# New Poly Win32 Problem



## Moe83 (Jan 4, 2006)

HELP!!!!!!!!!!!!!!!!!!

McAfee says a virus has been detected. The file C:\\WINDOWS\crnh.exe is infected by the New Poly Win32 virus and cannot be cleaned. I have run the virus control and it cannot quarantine, delete, or fix it.

I've read similar posts and here is my log from Hijack:

Logfile of HijackThis v1.99.1
Scan saved at 6:22:21 PM, on 1/4/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\meqpc.dll/sp.html#10001%resultposition.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\meqpc.dll/sp.html#10001%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\meqpc.dll/sp.html#10001%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\meqpc.dll/sp.html#10001%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\meqpc.dll/sp.html#10001%resultposition.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\meqpc.dll/sp.html#10001%resultposition.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\meqpc.dll/sp.html#10001%resultposition.net
R3 - Default URLSearchHook is missing
O2 - BHO: DownloadRedirect Class - {00000000-6CB0-410C-8C3D-8FA8D2011D0A} - C:\Program Files\iMesh\iMesh5\iMeshBHO.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {19C15D9B-ED76-52EE-036B-5591AF55B4A5} - C:\WINDOWS\mfccl32.dll
O2 - BHO: iMeshBar BHO - {5345A7A1-805A-4923-B505-86B2FEBA3FE0} - C:\Program Files\iMeshBar\bar\1.bin\IMESHBAR.DLL
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Class - {A7380E2D-065F-36BF-ACBE-56A6484317E0} - C:\WINDOWS\system32\sysls32.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-ca\msntb.dll
O2 - BHO: Class - {BEB8A8DE-743E-9BF5-DBA7-230CFF21DEDA} - C:\WINDOWS\system32\javaur.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-ca\msntb.dll
O3 - Toolbar: iMeshBar - {5345A7A9-805A-4923-B505-86B2FEBA3FE0} - C:\Program Files\iMeshBar\bar\1.bin\IMESHBAR.DLL
O4 - HKLM\..\Run: [Norton Antivirus 7.0a] C:\Documents and Settings\Administrator\winfw.exe
O4 - HKLM\..\Run: [REGRUN] C:\Documents and Settings\Administrator\reg.exe
O4 - HKLM\..\Run: [LXBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBTtime.dll,[email protected]
O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\McAfee.com\Agent\mcregwiz.exe /autorun
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\RunServices: [Windows] run.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAccessVerisign/ie/Bridge-c139.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\crnh.exe" /s (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: lxbt_device - Lexmark International, Inc. - C:\WINDOWS\System32\lxbtcoms.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

PLEASE HELP!!!!!!
THANKS


----------



## JSntgRvr (Jul 1, 2003)

Please download WebRoot SpySweeper (It's a 2 week trial):

http://www.webroot.com/consumer/products/spysweeper/index.html?acode=af1&rc=4129

Click the Free Trial link under "Downloads/SpySweeper" to download the program.

Install it. Once the program is installed, it will open.

It will prompt you to update to the latest definitions, click Yes.
Once the definitions are installed, click Options on the left side.
Click the Sweep Options tab.

Under What to Sweep please put a check next to the following:

* Sweep Memory
* Sweep Registry
* Sweep Cookies
* Sweep All User Accounts
* Enable Direct Disk Sweeping
* Sweep Contents of Compressed Files
* Sweep for Rootkits

Please UNCHECK Do not Sweep System Restore Folder.

Click Sweep Now on the left side.

Click the Start button.

When it's done scanning, click the Next button.

Make sure everything has a check next to it, then click the Next button.

It will remove all of the items found.

Click Session Log in the upper right corner, copy everything in that window.

Click the Summary tab and click Finish.

Perform an ActiveSCan:

http://www.pandasoftware.com/activescan/

Save the report to the desktop.

Post a new HijackThis log and the results of the Spysweeper session log and ActiveScan reports. Also post a new Hijack This log.


----------



## Moe83 (Jan 4, 2006)

Hi,

Here are the logs and reports you requested:

Logfile of HijackThis v1.99.1
Scan saved at 9:26:38 PM, on 1/4/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: DownloadRedirect Class - {00000000-6CB0-410C-8C3D-8FA8D2011D0A} - C:\Program Files\iMesh\iMesh5\iMeshBHO.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: iMeshBar BHO - {5345A7A1-805A-4923-B505-86B2FEBA3FE0} - C:\Program Files\iMeshBar\bar\1.bin\IMESHBAR.DLL
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-ca\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-ca\msntb.dll
O3 - Toolbar: iMeshBar - {5345A7A9-805A-4923-B505-86B2FEBA3FE0} - C:\Program Files\iMeshBar\bar\1.bin\IMESHBAR.DLL
O4 - HKLM\..\Run: [Norton Antivirus 7.0a] C:\Documents and Settings\Administrator\winfw.exe
O4 - HKLM\..\Run: [LXBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBTtime.dll,[email protected]
O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\McAfee.com\Agent\mcregwiz.exe /autorun
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\crnh.exe" /s (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: lxbt_device - Lexmark International, Inc. - C:\WINDOWS\System32\lxbtcoms.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

