-click the icon on your desktop to run it.
· It will ask if you want to update the program definitions, click Yes.
· Under Configuration and Preferences, click the Preferences button.
· Click the Scanning Control tab.
· Under Scanner Options make sure the following are checked:
o Close browsers before scanning
o Scan for tracking cookies
o Terminate memory threats before quarantining.
o Please leave the others unchecked.
o Click the Close button to leave the control center screen.
· On the main screen, under Scan for Harmful Software click Scan your computer.
· On the left check C:\Fixed Drive.
· On the right, under Complete Scan, choose Perform Complete Scan.
· Click Next to start the scan. Please be patient while it scans your computer.
· After the scan is complete a summary box will appear. Click OK.
· Make sure everything in the white box has a check next to it, then click Next.
· It will quarantine what it found and if it asks if you want to reboot, click Yes.
· To retrieve the removal information for me please do the following:
o After reboot, double-click the SUPERAntispyware icon on your desktop.
o Click Preferences. Click the Statistics/Logs tab.
o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
o It will open in your default text editor (such as Notepad/Wordpad).
o Please highlight everything in the notepad, then right-click and choose copy.
· Click close and close again to exit the program.
· Please paste that information here for me with a new Hijack This log.
 

I_HATE_SPYWARE

Thread Starter
Joined
Jun 26, 2007
Messages
12
Good morning, I finally got all the logs and stuff.

OK- Here's the rapport.txt thing from the first set of instructions-


SmitFraudFix v2.197

Scan done at 0:10:12.96, Wed 06/27/2007
Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{44e670f2-d57b-4815-a576-955d17dbbf2d}"="cankered"

[HKEY_CLASSES_ROOT\CLSID\{44e670f2-d57b-4815-a576-955d17dbbf2d}\InProcServer32]
@="C:\WINNT\system32\dooep.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{44e670f2-d57b-4815-a576-955d17dbbf2d}\InProcServer32]
@="C:\WINNT\system32\dooep.dll"


»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

C:\WINNT\system32\dooep.dll -> Hoax.Win32.Renos.gen.o
C:\WINNT\system32\dooep.dll -> Deleted


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url Deleted
C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url Deleted
C:\DOCUME~1\Owner\FAVORI~1\Online Security Test.url Deleted
C:\Program Files\Video ActiveX Access\ Deleted

»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{4A922769-1092-49C8-8062-18A774136340}: DhcpNameServer=192.168.1.1 192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{4A922769-1092-49C8-8062-18A774136340}: DhcpNameServer=192.168.1.1 192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{4A922769-1092-49C8-8062-18A774136340}: DhcpNameServer=192.168.1.1 192.168.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{4A922769-1092-49C8-8062-18A774136340}: DhcpNameServer=192.168.1.1 192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1 192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1 192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1 192.168.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1 192.168.1.1


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End
 

I_HATE_SPYWARE

Thread Starter
Joined
Jun 26, 2007
Messages
12
And heres the other stuff, it didnt fit in that reply

Heres the thing from the second set of instructions:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/27/2007 at 10:09 AM

Application Version : 3.9.1008

Core Rules Database Version : 3261
Trace Rules Database Version: 1272

Scan type : Complete Scan
Total Scan Time : 09:28:29

Memory items scanned : 517
Memory threats detected : 1
Registry items scanned : 5699
Registry threats detected : 281
File items scanned : 73645
File threats detected : 263

Adware.webHancer
C:\PROGRAM FILES\WEBHANCER\PROGRAMS\WEBHDLL.DLL
C:\PROGRAM FILES\WEBHANCER\PROGRAMS\WEBHDLL.DLL
HKLM\Software\Classes\CLSID\{c900b400-cdfe-11d3-976a-00e02913a9e0}
HKCR\CLSID\{C900B400-CDFE-11D3-976A-00E02913A9E0}
HKCR\CLSID\{C900B400-CDFE-11D3-976A-00E02913A9E0}
HKCR\CLSID\{C900B400-CDFE-11D3-976A-00E02913A9E0}\InprocServer32
HKCR\CLSID\{C900B400-CDFE-11D3-976A-00E02913A9E0}\InprocServer32#ThreadingModel
HKCR\CLSID\{C900B400-CDFE-11D3-976A-00E02913A9E0}\ProgID
HKCR\CLSID\{C900B400-CDFE-11D3-976A-00E02913A9E0}\Programmable
HKCR\CLSID\{C900B400-CDFE-11D3-976A-00E02913A9E0}\VersionIndependentProgID
C:\PROGRAM FILES\WEBHANCER\PROGRAMS\WHIEHLPR.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c900b400-cdfe-11d3-976a-00e02913a9e0}
SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001
SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002
SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000022
HKCR\WhIeHelperObj.WhIeHelperObj
HKCR\WhIeHelperObj.WhIeHelperObj\CurVer
HKCR\WhIeHelperObj.WhIeHelperObj.1
HKCR\WhIeHelperObj.WhIeHelperObj.1\CLSID
HKCR\Interface\{C89435B0-CDFE-11D3-976A-00E02913A9E0}
HKCR\Interface\{C89435B0-CDFE-11D3-976A-00E02913A9E0}\ProxyStubClsid
HKCR\Interface\{C89435B0-CDFE-11D3-976A-00E02913A9E0}\ProxyStubClsid32
HKCR\Interface\{C89435B0-CDFE-11D3-976A-00E02913A9E0}\TypeLib
HKCR\Interface\{C89435B0-CDFE-11D3-976A-00E02913A9E0}\TypeLib#Version
HKCR\TypeLib\{C8CB3870-CDFE-11D3-976A-00E02913A9E0}
HKCR\TypeLib\{C8CB3870-CDFE-11D3-976A-00E02913A9E0}\1.0
HKCR\TypeLib\{C8CB3870-CDFE-11D3-976A-00E02913A9E0}\1.0\0
HKCR\TypeLib\{C8CB3870-CDFE-11D3-976A-00E02913A9E0}\1.0\0\win32
HKCR\TypeLib\{C8CB3870-CDFE-11D3-976A-00E02913A9E0}\1.0\FLAGS
HKCR\TypeLib\{C8CB3870-CDFE-11D3-976A-00E02913A9E0}\1.0\HELPDIR
HKLM\Software\WebHancer
HKLM\Software\WebHancer#BaseDir
HKLM\Software\WebHancer\CC
HKLM\Software\WebHancer\CC#DistTag
HKLM\Software\WebHancer\CC#id
HKLM\Software\WebHancer\CC#DWLLTM
HKLM\Software\WebHancer\CC#SLNTIND
HKLM\Software\WebHancer\CC#ACCPTPS
HKLM\Software\WebHancer\ESO
HKLM\Software\WebHancer\ESO#aa
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\webHancer Agent
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\webHancer Agent#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\webHancer Agent#UninstallString
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\whSurvey
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\whSurvey#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\whSurvey#UninstallString
C:\Program Files\WEBHANCER\Programs\license.txt
C:\Program Files\WEBHANCER\Programs\readme.txt
C:\Program Files\WEBHANCER\Programs\sporder.dll
C:\Program Files\WEBHANCER\Programs\whagent.exe
C:\Program Files\WEBHANCER\Programs\whAgent.ini
C:\Program Files\WEBHANCER\Programs\whinstaller.exe
C:\Program Files\WEBHANCER\Programs\whsurvey.exe
C:\Program Files\WEBHANCER\Programs
C:\Program Files\WEBHANCER
C:\Program Files\whInstall\license.txt
C:\Program Files\whInstall\readme.txt
C:\Program Files\whInstall\whAgent.inf
C:\Program Files\whInstall\whAgent.ini
C:\Program Files\whInstall\whInstaller.ini
C:\Program Files\whInstall
C:\WINNT\whAgent.inf
C:\WINNT\whInstaller.ini
C:\WINNT\WEBHDLL.DLL
C:\WINNT\WHINSTALLER.EXE

Adware.Downloader-TopRebates/WebRebates
[toprm] C:\PROGRAM FILES\WEB__REBATES\WEBREBATESV.EXE
C:\PROGRAM FILES\WEB__REBATES\WEBREBATESV.EXE
C:\DOCUMENTS AND SETTINGS\LITTLE METAL BOY\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\RDUXQ9CR\TOPR4511153I[1].GIF
C:\PROGRAM FILES\WEB__REBATES\TOPRM.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP589\A0113733.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP589\A0113734.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP589\SNAPSHOT\MFEX-1.DAT
C:\SYSTEM VOLUME INFORMATION\_RESTORE{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP589\SNAPSHOT\MFEX-15.DAT
C:\SYSTEM VOLUME INFORMATION\_RESTORE{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP589\SNAPSHOT\MFEX-16.DAT
C:\SYSTEM VOLUME INFORMATION\_RESTORE{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP589\SNAPSHOT\MFEX-2.DAT
C:\SYSTEM VOLUME INFORMATION\_RESTORE{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP589\SNAPSHOT\MFEX-8.DAT
C:\SYSTEM VOLUME INFORMATION\_RESTORE{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP589\SNAPSHOT\MFEX-9.DAT
C:\WINNT\Prefetch\WEBREBATESV.EXE-07910448.pf

Malware.SystemDoctor
[SystemDoctor 2006 Free] C:\PROGRAM FILES\SYSTEMDOCTOR 2006 FREE\SD2006.EXE
C:\PROGRAM FILES\SYSTEMDOCTOR 2006 FREE\SD2006.EXE
HKCR\SystemDoctor.Free
HKCR\SystemDoctor.Free\CLSID
HKU\S-1-5-21-2027509828-2654207184-295066019-1003\Software\SystemDoctor 2006 Free
HKLM\Software\SystemDoctor 2006 Free
HKLM\Software\SystemDoctor 2006 Free#ProductCode
HKLM\Software\SystemDoctor 2006 Free#Abbr
HKLM\Software\SystemDoctor 2006 Free#InstallPath
HKLM\Software\SystemDoctor 2006 Free#ActivationCode
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\USDR6_is1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\USDR6_is1#Inno Setup: Setup Version
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\USDR6_is1#Inno Setup: App Path
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\USDR6_is1#InstallLocation
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\USDR6_is1#Inno Setup: Icon Group
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\USDR6_is1#Inno Setup: User
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\USDR6_is1#Inno Setup: Selected Tasks
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\USDR6_is1#Inno Setup: Deselected Tasks
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\USDR6_is1#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\USDR6_is1#UninstallString
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\USDR6_is1#QuietUninstallString
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\USDR6_is1#Publisher
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\USDR6_is1#URLInfoAbout
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\USDR6_is1#HelpLink
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\USDR6_is1#URLUpdateInfo
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\USDR6_is1#NoModify
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\USDR6_is1#NoRepair
HKLM\Software\Microsoft\Windows\CurrentVersion\Run#SystemDoctor 2006 Free [ C:\Program Files\SystemDoctor 2006 Free\sd2006.exe -scan ]
C:\Program Files\SystemDoctor 2006 Free\Activate.dat
C:\Program Files\SystemDoctor 2006 Free\Activate.exe
C:\Program Files\SystemDoctor 2006 Free\atl71.dll
C:\Program Files\SystemDoctor 2006 Free\bhpv.dat
C:\Program Files\SystemDoctor 2006 Free\bhupdater.dat
C:\Program Files\SystemDoctor 2006 Free\bnlink.dat
C:\Program Files\SystemDoctor 2006 Free\DataBase.sav
C:\Program Files\SystemDoctor 2006 Free\dcmon.exe
C:\Program Files\SystemDoctor 2006 Free\err.log
C:\Program Files\SystemDoctor 2006 Free\hmlink.dat
C:\Program Files\SystemDoctor 2006 Free\insthelp.exe
C:\Program Files\SystemDoctor 2006 Free\lapv.dat
C:\Program Files\SystemDoctor 2006 Free\License.rtf
C:\Program Files\SystemDoctor 2006 Free\lock.dat
C:\Program Files\SystemDoctor 2006 Free\mfc71.dll
C:\Program Files\SystemDoctor 2006 Free\ModelLib.dll
C:\Program Files\SystemDoctor 2006 Free\mProp
C:\Program Files\SystemDoctor 2006 Free\msvcp71.dll
C:\Program Files\SystemDoctor 2006 Free\msvcr71.dll
C:\Program Files\SystemDoctor 2006 Free\order.dll
C:\Program Files\SystemDoctor 2006 Free\pasmon.exe
C:\Program Files\SystemDoctor 2006 Free\propbh.xml
C:\Program Files\SystemDoctor 2006 Free\pv.dat
C:\Program Files\SystemDoctor 2006 Free\readme.rtf
C:\Program Files\SystemDoctor 2006 Free\ReportListFile.dat
C:\Program Files\SystemDoctor 2006 Free\SafeMedia\Mp3DB
C:\Program Files\SystemDoctor 2006 Free\SafeMedia\MpegDB
C:\Program Files\SystemDoctor 2006 Free\SafeMedia\WaveDB
C:\Program Files\SystemDoctor 2006 Free\SafeMedia
C:\Program Files\SystemDoctor 2006 Free\sd2006url.url
C:\Program Files\SystemDoctor 2006 Free\sr.log
C:\Program Files\SystemDoctor 2006 Free\st.dat
C:\Program Files\SystemDoctor 2006 Free\support.url
C:\Program Files\SystemDoctor 2006 Free\umain.xml
C:\Program Files\SystemDoctor 2006 Free\unins000.dat
C:\Program Files\SystemDoctor 2006 Free\unins000.exe
C:\Program Files\SystemDoctor 2006 Free\up.dat
C:\Program Files\SystemDoctor 2006 Free\updater.dat
C:\Program Files\SystemDoctor 2006 Free\USDR6cw.exe
C:\Program Files\SystemDoctor 2006 Free
C:\Documents and Settings\All Users\Start Menu\Programs\SystemDoctor 2006 Unregistered Version\Contact customer support.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\SystemDoctor 2006 Unregistered Version\SystemDoctor 2006 on the Web.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\SystemDoctor 2006 Unregistered Version\SystemDoctor 2006.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\SystemDoctor 2006 Unregistered Version\Uninstall SystemDoctor 2006.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\SystemDoctor 2006 Unregistered Version
C:\Documents and Settings\Owner\Desktop\SystemDoctor 2006.lnk
C:\DOCUMENTS AND SETTINGS\OWNER\LOCAL SETTINGS\TEMP\USDR6_0001_D19M2108\INSTALLER.EXE
C:\DOCUMENTS AND SETTINGS\OWNER\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\2P8ZY9EP\SYSTEMDOCTOR2006FREEINSTALL[1].EXE
C:\WINNT\Prefetch\ACTIVATE.EXE-2CD4432C.pf
C:\WINNT\Prefetch\DCMON.EXE-012A9CCD.pf
C:\WINNT\Prefetch\INSTHELP.EXE-382CCADE.pf
C:\WINNT\Prefetch\PASMON.EXE-2140E153.pf
C:\WINNT\Prefetch\SD2006.EXE-0079AB67.pf
C:\WINNT\Prefetch\USDR6CW.EXE-02A31D1A.pf