********
7:43 PM: | Start of Session, Wednesday, January 04, 2006 |
7:43 PM: Spy Sweeper started
7:43 PM: Sweep initiated using definitions version 596
7:43 PM: Starting Memory Sweep
7:43 PM: The Spy Communication shield has blocked access to: www.trackhits.cc
7:43 PM: The Spy Communication shield has blocked access to: www.trackhits.cc
7:44 PM: Found Adware: cws_ns3
7:44 PM: Detected running threat: C:\WINDOWS\crnh.exe (ID = 8)
7:45 PM: Found Adware: spysheriff fakealert
7:45 PM: Detected running threat: C:\winstall.exe (ID = 216859)
7:45 PM: HKU\S-1-5-21-1409082233-1078081533-839522115-500\Software\Microsoft\Windows\CurrentVersion\Run || Windows installer (ID = 0)
7:45 PM: Detected running threat: C:\WINDOWS\mfccl32.dll (ID = 8)
7:45 PM: Detected running threat: C:\WINDOWS\system32\sysls32.dll (ID = 8)
7:45 PM: Detected running threat: C:\WINDOWS\system32\javaur.dll (ID = 8)
7:45 PM: Memory Sweep Complete, Elapsed Time: 00:02:38
7:45 PM: Starting Registry Sweep
7:45 PM: Found Trojan Horse: autospy
7:45 PM: HKLM\software\microsoft\windows\currentversion\runservices\ || windows (ID = 103882)
7:45 PM: Found Trojan Horse: msn cookie trojan
7:45 PM: HKLM\software\microsoft\windows\currentversion\runservices\ || windows (ID = 103882)
7:45 PM: Found Trojan Horse: bf evolution
7:45 PM: HKLM\software\microsoft\windows\currentversion\runservices\ || windows (ID = 103882)
7:45 PM: Found Adware: coolwebsearch (cws)
7:45 PM: HKCR\clsid\{3d1f3c37-49ca-66d3-9877-04375ade521d}\ (2 subtraces) (ID = 107211)
7:45 PM: HKCR\clsid\{a1bd0d9e-655b-cb60-6f75-1dfc720aeab9}\ (2 subtraces) (ID = 107886)
7:45 PM: HKLM\software\classes\clsid\{3d1f3c37-49ca-66d3-9877-04375ade521d}\ (2 subtraces) (ID = 108599)
7:45 PM: HKLM\software\classes\clsid\{a1bd0d9e-655b-cb60-6f75-1dfc720aeab9}\ (2 subtraces) (ID = 109269)
7:45 PM: Found Adware: cws-aboutblank
7:45 PM: HKCR\clsid\{b38f516e-48f2-cdbb-7d76-e0cfbcdbee45}\ (2 subtraces) (ID = 113906)
7:45 PM: HKCR\clsid\{0b4f9b2c-f81d-7c42-ae33-07f0fcb846ec}\ (2 subtraces) (ID = 117601)
7:45 PM: HKCR\clsid\{07a70617-8d17-a480-a5cf-0fca3c65180d}\ (2 subtraces) (ID = 117684)
7:45 PM: HKCR\clsid\{2b5a2313-ae67-454e-9a8b-f74070e57f1b}\ (2 subtraces) (ID = 117744)
7:45 PM: HKCR\clsid\{7e2b347a-52aa-597f-9371-80822a8d1263}\ (2 subtraces) (ID = 117988)
7:45 PM: HKCR\clsid\{8f60435f-df74-6308-e8cb-509d69906821}\ (2 subtraces) (ID = 118033)
7:45 PM: HKCR\clsid\{15e6172a-5f7d-3085-1e94-14da8d1a4479}\ (2 subtraces) (ID = 118084)
7:45 PM: HKCR\clsid\{30e36b0a-ca1d-18e7-7fd2-9ba91d4d1710}\ (2 subtraces) (ID = 118126)
7:45 PM: HKCR\clsid\{69a88c5e-04e5-741d-6ca2-9cb5374eb263}\ (2 subtraces) (ID = 118242)
7:45 PM: HKCR\clsid\{8007f30a-add5-7e61-d29c-8f166bc8a3dd}\ (2 subtraces) (ID = 118535)
7:45 PM: HKCR\clsid\{676575dd-4d46-911d-8037-9b10d6ee8bb5}\ (ID = 118649)
7:45 PM: HKCR\clsid\{abff8236-dcbd-e17b-0a69-6fd85fa199fe}\ (2 subtraces) (ID = 118812)
7:45 PM: HKCR\clsid\{bc0dc8bd-646d-fa46-8739-116b4f8b8228}\ (2 subtraces) (ID = 118909)
7:45 PM: HKCR\clsid\{be5dcdbc-54d3-95ea-b258-2d53bd817431}\ (2 subtraces) (ID = 118926)
7:45 PM: HKCR\clsid\{c2fe095e-5ba7-fbc8-5387-2878c932a44f}\ (2 subtraces) (ID = 118943)
7:45 PM: HKCR\clsid\{c35c2f78-0e5e-f4aa-fd24-04cc74056392}\ (2 subtraces) (ID = 118983)
7:45 PM: HKCR\clsid\{d063e7a9-f6b2-80f8-44b2-f8210fdedf67}\ (2 subtraces) (ID = 119085)
7:45 PM: HKCR\clsid\{db054d56-eea3-c985-bedb-3e646a49fa44}\ (2 subtraces) (ID = 119155)
7:45 PM: HKCR\clsid\{de064cf5-809e-a243-cc14-f5427e5967a1}\ (2 subtraces) (ID = 119183)
7:45 PM: HKCR\clsid\{df7346f5-4eb1-7f19-9320-5e86cbcbda80}\ (2 subtraces) (ID = 119196)
7:45 PM: HKCR\clsid\{ec6cc6a4-2de4-7d97-7906-9d8567369627}\ (2 subtraces) (ID = 119301)
7:45 PM: HKCR\clsid\{fc92c3de-f786-c2a4-4565-359ecf140e14}\ (2 subtraces) (ID = 119436)
7:45 PM: HKLM\software\classes\clsid\{0b4f9b2c-f81d-7c42-ae33-07f0fcb846ec}\ (2 subtraces) (ID = 119482)
7:45 PM: HKLM\software\classes\clsid\{07a70617-8d17-a480-a5cf-0fca3c65180d}\ (2 subtraces) (ID = 119560)
7:45 PM: HKLM\software\classes\clsid\{2b5a2313-ae67-454e-9a8b-f74070e57f1b}\ (2 subtraces) (ID = 119620)
7:45 PM: HKLM\software\classes\clsid\{7e2b347a-52aa-597f-9371-80822a8d1263}\ (2 subtraces) (ID = 119863)
7:45 PM: HKLM\software\classes\clsid\{8f60435f-df74-6308-e8cb-509d69906821}\ (2 subtraces) (ID = 119907)
7:45 PM: HKLM\software\classes\clsid\{15e6172a-5f7d-3085-1e94-14da8d1a4479}\ (2 subtraces) (ID = 119956)
7:45 PM: HKLM\software\classes\clsid\{30e36b0a-ca1d-18e7-7fd2-9ba91d4d1710}\ (2 subtraces) (ID = 119995)
7:45 PM: HKLM\software\classes\clsid\{69a88c5e-04e5-741d-6ca2-9cb5374eb263}\ (2 subtraces) (ID = 120099)
7:45 PM: HKLM\software\classes\clsid\{338e88e9-d821-1c15-a00d-907ab980e988}\ (2 subtraces) (ID = 120215)
7:45 PM: HKLM\software\classes\clsid\{8007f30a-add5-7e61-d29c-8f166bc8a3dd}\ (2 subtraces) (ID = 120382)
7:45 PM: HKLM\software\classes\clsid\{676575dd-4d46-911d-8037-9b10d6ee8bb5}\ (ID = 120496)
7:45 PM: HKLM\software\classes\clsid\{abff8236-dcbd-e17b-0a69-6fd85fa199fe}\ (2 subtraces) (ID = 120651)
7:45 PM: HKLM\software\classes\clsid\{bc0dc8bd-646d-fa46-8739-116b4f8b8228}\ (2 subtraces) (ID = 120746)
7:45 PM: HKLM\software\classes\clsid\{be5dcdbc-54d3-95ea-b258-2d53bd817431}\ (2 subtraces) (ID = 120763)
7:45 PM: HKLM\software\classes\clsid\{c35c2f78-0e5e-f4aa-fd24-04cc74056392}\ (2 subtraces) (ID = 120820)
7:45 PM: HKLM\software\classes\clsid\{d063e7a9-f6b2-80f8-44b2-f8210fdedf67}\ (2 subtraces) (ID = 120921)
7:45 PM: HKLM\software\classes\clsid\{db054d56-eea3-c985-bedb-3e646a49fa44}\ (2 subtraces) (ID = 120991)
7:45 PM: HKLM\software\classes\clsid\{de064cf5-809e-a243-cc14-f5427e5967a1}\ (2 subtraces) (ID = 121020)
7:45 PM: HKLM\software\classes\clsid\{df7346f5-4eb1-7f19-9320-5e86cbcbda80}\ (2 subtraces) (ID = 121031)
7:45 PM: HKLM\software\classes\clsid\{ec6cc6a4-2de4-7d97-7906-9d8567369627}\ (2 subtraces) (ID = 121132)
7:45 PM: HKLM\software\classes\clsid\{fc92c3de-f786-c2a4-4565-359ecf140e14}\ (2 subtraces) (ID = 121261)
7:45 PM: Found Adware: cws_ns3 hijacker
7:45 PM: HKLM\software\microsoft\internet explorer\main\ || default_search_url (ID = 123394)
7:45 PM: HKLM\software\microsoft\internet explorer\main\ || search bar (ID = 123395)
7:45 PM: HKLM\software\microsoft\internet explorer\main\ || search page (ID = 123396)
7:45 PM: HKLM\software\microsoft\internet explorer\search\ || searchassistant (ID = 123399)
7:45 PM: Found Adware: cws_tiny0
7:45 PM: HKCR\clsid\{4a210c09-c3ae-d36c-3ec5-0d7723985463}\ (2 subtraces) (ID = 123837)
7:45 PM: HKCR\clsid\{8d1df6ce-07e4-c211-83f6-537e054edc98}\ (2 subtraces) (ID = 123862)
7:45 PM: HKCR\clsid\{67a0e5dd-d21d-3f1c-2fd5-07c50b27b4bd}\ (2 subtraces) (ID = 123889)
7:45 PM: HKCR\clsid\{8424a742-21c5-e92b-d6a5-2b565d796258}\ (2 subtraces) (ID = 123936)
7:45 PM: HKCR\clsid\{d3e61c7f-bd83-ea01-13f4-464c2595c096}\ (2 subtraces) (ID = 124005)
7:45 PM: HKCR\clsid\{dc690906-09e2-710f-7c3b-f2f819b49b2a}\ (2 subtraces) (ID = 124017)