Adware.MyWebSearch
HKLM\Software\Classes\CLSID\{00A6FAF1-072E-44cf-8957-5838F569A31D}
HKCR\CLSID\{00A6FAF1-072E-44CF-8957-5838F569A31D}
HKCR\CLSID\{00A6FAF1-072E-44CF-8957-5838F569A31D}
HKCR\CLSID\{00A6FAF1-072E-44CF-8957-5838F569A31D}\InprocServer32
HKCR\CLSID\{00A6FAF1-072E-44CF-8957-5838F569A31D}\InprocServer32#ThreadingModel
HKCR\CLSID\{00A6FAF1-072E-44CF-8957-5838F569A31D}\Programmable
C:\PROGRAM FILES\MYWEBSEARCH\SRCHASTT\26.BIN\MWSSRCAS.DLL
HKLM\Software\Classes\CLSID\{00A6FAF6-072E-44cf-8957-5838F569A31D}
HKCR\CLSID\{00A6FAF6-072E-44CF-8957-5838F569A31D}
HKCR\CLSID\{00A6FAF6-072E-44CF-8957-5838F569A31D}
HKCR\CLSID\{00A6FAF6-072E-44CF-8957-5838F569A31D}\InprocServer32
HKCR\CLSID\{00A6FAF6-072E-44CF-8957-5838F569A31D}\InprocServer32#ThreadingModel
HKCR\CLSID\{00A6FAF6-072E-44CF-8957-5838F569A31D}\Programmable
HKLM\Software\Classes\CLSID\{07B18EA1-A523-4961-B6BB-170DE4475CCA}
HKCR\CLSID\{07B18EA1-A523-4961-B6BB-170DE4475CCA}
HKCR\CLSID\{07B18EA1-A523-4961-B6BB-170DE4475CCA}
HKCR\CLSID\{07B18EA1-A523-4961-B6BB-170DE4475CCA}\InprocServer32
HKCR\CLSID\{07B18EA1-A523-4961-B6BB-170DE4475CCA}\InprocServer32#ThreadingModel
HKCR\CLSID\{07B18EA1-A523-4961-B6BB-170DE4475CCA}\Programmable
HKCR\CLSID\{07B18EA1-A523-4961-B6BB-170DE4475CCA}\TypeLib
C:\PROGRAM FILES\MYWEBSEARCH\BAR\26.BIN\MWSBAR.DLL
HKLM\Software\Classes\CLSID\{07B18EA9-A523-4961-B6BB-170DE4475CCA}
HKCR\CLSID\{07B18EA9-A523-4961-B6BB-170DE4475CCA}
HKCR\CLSID\{07B18EA9-A523-4961-B6BB-170DE4475CCA}
HKCR\CLSID\{07B18EA9-A523-4961-B6BB-170DE4475CCA}\InprocServer32
HKCR\CLSID\{07B18EA9-A523-4961-B6BB-170DE4475CCA}\InprocServer32#ThreadingModel
HKCR\CLSID\{07B18EA9-A523-4961-B6BB-170DE4475CCA}\Programmable
HKCR\CLSID\{07B18EA9-A523-4961-B6BB-170DE4475CCA}\TypeLib
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00A6FAF1-072E-44cf-8957-5838F569A31D}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{07B18EA1-A523-4961-B6BB-170DE4475CCA}
HKU\S-1-5-21-2027509828-2654207184-295066019-1003\Software\Microsoft\Internet Explorer\URLSearchHooks#{00A6FAF6-072E-44cf-8957-5838F569A31D}
C:\PROGRAM FILES\MYWEBSEARCH\BAR\25.BIN\MWSOEMON.EXE
C:\PROGRAM FILES\MYWEBSEARCH\BAR\26.BIN\MWSOEMON.EXE