7:45 PM: HKCR\clsid\{f80f0d50-2d6c-75c3-606a-3dfe0f4fc5d0}\ (2 subtraces) (ID = 124034)
7:45 PM: HKCR\clsid\{fba372da-732c-2096-07db-aa0e71833d10}\ (2 subtraces) (ID = 124040)
7:45 PM: HKLM\software\classes\clsid\{4a210c09-c3ae-d36c-3ec5-0d7723985463}\ (2 subtraces) (ID = 124071)
7:45 PM: HKLM\software\classes\clsid\{8d1df6ce-07e4-c211-83f6-537e054edc98}\ (2 subtraces) (ID = 124096)
7:45 PM: HKLM\software\classes\clsid\{67a0e5dd-d21d-3f1c-2fd5-07c50b27b4bd}\ (2 subtraces) (ID = 124121)
7:45 PM: HKLM\software\classes\clsid\{8424a742-21c5-e92b-d6a5-2b565d796258}\ (2 subtraces) (ID = 124164)
7:45 PM: HKLM\software\classes\clsid\{dc690906-09e2-710f-7c3b-f2f819b49b2a}\ (2 subtraces) (ID = 124246)
7:45 PM: HKLM\software\classes\clsid\{f80f0d50-2d6c-75c3-606a-3dfe0f4fc5d0}\ (2 subtraces) (ID = 124262)
7:45 PM: HKLM\software\classes\clsid\{fba372da-732c-2096-07db-aa0e71833d10}\ (2 subtraces) (ID = 124267)
7:45 PM: Found Adware: internetoptimizer
7:45 PM: HKLM\software\microsoft\windows\currentversion\policies\ameopt\ (ID = 128912)
7:45 PM: Found Adware: purityscan
7:45 PM: HKLM\software\microsoft\windows\currentversion\run\ || regrun (ID = 139064)
7:45 PM: Found Adware: spysheriff
7:45 PM: HKLM\software\microsoft\windows\currentversion\uninstall\spysheriff\ (5 subtraces) (ID = 142124)
7:45 PM: Found Adware: winad
7:45 PM: HKCR\clsid\{15ad6789-cdb4-47e1-a9da-992ee8e6bad6}\ (6 subtraces) (ID = 147155)
7:45 PM: HKCR\mediaaccx.installer\ (3 subtraces) (ID = 147158)
7:45 PM: HKLM\software\classes\clsid\{15ad6789-cdb4-47e1-a9da-992ee8e6bad6}\ (6 subtraces) (ID = 147169)
7:45 PM: HKLM\software\classes\mediaaccx.installer\ (3 subtraces) (ID = 147172)
7:45 PM: HKLM\software\media access\ (7 subtraces) (ID = 147182)
7:45 PM: HKLM\software\microsoft\code store database\distribution units\{15ad6789-cdb4-47e1-a9da-992ee8e6bad6}\ (10 subtraces) (ID = 147185)
7:45 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/mediaaccx.dll\ (2 subtraces) (ID = 147191)
7:45 PM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\mediaaccx.dll (ID = 147221)
7:46 PM: HKCR\clsid\{9adc5b7c-f0fa-a733-e146-85ce8933dc68}\ (2 subtraces) (ID = 980881)
7:46 PM: HKLM\software\classes\clsid\{9adc5b7c-f0fa-a733-e146-85ce8933dc68}\ (2 subtraces) (ID = 980889)
7:46 PM: HKU\S-1-5-21-1409082233-1078081533-839522115-500\software\microsoft\internet explorer\main\ || search bar (ID = 123390)
7:46 PM: HKU\S-1-5-21-1409082233-1078081533-839522115-500\software\microsoft\internet explorer\main\ || search page (ID = 123391)
7:46 PM: HKU\S-1-5-21-1409082233-1078081533-839522115-500\software\microsoft\internet explorer\search\ || searchassistant (ID = 123398)
7:46 PM: HKU\S-1-5-21-1409082233-1078081533-839522115-500\software\spysheriff\ (30 subtraces) (ID = 142125)
7:46 PM: HKU\S-1-5-21-1409082233-1078081533-839522115-500\software\sno2\ (ID = 782236)
7:46 PM: HKU\S-1-5-21-1409082233-1078081533-839522115-500\software\microsoft\windows\currentversion\run\ || windows installer (ID = 1088024)
7:46 PM: Registry Sweep Complete, Elapsed Time:00:00:23
7:46 PM: Starting Cookie Sweep
7:46 PM: Found Spy Cookie: 247realmedia cookie
7:46 PM: [email protected][1].txt (ID = 1953)
7:46 PM: Found Spy Cookie: about cookie
7:46 PM: [email protected][2].txt (ID = 2037)
7:46 PM: Found Spy Cookie: yieldmanager cookie
7:46 PM: [email protected][2].txt (ID = 3751)
7:46 PM: Found Spy Cookie: adknowledge cookie
7:46 PM: [email protected][2].txt (ID = 2072)
7:46 PM: Found Spy Cookie: hbmediapro cookie
7:46 PM: [email protected][2].txt (ID = 2768)
7:46 PM: Found Spy Cookie: precisead cookie
7:46 PM: [email protected][2].txt (ID = 3182)
7:46 PM: Found Spy Cookie: specificclick.com cookie
7:46 PM: [email protected][2].txt (ID = 3400)
7:46 PM: Found Spy Cookie: addynamix cookie
7:46 PM: [email protected][1].txt (ID = 2062)
7:46 PM: Found Spy Cookie: pointroll cookie
7:46 PM: [email protected][1].txt (ID = 3148)
7:46 PM: Found Spy Cookie: atlas dmt cookie
7:46 PM: [email protected][2].txt (ID = 2253)
7:46 PM: Found Spy Cookie: belnk cookie
7:46 PM: [email protected][1].txt (ID = 2293)
7:46 PM: Found Spy Cookie: atwola cookie
7:46 PM: [email protected][1].txt (ID = 2255)
7:46 PM: Found Spy Cookie: azjmp cookie
7:46 PM: [email protected][2].txt (ID = 2270)
7:46 PM: [email protected][2].txt (ID = 2292)
7:46 PM: Found Spy Cookie: bs.serving-sys cookie
7:46 PM: [email protected][1].txt (ID = 2330)
7:46 PM: Found Spy Cookie: gostats cookie
7:46 PM: [email protected][2].txt (ID = 2748)
7:46 PM: Found Spy Cookie: clickzs cookie
7:46 PM: [email protected][1].txt (ID = 2413)
7:46 PM: Found Spy Cookie: did-it cookie
7:46 PM: [email protected][2].txt (ID = 2523)
7:46 PM: [email protected][1].txt (ID = 2293)
7:46 PM: Found Spy Cookie: kinghost cookie
7:46 PM: [email protected][1].txt (ID = 2903)
7:46 PM: Found Spy Cookie: go.com cookie
7:46 PM: [email protected][1].txt (ID = 2729)
7:46 PM: Found Spy Cookie: 2o7.net cookie
7:46 PM: [email protected][1].txt (ID = 1958)
7:46 PM: [email protected][1].txt (ID = 1958)
7:46 PM: Found Spy Cookie: touchclarity cookie
7:46 PM: [email protected][1].txt (ID = 3567)
7:46 PM: Found Spy Cookie: partypoker cookie
7:46 PM: [email protected][1].txt (ID = 3111)
7:46 PM: Found Spy Cookie: rc cookie
7:46 PM: [email protected][1].txt (ID = 3231)
7:46 PM: Found Spy Cookie: valuead cookie
7:46 PM: [email protected][2].txt (ID = 3627)
7:46 PM: Found Spy Cookie: adjuggler cookie
7:46 PM: [email protected][1].txt (ID = 2071)
7:46 PM: Found Spy Cookie: serving-sys cookie
7:46 PM: [email protected][2].txt (ID = 3343)
7:46 PM: Found Spy Cookie: starware.com cookie
7:46 PM: [email protected][2].txt (ID = 3441)
7:46 PM: Found Spy Cookie: trafficmp cookie
7:46 PM: [email protected][2].txt (ID = 3581)
7:46 PM: [email protected][2].txt (ID = 2038)
7:46 PM: Found Spy Cookie: screensavers.com cookie
7:46 PM: [email protected][2].txt (ID = 3298)
7:46 PM: Found Spy Cookie: xiti cookie
7:46 PM: [email protected][1].txt (ID = 3717)
7:46 PM: Found Spy Cookie: yadro cookie
7:46 PM: [email protected][2].txt (ID = 3743)
7:46 PM: Cookie Sweep Complete, Elapsed Time: 00:00:03
7:46 PM: Starting File Sweep
7:46 PM: c:\program files\spysheriff (15 subtraces) (ID = -2147476679)
7:46 PM: 6.tmp (ID = 214375)
7:46 PM: 7.tmp (ID = 214375)
7:46 PM: a0013890.exe (ID = 90386)
7:46 PM: Found Adware: security iguard
7:46 PM: chmhelp.chm (ID = 75238)
7:47 PM: 5.tmp (ID = 214375)
7:47 PM: installer.exe (ID = 73121)
7:47 PM: desktop.html (ID = 178574)
7:48 PM: ntla.exe (ID = 200)
7:48 PM: winstall.exe (ID = 216859)
7:48 PM: HKU\S-1-5-21-1409082233-1078081533-839522115-500\Software\Microsoft\Windows\CurrentVersion\Run || Windows installer (ID = 0)
7:48 PM: procmon.dll (ID = 198830)
7:49 PM: a0013883.exe (ID = 90400)
7:49 PM: msmn.exe (ID = 200)
7:49 PM: a0013876.exe (ID = 64092)
7:49 PM: Found Adware: 180search assistant/zango
7:49 PM: npzango.dll (ID = 91102)
7:49 PM: a0013891.exe (ID = 90400)
7:49 PM: a0042213.exe (ID = 204)
7:50 PM: ippl.exe (ID = 204)