Adware.MyWay
HKLM\Software\Classes\CLSID\{014DA6C9-189F-421a-88CD-07CFE51CFF10}
HKCR\CLSID\{014DA6C9-189F-421A-88CD-07CFE51CFF10}
HKCR\CLSID\{014DA6C9-189F-421A-88CD-07CFE51CFF10}\InprocServer32
C:\PROGRA~1\MYWAY\SRCHASTT\1.BIN\MYSRCHAS.DLL
HKLM\Software\Classes\CLSID\{04079851-5845-4dea-848C-3ECD647AA554}
HKCR\CLSID\{04079851-5845-4DEA-848C-3ECD647AA554}
HKCR\CLSID\{04079851-5845-4DEA-848C-3ECD647AA554}
HKCR\CLSID\{04079851-5845-4DEA-848C-3ECD647AA554}\InprocServer32
HKCR\CLSID\{04079851-5845-4DEA-848C-3ECD647AA554}\InprocServer32#ThreadingModel
HKCR\CLSID\{04079851-5845-4DEA-848C-3ECD647AA554}\Programmable
C:\PROGRAM FILES\MYWAY\SRCHASTT\1.BIN\MYSRCHAS.DLL
HKLM\Software\Classes\CLSID\{04079854-5845-4dea-848C-3ECD647AA554}
HKCR\CLSID\{04079854-5845-4DEA-848C-3ECD647AA554}
HKCR\CLSID\{04079854-5845-4DEA-848C-3ECD647AA554}
HKCR\CLSID\{04079854-5845-4DEA-848C-3ECD647AA554}\Control
HKCR\CLSID\{04079854-5845-4DEA-848C-3ECD647AA554}\InprocServer32
HKCR\CLSID\{04079854-5845-4DEA-848C-3ECD647AA554}\InprocServer32#ThreadingModel
HKCR\CLSID\{04079854-5845-4DEA-848C-3ECD647AA554}\MiscStatus
HKCR\CLSID\{04079854-5845-4DEA-848C-3ECD647AA554}\MiscStatus\1
HKCR\CLSID\{04079854-5845-4DEA-848C-3ECD647AA554}\ProgID
HKCR\CLSID\{04079854-5845-4DEA-848C-3ECD647AA554}\Programmable
HKCR\CLSID\{04079854-5845-4DEA-848C-3ECD647AA554}\TypeLib
HKCR\CLSID\{04079854-5845-4DEA-848C-3ECD647AA554}\Version

(SCAN CONTINUED IN NEXT REPLY)
 

I_HATE_SPYWARE

Thread Starter
Joined
Jun 26, 2007
Messages
12
HKCR\CLSID\{04079854-5845-4DEA-848C-3ECD647AA554}\VersionIndependentProgID
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{04079851-5845-4dea-848C-3ECD647AA554}
HKCR\CLSID\{014DA6C9-189F-421A-88CD-07CFE51CFF10}
HKLM\Software\MyWay
HKLM\Software\MyWay\myBar
HKLM\Software\MyWay\myBar#Dir
HKLM\Software\MyWay\myBar#pid
HKLM\Software\MyWay\myBar#CurInstall
HKLM\Software\MyWay\myBar#sr
HKLM\Software\MyWay\myBar#pl
HKLM\Software\MyWay\myBar#Id
HKLM\Software\MyWay\myBar#CacheDir
HKLM\Software\MyWay\myBar#HistoryDir
HKLM\Software\MyWay\myBar#SettingsDir
HKLM\Software\MyWay\myBar#ConfigDateStamp
HKLM\Software\MyWay\myBar#LastChange
HKLM\Software\MyWay\myBar#Maximized
HKLM\Software\MyWay\myBar#Visible
HKLM\Software\MyWay\myBar\downloaded
HKLM\Software\MyWay\SearchAssistant
HKLM\Software\MyWay\SearchAssistant#Dir
HKLM\Software\MyWay\SearchAssistant#pid
HKLM\Software\MyWay\SearchAssistant#CurInstall
HKLM\Software\MyWay\SearchAssistant#sr
HKLM\Software\MyWay\SearchAssistant#pl
HKLM\Software\MyWay\SearchAssistant#Id
HKLM\Software\MyWay\SearchAssistant#CacheDir
HKLM\Software\MyWay\SearchAssistant#ConfigDateStamp
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyWaySearchAssistant
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyWaySearchAssistant#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyWaySearchAssistant#HelpLink
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyWaySearchAssistant#Publisher
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyWaySearchAssistant#UninstallString
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyWaySearchAssistant#UrlInfoAbout
C:\Program Files\MyWay\myBar
C:\Program Files\MyWay\SrchAstt\1.bin\PARTNER.DAT
C:\Program Files\MyWay\SrchAstt\1.bin
C:\Program Files\MyWay\SrchAstt\Cache\002A5C1D
C:\Program Files\MyWay\SrchAstt\Cache\01B064DF
C:\Program Files\MyWay\SrchAstt\Cache\0FA7F2AB
C:\Program Files\MyWay\SrchAstt\Cache\files.ini
C:\Program Files\MyWay\SrchAstt\Cache
C:\Program Files\MyWay\SrchAstt
C:\Program Files\MyWay

Adware.Tracking Cookie
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][3].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][4].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Joshua\Cookies\[email protected][1].txt
C:\Documents and Settings\Joshua\Cookies\[email protected][1].txt
C:\Documents and Settings\Joshua\Cookies\[email protected][1].txt
C:\Documents and Settings\Joshua\Cookies\[email protected][2].txt
C:\Documents and Settings\Joshua\Cookies\[email protected][1].txt
C:\Documents and Settings\Joshua\Cookies\[email protected][1].txt
C:\Documents and Settings\Joshua\Cookies\[email protected][2].txt
C:\Documents and Settings\Joshua\Cookies\[email protected][1].txt
C:\Documents and Settings\Little Metal Boy\Cookies\little metal [email protected][1].txt
C:\Documents and Settings\Little Metal Boy\Cookies\little metal [email protected][1].txt
C:\Documents and Settings\Little Metal Boy\Cookies\little metal [email protected][1].txt
C:\Documents and Settings\Little Metal Boy\Cookies\little metal [email protected][1].txt

Trojan.SmartFinder
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA#UninstallString
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE#UninstallString
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW#UninstallString

Trojan.WinAntiSpyware/WinAntiVirus 2006/2007
HKLM\Software\Microsoft\Windows\CurrentVersion\Run#DC6_check [ C:\Program Files\SystemDoctor 2006 Free\dcmon.exe ]

Adware.Cydoor
HKU\S-1-5-21-2027509828-2654207184-295066019-1003\Software\Cydoor
HKLM\Software\Cydoor
HKLM\Software\Cydoor#AdwrCnt

Trojan.Spyware Stormer
C:\Program Files\Spyware Stormer

Malware.DriveCleaner
HKLM\Software\Microsoft\Windows\CurrentVersion\Run#PAS_Check [ C:\Program Files\SystemDoctor 2006 Free\pasmon.exe ]