7:50 PM: Found Adware: pc adprotector desktop hijacker
7:50 PM: 1e.tmp.exe (ID = 162680)
7:51 PM: crlb32.exe (ID = 200)
7:51 PM: a0045278.exe (ID = 200)
7:53 PM: a0013889.dll (ID = 90373)
7:53 PM: a0044276.ini:qmrjww (ID = 216849)
7:56 PM: Found Adware: shopathomeselect
7:56 PM: gah95on6.ini (ID = 75741)
7:56 PM: mediaaccx.dll (ID = 90412)
7:56 PM: pzmpf.dll (ID = 216849)
7:56 PM: crkxi.dll (ID = 216849)
7:57 PM: uninstall.exe (ID = 198832)
7:58 PM: ntbq.exe (ID = 204)
7:58 PM: iesecurity.dll (ID = 198829)
7:58 PM: nthp.exe (ID = 200)
7:58 PM: a0045293.ini:qmrjww (ID = 216849)
7:58 PM: sdkce.exe (ID = 200)
7:58 PM: appgb32.exe (ID = 200)
7:58 PM: a0042226.dll (ID = 216849)
7:58 PM: iemw32.exe (ID = 204)
7:59 PM: crnh.exe (ID = 204)
7:59 PM: ipeq32.exe (ID = 200)
7:59 PM: ntnv.exe (ID = 200)
7:59 PM: atlrr.exe (ID = 200)
7:59 PM: sdkil.exe (ID = 200)
7:59 PM: addzj32.exe (ID = 200)
7:59 PM: a0043276.ini:qmrjww (ID = 216849)
7:59 PM: atlpy.exe (ID = 200)
7:59 PM: a0045276.ini:qmrjww (ID = 216849)
7:59 PM: a0042214.exe (ID = 200)
7:59 PM: heur003.dll (ID = 198828)
7:59 PM: base.avd (ID = 190097)
7:59 PM: netel32.exe (ID = 200)
7:59 PM: a0045344.ini:qmrjww (ID = 216849)
7:59 PM: heur001.dll (ID = 198826)
8:00 PM: meqpc.dll (ID = 216849)
8:00 PM: spysheriff.exe (ID = 198831)
8:00 PM: dellstat.ini:qmrjww (ID = 216849)
8:00 PM: heur002.dll (ID = 198827)
8:00 PM: ipmf32.exe (ID = 200)
8:00 PM: a0045316.ini:qmrjww (ID = 216849)
8:01 PM: heur000.dll (ID = 198825)
8:01 PM: salmau.dat (ID = 93788)
8:01 PM: search the web.url (ID = 54454)
8:01 PM: a0013841.ini (ID = 75852)
8:01 PM: bln02nqv.ini (ID = 75683)
8:01 PM: 70tovmto.ini (ID = 75621)
8:01 PM: a0013842.ini (ID = 75631)
8:01 PM: only sex website.url (ID = 54373)
8:01 PM: seven days of free porn.url (ID = 54472)
8:01 PM: credit counseling.url (ID = 130668)
8:01 PM: insurance home.url (ID = 130676)
8:01 PM: mortgage life insurance.url (ID = 130681)
8:01 PM: help desk software.url (ID = 130675)
8:01 PM: ab scissor.url (ID = 130666)
8:01 PM: videos.url (ID = 130694)
8:01 PM: what is hydrocodone.url (ID = 130695)
8:01 PM: online gambling casino.url (ID = 130684)
8:01 PM: refinancing my mortgage.url (ID = 130691)
8:01 PM: debt credit card.url (ID = 130671)
8:01 PM: fha.url (ID = 130673)
8:01 PM: loan for debt consolidation.url (ID = 130677)
8:01 PM: health insurance.url (ID = 130674)
8:01 PM: personal loans online.url (ID = 130688)
8:01 PM: payroll advance.url (ID = 130687)
8:01 PM: marketing email.url (ID = 130679)
8:01 PM: prescription drugs rx online.url (ID = 130690)
8:01 PM: credit report.url (ID = 130669)
8:01 PM: tahoe vacation rental.url (ID = 130692)
8:01 PM: escorts.url (ID = 130672)
8:01 PM: order phentermine.url (ID = 130686)
8:01 PM: mortgage insurance.url (ID = 130680)
8:01 PM: personal loans with bad credit.url (ID = 130689)
8:01 PM: crm software.url (ID = 130670)
8:01 PM: nevada corporations.url (ID = 130682)
8:01 PM: unsecured bad credit loans.url (ID = 130693)
8:01 PM: loan for people with bad credit.url (ID = 130678)
8:01 PM: broadband comparison.url (ID = 130667)
8:01 PM: online betting site.url (ID = 130683)
8:01 PM: online instant loan.url (ID = 130685)
8:01 PM: a0042131.lnk (ID = 198831)
8:01 PM: a0042126.lnk (ID = 198831)
8:02 PM: File Sweep Complete, Elapsed Time: 00:15:56
8:02 PM: Full Sweep has completed. Elapsed time 00:19:04
8:02 PM: Traces Found: 439
8:04 PM: Removal process initiated
8:05 PM: Quarantining All Traces: 180search assistant/zango