Adware.Zango Toolbar/Hb
HKCR\Wallpaper.WallpaperManager
HKCR\Wallpaper.WallpaperManager\CLSID
HKCR\Wallpaper.WallpaperManager\CurVer
HKCR\Wallpaper.WallpaperManager.1
HKCR\Wallpaper.WallpaperManager.1\CLSID
HKCR\CLSID\{8109FD3D-D891-4F80-8339-50A4913ACE6F}
HKCR\CLSID\{8109FD3D-D891-4F80-8339-50A4913ACE6F}\InprocServer32
HKCR\CLSID\{8109FD3D-D891-4F80-8339-50A4913ACE6F}\InprocServer32#ThreadingModel
HKCR\CLSID\{8109FD3D-D891-4F80-8339-50A4913ACE6F}\ProgID
HKCR\CLSID\{8109FD3D-D891-4F80-8339-50A4913ACE6F}\Programmable
HKCR\CLSID\{8109FD3D-D891-4F80-8339-50A4913ACE6F}\TypeLib
HKCR\CLSID\{8109FD3D-D891-4F80-8339-50A4913ACE6F}\VersionIndependentProgID
HKCR\TypeLib\{5937CD7F-1C0B-41E1-9075-60EBDF3C7D34}
HKCR\TypeLib\{5937CD7F-1C0B-41E1-9075-60EBDF3C7D34}\1.0
HKCR\TypeLib\{5937CD7F-1C0B-41E1-9075-60EBDF3C7D34}\1.0\0
HKCR\TypeLib\{5937CD7F-1C0B-41E1-9075-60EBDF3C7D34}\1.0\0\win32
HKCR\TypeLib\{5937CD7F-1C0B-41E1-9075-60EBDF3C7D34}\1.0\FLAGS
HKCR\TypeLib\{5937CD7F-1C0B-41E1-9075-60EBDF3C7D34}\1.0\HELPDIR
HKCR\Interface\{85E06077-C824-43D0-A8DC-5EFB17BC348A}
HKCR\Interface\{85E06077-C824-43D0-A8DC-5EFB17BC348A}\ProxyStubClsid
HKCR\Interface\{85E06077-C824-43D0-A8DC-5EFB17BC348A}\ProxyStubClsid32
HKCR\Interface\{85E06077-C824-43D0-A8DC-5EFB17BC348A}\TypeLib
HKCR\Interface\{85E06077-C824-43D0-A8DC-5EFB17BC348A}\TypeLib#Version
C:\SYSTEM VOLUME INFORMATION\_RESTORE{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP546\A0106881.DLL