8:05 PM: Quarantining All Traces: cws_ns3
8:05 PM: cws_ns3 is in use. It will be removed on reboot.
8:05 PM: C:\WINDOWS\crnh.exe is in use. It will be removed on reboot.
8:05 PM: C:\WINDOWS\mfccl32.dll is in use. It will be removed on reboot.
8:05 PM: C:\WINDOWS\system32\sysls32.dll is in use. It will be removed on reboot.
8:05 PM: C:\WINDOWS\system32\javaur.dll is in use. It will be removed on reboot.
8:05 PM: Quarantining All Traces: cws-aboutblank
8:05 PM: Quarantining All Traces: purityscan
8:05 PM: purityscan is in use. It will be removed on reboot.
8:05 PM: installer.exe is in use. It will be removed on reboot.
8:05 PM: Quarantining All Traces: spysheriff
8:05 PM: Quarantining All Traces: autospy
8:05 PM: Quarantining All Traces: bf evolution
8:05 PM: Quarantining All Traces: coolwebsearch (cws)
8:05 PM: Quarantining All Traces: cws_tiny0
8:05 PM: cws_tiny0 is in use. It will be removed on reboot.
8:05 PM: crlb32.exe is in use. It will be removed on reboot.
8:05 PM: Quarantining All Traces: internetoptimizer
8:05 PM: Quarantining All Traces: msn cookie trojan
8:05 PM: Quarantining All Traces: winad
8:05 PM: Quarantining All Traces: cws_ns3 hijacker
8:05 PM: Quarantining All Traces: pc adprotector desktop hijacker
8:05 PM: Quarantining All Traces: security iguard
8:05 PM: Quarantining All Traces: shopathomeselect
8:05 PM: Quarantining All Traces: spysheriff fakealert
8:05 PM: spysheriff fakealert is in use. It will be removed on reboot.
8:05 PM: winstall.exe is in use. It will be removed on reboot.
8:05 PM: Quarantining All Traces: 247realmedia cookie
8:05 PM: Quarantining All Traces: 2o7.net cookie
8:05 PM: Quarantining All Traces: about cookie
8:05 PM: Quarantining All Traces: addynamix cookie
8:05 PM: Quarantining All Traces: adjuggler cookie
8:05 PM: Quarantining All Traces: adknowledge cookie
8:06 PM: Quarantining All Traces: atlas dmt cookie
8:06 PM: Quarantining All Traces: atwola cookie
8:06 PM: Quarantining All Traces: azjmp cookie
8:06 PM: Quarantining All Traces: belnk cookie
8:06 PM: Quarantining All Traces: bs.serving-sys cookie
8:06 PM: Quarantining All Traces: clickzs cookie
8:06 PM: Quarantining All Traces: did-it cookie
8:06 PM: Quarantining All Traces: go.com cookie
8:06 PM: Quarantining All Traces: gostats cookie
8:06 PM: Quarantining All Traces: hbmediapro cookie
8:06 PM: Quarantining All Traces: kinghost cookie
8:06 PM: Quarantining All Traces: partypoker cookie
8:06 PM: Quarantining All Traces: pointroll cookie
8:06 PM: Quarantining All Traces: precisead cookie
8:06 PM: Quarantining All Traces: rc cookie
8:06 PM: Quarantining All Traces: screensavers.com cookie
8:06 PM: Quarantining All Traces: serving-sys cookie
8:06 PM: Quarantining All Traces: specificclick.com cookie
8:06 PM: Quarantining All Traces: starware.com cookie
8:06 PM: Quarantining All Traces: touchclarity cookie
8:06 PM: Quarantining All Traces: trafficmp cookie
8:06 PM: Quarantining All Traces: valuead cookie
8:06 PM: Quarantining All Traces: xiti cookie
8:06 PM: Quarantining All Traces: yadro cookie
8:06 PM: Quarantining All Traces: yieldmanager cookie
8:10 PM: Preparing to restart your computer. Please wait...
8:10 PM: Removal process completed. Elapsed time 00:05:38
********
7:40 PM: | Start of Session, Wednesday, January 04, 2006 |
7:40 PM: Spy Sweeper started
7:40 PM: Your spyware definitions have been updated.
7:41 PM: Warning: Failed to load image: C:\WINDOWS\CRNH.EXE
7:43 PM: | End of Session, Wednesday, January 04, 2006 |

These scans are helping. 
Thanks


----------



## Moe83 (Jan 4, 2006)

Hi,

I'm unable to paste the ActiveScan reports because the text is too long. Not sure what to do?


----------



## JSntgRvr (Jul 1, 2003)

Moe83 said:


> Hi,
> 
> I'm unable to paste the ActiveScan reports because the text is too long. Not sure what to do?


Click on Post a reply and attach the file.

Remove the following from your installed programs if these exists:

*PartyPoker
Imesh*

Click Start > Run > and type in:

*services.msc*

Click OK.

In the services window find:

*Network Security Service*

Right click and choose "Properties".

On the "General" tab under "Service Status" click the "Stop" button to stop the service.

Beside "Startup Type" in the dropdown menu select "Disabled".

Click Apply then OK.

Exit the Services utility.

Note: You may get an error here when trying to access the properties of the service. 
If you do get an error, just select the service and look there in the top left of the main service window and click "Stop" to stop the service. If that gives an error or it is already stopped, just skip this step and proceed with the rest.

In Hijack This, click on the "Open Misc Tools section" button. 
Next click the "Delete an NT service" button. 
Copy and paste the following in that box:

*11Fßä#·ºÄÖ`I*

(It may ot be recognized, but try)

Click OK.

Reboot

Run Hijackthis. Place a checkmark on the following lines and click on Fix Checked:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: DownloadRedirect Class - {00000000-6CB0-410C-8C3D-8FA8D2011D0A} - C:\Program Files\iMesh\iMesh5\iMeshBHO.dll
O2 - BHO: iMeshBar BHO - {5345A7A1-805A-4923-B505-86B2FEBA3FE0} - C:\Program Files\iMeshBar\bar\1.bin\IMESHBAR.DLL
O3 - Toolbar: iMeshBar - {5345A7A9-805A-4923-B505-86B2FEBA3FE0} - C:\Program Files\iMeshBar\bar\1.bin\IMESHBAR.DLL
O4 - HKLM\..\Run: [Norton Antivirus 7.0a] C:\Documents and Settings\Administrator\winfw.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)

Boot the computer in Safe mode. Find and Delete the following files and folders:

C:\Program Files\*iMesh*
C:\Documents and Settings\Administrator\*winfw.exe*
C:\Program Files\*PartyPoker*

Post back witha fresh Hijackthis log and attach the ActiveSCan report.


----------



## Moe83 (Jan 4, 2006)

New HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 1:03:30 PM, on 1/5/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Hijackthis\HijackThis.exe

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-ca\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-ca\msntb.dll
O4 - HKLM\..\Run: [LXBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBTtime.dll,[email protected]
O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\McAfee.com\Agent\mcregwiz.exe /autorun
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: lxbt_device - Lexmark International, Inc. - C:\WINDOWS\System32\lxbtcoms.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


----------



## JSntgRvr (Jul 1, 2003)

Remove *Spyfighter* from your installed programs as it is considered a bogus program.

*Boot in Safe Mode. *

Delete the follloding folder:

C:\Program Files\*SpyFighter*

Delete the following files:

C:\WINDOWS\system32\*mscb.exe*
C:\WINDOWS\*sdkad32.exe*
C:\Documents and Settings\Administrator\*reg.exe*

C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\8pyfs3wo.default\*cookies.txt*

Clear this Folder from any files and folders:

C:\Documents and Settings\Administrator\*Cookies*

How is the computer doing?


----------



## Moe83 (Jan 4, 2006)

Hi,

The computer is running a lot better thanks to you....thank you. I deleted Party Poker and Spy Fighter from my computer but when I go to Add/Remove Programs in the Control Panel they are still showing up and I can't get rid of them??????

Also, I'm unable to change the background on my desktop and occasionally at night when I go to turn my computer off it won't shut down????

Other than that the computer is clear of any viruses or spyware.


----------



## JSntgRvr (Jul 1, 2003)

> I deleted Party Poker and Spy Fighter from my computer but when I go to Add/Remove Programs in the Control Panel they are still showing up and I can't get rid of them??????


You can remove those entries from the registry:

http://support.microsoft.com/default.aspx?scid=kb;en-us;310750&Product=winxp



> Also, I'm unable to change the background on my desktop and occasionally at night when I go to turn my computer off it won't shut down????
> 
> Other than that the computer is clear of any viruses or spyware.


I do not understand what you are saying above, but just in case is due to a hijacker, lets try this:

Click here to download smitRem.exe:

http://noahdfear.geekstogo.com/click counter/click.php?id=1

*Save the file to your desktop. 
*It is a self extracting file.
*Doubleclick the smitRem.exe and it will extract the files to a smitRem folder on your desktop. 
*Do not do anything with it yet. You will run the RunThis.bat file later in safe mode

* Now copy these instructions to notepad and save them to your desktop. You will need them to refer to in safe mode.

* Restart your computer into safe mode now.

http://service1.symantec.com/SUPPOR...2001052409420406?OpenDocument&src=sec_doc_nam

Perform the following steps in safe mode:

* Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.

Wait for the tool to complete and disk cleanup to finish.

* Go to Control Panel > Internet Options. Click on the Programs tab, then click the "Reset Web Settings" button. Click Apply then OK.

* Next go to Control Panel > Display. Click on the "Desktop" tab then click the "Customize Desktop" button. Click on the "Web" tab. Under "Web Pages" you should see an entry checked called something like "Security info" or similar. If it is there, select that entry and click the "Delete" button. Click OK then Apply and OK.

* Restart back into Windows normally now.

Download Luna.zip:

http://castlecops.com/zx/flrman1/luna.zip

Download it and unzip it to extract the luna.msstyles file 
it contains. Copy the luna.msstyles file to the C:\WINDOWS\Resources\Themes\Luna folder.

Restart your machine and go to Display Properties and you should be able to choose the XP theme again.

Keep me posted!


----------



## JSntgRvr (Jul 1, 2003)

I just realized that your system is not patched. You must obtain the latest Windows Updates.


----------