Malware.SpyLocked
HKCR\TypeLib\{099A05C2-CDA0-41FF-9A38-DD8B6149A766}
HKCR\TypeLib\{099A05C2-CDA0-41FF-9A38-DD8B6149A766}\1.0
HKCR\TypeLib\{099A05C2-CDA0-41FF-9A38-DD8B6149A766}\1.0\0
HKCR\TypeLib\{099A05C2-CDA0-41FF-9A38-DD8B6149A766}\1.0\0\win32
HKCR\TypeLib\{099A05C2-CDA0-41FF-9A38-DD8B6149A766}\1.0\FLAGS
HKCR\TypeLib\{099A05C2-CDA0-41FF-9A38-DD8B6149A766}\1.0\HELPDIR
HKCR\Interface\{2F223FDC-164A-492C-82D0-055FD8CE349C}
HKCR\Interface\{2F223FDC-164A-492C-82D0-055FD8CE349C}\ProxyStubClsid
HKCR\Interface\{2F223FDC-164A-492C-82D0-055FD8CE349C}\ProxyStubClsid32
HKCR\Interface\{2F223FDC-164A-492C-82D0-055FD8CE349C}\TypeLib
HKCR\Interface\{2F223FDC-164A-492C-82D0-055FD8CE349C}\TypeLib#Version
HKCR\Interface\{4D3BC08F-3C13-4CD1-80F4-F5A7B7D0388F}
HKCR\Interface\{4D3BC08F-3C13-4CD1-80F4-F5A7B7D0388F}\ProxyStubClsid
HKCR\Interface\{4D3BC08F-3C13-4CD1-80F4-F5A7B7D0388F}\ProxyStubClsid32
HKCR\Interface\{4D3BC08F-3C13-4CD1-80F4-F5A7B7D0388F}\TypeLib
HKCR\Interface\{4D3BC08F-3C13-4CD1-80F4-F5A7B7D0388F}\TypeLib#Version
HKCR\Interface\{5BA3EE9B-A96E-4301-B839-388AFEFCD9F4}
HKCR\Interface\{5BA3EE9B-A96E-4301-B839-388AFEFCD9F4}\ProxyStubClsid
HKCR\Interface\{5BA3EE9B-A96E-4301-B839-388AFEFCD9F4}\ProxyStubClsid32
HKCR\Interface\{5BA3EE9B-A96E-4301-B839-388AFEFCD9F4}\TypeLib
HKCR\Interface\{5BA3EE9B-A96E-4301-B839-388AFEFCD9F4}\TypeLib#Version
HKCR\Interface\{85292BEE-65FF-41AD-8E72-B385D1C93C89}
HKCR\Interface\{85292BEE-65FF-41AD-8E72-B385D1C93C89}\ProxyStubClsid
HKCR\Interface\{85292BEE-65FF-41AD-8E72-B385D1C93C89}\ProxyStubClsid32
HKCR\Interface\{85292BEE-65FF-41AD-8E72-B385D1C93C89}\TypeLib
HKCR\Interface\{85292BEE-65FF-41AD-8E72-B385D1C93C89}\TypeLib#Version
HKCR\Interface\{861ADDA2-0216-49AC-AA5B-62F64F1D91D1}
HKCR\Interface\{861ADDA2-0216-49AC-AA5B-62F64F1D91D1}\ProxyStubClsid
HKCR\Interface\{861ADDA2-0216-49AC-AA5B-62F64F1D91D1}\ProxyStubClsid32
HKCR\Interface\{861ADDA2-0216-49AC-AA5B-62F64F1D91D1}\TypeLib
HKCR\Interface\{861ADDA2-0216-49AC-AA5B-62F64F1D91D1}\TypeLib#Version
HKCR\Interface\{8D3014AE-0854-4222-A733-D9DD0149D9FA}
HKCR\Interface\{8D3014AE-0854-4222-A733-D9DD0149D9FA}\ProxyStubClsid
HKCR\Interface\{8D3014AE-0854-4222-A733-D9DD0149D9FA}\ProxyStubClsid32
HKCR\Interface\{8D3014AE-0854-4222-A733-D9DD0149D9FA}\TypeLib
HKCR\Interface\{8D3014AE-0854-4222-A733-D9DD0149D9FA}\TypeLib#Version
HKCR\Interface\{9A9E938C-4A18-4B36-A973-DADCD8A1C268}
HKCR\Interface\{9A9E938C-4A18-4B36-A973-DADCD8A1C268}\ProxyStubClsid
HKCR\Interface\{9A9E938C-4A18-4B36-A973-DADCD8A1C268}\ProxyStubClsid32
HKCR\Interface\{9A9E938C-4A18-4B36-A973-DADCD8A1C268}\TypeLib
HKCR\Interface\{9A9E938C-4A18-4B36-A973-DADCD8A1C268}\TypeLib#Version
HKCR\Interface\{9C4D0D3F-F36E-42A3-9B35-A43C08AB1866}
HKCR\Interface\{9C4D0D3F-F36E-42A3-9B35-A43C08AB1866}\ProxyStubClsid
HKCR\Interface\{9C4D0D3F-F36E-42A3-9B35-A43C08AB1866}\ProxyStubClsid32
HKCR\Interface\{9C4D0D3F-F36E-42A3-9B35-A43C08AB1866}\TypeLib
HKCR\Interface\{9C4D0D3F-F36E-42A3-9B35-A43C08AB1866}\TypeLib#Version
HKCR\Interface\{ABD41A08-5C4D-4CDB-8310-A681E73755BF}
HKCR\Interface\{ABD41A08-5C4D-4CDB-8310-A681E73755BF}\ProxyStubClsid
HKCR\Interface\{ABD41A08-5C4D-4CDB-8310-A681E73755BF}\ProxyStubClsid32
HKCR\Interface\{ABD41A08-5C4D-4CDB-8310-A681E73755BF}\TypeLib
HKCR\Interface\{ABD41A08-5C4D-4CDB-8310-A681E73755BF}\TypeLib#Version
HKCR\Interface\{B151B421-A97B-4C1D-B555-EED8A35BA5C8}
HKCR\Interface\{B151B421-A97B-4C1D-B555-EED8A35BA5C8}\ProxyStubClsid
HKCR\Interface\{B151B421-A97B-4C1D-B555-EED8A35BA5C8}\ProxyStubClsid32
HKCR\Interface\{B151B421-A97B-4C1D-B555-EED8A35BA5C8}\TypeLib
HKCR\Interface\{B151B421-A97B-4C1D-B555-EED8A35BA5C8}\TypeLib#Version
HKCR\Interface\{B3D80493-3013-4E93-A878-4CEFC401F4A6}
HKCR\Interface\{B3D80493-3013-4E93-A878-4CEFC401F4A6}\ProxyStubClsid
HKCR\Interface\{B3D80493-3013-4E93-A878-4CEFC401F4A6}\ProxyStubClsid32
HKCR\Interface\{B3D80493-3013-4E93-A878-4CEFC401F4A6}\TypeLib
HKCR\Interface\{B3D80493-3013-4E93-A878-4CEFC401F4A6}\TypeLib#Version
HKCR\Interface\{BDC7BB72-6C19-415D-86C3-76CC46EC00A9}
HKCR\Interface\{BDC7BB72-6C19-415D-86C3-76CC46EC00A9}\ProxyStubClsid
HKCR\Interface\{BDC7BB72-6C19-415D-86C3-76CC46EC00A9}\ProxyStubClsid32
HKCR\Interface\{BDC7BB72-6C19-415D-86C3-76CC46EC00A9}\TypeLib
HKCR\Interface\{BDC7BB72-6C19-415D-86C3-76CC46EC00A9}\TypeLib#Version
HKCR\Interface\{CE351B84-F0D6-4FA0-AAD7-3C0616EA647E}
HKCR\Interface\{CE351B84-F0D6-4FA0-AAD7-3C0616EA647E}\ProxyStubClsid
HKCR\Interface\{CE351B84-F0D6-4FA0-AAD7-3C0616EA647E}\ProxyStubClsid32
HKCR\Interface\{CE351B84-F0D6-4FA0-AAD7-3C0616EA647E}\TypeLib
HKCR\Interface\{CE351B84-F0D6-4FA0-AAD7-3C0616EA647E}\TypeLib#Version
HKCR\Interface\{D64DCDAE-38CD-488C-A85C-00A0B5C03AE8}
HKCR\Interface\{D64DCDAE-38CD-488C-A85C-00A0B5C03AE8}\ProxyStubClsid
HKCR\Interface\{D64DCDAE-38CD-488C-A85C-00A0B5C03AE8}\ProxyStubClsid32
HKCR\Interface\{D64DCDAE-38CD-488C-A85C-00A0B5C03AE8}\TypeLib
HKCR\Interface\{D64DCDAE-38CD-488C-A85C-00A0B5C03AE8}\TypeLib#Version
HKCR\Interface\{D9F4D801-2431-465A-B754-AB9E3B649E8C}
HKCR\Interface\{D9F4D801-2431-465A-B754-AB9E3B649E8C}\ProxyStubClsid
HKCR\Interface\{D9F4D801-2431-465A-B754-AB9E3B649E8C}\ProxyStubClsid32
HKCR\Interface\{D9F4D801-2431-465A-B754-AB9E3B649E8C}\TypeLib
HKCR\Interface\{D9F4D801-2431-465A-B754-AB9E3B649E8C}\TypeLib#Version
HKCR\Interface\{E0DBB136-FCD7-4180-9207-D4A9E822002E}
HKCR\Interface\{E0DBB136-FCD7-4180-9207-D4A9E822002E}\ProxyStubClsid
HKCR\Interface\{E0DBB136-FCD7-4180-9207-D4A9E822002E}\ProxyStubClsid32
HKCR\Interface\{E0DBB136-FCD7-4180-9207-D4A9E822002E}\TypeLib
HKCR\Interface\{E0DBB136-FCD7-4180-9207-D4A9E822002E}\TypeLib#Version
C:\Program Files\SpyLocked 4.3\SpyLocked 4.3.exe
C:\Program Files\SpyLocked 4.3
C:\WINNT\Prefetch\SPYLOCKED 4.3.EXE-042F4298.pf

Trojan.Media-Codec/V3
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IExplorer Security Plug-in
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IExplorer Security Plug-in#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IExplorer Security Plug-in#UninstallString

Adware.180solutions/ZangoSearch
C:\DOCUMENTS AND SETTINGS\OWNER\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\0LKTYNOP\JESSICA%20SIMPSON%20WET%20T-SHIRT_ENCRYPTED[1].WMV
C:\DOCUMENTS AND SETTINGS\OWNER\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\0N73IWT5\RACHEL%20HUNTER%20TOPLESS_ENCRYPTED[1].WMV
C:\DOCUMENTS AND SETTINGS\OWNER\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\2P8ZY9EP\BRITNEY%20SPEARS%20SEE%20THROUGH_ENCRYPTED[1].WMV
C:\DOCUMENTS AND SETTINGS\OWNER\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\2P8ZY9EP\SALMA%20HAYEK%20AMAZING%20BOOBS_ENCRYPTED[1].WMV
C:\RECYCLER\S-1-5-21-2027509828-2654207184-295066019-1003\DC56.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP550\A0106988.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP550\A0106989.DLL

Adware.WebRebates
C:\PROGRAM FILES\WEB__REBATES\TO.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP589\A0113735.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP589\SNAPSHOT\MFEX-10.DAT
C:\SYSTEM VOLUME INFORMATION\_RESTORE{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP589\SNAPSHOT\MFEX-17.DAT
C:\SYSTEM VOLUME INFORMATION\_RESTORE{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP589\SNAPSHOT\MFEX-3.DAT
C:\WINNT\Prefetch\TO.EXE-37B88559.pf

Browser Hijacker.Favorites
C:\RECYCLER\S-1-5-21-2027509828-2654207184-295066019-1003\DC66.URL
C:\RECYCLER\S-1-5-21-2027509828-2654207184-295066019-1003\DC67.URL

Trojan.Unknown Origin
C:\SYSTEM VOLUME INFORMATION\_RESTORE{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP589\A0113783.ICO
C:\SYSTEM VOLUME INFORMATION\_RESTORE{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP589\A0113784.ICO

Trace.Known Threat Sources
C:\Documents and Settings\Little Metal Boy\Local Settings\Temporary Internet Files\Content.IE5\U52ZI1SZ\small-part-b[1].jpg
C:\Documents and Settings\Little Metal Boy\Local Settings\Temporary Internet Files\Content.IE5\KM9V2KTL\small-part-c[1].jpg
C:\Documents and Settings\Little Metal Boy\Local Settings\Temporary Internet Files\Content.IE5\KM9V2KTL\10-30935822[1].htm
C:\Documents and Settings\Little Metal Boy\Local Settings\Temporary Internet Files\Content.IE5\X8ZCLUPR\table-2[1].gif
C:\Documents and Settings\Little Metal Boy\Local Settings\Temporary Internet Files\Content.IE5\U52ZI1SZ\shield[2].gif
C:\Documents and Settings\Little Metal Boy\Local Settings\Temporary Internet Files\Content.IE5\KM9V2KTL\side-left[1].jpg
C:\Documents and Settings\Little Metal Boy\Local Settings\Temporary Internet Files\Content.IE5\RDUXQ9CR\corner-left[1].gif
C:\Documents and Settings\Little Metal Boy\Local Settings\Temporary Internet Files\Content.IE5\KM9V2KTL\download[2].gif
C:\Documents and Settings\Little Metal Boy\Local Settings\Temporary Internet Files\Content.IE5\RDUXQ9CR\table-3[1].gif
C:\Documents and Settings\Little Metal Boy\Local Settings\Temporary Internet Files\Content.IE5\X8ZCLUPR\table-4[1].gif
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\MJEBA16Z\h2_bg[1].gif
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0LKTYNOP\main_bg_fill[1].gif
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\2P8ZY9EP\log2[1].jpg
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\2P8ZY9EP\home[1].gif
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0N73IWT5\images[1].js
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\MJEBA16Z\btn_features[1].jpg
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0N73IWT5\sep[1].gif
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\MJEBA16Z\button_privacy[1].gif
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\2P8ZY9EP\small-part-b[1].jpg
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0N73IWT5\small-part-c[1].jpg
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\2P8ZY9EP\bot_r[1].gif
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\MJEBA16Z\10-30935822[1].htm
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0N73IWT5\button_affiliates[1].gif
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0LKTYNOP\btn_affiliates[1].jpg
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0LKTYNOP\top1_menu[1].gif
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0LKTYNOP\CAMFG16N.js
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\2P8ZY9EP\btn_buynow[1].jpg
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\MJEBA16Z\btn_overview[1].jpg
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0LKTYNOP\anim[1].gif
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\MJEBA16Z\top1[1].gif
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0LKTYNOP\table-2[1].gif
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\MJEBA16Z\h1_bg[1].gif
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\MJEBA16Z\logo[3].gif
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\MJEBA16Z\logo[2].gif
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0LKTYNOP\btn_freescan[1].jpg
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0N73IWT5\bot_bg[1].gif
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0N73IWT5\side-left[1].jpg
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0LKTYNOP\button_support[1].gif
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0LKTYNOP\corner-left[1].gif
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\2P8ZY9EP\ico2[1].gif
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\MJEBA16Z\top_pic2[1].gif
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\2P8ZY9EP\button_features[1].gif
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0N73IWT5\download[2].gif
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0N73IWT5\button_download[1].gif
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\2P8ZY9EP\wav_banner[1].swf
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0N73IWT5\special_offer[1].gif
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0N73IWT5\email[1].gif
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\2P8ZY9EP\top_bg[1].gif
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\2P8ZY9EP\button_company[1].gif
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\MJEBA16Z\viruslocker[1].htm
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\MJEBA16Z\button_buy[1].gif
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\MJEBA16Z\table-3[1].gif
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0LKTYNOP\slogan[1].jpg
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0N73IWT5\main_bg[1].gif
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0LKTYNOP\logotype[1].jpg
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0N73IWT5\checksoft[2].js
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\2P8ZY9EP\button2[1].gif
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\2P8ZY9EP\shield[2].gif
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0LKTYNOP\CAEV63M1.gif
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0LKTYNOP\style[2].css
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\2P8ZY9EP\ico1[1].gif
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0N73IWT5\box[1].jpg
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\2P8ZY9EP\btn_company[1].jpg
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\MJEBA16Z\main[4].css
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0LKTYNOP\table-4[1].gif
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0LKTYNOP\2007[1].htm
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\MJEBA16Z\what[1].gif
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0N73IWT5\btn[1].gif
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\2P8ZY9EP\zango_info[1].gif
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0N73IWT5\Britney%20Spears%20Green%20Bikini%20Top_encrypted[1].wmv
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\2P8ZY9EP\navv_bg[1].gif
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0N73IWT5\btn_buy[1].jpg
 

I_HATE_SPYWARE

Thread Starter
Joined
Jun 26, 2007
Messages
12
And after this chaos, I believe you wanted a Hijack This log again :)

Logfile of HijackThis v1.99.1
Scan saved at 11:02:23 AM, on 6/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINNT\System32\svchost.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\SK9910DM.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Documents and Settings\Owner\Desktop\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {184746EC-9E9D-4C7D-B9E7-9039EBD801A9} - C:\Program Files\Video ActiveX Access\iesplg.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {D2850FF8-7735-B943-3C32-9CC34F5DA81A} - C:\WINNT\system32\sdkwk.dll (file missing)
O2 - BHO: (no name) - {FFDD804F-A7F8-4395-93D2-66A85DA2BDAB} - C:\Program Files\WeatherStudio348\bin\WeatherStudio348.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: WeatherStudio348 - {15757333-2BCA-4B77-A807-D0955132F812} - C:\Program Files\WeatherStudio348\bin\WeatherStudio348.dll
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [D-Link AirPlus XtremeG] C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [USDR6cw] C:\Program Files\SystemDoctor 2006 Free\USDR6cw.exe -c
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\23.bin\MWSOEMON.EXE
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\23.bin\MWSOEMON.EXE
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZCfox000
O8 - Extra context menu item: Web Rebates - file://C:\Documents and Settings\Owner\Application Data\Web__Rebates\toprt\toprC5.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Owner\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1163034921515
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINNT\SYSTEM32\WgaLogon.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Documents and Settings\Owner\Desktop\iPod\bin\iPodService.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe
O23 - Service: Network Security Service (NSS) (%AF夶À¨) - Unknown owner - C:\WINNT\ipeu32.exe (file missing)



Alrighty, theres the stuff. Thanks for your help so far!
 

Cheeseball81

Retired Moderator
Joined
Mar 3, 2004
Messages
84,315
1. Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Folders to delete:
C:\Program Files\SystemDoctor 2006 Free
C:\Program Files\MyWebSearch

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply.

Rescan with Hijack This, close all browser windows except Hijack This, put a checkmark beside these entries and click fix checked.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm

R3 - URLSearchHook: (no name) - - (no file)

O2 - BHO: (no name) - {184746EC-9E9D-4C7D-B9E7-9039EBD801A9} - C:\Program Files\Video ActiveX Access\iesplg.dll (file missing)

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: (no name) - {D2850FF8-7735-B943-3C32-9CC34F5DA81A} - C:\WINNT\system32\sdkwk.dll (file missing)

O4 - HKLM\..\Run: [USDR6cw] C:\Program Files\SystemDoctor 2006 Free\USDR6cw.exe -c

O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\23.bin\MWSOEMON.EXE

O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\23.bin\MWSOEMON.EXE

O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...tml?p=ZCfox000

O8 - Extra context menu item: Web Rebates - file://C:\Documents and Settings\Owner\Application Data\Web__Rebates\toprt\toprC5.htm

O23 - Service: Network Security Service (NSS) (%AF夶À¨) - Unknown owner - C:\WINNT\ipeu32.exe (file missing)


Reboot and post another Hijack This log please.
 

I_HATE_SPYWARE

Thread Starter
Joined
Jun 26, 2007
Messages
12
Here's the log after the avenger

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\ajhcvgff

*******************

Script file located at: \??\C:\Documents and Settings\kdjhrveq.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Folder C:\Program Files\SystemDoctor 2006 Free deleted successfully.
Folder C:\Program Files\MyWebSearch deleted successfully.

Completed script processing.

*******************

Finished! Terminate.
 

I_HATE_SPYWARE

Thread Starter
Joined
Jun 26, 2007
Messages
12
And here's the Hijack This log

Logfile of HijackThis v1.99.1
Scan saved at 9:59:28 PM, on 6/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINNT\System32\NMSSvc.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINNT\System32\svchost.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\SK9910DM.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {FFDD804F-A7F8-4395-93D2-66A85DA2BDAB} - C:\Program Files\WeatherStudio348\bin\WeatherStudio348.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: WeatherStudio348 - {15757333-2BCA-4B77-A807-D0955132F812} - C:\Program Files\WeatherStudio348\bin\WeatherStudio348.dll
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [D-Link AirPlus XtremeG] C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Owner\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1163034921515
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINNT\SYSTEM32\WgaLogon.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Documents and Settings\Owner\Desktop\iPod\bin\iPodService.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe
O23 - Service: Network Security Service (NSS) (%AF夶À¨) - Unknown owner - C:\WINNT\ipeu32.exe (file missing)
 

Cheeseball81

Retired Moderator
Joined
Mar 3, 2004
Messages
84,315
Click Start > Run > and type in:

services.msc

Click OK.

In the services window find:

Network Security Service

Right click and choose "Properties".
On the "General" tab under "Service Status" click the "Stop" button to stop the service.
Beside "Startup Type" in the dropdown menu select "Disabled".
Click Apply then OK.
Exit the Services utility.

Note: You may get an error here when trying to access the properties of the service.
If you do get an error, just select the service and look there in the top left of the main service window and click "Stop" to stop the service. If that gives an error or it is already stopped, just skip this step and proceed with the rest.

In Hijack This, click on the "Open Misc Tools section" button.
Next click the "Delete an NT service" button.
Copy and paste the following in that box:

NSS

Click OK.

Reboot, post new log.
 

I_HATE_SPYWARE

Thread Starter
Joined
Jun 26, 2007
Messages
12
Logfile of HijackThis v1.99.1
Scan saved at 11:31:21 PM, on 6/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINNT\System32\NMSSvc.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINNT\System32\svchost.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\SK9910DM.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Documents and Settings\Owner\Desktop\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\HijackThis.exe

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {FFDD804F-A7F8-4395-93D2-66A85DA2BDAB} - C:\Program Files\WeatherStudio348\bin\WeatherStudio348.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: WeatherStudio348 - {15757333-2BCA-4B77-A807-D0955132F812} - C:\Program Files\WeatherStudio348\bin\WeatherStudio348.dll
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [D-Link AirPlus XtremeG] C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Owner\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1163034921515
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINNT\SYSTEM32\WgaLogon.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Documents and Settings\Owner\Desktop\iPod\bin\iPodService.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe
 
Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Users Who Are Viewing This Thread (Users: 0, Guests: 1)

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 807,865 other people just like you!

Latest posts

Staff online

Members online

Top