# Need help with Tagasaurus!!!!



## incadudeF (Apr 10, 2006)

I really need help. I got Tagasaurus a while ago and ever since then I have gotten tons of pop-up ads. I can't open my Task Manager. I have AOL security but it does nothing to help get rid of this problem. I am not really experienced in computers. Can someone help me out?


----------



## Cookiegal (Aug 27, 2003)

Hi and welcome to TSG,

Please do the following:

*Click here* to download *HJTsetup.exe*

Save HJTsetup.exe to your desktop.
Double click on the HJTsetup.exe icon on your desktop.
By default it will install to C:\Program Files\Hijack This.
Continue to click *Next* in the setup dialogue boxes until you get to the *Select Additional Tasks* dialogue.
Put a check by *Create a desktop icon* then click *Next* again.
Continue to follow the rest of the prompts from there.
At the final dialogue box click *Finish* and it will launch Hijack This.
Click on the *Do a system scan and save a log file* button. It will scan and then ask you to save the log.
Click *Save* to save the log file and then the log will open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
Come back here to this thread and Paste the log in your next reply.
*DO NOT* have Hijack This fix anything yet. Most of what it finds will be harmless or even required.


----------



## incadudeF (Apr 10, 2006)

Logfile of HijackThis v1.99.1
Scan saved at 9:21:54 AM, on 4/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\WildTangent\Apps\GameChannel.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\AOL\1108343333\ee\AOLSoftware.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Creative\WebCam Control\CAMTRAY.EXE
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\outlook\outlook.exe
C:\WINDOWS\system32\winlog.exe
C:\windows\mousepad9.exe
C:\WINDOWS\ms06435217784.exe
C:\WINDOWS\system32\slk8x2peu.exe
C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\progra~1\intern~1\iexplore.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\cinfo.exe
C:\Program Files\Common Files\AOL\1108343333\ee\services\sscAntiSpywarePlugin\ver1_10_3_1\AOLSP Scheduler.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\America Online 9.0a\waol.exe
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
C:\Program Files\Lexmark X125\LEX125SU.exe
C:\Program Files\America Online 9.0a\shellmon.exe
c:\program files\common files\aol\1108343333\ee\aolssc.exe
c:\program files\common files\aol\1108343333\ee\aexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=presario&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=presario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=presario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=presario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=presario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=presario&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:0/proxy.pac
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\kqqut.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,vlxxerr.exe
O2 - BHO: Yvakt Class - {DAAC59E5-093D-4D24-A105-55BFE4ACDE14} - C:\WINDOWS\system32\w9seq.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: (no name) - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - (no file)
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
O4 - HKLM\..\Run: [ABBYY Community Agent] C:\Program Files\ABBYY FineReader 5.0 Sprint\CAgent.exe
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1108343333\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\WebCam Control\CAMTRAY.EXE
O4 - HKLM\..\Run: [alal] C:\WINDOWS\alal.exe
O4 - HKLM\..\Run: [g31kac73] C:\WINDOWS\system32\g31kac73.exe
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - HKLM\..\Run: [Face Else Meet User] C:\Documents and Settings\All Users\Application Data\less gpl face else\bowsmove.exe
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [winlog] winlog.exe
O4 - HKLM\..\Run: [keyboard] C:\windows\keyboard9.exe
O4 - HKLM\..\Run: [mousepad] C:\windows\mousepad9.exe
O4 - HKLM\..\Run: [newname] C:\windows\newname9.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe
O4 - HKLM\..\Run: [ms06435217784] C:\WINDOWS\ms06435217784.exe
O4 - HKLM\..\Run: [q8lg] "C:\WINDOWS\system32\slk8x2peu.exe"
O4 - HKLM\..\Run: [{B2-20-07-73-ZN}] c:\windows\system32\dwdsregt.exe CORN001
O4 - HKLM\..\Run: [w0facd81.dll] RUNDLL32.EXE w0facd81.dll,I2 00008a6100facd81
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\system32\wintask.exe
O4 - HKLM\..\Run: [expload.exe] C:\WINDOWS\system32\expload.exe
O4 - HKLM\..\Run: [w014b8de.dll] RUNDLL32.EXE w014b8de.dll,I2 00008a610014b8de
O4 - HKLM\..\Run: [w0017c9d.dll] RUNDLL32.EXE w0017c9d.dll,I2 00008a6100017c9d
O4 - HKLM\..\Run: [w0017d68.dll] RUNDLL32.EXE w0017d68.dll,I2 00008a6100017d68
O4 - HKLM\..\Run: [w00b8cc9.dll] RUNDLL32.EXE w00b8cc9.dll,I2 00008a61000b8cc9
O4 - HKLM\..\Run: [w02e5e7b.dll] RUNDLL32.EXE w02e5e7b.dll,I2 00008a61002e5e7b
O4 - HKLM\..\Run: [w00160e7.dll] RUNDLL32.EXE w00160e7.dll,I2 00008a61000160e7
O4 - HKLM\..\Run: [w00177ab.dll] RUNDLL32.EXE w00177ab.dll,I2 00008a61000177ab
O4 - HKLM\..\Run: [AOLSPScheduler] C:\Program Files\Common Files\AOL\1108343333\ee\services\sscAntiSpywarePlugin\ver1_10_3_1\AOLSP Scheduler.exe
O4 - HKLM\..\Run: [sscRun] C:\Program Files\Common Files\AOL\1108343333\ee\services\sscFirewallPlugin\ver1_10_3_1\SSCRun.exe
O4 - HKLM\..\Run: [w0061c64.dll] RUNDLL32.EXE w0061c64.dll,I2 00008a6100061c64
O4 - HKLM\..\Run: [w001486e.dll] RUNDLL32.EXE w001486e.dll,I2 00008a610001486e
O4 - HKLM\..\Run: [w0011920.dll] RUNDLL32.EXE w0011920.dll,I2 00008a6100011920
O4 - HKLM\..\Run: [w0010eff.dll] RUNDLL32.EXE w0010eff.dll,I2 00008a6100010eff
O4 - HKLM\..\Run: [w009a2eb.dll] RUNDLL32.EXE w009a2eb.dll,I2 00008a610009a2eb
O4 - HKLM\..\Run: [w001413a.dll] RUNDLL32.EXE w001413a.dll,I2 00008a610001413a
O4 - HKLM\..\Run: [w00245b9.dll] RUNDLL32.EXE w00245b9.dll,I2 00008a61000245b9
O4 - HKLM\..\Run: [w00140ad.dll] RUNDLL32.EXE w00140ad.dll,I2 00008a61000140ad
O4 - HKLM\..\Run: [w0015186.dll] RUNDLL32.EXE w0015186.dll,I2 00008a6100015186
O4 - HKLM\..\Run: [w02d71aa.dll] RUNDLL32.EXE w02d71aa.dll,I2 00008a61002d71aa
O4 - HKLM\..\Run: [w06f7459.dll] RUNDLL32.EXE w06f7459.dll,I2 00008a61006f7459
O4 - HKLM\..\Run: [w00c89d6.dll] RUNDLL32.EXE w00c89d6.dll,I2 00008a61000c89d6
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [3201] C:\DOCUME~1\Owner\APPLIC~1\CHINER~1\64bitstrans.exe
O4 - HKCU\..\Run: [warez] "C:\Program Files\Warez P2P Client\warez.exe" -h
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0a\AOL.EXE" -b
O4 - Startup: IMStart.lnk = C:\Program Files\InterMute\IMStart.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O4 - Global Startup: Lexmark X125 Settings Utility.lnk = C:\Program Files\Lexmark X125\LEX125SU.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin\core.hp.main\SendTo.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.1.2.76.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.aol.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1143406887140
O16 - DPF: {A9DD5FE2-5567-4983-971F-C792375025A6} (PhoenixBody Class) - http://software.musicnow.com/musicnow/phoenix/4.0.0.33/MusicNow.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.aol.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
O18 - Filter: text/html - {CEA53356-C414-4331-A35E-AA4CE9D8DFA2} - C:\WINDOWS\system32\w9seq.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: kbcmd - C:\WINDOWS\addins\kbcmd.dll
O20 - Winlogon Notify: MS-DOS Emulation - C:\WINDOWS\system32\jtj2071oe.dll (file missing)
O20 - Winlogon Notify: OemStartMenuData - C:\WINDOWS\system32\o0840alqedqe0.dll (file missing)
O20 - Winlogon Notify: ShellScrap - C:\WINDOWS\system32\f8l00i3me8.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

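As a way to read logs like the one above, here is an added Python triage helper (not part of this thread, and not HijackThis's own code) that parses the `<section> - <description>` line format and applies a few defensive heuristics to the load points it finds; the sample lines are copied from the posted log plus one benign Run entry. The rules give leads, not verdicts: as Cookiegal notes, most entries are harmless, and a "(file missing)" entry can also mean the file is hidden from the scanner, which is what happened with the two Winlogon Notify DLLs that Look2Me-Destroyer later found on disk.

```python
"""Triage helper for HijackThis v1.99 logs in the format posted in this thread."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: lines copied from the posted log plus one benign Run
# entry (jusched.exe), so the rules have both kinds of entry to work on.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:0/proxy.pac
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\kqqut.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,vlxxerr.exe
O2 - BHO: Yvakt Class - {DAAC59E5-093D-4D24-A105-55BFE4ACDE14} - C:\WINDOWS\system32\w9seq.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [winlog] winlog.exe
O4 - HKLM\..\Run: [w0facd81.dll] RUNDLL32.EXE w0facd81.dll,I2 00008a6100facd81
O18 - Filter: text/html - {CEA53356-C414-4331-A35E-AA4CE9D8DFA2} - C:\WINDOWS\system32\w9seq.dll
O20 - Winlogon Notify: MS-DOS Emulation - C:\WINDOWS\system32\jtj2071oe.dll (file missing)
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
"""

LINE_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
# A full Windows path ending in a module, or a bare module name (resolved
# through the search path at run time, so it cannot be located from the log).
PATH_RE = re.compile(r'[A-Za-z]:\\[^"(]*?\.(?:exe|dll|ocx)\b', re.I)
BARE_RE = re.compile(r"(?<![\\\w])[\w~.-]+\.(?:exe|dll)\b", re.I)


@dataclass(frozen=True)
class Entry:
    code: str      # HijackThis section, e.g. "O4"
    body: str      # everything after "<code> - "
    target: str    # file the entry loads, or "" when none could be extracted
    missing: bool  # HijackThis appended "(file missing)"


def extract_target(code: str, body: str) -> str:
    """Best effort: the file a load point actually runs or loads."""
    if code == "O4":
        body = body.split("] ", 1)[-1]  # drop the "[ValueName] " prefix
        # rundll32 is only a host; the interesting module is its first argument.
        m = re.match(r'"?rundll32(?:\.exe)?"?\s+([^\s,]+)', body, re.I)
        if m:
            return m.group(1)
    m = PATH_RE.search(body) or BARE_RE.search(body)
    return m.group(0) if m else ""


def parse_hjt(text: str) -> list[Entry]:
    """Keep only '<code> - <body>' lines; headers and the process list are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        entries.append(Entry(code, body, extract_target(code, body),
                             "(file missing)" in body))
    return entries


def f2_extras(body: str, key: str, normal: str) -> list[str]:
    """Parts of a system.ini Shell=/UserInit= value beyond the expected program."""
    value = body.split(key + "=", 1)[1]
    parts = [p.strip() for p in value.split(",") if p.strip()]
    return [p for p in parts if p.lower().rsplit("\\", 1)[-1] != normal]


def triage(entries: list[Entry]) -> list[tuple[str, str]]:
    """(reason, log line) pairs a reviewer should look at first; heuristics only."""
    findings = []
    for e in entries:
        line = f"{e.code} - {e.body}"
        if e.missing:
            findings.append(("orphaned load point: leftover, or file hidden from the scanner", line))
        if e.code == "F2" and "Shell=" in e.body and f2_extras(e.body, "Shell", "explorer.exe"):
            findings.append(("second shell started at logon beside Explorer.exe", line))
        if e.code == "F2" and "UserInit=" in e.body and f2_extras(e.body, "UserInit", "userinit.exe"):
            findings.append(("extra program chained onto userinit.exe", line))
        if e.code in ("R0", "R1") and "AutoConfigURL" in e.body:
            findings.append(("proxy auto-config script set: browser traffic can be redirected", line))
        if e.code == "O4" and e.target and ":\\" not in e.target:
            findings.append(("Run entry with bare file name: cannot be located from the log", line))
        if e.code == "O18":
            findings.append(("MIME filter: sees every page Internet Explorer renders", line))
        if e.code == "O20":
            findings.append(("Winlogon Notify DLL: loaded into winlogon.exe at every logon", line))
    return findings


def footprint(entries: list[Entry]) -> dict[str, list[str]]:
    """Files referenced from more than one section: one module, several hooks."""
    seen = defaultdict(set)
    for e in entries:
        if e.target:
            seen[e.target.lower().rsplit("\\", 1)[-1]].add(e.code)
    return {name: sorted(codes) for name, codes in seen.items() if len(codes) > 1}


if __name__ == "__main__":
    entries = parse_hjt(SAMPLE_LOG)
    for reason, line in triage(entries):
        print(f"{reason}\n    {line}")
    for name, codes in footprint(entries).items():
        print(f"{name} is hooked from sections {', '.join(codes)}")
```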

----------



## Cookiegal (Aug 27, 2003)

Your computer is severely infected so this will involve several steps.

*Click here* to download Look2Me-Destroyer.exe and save it to your desktop.

Close all windows before continuing.
Double-click *Look2Me-Destroyer.exe* to run it.
Put a check next to *Run this program as a task.*
You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click *OK*.
When Look2Me-Destroyer re-opens, click the *Scan for L2M* button; your desktop icons will disappear, which is normal.
Once it's done scanning, click the *Remove L2M* button.
You will receive a *Done Scanning* message; click *OK*.
When completed, you will receive this message: *Done removing infected files! Look2Me-Destroyer will now shutdown your computer*; click *OK*.
Your computer will then shut down.
Turn your computer back on.
Please post the contents of C:\*Look2Me-Destroyer.txt* and a new HiJackThis log.
If Look2Me-Destroyer does not reopen automatically, reboot and try again.

If you receive a message from your firewall about this program accessing the internet please allow it.

If you receive a *runtime error '339'* please download MSWINSCK.OCX from the link below and place it in your *C:\Windows\System32* Directory.
http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX


----------



## incadudeF (Apr 10, 2006)

This is my Look2Me txt.
Look2Me-Destroyer V1.0.12

Scanning for infected files.....
Scan started at 4/10/2006 7:11:02 PM

Infected! C:\WINDOWS\system32\jtj2071oe.dll
Infected! C:\WINDOWS\system32\o0840alqedqe0.dll
Infected! C:\System Volume Information\_restore{8153ACA8-C727-4835-A7D4-A3A2B949B296}\RP197\A0059741.dll
Infected! C:\System Volume Information\_restore{8153ACA8-C727-4835-A7D4-A3A2B949B296}\RP198\A0060783.dll
Infected! C:\System Volume Information\_restore{8153ACA8-C727-4835-A7D4-A3A2B949B296}\RP198\A0060784.dll
Infected! C:\System Volume Information\_restore{8153ACA8-C727-4835-A7D4-A3A2B949B296}\RP198\A0061783.dll
Infected! C:\System Volume Information\_restore{8153ACA8-C727-4835-A7D4-A3A2B949B296}\RP198\A0061788.dll
Infected! C:\System Volume Information\_restore{8153ACA8-C727-4835-A7D4-A3A2B949B296}\RP198\A0061837.dll
Infected! C:\System Volume Information\_restore{8153ACA8-C727-4835-A7D4-A3A2B949B296}\RP198\A0061842.dll
Infected! C:\System Volume Information\_restore{8153ACA8-C727-4835-A7D4-A3A2B949B296}\RP198\A0063837.dll
Infected! C:\System Volume Information\_restore{8153ACA8-C727-4835-A7D4-A3A2B949B296}\RP198\A0063887.dll
Infected! C:\System Volume Information\_restore{8153ACA8-C727-4835-A7D4-A3A2B949B296}\RP198\A0065671.dll
Infected! C:\System Volume Information\_restore{8153ACA8-C727-4835-A7D4-A3A2B949B296}\RP198\A0065678.dll
Infected! C:\System Volume Information\_restore{8153ACA8-C727-4835-A7D4-A3A2B949B296}\RP199\A0065708.dll
Infected! C:\System Volume Information\_restore{8153ACA8-C727-4835-A7D4-A3A2B949B296}\RP199\A0065830.dll
Infected! C:\System Volume Information\_restore{8153ACA8-C727-4835-A7D4-A3A2B949B296}\RP199\A0065847.dll
Infected! C:\System Volume Information\_restore{8153ACA8-C727-4835-A7D4-A3A2B949B296}\RP199\A0065849.dll
Infected! C:\System Volume Information\_restore{8153ACA8-C727-4835-A7D4-A3A2B949B296}\RP199\A0065858.dll
Infected! C:\System Volume Information\_restore{8153ACA8-C727-4835-A7D4-A3A2B949B296}\RP199\A0065892.dll
Infected! C:\System Volume Information\_restore{8153ACA8-C727-4835-A7D4-A3A2B949B296}\RP199\A0066930.dll
Infected! C:\System Volume Information\_restore{8153ACA8-C727-4835-A7D4-A3A2B949B296}\RP199\A0066932.dll
Infected! C:\System Volume Information\_restore{8153ACA8-C727-4835-A7D4-A3A2B949B296}\RP199\A0066968.dll
Infected! C:\System Volume Information\_restore{8153ACA8-C727-4835-A7D4-A3A2B949B296}\RP199\A0066981.dll
Infected! C:\System Volume Information\_restore{8153ACA8-C727-4835-A7D4-A3A2B949B296}\RP199\A0066982.dll
Infected! C:\System Volume Information\_restore{8153ACA8-C727-4835-A7D4-A3A2B949B296}\RP199\A0067017.dll
Infected! C:\System Volume Information\_restore{8153ACA8-C727-4835-A7D4-A3A2B949B296}\RP199\A0067018.dll
Infected! C:\System Volume Information\_restore{8153ACA8-C727-4835-A7D4-A3A2B949B296}\RP199\A0067060.dll
Infected! C:\System Volume Information\_restore{8153ACA8-C727-4835-A7D4-A3A2B949B296}\RP199\A0067061.dll
Infected! C:\System Volume Information\_restore{8153ACA8-C727-4835-A7D4-A3A2B949B296}\RP199\A0067114.dll
Infected! C:\System Volume Information\_restore{8153ACA8-C727-4835-A7D4-A3A2B949B296}\RP200\A0067150.dll
Infected! C:\System Volume Information\_restore{8153ACA8-C727-4835-A7D4-A3A2B949B296}\RP200\A0067151.dll
Infected! C:\WINDOWS\system32\ahrsvc.dll
Infected! C:\WINDOWS\system32\dn2o01f3e.dll
Infected! C:\WINDOWS\system32\gp2ol3f31.dll
Infected! C:\WINDOWS\system32\iGlmrnt5.dll
Infected! C:\WINDOWS\system32\j44o0eh3eh4.dll
Infected! C:\WINDOWS\system32\l0n4la5q1d.dll
Infected! C:\WINDOWS\system32\lvju0919e.dll
Infected! C:\WINDOWS\system32\m8juli1918.dll
Infected! C:\WINDOWS\system32\mv6ul9j91.dll
Infected! C:\WINDOWS\system32\mvl6l93s1.dll
Infected! C:\WINDOWS\system32\mvmtapi.dll
Infected! C:\WINDOWS\system32\p06s0aj7edo.dll
Infected! C:\WINDOWS\system32\p26s0cj7efo.dll
Infected! C:\WINDOWS\system32\vnsapi.dll
Infected! C:\WINDOWS\system32\guard.tmp

Attempting to delete infected files...

Attempting to delete: C:\System Volume Information\_restore{8153ACA8-C727-4835-A7D4-A3A2B949B296}\RP197\A0059741.dll
C:\System Volume Information\_restore{8153ACA8-C727-4835-A7D4-A3A2B949B296}\RP197\A0059741.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{8153ACA8-C727-4835-A7D4-A3A2B949B296}\RP198\A0060783.dll
C:\System Volume Information\_restore{8153ACA8-C727-4835-A7D4-A3A2B949B296}\RP198\A0060783.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{8153ACA8-C727-4835-A7D4-A3A2B949B296}\RP198\A0060784.dll
C:\System Volume Information\_restore{8153ACA8-C727-4835-A7D4-A3A2B949B296}\RP198\A0060784.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{8153ACA8-C727-4835-A7D4-A3A2B949B296}\RP198\A0061783.dll
C:\System Volume Information\_restore{8153ACA8-C727-4835-A7D4-A3A2B949B296}\RP198\A0061783.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{8153ACA8-C727-4835-A7D4-A3A2B949B296}\RP198\A0061788.dll
C:\System Volume Information\_restore{8153ACA8-C727-4835-A7D4-A3A2B949B296}\RP198\A0061788.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{8153ACA8-C727-4835-A7D4-A3A2B949B296}\RP198\A0061837.dll
C:\System Volume Information\_restore{8153ACA8-C727-4835-A7D4-A3A2B949B296}\RP198\A0061837.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{8153ACA8-C727-4835-A7D4-A3A2B949B296}\RP198\A0061842.dll
C:\System Volume Information\_restore{8153ACA8-C727-4835-A7D4-A3A2B949B296}\RP198\A0061842.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{8153ACA8-C727-4835-A7D4-A3A2B949B296}\RP198\A0063837.dll
C:\System Volume Information\_restore{8153ACA8-C727-4835-A7D4-A3A2B949B296}\RP198\A0063837.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{8153ACA8-C727-4835-A7D4-A3A2B949B296}\RP198\A0063887.dll
C:\System Volume Information\_restore{8153ACA8-C727-4835-A7D4-A3A2B949B296}\RP198\A0063887.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{8153ACA8-C727-4835-A7D4-A3A2B949B296}\RP198\A0065671.dll
C:\System Volume Information\_restore{8153ACA8-C727-4835-A7D4-A3A2B949B296}\RP198\A0065671.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{8153ACA8-C727-4835-A7D4-A3A2B949B296}\RP198\A0065678.dll
C:\System Volume Information\_restore{8153ACA8-C727-4835-A7D4-A3A2B949B296}\RP198\A0065678.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{8153ACA8-C727-4835-A7D4-A3A2B949B296}\RP199\A0065708.dll
C:\System Volume Information\_restore{8153ACA8-C727-4835-A7D4-A3A2B949B296}\RP199\A0065708.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{8153ACA8-C727-4835-A7D4-A3A2B949B296}\RP199\A0065830.dll
C:\System Volume Information\_restore{8153ACA8-C727-4835-A7D4-A3A2B949B296}\RP199\A0065830.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{8153ACA8-C727-4835-A7D4-A3A2B949B296}\RP199\A0065847.dll
C:\System Volume Information\_restore{8153ACA8-C727-4835-A7D4-A3A2B949B296}\RP199\A0065847.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{8153ACA8-C727-4835-A7D4-A3A2B949B296}\RP199\A0065849.dll
C:\System Volume Information\_restore{8153ACA8-C727-4835-A7D4-A3A2B949B296}\RP199\A0065849.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{8153ACA8-C727-4835-A7D4-A3A2B949B296}\RP199\A0065858.dll
C:\System Volume Information\_restore{8153ACA8-C727-4835-A7D4-A3A2B949B296}\RP199\A0065858.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{8153ACA8-C727-4835-A7D4-A3A2B949B296}\RP199\A0065892.dll
C:\System Volume Information\_restore{8153ACA8-C727-4835-A7D4-A3A2B949B296}\RP199\A0065892.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{8153ACA8-C727-4835-A7D4-A3A2B949B296}\RP199\A0066930.dll
C:\System Volume Information\_restore{8153ACA8-C727-4835-A7D4-A3A2B949B296}\RP199\A0066930.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{8153ACA8-C727-4835-A7D4-A3A2B949B296}\RP199\A0066932.dll
C:\System Volume Information\_restore{8153ACA8-C727-4835-A7D4-A3A2B949B296}\RP199\A0066932.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{8153ACA8-C727-4835-A7D4-A3A2B949B296}\RP199\A0066968.dll
C:\System Volume Information\_restore{8153ACA8-C727-4835-A7D4-A3A2B949B296}\RP199\A0066968.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{8153ACA8-C727-4835-A7D4-A3A2B949B296}\RP199\A0066981.dll
C:\System Volume Information\_restore{8153ACA8-C727-4835-A7D4-A3A2B949B296}\RP199\A0066981.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{8153ACA8-C727-4835-A7D4-A3A2B949B296}\RP199\A0066982.dll
C:\System Volume Information\_restore{8153ACA8-C727-4835-A7D4-A3A2B949B296}\RP199\A0066982.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{8153ACA8-C727-4835-A7D4-A3A2B949B296}\RP199\A0067017.dll
C:\System Volume Information\_restore{8153ACA8-C727-4835-A7D4-A3A2B949B296}\RP199\A0067017.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{8153ACA8-C727-4835-A7D4-A3A2B949B296}\RP199\A0067018.dll
C:\System Volume Information\_restore{8153ACA8-C727-4835-A7D4-A3A2B949B296}\RP199\A0067018.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{8153ACA8-C727-4835-A7D4-A3A2B949B296}\RP199\A0067060.dll
C:\System Volume Information\_restore{8153ACA8-C727-4835-A7D4-A3A2B949B296}\RP199\A0067060.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{8153ACA8-C727-4835-A7D4-A3A2B949B296}\RP199\A0067061.dll
C:\System Volume Information\_restore{8153ACA8-C727-4835-A7D4-A3A2B949B296}\RP199\A0067061.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{8153ACA8-C727-4835-A7D4-A3A2B949B296}\RP199\A0067114.dll
C:\System Volume Information\_restore{8153ACA8-C727-4835-A7D4-A3A2B949B296}\RP199\A0067114.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{8153ACA8-C727-4835-A7D4-A3A2B949B296}\RP200\A0067150.dll
C:\System Volume Information\_restore{8153ACA8-C727-4835-A7D4-A3A2B949B296}\RP200\A0067150.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{8153ACA8-C727-4835-A7D4-A3A2B949B296}\RP200\A0067151.dll
C:\System Volume Information\_restore{8153ACA8-C727-4835-A7D4-A3A2B949B296}\RP200\A0067151.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\ahrsvc.dll
C:\WINDOWS\system32\ahrsvc.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\dn2o01f3e.dll
C:\WINDOWS\system32\dn2o01f3e.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\gp2ol3f31.dll
C:\WINDOWS\system32\gp2ol3f31.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\iGlmrnt5.dll
C:\WINDOWS\system32\iGlmrnt5.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\j44o0eh3eh4.dll
C:\WINDOWS\system32\j44o0eh3eh4.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\l0n4la5q1d.dll
C:\WINDOWS\system32\l0n4la5q1d.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\lvju0919e.dll
C:\WINDOWS\system32\lvju0919e.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\m8juli1918.dll
C:\WINDOWS\system32\m8juli1918.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\mv6ul9j91.dll
C:\WINDOWS\system32\mv6ul9j91.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\mvl6l93s1.dll
C:\WINDOWS\system32\mvl6l93s1.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\mvmtapi.dll
C:\WINDOWS\system32\mvmtapi.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\p06s0aj7edo.dll
C:\WINDOWS\system32\p06s0aj7edo.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\p26s0cj7efo.dll
C:\WINDOWS\system32\p26s0cj7efo.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\vnsapi.dll
C:\WINDOWS\system32\vnsapi.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\guard.tmp
C:\WINDOWS\system32\guard.tmp Deleted successfully!

Making registry repairs.

Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\MS-DOS Emulation
Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\OemStartMenuData

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{3A4A9381-DA4E-44F6-89AD-41344C9581D8}"
HKCR\Clsid\{3A4A9381-DA4E-44F6-89AD-41344C9581D8}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{02915E5C-6947-4E35-A8FB-9049BB69806E}"
HKCR\Clsid\{02915E5C-6947-4E35-A8FB-9049BB69806E}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{D818E02B-6AEB-400D-AAF2-03A65FF6C714}"
HKCR\Clsid\{D818E02B-6AEB-400D-AAF2-03A65FF6C714}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{2971BA27-A087-4D96-92FE-91C73D9821B7}"
HKCR\Clsid\{2971BA27-A087-4D96-92FE-91C73D9821B7}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{BD24A67F-E9D6-4437-AC90-0E73A27D03AA}"
HKCR\Clsid\{BD24A67F-E9D6-4437-AC90-0E73A27D03AA}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{AC856B3E-EC3E-4EB0-AAD2-01DC33B4E895}"
HKCR\Clsid\{AC856B3E-EC3E-4EB0-AAD2-01DC33B4E895}

Restoring Windows certificates.

Replaced hosts file with default windows hosts file

Restoring SeDebugPrivilege for Administrators - Succeeded

This is the HijackThis txt.
Logfile of HijackThis v1.99.1
Scan saved at 7:25:36 PM, on 4/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\WildTangent\Apps\GameChannel.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\AOL\1108343333\ee\AOLSoftware.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Creative\WebCam Control\CAMTRAY.EXE
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\outlook\outlook.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\windows\mousepad9.exe
C:\WINDOWS\ms06435217784.exe
C:\WINDOWS\system32\slk8x2peu.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Common Files\AOL\1108343333\ee\services\sscAntiSpywarePlugin\ver1_10_3_1\AOLSP Scheduler.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\cinfo.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\America Online 9.0a\waol.exe
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
C:\Program Files\Lexmark X125\LEX125SU.exe
C:\WINDOWS\system32\RUNDLL32.EXE
c:\windows\mousepad10.exe
c:\windows\mousepad10.exe
C:\Program Files\America Online 9.0a\shellmon.exe
c:\program files\common files\aol\1108343333\ee\aolssc.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\program files\common files\aol\1108343333\ee\aexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=presario&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=presario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=presario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=presario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=presario&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:0/proxy.pac
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\kqqut.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,vlxxerr.exe
O2 - BHO: XBTB04715 - {A8B0BDED-64A5-495b-97DA-42C0301E229B} - C:\PROGRA~1\TOOLBA~1\TOOLBA~1.DLL
O2 - BHO: Yvakt Class - {DAAC59E5-093D-4D24-A105-55BFE4ACDE14} - C:\WINDOWS\system32\w9seq.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Toolbar888 - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - C:\Program Files\Toolbar888\ToolBar888.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
O4 - HKLM\..\Run: [ABBYY Community Agent] C:\Program Files\ABBYY FineReader 5.0 Sprint\CAgent.exe
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1108343333\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\WebCam Control\CAMTRAY.EXE
O4 - HKLM\..\Run: [alal] C:\WINDOWS\alal.exe
O4 - HKLM\..\Run: [g31kac73] C:\WINDOWS\system32\g31kac73.exe
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - HKLM\..\Run: [Face Else Meet User] C:\Documents and Settings\All Users\Application Data\less gpl face else\bowsmove.exe
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [winlog] winlog.exe
O4 - HKLM\..\Run: [keyboard] c:\windows\keyboard10.exe
O4 - HKLM\..\Run: [mousepad] c:\windows\mousepad10.exe
O4 - HKLM\..\Run: [newname] c:\windows\newname10.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe
O4 - HKLM\..\Run: [ms06435217784] C:\WINDOWS\ms06435217784.exe
O4 - HKLM\..\Run: [q8lg] "C:\WINDOWS\system32\slk8x2peu.exe"
O4 - HKLM\..\Run: [{B2-20-07-73-ZN}] c:\windows\system32\dwdsregt.exe CORN001
O4 - HKLM\..\Run: [w0facd81.dll] RUNDLL32.EXE w0facd81.dll,I2 00008a6100facd81
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\system32\wintask.exe
O4 - HKLM\..\Run: [expload.exe] C:\WINDOWS\system32\expload.exe
O4 - HKLM\..\Run: [w014b8de.dll] RUNDLL32.EXE w014b8de.dll,I2 00008a610014b8de
O4 - HKLM\..\Run: [w0017c9d.dll] RUNDLL32.EXE w0017c9d.dll,I2 00008a6100017c9d
O4 - HKLM\..\Run: [w0017d68.dll] RUNDLL32.EXE w0017d68.dll,I2 00008a6100017d68
O4 - HKLM\..\Run: [w00b8cc9.dll] RUNDLL32.EXE w00b8cc9.dll,I2 00008a61000b8cc9
O4 - HKLM\..\Run: [w02e5e7b.dll] RUNDLL32.EXE w02e5e7b.dll,I2 00008a61002e5e7b
O4 - HKLM\..\Run: [w00160e7.dll] RUNDLL32.EXE w00160e7.dll,I2 00008a61000160e7
O4 - HKLM\..\Run: [w00177ab.dll] RUNDLL32.EXE w00177ab.dll,I2 00008a61000177ab
O4 - HKLM\..\Run: [AOLSPScheduler] C:\Program Files\Common Files\AOL\1108343333\ee\services\sscAntiSpywarePlugin\ver1_10_3_1\AOLSP Scheduler.exe
O4 - HKLM\..\Run: [sscRun] C:\Program Files\Common Files\AOL\1108343333\ee\services\sscFirewallPlugin\ver1_10_3_1\SSCRun.exe
O4 - HKLM\..\Run: [w0061c64.dll] RUNDLL32.EXE w0061c64.dll,I2 00008a6100061c64
O4 - HKLM\..\Run: [w001486e.dll] RUNDLL32.EXE w001486e.dll,I2 00008a610001486e
O4 - HKLM\..\Run: [w0011920.dll] RUNDLL32.EXE w0011920.dll,I2 00008a6100011920
O4 - HKLM\..\Run: [w0010eff.dll] RUNDLL32.EXE w0010eff.dll,I2 00008a6100010eff
O4 - HKLM\..\Run: [w009a2eb.dll] RUNDLL32.EXE w009a2eb.dll,I2 00008a610009a2eb
O4 - HKLM\..\Run: [w001413a.dll] RUNDLL32.EXE w001413a.dll,I2 00008a610001413a
O4 - HKLM\..\Run: [w00245b9.dll] RUNDLL32.EXE w00245b9.dll,I2 00008a61000245b9
O4 - HKLM\..\Run: [w00140ad.dll] RUNDLL32.EXE w00140ad.dll,I2 00008a61000140ad
O4 - HKLM\..\Run: [w0015186.dll] RUNDLL32.EXE w0015186.dll,I2 00008a6100015186
O4 - HKLM\..\Run: [w02d71aa.dll] RUNDLL32.EXE w02d71aa.dll,I2 00008a61002d71aa
O4 - HKLM\..\Run: [w06f7459.dll] RUNDLL32.EXE w06f7459.dll,I2 00008a61006f7459
O4 - HKLM\..\Run: [w00c89d6.dll] RUNDLL32.EXE w00c89d6.dll,I2 00008a61000c89d6
O4 - HKLM\..\Run: [w001465a.dll] RUNDLL32.EXE w001465a.dll,I2 00008a610001465a
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [3201] C:\DOCUME~1\Owner\APPLIC~1\CHINER~1\64bitstrans.exe
O4 - HKCU\..\Run: [warez] "C:\Program Files\Warez P2P Client\warez.exe" -h
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0a\AOL.EXE" -b
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-110-12-0000137.exe
O4 - Startup: IMStart.lnk = C:\Program Files\InterMute\IMStart.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O4 - Global Startup: Lexmark X125 Settings Utility.lnk = C:\Program Files\Lexmark X125\LEX125SU.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin\core.hp.main\SendTo.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.1.2.76.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.aol.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1143406887140
O16 - DPF: {A9DD5FE2-5567-4983-971F-C792375025A6} (PhoenixBody Class) - http://software.musicnow.com/musicnow/phoenix/4.0.0.33/MusicNow.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.aol.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
O18 - Filter: text/html - {CEA53356-C414-4331-A35E-AA4CE9D8DFA2} - C:\WINDOWS\system32\w9seq.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: IntlRun - C:\WINDOWS\system32\j44o0eh3eh4.dll (file missing)
O20 - Winlogon Notify: kbcmd - C:\WINDOWS\addins\kbcmd.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

---------------------------------------------------------------------------------------------------------
After turning my computer back on I still got pop-up ads. Is this OK?


----------
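
The HijackThis log above is read by hand in this thread, entry by entry. As an added illustration (not code from the thread or from HijackThis), the following Python script parses a few lines copied from that log and applies the same kinds of checks the helpers apply by eye: a second program in the system.ini Shell= or UserInit= value, rundll32 entries loading DLLs with random-looking names, paths HijackThis could not display, a text/html MIME filter, a Winlogon Notify DLL outside system32, and a service with an unknown owner whose file is missing. The heuristics and the `Finding` type are this example's own; the sample lines are taken from the posted log plus one benign Java updater entry for contrast.

```python
import re
from dataclasses import dataclass

# Sample input: lines copied from the HijackThis log posted in this thread,
# plus one benign O4 entry (jusched.exe) that should not be flagged.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\kqqut.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,vlxxerr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [w0017c9d.dll] RUNDLL32.EXE w0017c9d.dll,I2 00008a6100017c9d
O4 - HKCU\..\Run: [Rdzrh] C:\Program Files\F?nts\?ttrib.exe
O18 - Filter: text/html - {CEA53356-C414-4331-A35E-AA4CE9D8DFA2} - C:\WINDOWS\system32\w9seq.dll
O20 - Winlogon Notify: kbcmd - C:\WINDOWS\addins\kbcmd.dll
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
"""


@dataclass(frozen=True)
class Finding:
    section: str  # HijackThis section code, e.g. "O4"
    reason: str   # why the heuristic flagged the line
    line: str     # the original log line


# Every HijackThis entry starts with a section code such as R1, F2, O4, O23.
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.+)$")
# rundll32 loading an 8-character hex-named DLL through an ",I2" export,
# the pattern repeated dozens of times in the log above.
RUNDLL_RE = re.compile(r"RUNDLL32\.EXE\s+w[0-9a-f]{7}\.dll,I2\b", re.IGNORECASE)


def parse_entries(text):
    """Yield (section, body, line) for every entry line in a HijackThis log."""
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            yield m.group("section"), m.group("body"), line


def flag_entry(section, body, line):
    """Return a Finding if one of the heuristics matches this entry, else None."""
    if section == "F2":
        # Shell= and UserInit= should name only explorer.exe / userinit.exe;
        # anything after a comma is launched at every logon as well.
        key, _, value = body.partition("=")
        programs = [p.strip() for p in value.split(",") if p.strip()]
        if len(programs) > 1:
            name = key.split()[-1]  # "Shell" or "UserInit"
            return Finding(section, f"extra program in {name}: {', '.join(programs[1:])}", line)
    elif section == "O4":
        if RUNDLL_RE.search(body):
            return Finding(section, "rundll32 loads a DLL with a random-looking name", line)
        if "?" in body:
            return Finding(section, "path contains characters HijackThis could not display", line)
    elif section == "O18" and body.startswith("Filter: text/html"):
        return Finding(section, "MIME filter intercepts every HTML page the browser loads", line)
    elif section == "O20" and body.startswith("Winlogon Notify:"):
        path = body.rsplit(" - ", 1)[-1]
        if "\\system32\\" not in path.lower():
            return Finding(section, "Winlogon Notify DLL outside system32", line)
    elif section == "O23" and "Unknown owner" in body and "(file missing)" in body:
        return Finding(section, "service with unknown owner and missing binary", line)
    return None


def triage(text):
    """Run every heuristic over a log and return the findings in log order."""
    return [f for f in (flag_entry(*e) for e in parse_entries(text)) if f is not None]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.reason}\n     {f.line}")
```

Run on the sample, the script flags seven of the eight lines and leaves the Java updater entry alone; the heuristics are deliberately narrow so that a match is worth a closer look rather than a verdict.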



## Byteman (Jan 24, 2002)

*Bump*

Please stick with this thread...I know it's difficult to be patient...hang on.


----------



## incadudeF (Apr 10, 2006)

Thanks, Byteman, for telling me that. I'm sorry for posting twice on the same topic. Now I know, and I will not do it again.


----------



## Cookiegal (Aug 27, 2003)

As I said previously, your computer is severely infected and the clean up process would involve several steps so please be patient.

*1.* Please download *Ewido Anti-Malware*
Install ewido anti-malware
Launch ewido, there should be an icon on your desktop, double-click it.
The program will now open to the main screen.
When you run ewido for the first time, you may get a warning "*Database could not be found!*". Click *OK*. We will fix this in a moment.

You will need to update ewido to the latest definition files.
On the left hand side of the main screen click *update*.
Then click on *Start Update.*

The update will start and a progress bar will show the updates being installed.
(the status bar at the bottom will display "Update successful")
*Exit Ewido, do not run the scan yet!*
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates

*2.* Please download *Brute Force Uninstaller* to your desktop.
Right click the BFU folder on your desktop, and choose *Extract All*
Click "Next"
In the box to choose where to extract the files to,
Click "Browse"
Click on the + sign next to "My Computer"
Click on "Local Disk (C:)" or whatever your primary drive is
Click "Make New Folder"
Type in *BFU*
Click "Next", and *Un*check the "Show Extracted Files" box and then click "Finish".
*3.* *RIGHT-CLICK HERE* and choose "Save As" (in IE it's "Save Target As") in order to download Alcra *PLUS* Remover. 
*Save it in the same folder you made earlier (c:\BFU)*.

Do not do anything with these yet!

*Reboot your computer into Safe Mode.* You can do this by restarting your computer and continually tapping F8 until a menu appears. Highlight Safe Mode and hit enter.

*4.* Once in Safe Mode, Open Ewido:
Click on *scanner*
Click on *Complete System Scan* and the scan will begin.
You will be prompted to clean the first infection.
Select "*Perform action on all infections*", then proceed.
Once the scan has completed, there will be a button located on the bottom of the screen named *Save report*
Click *Save report*.
Save the report .txt file to your desktop or a location where you can find it easily.
Close ewido anti-malware.

*5.* Then, please go to Start > My Computer and navigate to the C:\BFU folder.
Start the Brute Force Uninstaller by double-clicking *BFU.exe*
In the *scriptline to execute* field type or paste *c:\bfu\alcanshorty.bfu*
Press *Execute* and let it do its job. (You ought to see a progress bar if you did this correctly.)
Wait for the *complete script execution* box to pop up and press OK.
Press *exit* to terminate the BFU program.
Reboot into normal windows.

Run ActiveScan online virus scan *here*

When the scan is finished, save the results from the scan!

*Come back here and post a new HijackThis log, as well as the logs from the Ewido and Panda scans.*


----------



## incadudeF (Apr 10, 2006)

Logfile of HijackThis v1.99.1
Scan saved at 2:31:30 PM, on 4/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\WildTangent\Apps\GameChannel.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\AOL\1108343333\ee\AOLSoftware.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Creative\WebCam Control\CAMTRAY.EXE
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe
c:\progra~1\intern~1\iexplore.exe
c:\program files\common files\aol\1108343333\ee\services\sscAntiSpywarePlugin\ver1_10_3_1\AOLSP Scheduler.exe
C:\windows\mousepad10.exe
C:\WINDOWS\ms06435217784.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
C:\Program Files\Lexmark X125\LEX125SU.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\SMANTE~1\iexplore.exe
c:\program files\common files\aol\1108343333\ee\aolssc.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\program files\common files\aol\1108343333\ee\aexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=presario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=presario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=presario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=presario&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://registernet.passport.net/reg.srf?xpwiz=true&lc=1033&langid=1033
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\kqqut.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,vlxxerr.exe
O2 - BHO: XBTB04715 - {A8B0BDED-64A5-495b-97DA-42C0301E229B} - C:\PROGRA~1\TOOLBA~1\TOOLBA~1.DLL (file missing)
O2 - BHO: Yvakt Class - {DAAC59E5-093D-4D24-A105-55BFE4ACDE14} - C:\WINDOWS\system32\w9seq.dll (file missing)
O2 - BHO: (no name) - {F2FA09FB-EE7A-46d8-9145-A1EEF7850052} - C:\WINDOWS\system32\vtutu.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: (no name) - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - (no file)
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
O4 - HKLM\..\Run: [ABBYY Community Agent] C:\Program Files\ABBYY FineReader 5.0 Sprint\CAgent.exe
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1108343333\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\WebCam Control\CAMTRAY.EXE
O4 - HKLM\..\Run: [alal] C:\WINDOWS\alal.exe
O4 - HKLM\..\Run: [g31kac73] C:\WINDOWS\system32\g31kac73.exe
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - HKLM\..\Run: [Face Else Meet User] C:\Documents and Settings\All Users\Application Data\less gpl face else\bowsmove.exe
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [mousepad] C:\windows\mousepad10.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe
O4 - HKLM\..\Run: [ms06435217784] C:\WINDOWS\ms06435217784.exe
O4 - HKLM\..\Run: [{B2-20-07-73-ZN}] c:\windows\system32\dwdsregt.exe CORN001
O4 - HKLM\..\Run: [w0facd81.dll] RUNDLL32.EXE w0facd81.dll,I2 00008a6100facd81
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\system32\wintask.exe
O4 - HKLM\..\Run: [w014b8de.dll] RUNDLL32.EXE w014b8de.dll,I2 00008a610014b8de
O4 - HKLM\..\Run: [w0017c9d.dll] RUNDLL32.EXE w0017c9d.dll,I2 00008a6100017c9d
O4 - HKLM\..\Run: [w0017d68.dll] RUNDLL32.EXE w0017d68.dll,I2 00008a6100017d68
O4 - HKLM\..\Run: [w00b8cc9.dll] RUNDLL32.EXE w00b8cc9.dll,I2 00008a61000b8cc9
O4 - HKLM\..\Run: [w02e5e7b.dll] RUNDLL32.EXE w02e5e7b.dll,I2 00008a61002e5e7b
O4 - HKLM\..\Run: [w00160e7.dll] RUNDLL32.EXE w00160e7.dll,I2 00008a61000160e7
O4 - HKLM\..\Run: [w00177ab.dll] RUNDLL32.EXE w00177ab.dll,I2 00008a61000177ab
O4 - HKLM\..\Run: [AOLSPScheduler] C:\Program Files\Common Files\AOL\1108343333\ee\services\sscAntiSpywarePlugin\ver1_10_3_1\AOLSP Scheduler.exe
O4 - HKLM\..\Run: [sscRun] C:\Program Files\Common Files\AOL\1108343333\ee\services\sscFirewallPlugin\ver1_10_3_1\SSCRun.exe
O4 - HKLM\..\Run: [w0061c64.dll] RUNDLL32.EXE w0061c64.dll,I2 00008a6100061c64
O4 - HKLM\..\Run: [w001486e.dll] RUNDLL32.EXE w001486e.dll,I2 00008a610001486e
O4 - HKLM\..\Run: [w0011920.dll] RUNDLL32.EXE w0011920.dll,I2 00008a6100011920
O4 - HKLM\..\Run: [w0010eff.dll] RUNDLL32.EXE w0010eff.dll,I2 00008a6100010eff
O4 - HKLM\..\Run: [w009a2eb.dll] RUNDLL32.EXE w009a2eb.dll,I2 00008a610009a2eb
O4 - HKLM\..\Run: [w001413a.dll] RUNDLL32.EXE w001413a.dll,I2 00008a610001413a
O4 - HKLM\..\Run: [w00245b9.dll] RUNDLL32.EXE w00245b9.dll,I2 00008a61000245b9
O4 - HKLM\..\Run: [w00140ad.dll] RUNDLL32.EXE w00140ad.dll,I2 00008a61000140ad
O4 - HKLM\..\Run: [w0015186.dll] RUNDLL32.EXE w0015186.dll,I2 00008a6100015186
O4 - HKLM\..\Run: [w02d71aa.dll] RUNDLL32.EXE w02d71aa.dll,I2 00008a61002d71aa
O4 - HKLM\..\Run: [w06f7459.dll] RUNDLL32.EXE w06f7459.dll,I2 00008a61006f7459
O4 - HKLM\..\Run: [w00c89d6.dll] RUNDLL32.EXE w00c89d6.dll,I2 00008a61000c89d6
O4 - HKLM\..\Run: [w001465a.dll] RUNDLL32.EXE w001465a.dll,I2 00008a610001465a
O4 - HKLM\..\Run: [w006a5b8.dll] RUNDLL32.EXE w006a5b8.dll,I2 00008a610006a5b8
O4 - HKLM\..\Run: [w006ce5e.dll] RUNDLL32.EXE w006ce5e.dll,I2 00008a610006ce5e
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [3201] C:\DOCUME~1\Melanie\APPLIC~1\CHINER~1\64bitstrans.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [qqok] C:\PROGRA~1\COMMON~1\qqok\qqokm.exe
O4 - HKCU\..\Run: [CU1] 
O4 - HKCU\..\Run: [CU2] 
O4 - HKCU\..\Run: [Rdzrh] C:\Program Files\F?nts\?ttrib.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O4 - Global Startup: Lexmark X125 Settings Utility.lnk = C:\Program Files\Lexmark X125\LEX125SU.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.1.2.76.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.aol.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1143406887140
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A9DD5FE2-5567-4983-971F-C792375025A6} (PhoenixBody Class) - http://software.musicnow.com/musicnow/phoenix/4.0.0.33/MusicNow.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.aol.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
O18 - Filter: text/html - (no CLSID) - (no file)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: IntlRun - C:\WINDOWS\system32\j44o0eh3eh4.dll (file missing)
O20 - Winlogon Notify: kbcmd - C:\WINDOWS\addins\kbcmd.dll
O20 - Winlogon Notify: vtutu - C:\WINDOWS\SYSTEM32\vtutu.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


----------



## incadudeF (Apr 10, 2006)

I can't post the report .txt and the ActiveScan text. What do I do?
It's too big.


----------



## Byteman (Jan 24, 2002)

Hi, try dividing them into two or more posts....or, create a zipped file which will possibly be small enough to post, one log at a time, as .zip attachments to your post. Right click the log, select "add to .zip", name the zipped file and use the Manage Attachments button at the bottom of the Reply page.....browse to the location on your hard drive where the .zip file you made is, and Upload it, and then use the Save button. The attachment will then be available and we can download or open it.
It might be easier to just make two or three replies with the text of the logs pasted....

{Edit> I see that Cookiegal has replied, just follow her directions!}


----------



## Cookiegal (Aug 27, 2003)

Upload them as attachments please.

Click on *Manage Attachments *and then on *browse*. Browse to the files on your computer and click on *upload *and then submit your post.

You can also do this:

Please download *VundoFix.exe* to your desktop.
Double-click *VundoFix.exe* to run it.
Put a check next to *Run VundoFix as a task.*
You will receive a message saying vundofix will close and re-open in a minute or less. Click *OK*
When VundoFix re-opens, click the *Scan for Vundo* button.
Once it's done scanning, click the *Remove Vundo* button.
You will receive a prompt asking if you want to remove the files, click *YES*
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will shutdown your computer, click *OK*.
Turn your computer back on.
Please post the contents of C:\*vundofix.txt* and a new HijackThis log.


----------



## incadudeF (Apr 10, 2006)

It still won't allow me to upload the Ewido report.


----------



## incadudeF (Apr 10, 2006)

O4 - HKLM\..\Run: [w0017c9d.dll] RUNDLL32.EXE w0017c9d.dll,I2 00008a6100017c9d
This is popping up when I first log on to my computer. What is it?
I was able to get the ActiveScan to fit in the post. Should I still download the Vundo Fix? Thank you for helping me get rid of this problem....


----------



## Cookiegal (Aug 27, 2003)

Yes, please run the vundofix and post the log from it.

Please download *Brute Force Uninstaller* to your desktop.
Right click the BFU folder on your desktop, and choose *Extract All*
Click "Next"
In the box to choose where to extract the files to,
Click "Browse"
Click on the + sign next to "My Computer"
Click on "Local Disk (C:)" or whatever your primary drive is
Click "Make New Folder"
Type in *BFU*
Click "Next", and *Un*check the "Show Extracted Files" box and then click "Finish".
*3.* *RIGHT-CLICK HERE* and choose "Save As" (in IE it's "Save Target As") in order to download Alcra *PLUS* Remover. 
*Save it in the same folder you made earlier (c:\BFU)*.

Do not do anything with it yet!

*Reboot your computer into Safe Mode.* You can do this by restarting your computer and continually tapping F8 until a menu appears. Highlight Safe Mode and hit enter.

Then, please go to Start > My Computer and navigate to the C:\BFU folder.
Start the Brute Force Uninstaller by double-clicking *BFU.exe*
In the *scriptline to execute* field type or paste *c:\bfu\alcanshorty.bfu*
Press *Execute* and let it do its job. (You ought to see a progress bar if you did this correctly.)
Wait for the *complete script execution* box to pop up and press OK.
Press *exit* to terminate the BFU program.
Locate the bintheredunthat folder and copy and paste its contents in your next reply along with a new HijackThis log.


----------



## incadudeF (Apr 10, 2006)

VundoFix V4.2.68

Running as SYSTEM
from c:\windows\system32\VundoFix.exe

Checking Java version...

Java version is 1.4.2.3

Java version is 1.5.0.3

Scan started at 12:13:03 AM 4/13/2006

Listing files found while scanning....

C:\WINDOWS\system32\vtutu.dll

C:\WINDOWS\addins\dmcbk.bak1
C:\WINDOWS\addins\dmcbk.bak2
C:\WINDOWS\addins\dmcbk.ini
C:\WINDOWS\addins\dmcbk.ini2
C:\WINDOWS\addins\kbcmd.dll
C:\WINDOWS\addins\dmcbk.ini2
C:\WINDOWS\addins\dmcbk.bak2
C:\WINDOWS\addins\dmcbk.ini
C:\WINDOWS\addins\dmcbk.ini2
C:\WINDOWS\addins\kbcmd.dll
Attempting to delete C:\WINDOWS\system32\vtutu.dll
C:\WINDOWS\system32\vtutu.dll Could not be deleted.

Attempting to delete C:\WINDOWS\addins\dmcbk.bak1
C:\WINDOWS\addins\dmcbk.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\addins\dmcbk.bak2
C:\WINDOWS\addins\dmcbk.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\addins\dmcbk.ini
C:\WINDOWS\addins\dmcbk.ini Has been deleted!

Attempting to delete C:\WINDOWS\addins\dmcbk.ini2
C:\WINDOWS\addins\dmcbk.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\addins\kbcmd.dll
C:\WINDOWS\addins\kbcmd.dll Has been deleted!

Performing Repairs to the registry.
Done!


----------



## Cookiegal (Aug 27, 2003)

> Locate the bintheredunthat folder and copy and paste its contents in your next reply along with a new HijackThis log.


----------



## incadudeF (Apr 10, 2006)

Logfile of HijackThis v1.99.1
Scan saved at 3:33:10 PM, on 4/15/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\WildTangent\Apps\GameChannel.exe
C:\Program Files\ABBYY FineReader 5.0 Sprint\CAgent.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\AOL\1108343333\ee\AOLSoftware.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Creative\WebCam Control\CAMTRAY.EXE
C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\progra~1\intern~1\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\ms06435217784.exe
C:\Program Files\Common Files\AOL\1108343333\ee\services\sscAntiSpywarePlugin\ver1_10_3_1\AOLSP Scheduler.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
C:\Program Files\Lexmark X125\LEX125SU.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\America Online 9.0a\waol.exe
C:\Program Files\America Online 9.0a\shellmon.exe
c:\program files\common files\aol\1108343333\ee\aolssc.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=presario&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=presario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=presario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=presario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=presario&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:0/proxy.pac
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,vlxxerr.exe
O2 - BHO: XBTB04715 - {A8B0BDED-64A5-495b-97DA-42C0301E229B} - C:\PROGRA~1\TOOLBA~1\TOOLBA~1.DLL (file missing)
O2 - BHO: Yvakt Class - {DAAC59E5-093D-4D24-A105-55BFE4ACDE14} - C:\WINDOWS\system32\w9seq.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: (no name) - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - (no file)
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
O4 - HKLM\..\Run: [ABBYY Community Agent] C:\Program Files\ABBYY FineReader 5.0 Sprint\CAgent.exe
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1108343333\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\WebCam Control\CAMTRAY.EXE
O4 - HKLM\..\Run: [alal] C:\WINDOWS\alal.exe
O4 - HKLM\..\Run: [g31kac73] C:\WINDOWS\system32\g31kac73.exe
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [Face Else Meet User] C:\Documents and Settings\All Users\Application Data\less gpl face else\bowsmove.exe
O4 - HKLM\..\Run: [ms06435217784] C:\WINDOWS\ms06435217784.exe
O4 - HKLM\..\Run: [{B2-20-07-73-ZN}] c:\windows\system32\dwdsregt.exe CORN001
O4 - HKLM\..\Run: [w0facd81.dll] RUNDLL32.EXE w0facd81.dll,I2 00008a6100facd81
O4 - HKLM\..\Run: [w014b8de.dll] RUNDLL32.EXE w014b8de.dll,I2 00008a610014b8de
O4 - HKLM\..\Run: [w0017c9d.dll] RUNDLL32.EXE w0017c9d.dll,I2 00008a6100017c9d
O4 - HKLM\..\Run: [w0017d68.dll] RUNDLL32.EXE w0017d68.dll,I2 00008a6100017d68
O4 - HKLM\..\Run: [w00b8cc9.dll] RUNDLL32.EXE w00b8cc9.dll,I2 00008a61000b8cc9
O4 - HKLM\..\Run: [w02e5e7b.dll] RUNDLL32.EXE w02e5e7b.dll,I2 00008a61002e5e7b
O4 - HKLM\..\Run: [w00160e7.dll] RUNDLL32.EXE w00160e7.dll,I2 00008a61000160e7
O4 - HKLM\..\Run: [w00177ab.dll] RUNDLL32.EXE w00177ab.dll,I2 00008a61000177ab
O4 - HKLM\..\Run: [AOLSPScheduler] C:\Program Files\Common Files\AOL\1108343333\ee\services\sscAntiSpywarePlugin\ver1_10_3_1\AOLSP Scheduler.exe
O4 - HKLM\..\Run: [sscRun] C:\Program Files\Common Files\AOL\1108343333\ee\services\sscFirewallPlugin\ver1_10_3_1\SSCRun.exe
O4 - HKLM\..\Run: [w0061c64.dll] RUNDLL32.EXE w0061c64.dll,I2 00008a6100061c64
O4 - HKLM\..\Run: [w001486e.dll] RUNDLL32.EXE w001486e.dll,I2 00008a610001486e
O4 - HKLM\..\Run: [w0011920.dll] RUNDLL32.EXE w0011920.dll,I2 00008a6100011920
O4 - HKLM\..\Run: [w0010eff.dll] RUNDLL32.EXE w0010eff.dll,I2 00008a6100010eff
O4 - HKLM\..\Run: [w009a2eb.dll] RUNDLL32.EXE w009a2eb.dll,I2 00008a610009a2eb
O4 - HKLM\..\Run: [w001413a.dll] RUNDLL32.EXE w001413a.dll,I2 00008a610001413a
O4 - HKLM\..\Run: [w00245b9.dll] RUNDLL32.EXE w00245b9.dll,I2 00008a61000245b9
O4 - HKLM\..\Run: [w00140ad.dll] RUNDLL32.EXE w00140ad.dll,I2 00008a61000140ad
O4 - HKLM\..\Run: [w0015186.dll] RUNDLL32.EXE w0015186.dll,I2 00008a6100015186
O4 - HKLM\..\Run: [w02d71aa.dll] RUNDLL32.EXE w02d71aa.dll,I2 00008a61002d71aa
O4 - HKLM\..\Run: [w06f7459.dll] RUNDLL32.EXE w06f7459.dll,I2 00008a61006f7459
O4 - HKLM\..\Run: [w00c89d6.dll] RUNDLL32.EXE w00c89d6.dll,I2 00008a61000c89d6
O4 - HKLM\..\Run: [w001465a.dll] RUNDLL32.EXE w001465a.dll,I2 00008a610001465a
O4 - HKLM\..\Run: [w006a5b8.dll] RUNDLL32.EXE w006a5b8.dll,I2 00008a610006a5b8
O4 - HKLM\..\Run: [w006ce5e.dll] RUNDLL32.EXE w006ce5e.dll,I2 00008a610006ce5e
O4 - HKLM\..\Run: [w00248f6.dll] RUNDLL32.EXE w00248f6.dll,I2 00008a61000248f6
O4 - HKLM\..\Run: [w00b34c6.dll] RUNDLL32.EXE w00b34c6.dll,I2 00008a61000b34c6
O4 - HKLM\..\Run: [w00d1c91.dll] RUNDLL32.EXE w00d1c91.dll,I2 00008a61000d1c91
O4 - HKLM\..\Run: [w0023faf.dll] RUNDLL32.EXE w0023faf.dll,I2 00008a6100023faf
O4 - HKLM\..\Run: [w0059a34.dll] RUNDLL32.EXE w0059a34.dll,I2 00008a6100059a34
O4 - HKLM\..\Run: [w03ca13d.dll] RUNDLL32.EXE w03ca13d.dll,I2 00008a61003ca13d
O4 - HKLM\..\Run: [MPFExe] C:\Program Files\mcafee.com\personal firewall\MPfTray.exe
O4 - HKLM\..\Run: [w0011690.dll] RUNDLL32.EXE w0011690.dll,I2 00008a6100011690
O4 - HKLM\..\Run: [w0100d31.dll] RUNDLL32.EXE w0100d31.dll,I2 00008a6100100d31
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [3201] C:\DOCUME~1\Owner\APPLIC~1\CHINER~1\64bitstrans.exe
O4 - HKCU\..\Run: [warez] "C:\Program Files\Warez P2P Client\warez.exe" -h
O4 - HKCU\..\Run: [qulju] C:\WINDOWS\system32\uhaqtm.exe reg_run
O4 - Startup: IMStart.lnk = C:\Program Files\InterMute\IMStart.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O4 - Global Startup: Lexmark X125 Settings Utility.lnk = C:\Program Files\Lexmark X125\LEX125SU.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin\core.hp.main\SendTo.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.1.2.76.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.aol.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1143406887140
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A9DD5FE2-5567-4983-971F-C792375025A6} (PhoenixBody Class) - http://software.musicnow.com/musicnow/phoenix/4.0.0.33/MusicNow.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.aol.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
O18 - Filter: text/html - (no CLSID) - (no file)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: IntlRun - C:\WINDOWS\system32\j44o0eh3eh4.dll (file missing)
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - Unknown owner - C:\Program Files\mcafee.com\personal firewall\MPFService.exe (file missing)
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

The attachment is the bintheredunthat files.


----------



## Cookiegal (Aug 27, 2003)

Rather than zipping and attaching the contents of that folder which contains infected files, please do this:

Open notepad and copy and paste the following bold text in it:

*dir C:\bintheredunthat /a >> check.txt
start notepad check.txt*

Save this as *check.bat*, choose to save as "all files" and place it on your desktop. 
It should look like a regular file with a gear inside of it.

Double click on it and notepad should open. Copy and paste the contents of it in your next reply please.


----------



## incadudeF (Apr 10, 2006)

Volume in drive C is PRESARIO
Volume Serial Number is 0CFB-2073

Directory of C:\bintheredunthat

04/13/2006 09:02 PM .
04/13/2006 09:02 PM ..
03/30/2006 12:56 PM 38,040 DR140306.exe
03/30/2006 12:52 PM 38,650 sk02.exe
04/13/2006 12:15 AM 51,712 w0011690.dll
04/11/2006 10:46 PM 51,712 w00d1c91.dll
04/13/2006 08:41 PM 51,712 w0100d31.dll
04/12/2006 11:31 AM 51,712 w03ca13d.dll
03/30/2006 12:55 PM 51,712 w0facd81.dll
7 File(s) 335,250 bytes

Directory of C:\Documents and Settings\Owner\Desktop
Here it is.


----------



## Cookiegal (Aug 27, 2003)

Open HijackThis.
Click on *Open Misc Tools Section*
Make sure that both boxes beside "Generate StartupList Log" are checked:

*List all minor sections(Full)*
*List Empty Sections(Complete)*
Click *Generate StartupList Log*.
Click *Yes* at the prompt.
It will open a text file. Please copy the entire contents of that page and paste it here.

Please run Blacklight beta:

http://www.f-secure.com/blacklight/

Don't let it fix anything but post the log it makes.


----------



## incadudeF (Apr 10, 2006)

The attachment is the StartupList log.


----------



## incadudeF (Apr 10, 2006)

I don't know how to show the Blacklight log to you, but all I can tell you is that it did not detect anything.


----------



## incadudeF (Apr 10, 2006)

*bump*


----------



## Cookiegal (Aug 27, 2003)

Go to Control Panel - Ad/Remove programs and remove:

AWS (WeatherBug)

Copy everything inside the quote box below (starting with @) and paste it into Notepad. Go up to "File > Save As", click the drop-down box to change the "Save As Type" to "All Files". Save it as *remlop.bat* on your desktop.



> @echo off
> cd C:\WINDOWS\Tasks
> attrib -r -s -h A499C38F91867F1B.job
> del A499C38F91867F1B.job
> ...


Double-click remlop.bat. A window will open and close quickly; this is normal.

*Click Here* and download Killbox and save it to your desktop, but don't run it yet.

Rescan with HijackThis, close all browser windows except HijackThis, put a check mark beside these entries and click *fix checked*.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,vlxxerr.exe

O2 - BHO: XBTB04715 - {A8B0BDED-64A5-495b-97DA-42C0301E229B} - C:\PROGRA~1\TOOLBA~1\TOOLBA~1.DLL (file missing)

O2 - BHO: Yvakt Class - {DAAC59E5-093D-4D24-A105-55BFE4ACDE14} - C:\WINDOWS\system32\w9seq.dll (file missing)

O3 - Toolbar: (no name) - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - (no file)

O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE

O4 - HKLM\..\Run: [alal] C:\WINDOWS\alal.exe

O4 - HKLM\..\Run: [g31kac73] C:\WINDOWS\system32\g31kac73.exe

O4 - HKLM\..\Run: [Face Else Meet User] C:\Documents and Settings\All Users\Application Data\less gpl face else\bowsmove.exe

O4 - HKLM\..\Run: [ms06435217784] C:\WINDOWS\ms06435217784.exe

O4 - HKLM\..\Run: [{B2-20-07-73-ZN}] c:\windows\system32\dwdsregt.exe CORN001

O4 - HKLM\..\Run: [w0facd81.dll] RUNDLL32.EXE w0facd81.dll,I2 00008a6100facd81

O4 - HKLM\..\Run: [w014b8de.dll] RUNDLL32.EXE w014b8de.dll,I2 00008a610014b8de

O4 - HKLM\..\Run: [w0017c9d.dll] RUNDLL32.EXE w0017c9d.dll,I2 00008a6100017c9d

O4 - HKLM\..\Run: [w0017d68.dll] RUNDLL32.EXE w0017d68.dll,I2 00008a6100017d68

O4 - HKLM\..\Run: [w00b8cc9.dll] RUNDLL32.EXE w00b8cc9.dll,I2 00008a61000b8cc9

O4 - HKLM\..\Run: [w02e5e7b.dll] RUNDLL32.EXE w02e5e7b.dll,I2 00008a61002e5e7b

O4 - HKLM\..\Run: [w00160e7.dll] RUNDLL32.EXE w00160e7.dll,I2 00008a61000160e7

O4 - HKLM\..\Run: [w00177ab.dll] RUNDLL32.EXE w00177ab.dll,I2 00008a61000177ab

O4 - HKLM\..\Run: [w0061c64.dll] RUNDLL32.EXE w0061c64.dll,I2 00008a6100061c64

O4 - HKLM\..\Run: [w001486e.dll] RUNDLL32.EXE w001486e.dll,I2 00008a610001486e

O4 - HKLM\..\Run: [w0011920.dll] RUNDLL32.EXE w0011920.dll,I2 00008a6100011920

O4 - HKLM\..\Run: [w0010eff.dll] RUNDLL32.EXE w0010eff.dll,I2 00008a6100010eff

O4 - HKLM\..\Run: [w009a2eb.dll] RUNDLL32.EXE w009a2eb.dll,I2 00008a610009a2eb

O4 - HKLM\..\Run: [w001413a.dll] RUNDLL32.EXE w001413a.dll,I2 00008a610001413a

O4 - HKLM\..\Run: [w00245b9.dll] RUNDLL32.EXE w00245b9.dll,I2 00008a61000245b9

O4 - HKLM\..\Run: [w00140ad.dll] RUNDLL32.EXE w00140ad.dll,I2 00008a61000140ad

O4 - HKLM\..\Run: [w0015186.dll] RUNDLL32.EXE w0015186.dll,I2 00008a6100015186

O4 - HKLM\..\Run: [w02d71aa.dll] RUNDLL32.EXE w02d71aa.dll,I2 00008a61002d71aa

O4 - HKLM\..\Run: [w06f7459.dll] RUNDLL32.EXE w06f7459.dll,I2 00008a61006f7459

O4 - HKLM\..\Run: [w00c89d6.dll] RUNDLL32.EXE w00c89d6.dll,I2 00008a61000c89d6

O4 - HKLM\..\Run: [w001465a.dll] RUNDLL32.EXE w001465a.dll,I2 00008a610001465a

O4 - HKLM\..\Run: [w006a5b8.dll] RUNDLL32.EXE w006a5b8.dll,I2 00008a610006a5b8

O4 - HKLM\..\Run: [w006ce5e.dll] RUNDLL32.EXE w006ce5e.dll,I2 00008a610006ce5e

O4 - HKLM\..\Run: [w00248f6.dll] RUNDLL32.EXE w00248f6.dll,I2 00008a61000248f6

O4 - HKLM\..\Run: [w00b34c6.dll] RUNDLL32.EXE w00b34c6.dll,I2 00008a61000b34c6

O4 - HKLM\..\Run: [w00d1c91.dll] RUNDLL32.EXE w00d1c91.dll,I2 00008a61000d1c91

O4 - HKLM\..\Run: [w0023faf.dll] RUNDLL32.EXE w0023faf.dll,I2 00008a6100023faf

O4 - HKLM\..\Run: [w0059a34.dll] RUNDLL32.EXE w0059a34.dll,I2 00008a6100059a34

O4 - HKLM\..\Run: [w03ca13d.dll] RUNDLL32.EXE w03ca13d.dll,I2 00008a61003ca13d

O4 - HKLM\..\Run: [MPFExe] C:\Program Files\mcafee.com\personal firewall\MPfTray.exe

O4 - HKLM\..\Run: [w0011690.dll] RUNDLL32.EXE w0011690.dll,I2 00008a6100011690

O4 - HKLM\..\Run: [w0100d31.dll] RUNDLL32.EXE w0100d31.dll,I2 00008a6100100d31

O4 - HKCU\..\Run: [3201] C:\DOCUME~1\Owner\APPLIC~1\CHINER~1\64bitstrans.exe

O4 - HKCU\..\Run: [qulju] C:\WINDOWS\system32\uhaqtm.exe reg_run

O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)

O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)

O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (HKCU)

O18 - Filter: text/html - (no CLSID) - (no file)

O20 - Winlogon Notify: IntlRun - C:\WINDOWS\system32\j44o0eh3eh4.dll (file missing)

Then boot to safe mode:

 *How to restart to safe mode*

Double-click on Killbox.exe to run it. 

Put a tick by *Standard File Kill*. 
In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time:

C:\WINDOWS\system32\vlxxerr.exe

C:\WINDOWS\alal.exe

C:\WINDOWS\system32\g31kac73.exe

C:\Documents and Settings\All Users\Application Data\less gpl face else\bowsmove.exe

C:\Documents and Settings\All Users\Application Data\less gpl face else

C:\WINDOWS\ms06435217784.exe

c:\windows\system32\dwdsregt.exe

C:\WINDOWS\ms06435217784.exe

c:\windows\system32\w0facd81.dll

c:\windows\system32\w014b8de.dll

c:\windows\system32\w0017c9d.dll

c:\windows\system32\w0017d68.dll

c:\windows\system32\w00b8cc9.dll

c:\windows\system32\w02e5e7b.dll

c:\windows\system32\w00160e7.dll

c:\windows\system32\w00177ab.dll

c:\windows\system32\w0061c64.dll

c:\windows\system32\w001486e.dll

c:\windows\system32\w0011920.dll

c:\windows\system32\w0010eff.dll

c:\windows\system32\w009a2eb.dll

c:\windows\system32\w001413a.dll

c:\windows\system32\w00245b9.dll

c:\windows\system32\w00140ad.dll

c:\windows\system32\w0015186.dll

c:\windows\system32\w02d71aa.dll

c:\windows\system32\w06f7459.dll

c:\windows\system32\w00c89d6.dll

c:\windows\system32\w001465a.dll

c:\windows\system32\w006a5b8.dll

c:\windows\system32\w006ce5e.dll

c:\windows\system32\w00248f6.dll

c:\windows\system32\w00b34c6.dll

c:\windows\system32\w00d1c91.dll

c:\windows\system32\w0023faf.dll

c:\windows\system32\w0059a34.dll

c:\windows\system32\w03ca13d.dll

c:\windows\system32\w0011690.dll

c:\windows\system32\w0100d31.dll

C:\DOCUME~1\Owner\APPLIC~1\CHINER~1\64bitstrans.exe

C:\WINDOWS\system32\uhaqtm.exe

C:\WINDOWS\system32\dmonwv.dll

C:\DOCUME~1\Owner\APPLIC~1\CHINER~1\64bitstrans.exe

C:\PROGRA~1\TOOLBA~1\

Click on the button that has the red circle with the X in the middle after you enter each file. 
It will ask for confirmation to delete the file. 
Click Yes. 
Continue with that procedure until you have pasted all of these in the "Paste Full Path of File to Delete" box.
Killbox may tell you that one or more files do not exist. 
If that happens, just continue on with all the files. Be sure you don't miss any.
Next in Killbox go to *Tools > Delete Temp Files*
In the window that pops up, put a check by *ALL* the options there *except* these three:
XP Prefetch
Recent
History

Now click the *Delete Selected Temp Files* button.
Exit the Killbox.

Boot back to Windows normally and post another HijackThis log please.
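The fix list above is built by reading the pasted HijackThis log for a few recurring indicators: search settings pointing at the hijack host, a UserInit chain with a second program appended, RUNDLL32 autostarts of randomly named w*.dll files, and BHO/toolbar/notify entries whose backing file is gone. The following Python triage script is an added example (not from the thread, not HijackThis code) that encodes those indicators; the sample log lines are constructed from entries posted in this thread, and the severity labels are this example's own convention.

```python
"""Triage helper for HijackThis-style logs.

Added example, not part of the original thread and not HijackThis code: it
encodes the indicators the helper acted on (search settings pointing at the
hijack host, an extended UserInit chain, RUNDLL32 autostarts of randomly
named w*.dll files, and BHO/toolbar/notify entries whose file is missing) so
they can be picked out of a pasted log automatically.
"""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

# Search-hijack host seen in the thread's R0/R1 entries.
BAD_SEARCH_HOSTS = {"searchbar.findthewebsiteyouneed.com"}

# O4 autostarts of the shape seen in the log: a DLL named 'w' + 7 hex digits,
# loaded through RUNDLL32 with export I2 and a 16-hex-digit argument.
RUNDLL_RANDOM_DLL = re.compile(
    r"RUNDLL32\.EXE\s+(w[0-9a-f]{7}\.dll),I2\s+[0-9a-f]{16}", re.IGNORECASE)

# F2 UserInit should be exactly userinit.exe; anything appended after the
# comma is started by winlogon at every logon.
USERINIT_RE = re.compile(r"UserInit=(?P<chain>.+)$", re.IGNORECASE)
LEGIT_USERINIT = r"c:\windows\system32\userinit.exe"

# Sections where a missing backing file usually means a leftover malware
# registration (the thread's XBTB04715, Yvakt, dmonwv.dll and IntlRun).
MISSING_FILE_SECTIONS = {"O2", "O3", "O9", "O20"}


@dataclass
class Finding:
    severity: str  # "high" = act on it, "review" = check before fixing
    reason: str
    line: str


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for one HijackThis log line, or None if it looks clean."""
    line = line.strip()
    if " - " not in line:
        return None
    section = line.split(" - ", 1)[0]

    if section in {"R0", "R1"} and " = " in line:
        host = urlparse(line.split(" = ", 1)[1].strip()).hostname
        if host and host.lower() in BAD_SEARCH_HOSTS:
            return Finding("high", f"search setting points at hijack host {host}", line)

    if section == "F2":
        m = USERINIT_RE.search(line)
        if m:
            parts = [p.strip() for p in m.group("chain").split(",")]
            extras = [p for p in parts if p and p.lower() != LEGIT_USERINIT]
            if extras:
                return Finding("high", "UserInit chain runs extra program(s): "
                               + ", ".join(extras), line)

    if section == "O4":
        m = RUNDLL_RANDOM_DLL.search(line)
        if m:
            return Finding("high", f"RUNDLL32 loads randomly named DLL {m.group(1)}", line)

    if section in MISSING_FILE_SECTIONS and (
            "(file missing)" in line or "(no file)" in line):
        return Finding("review", "entry references a file that no longer exists", line)

    return None


def triage_log(text: str) -> List[Finding]:
    """Run triage_line over every line of a pasted log, keeping only findings."""
    return [f for f in (triage_line(ln) for ln in text.splitlines()) if f]


# Constructed sample: a handful of lines taken from the log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,vlxxerr.exe
O2 - BHO: Yvakt Class - {DAAC59E5-093D-4D24-A105-55BFE4ACDE14} - C:\WINDOWS\system32\w9seq.dll (file missing)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [w0017c9d.dll] RUNDLL32.EXE w0017c9d.dll,I2 00008a6100017c9d
O4 - HKLM\..\Run: [w0100d31.dll] RUNDLL32.EXE w0100d31.dll,I2 00008a6100100d31
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O20 - Winlogon Notify: IntlRun - C:\WINDOWS\system32\j44o0eh3eh4.dll (file missing)
"""

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```

The "review" findings are deliberately not auto-fix candidates: the Sun Java Console entry above is flagged the same way as the malicious ones, and only a human reading the log (as the helper did) can tell them apart.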


----------



## incadudeF (Apr 10, 2006)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com

I can't find this in HJT.


----------



## Cookiegal (Aug 27, 2003)

Then just proceed with the rest.


----------



## incadudeF (Apr 10, 2006)

Logfile of HijackThis v1.99.1
Scan saved at 1:54:22 PM, on 4/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\mcafee.com\personal firewall\MPFService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\WildTangent\Apps\GameChannel.exe
C:\Program Files\ABBYY FineReader 5.0 Sprint\CAgent.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\AOL\1108343333\ee\AOLSoftware.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Creative\WebCam Control\CAMTRAY.EXE
C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\Common Files\AOL\1108343333\ee\services\sscAntiSpywarePlugin\ver1_10_3_1\AOLSP Scheduler.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\America Online 9.0a\waol.exe
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
C:\Program Files\Lexmark X125\LEX125SU.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\America Online 9.0a\shellmon.exe
c:\program files\common files\aol\1108343333\ee\aolssc.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=presario&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.comcast.net/toolbar2.0/search/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=presario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=presario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=presario&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=presario&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.net/toolbar2.0/search/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:0/proxy.pac
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: XBTB04715 - {A8B0BDED-64A5-495b-97DA-42C0301E229B} - C:\PROGRA~1\TOOLBA~1\TOOLBA~1.DLL (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
O4 - HKLM\..\Run: [ABBYY Community Agent] C:\Program Files\ABBYY FineReader 5.0 Sprint\CAgent.exe
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1108343333\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\WebCam Control\CAMTRAY.EXE
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [AOLSPScheduler] C:\Program Files\Common Files\AOL\1108343333\ee\services\sscAntiSpywarePlugin\ver1_10_3_1\AOLSP Scheduler.exe
O4 - HKLM\..\Run: [sscRun] C:\Program Files\Common Files\AOL\1108343333\ee\services\sscFirewallPlugin\ver1_10_3_1\SSCRun.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [warez] "C:\Program Files\Warez P2P Client\warez.exe" -h
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0a\AOL.EXE" -b
O4 - Startup: IMStart.lnk = C:\Program Files\InterMute\IMStart.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O4 - Global Startup: Lexmark X125 Settings Utility.lnk = C:\Program Files\Lexmark X125\LEX125SU.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin\core.hp.main\SendTo.html
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.1.2.76.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.aol.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1143406887140
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A9DD5FE2-5567-4983-971F-C792375025A6} (PhoenixBody Class) - http://software.musicnow.com/musicnow/phoenix/4.0.0.33/MusicNow.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.aol.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\Program Files\mcafee.com\personal firewall\MPFService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


----------



## incadudeF (Apr 10, 2006)

When using Killbox it said that all of the files were missing except for 4 files.


----------



## Cookiegal (Aug 27, 2003)

Rescan with HijackThis and have it fix this entry:

O2 - BHO: XBTB04715 - {A8B0BDED-64A5-495b-97DA-42C0301E229B} - C:\PROGRA~1\TOOLBA~1\TOOLBA~1.DLL (file missing)

Boot to safe mode and run Killbox on this:

*C:\PROGRA~1\TOOLBA~1*

I recommend you get rid of BearShare and Warez as they are the source of many infections.

You should also uninstall WildTangent.

How are things running now?


----------



## incadudeF (Apr 10, 2006)

First of all I want to thank you for helping me. Without your help I would have never been able to get rid of this. I am going to donate as soon as possible and I will recommend this site to everyone I know. (I recommended JGAR already.) Everything is working great. No more pop-ups. Thank YOU. Also I hope you have a great Easter.



When I used Killbox, C:\PROGRA~1\TOOLBA~1 did not exist.


P.S. This site should be called Tech Support Gal Forums.


----------



## incadudeF (Apr 10, 2006)

Another quick question. When Ewido finds something, should I block and clean? Also, I deleted BearShare and Warez a long time ago; is something wrong?


----------



## Cookiegal (Aug 27, 2003)

I forgot to have you run Killbox on this file that could not be deleted by the vundofix:

Please do so in safe mode.

*C:\WINDOWS\system32\vtutu.dll*

The following entries in your HijackThis log indicate that Warez and BearShare are still there. See if there are entries for them in the Control Panel - Add/Remove programs and if so, uninstall them there. If not, delete their folders in Program Files.

*C:\Program Files\Warez P2P Client*

*C:\Program Files\BearShare*

You can allow Ewido to disinfect whatever it finds.

Now you should turn system restore off to flush out all previous system restore points, then turn it back on and create a new restore point:

To turn off system restore, on the Desktop, right click on *My Computer* and click on *Properties.*
Click the *System Restore* tab.
Check *Turn off System Restore.*
Click Apply and then click OK.

Restart your computer, turn System Restore back on and create a restore point.

To create a new restore point, click on *Start* > *All Programs* > *Accessories* > *System Tools* and then select *System Restore*.

In the System Restore wizard, select *Create a restore point* and click the Next button.

Type a name for your new restore point then click on Create.

I also recommend downloading *SPYWAREBLASTER* for added protection.

*Read here* for info on how to tighten your security.

*Delete your temporary files:*

In safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit - Select All then Edit - Delete to delete the entire contents of the Temp folder.

Go to Start - Run and type *%temp%* in the Run box. The Temp folder will open. Click *Edit - Select All* then hit *Delete* to delete the entire contents of the Temp folder.

Finally go to Control Panel - Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

*Empty the recycle bin*.
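Cookiegal reads the HijackThis log by hand above: an O2 entry tagged "(file missing)" is an orphan that can simply be fixed, and O4 Run entries that still point into the BearShare and Warez folders show those programs were never fully removed. The script below is an added example, not part of this thread or of HijackThis; it applies those same two checks to a constructed set of log lines modelled on the ones quoted here, and the list of unwanted program names is an assumption taken from Cookiegal's advice.

```python
"""Triage helper for HijackThis-style log lines (added example, not part of the thread)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumption: the program names Cookiegal advises removing in this thread.
UNWANTED_PROGRAMS = ("BearShare", "Warez P2P Client", "WildTangent")

# Constructed sample, modelled on entries quoted in the thread above.
SAMPLE_LOG = r"""
O2 - BHO: XBTB04715 - {A8B0BDED-64A5-495b-97DA-42C0301E229B} - C:\PROGRA~1\TOOLBA~1\TOOLBA~1.DLL (file missing)
O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [warez] "C:\Program Files\Warez P2P Client\warez.exe" -h
O4 - Startup: IMStart.lnk = C:\Program Files\InterMute\IMStart.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
"""

MISSING_TAG = " (file missing)"

# One pattern per section handled; the suffix tag is stripped before matching.
_O2 = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.*)$")
_O4_RUN = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
_O4_STARTUP = re.compile(r"^O4 - (?:Global )?Startup: (?P<name>.*?) = (?P<path>.*)$")
_O23 = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<company>.*?) - (?P<path>.*)$")
_QUOTED = re.compile(r'^"(?P<path>[^"]+)"')
_BARE = re.compile(r"^(?P<path>.+?\.(?:exe|dll|scr|com))(?:\s|$)", re.IGNORECASE)


@dataclass
class Entry:
    section: str        # HijackThis section code: O2, O4 or O23
    name: str           # Run value name, BHO name or service display name
    path: str           # executable or DLL the entry points at
    raw: str            # original log line
    file_missing: bool  # HijackThis appended "(file missing)"


@dataclass
class Finding:
    entry: Entry
    reason: str


def _exe_from_command(cmd: str) -> str:
    """Strip arguments from a Run value: honour quotes, else cut after the first .exe/.dll."""
    m = _QUOTED.match(cmd) or _BARE.match(cmd)
    return m["path"] if m else cmd.strip()


def parse_line(line: str) -> Entry | None:
    """Parse one O2/O4/O23 line; return None for sections this helper does not handle."""
    line = line.strip()
    missing = line.endswith(MISSING_TAG)
    core = line[: -len(MISSING_TAG)] if missing else line
    if m := _O2.match(core):
        return Entry("O2", m["name"], m["path"], line, missing)
    if m := _O4_RUN.match(core):
        return Entry("O4", m["name"], _exe_from_command(m["cmd"]), line, missing)
    if m := _O4_STARTUP.match(core):
        return Entry("O4", m["name"], m["path"], line, missing)
    if m := _O23.match(core):
        return Entry("O23", m["name"], m["path"], line, missing)
    return None


def parse_log(text: str) -> list[Entry]:
    """Parse every recognised line of a log; unrecognised and blank lines are skipped."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


def triage(entries: list[Entry], unwanted=UNWANTED_PROGRAMS) -> list[Finding]:
    """Apply the two checks used in the thread: orphaned entries and autostarts for unwanted programs."""
    findings: list[Finding] = []
    for e in entries:
        if e.file_missing:
            findings.append(Finding(e, "orphaned: target file no longer exists, entry can be fixed"))
            continue
        hit = next((p for p in unwanted if p.lower() in e.path.lower()), None)
        if hit is not None:
            findings.append(Finding(e, f"autostart for {hit!r} still present: program not fully removed"))
    return findings


if __name__ == "__main__":
    for f in triage(parse_log(SAMPLE_LOG)):
        print(f"[{f.entry.section}] {f.entry.name}: {f.reason}\n    {f.entry.raw}")
```

Entries that reference neither a missing file nor an unwanted program (ctfmon.exe, the ewido service) are left unflagged, matching the advice not to let HijackThis fix everything it lists.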


----------



## incadudeF (Apr 10, 2006)

Should I be worried?????

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 9:14:35 PM, 4/17/2006
+ Report-Checksum: 8B0A7B6A

+ Scan result:

HKU\S-1-5-21-2843946056-206190664-130944062-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1C044AAD-7955-4CBD-8175-501A165C4E5D} -> Trojan.Conhook.b : Cleaned with backup
HKU\S-1-5-21-2843946056-206190664-130944062-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{21B4ACC4-8874-4AEC-AEAC-F567A249B4D4} -> Adware.ZangoSearch : Cleaned with backup
HKU\S-1-5-21-2843946056-206190664-130944062-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6001CDF7-6F45-471B-A203-0225615E35A7} -> Adware.Generic : Cleaned with backup
HKU\S-1-5-21-2843946056-206190664-130944062-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B8B55274-0F9A-41E5-9067-A3539BD9E860} -> Trojan.Agent.dj : Cleaned with backup
C:\WINDOWS\ms064352177842006.exe -> Adware.Enbrow : Cleaned with backup
C:\WINDOWS\system32\aeotf.dat -> Downloader.Qoologic.bj : Cleaned with backup
C:\WINDOWS\system32\boaqkud.dll -> Downloader.Qoologic.bj : Cleaned with backup
C:\WINDOWS\system32\__delete_on_reboot__boaqkud.dll -> Downloader.Qoologic.bj : Cleaned with backup
C:\WINDOWS\system32\__delete_on_reboot__dmonwv.dll -> Downloader.Agent.agw : Cleaned with backup
C:\WINDOWS\unwn.exe -> Trojan.Qoologic : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt -> TrackingCookie.Adrevolver : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt -> TrackingCookie.Advertising : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt -> TrackingCookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt -> TrackingCookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt -> TrackingCookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt -> TrackingCookie.Com : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt -> TrackingCookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt -> TrackingCookie.Tracking101 : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt -> TrackingCookie.Statcounter : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt -> TrackingCookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt -> TrackingCookie.Tribalfusion : Cleaned with backup

::Report End


----------



## Cookiegal (Aug 27, 2003)

Download *WinPFind*
*Right Click* the Zip Folder and Select "*Extract All*"
Extract it somewhere you will remember like the *Desktop*
Don't do anything with it yet!

Download *Track qoo*
Save it somewhere you will remember like the *Desktop*


Reboot into Safe Mode
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Double click *WinPFind.exe*
Click "*Start Scan*"
*It will scan the entire System, so please be patient!*
Once the Scan is Complete
Go to the *WinPFind folder*
Locate *WinPFind.txt*
Place those results in the next post!


Reboot back to Normal Mode!

Double Click on "*Track qoo.vbs*"

Note - If your Antivirus has Script Blocking, you will get a Pop Up Window asking you what to do. Allow this Entire Script to Run, it's harmless!

Wait a few seconds and a notepad page will pop up, Copy & Paste those results and paste them in your next post along with the results of WinPFind!


----------



## incadudeF (Apr 10, 2006)

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
UPX! 9/20/2004 10:03:30 PM 18432 C:\WINDOWS\ss3unstl.exe

Checking %System% folder...
UPX! 9/1/2004 7:49:56 AM 284672 C:\WINDOWS\SYSTEM32\avisynth.dll
UPX! 9/20/2004 10:03:26 PM 2057664 C:\WINDOWS\SYSTEM32\Coastal Screensaver.scr
PEC2 8/16/2003 12:40:04 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
SAHAgent 8/4/2005 6:33:48 PM 3598 C:\WINDOWS\SYSTEM32\g31kac73.ini
PECompact2 4/6/2006 12:48:38 PM 5143456 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 4/6/2006 12:48:38 PM 5143456 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 8/4/2004 12:56:36 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
SAHAgent 7/18/2005 12:59:56 AM 35 C:\WINDOWS\SYSTEM32\r9uk4a46.ini
Umonitor 8/4/2004 12:56:44 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
SAHAgent 7/18/2005 12:59:56 AM 35 C:\WINDOWS\SYSTEM32\u4289u74.ini
winsync 8/15/2003 7:41:44 PM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...
PTech 8/3/2004 10:41:38 PM 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts

qoologic 4/1/2006 2:34:40 PM 33628 C:\WINDOWS\SYSTEM32\drivers\etc\hosts.hye
urllogic 4/1/2006 2:34:40 PM 33628 C:\WINDOWS\SYSTEM32\drivers\etc\hosts.hye
abetterinternet.com 4/1/2006 2:34:40 PM 33628 C:\WINDOWS\SYSTEM32\drivers\etc\hosts.hye
qoologic 4/1/2006 12:25:24 PM 33628 C:\WINDOWS\SYSTEM32\drivers\etc\hosts.zcr
urllogic 4/1/2006 12:25:24 PM 33628 C:\WINDOWS\SYSTEM32\drivers\etc\hosts.zcr
abetterinternet.com 4/1/2006 12:25:24 PM 33628 C:\WINDOWS\SYSTEM32\drivers\etc\hosts.zcr

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
4/18/2006 8:35:54 PM S 2048 C:\WINDOWS\bootstat.dat
4/9/2006 9:05:32 PM H 54156 C:\WINDOWS\QTFont.qfn
3/27/2006 12:39:22 AM H 0 C:\WINDOWS\inf\oem41.inf
3/28/2006 3:47:02 PM H 24277 C:\WINDOWS\system32\LMPDP.GID
4/10/2006 7:17:36 PM S 13249 C:\WINDOWS\system32\CatRoot\TMP304.tmp
3/22/2006 4:17:30 PM S 14054 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB908531.cat
3/22/2006 11:15:38 PM S 10925 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB911562.cat
3/13/2006 4:45:34 PM S 7898 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB911565.cat
3/17/2006 2:24:26 AM S 12455 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB911567.cat
3/30/2006 3:03:56 AM S 22339 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB912812.cat
4/18/2006 8:35:44 PM H 8192 C:\WINDOWS\system32\config\default.LOG
4/18/2006 8:36:38 PM H 1024 C:\WINDOWS\system32\config\SAM.LOG
4/18/2006 8:35:54 PM H 16384 C:\WINDOWS\system32\config\SECURITY.LOG
4/18/2006 8:50:04 PM H 225280 C:\WINDOWS\system32\config\software.LOG
4/18/2006 8:35:58 PM H 1085440 C:\WINDOWS\system32\config\system.LOG
4/15/2006 3:44:20 PM H 1024 C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT.LOG
3/31/2006 11:34:48 AM S 21957 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\486CC6AFD08942336C61FCD401C4A1D1
3/31/2006 11:34:48 AM S 408 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\74BFD122C0875EC75DBE5C6DB4C59019
3/28/2006 3:31:04 PM S 558 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\E6024EAC88E6B6165D49FE3C95ADD735
3/31/2006 11:34:48 AM S 120 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\486CC6AFD08942336C61FCD401C4A1D1
3/31/2006 11:34:48 AM S 124 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\74BFD122C0875EC75DBE5C6DB4C59019
3/28/2006 3:31:04 PM S 144 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\E6024EAC88E6B6165D49FE3C95ADD735
3/16/2006 1:47:56 AM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\1c25ec1d-6494-47a1-84c1-cc2d50d4840e
3/16/2006 1:47:56 AM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
4/18/2006 8:34:56 PM H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Realtek Semiconductor Corp. 9/20/2004 4:20:44 PM 16121856 C:\WINDOWS\SYSTEM32\ALSNDMGR.CPL
Microsoft Corporation 8/4/2004 12:56:58 AM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc. 4/13/2005 4:48:52 AM 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 8/15/2003 6:49:58 PM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 8/15/2003 6:57:52 PM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
Apple Computer, Inc. 12/14/2003 5:20:50 PM 323072 C:\WINDOWS\SYSTEM32\QuickTime.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/15/2003 7:04:26 PM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 8/15/2003 6:49:58 PM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 8/15/2003 6:57:52 PM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 8/15/2003 7:04:26 PM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl
Intel Corporation 2/10/2004 6:53:24 PM 94208 C:\WINDOWS\SYSTEM32\ReinstallBackups\0001\DriverFiles\igfxcpl.cpl
Realtek Semiconductor Corp. 2/10/2004 1:19:32 AM 14224384 C:\WINDOWS\SYSTEM32\ReinstallBackups\0017\DriverFiles\ALSNDMGR.CPL

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
9/11/2004 8:06:28 PM 1903 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Compaq Connections.lnk
4/2/2004 12:55:28 PM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
9/11/2004 9:46:10 PM 1604 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Lexmark X125 Settings Utility.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
4/2/2004 4:46:32 AM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini

Checking files in %USERPROFILE%\Startup folder...
4/2/2004 12:55:28 PM HS 84 C:\Documents and Settings\Owner\Start Menu\Programs\Startup\desktop.ini
4/2/2004 3:32:38 PM 1560 C:\Documents and Settings\Owner\Start Menu\Programs\Startup\IMStart.lnk

Checking files in %USERPROFILE%\Application Data folder...

Items found in C:\Documents and Settings\Owner\Application Data\.googlewebacchosts

4/1/2006 2:30:32 PM 954 C:\Documents and Settings\Owner\Application Data\.googlewebacchosts
4/2/2004 4:46:32 AM HS 62 C:\Documents and Settings\Owner\Application Data\desktop.ini
4/7/2006 5:38:50 PM 268 C:\Documents and Settings\Owner\Application Data\LMCPaper.dat
4/7/2006 5:38:50 PM 3932 C:\Documents and Settings\Owner\Application Data\LMLayout.dat

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
sv1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\BriefcaseMenu
{85BBD920-42A0-1069-A2E4-08002B30309D} = syncui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido anti-malware\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Yahoo! Mail
{5464D816-CF16-4784-B9F3-75C0DB52B499} = C:\PROGRA~1\Yahoo!\Common\ymmapi.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\BriefcaseMenu
{85BBD920-42A0-1069-A2E4-08002B30309D} = syncui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido anti-malware\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{CE3A44D8-BC88-4D62-A890-42D96245F8D6}
= C:\WINDOWS\system32\dmonwv.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29}
Comcast Toolbar = C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
&Yahoo! Messenger = C:\PROGRA~1\Yahoo!\Common\yhexbmesus.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = Yahoo! Toolbar	: C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
{DE9C389F-3316-41A7-809B-AA305ED9D922} = AOL Toolbar	: C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
{4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} = Comcast Toolbar	: C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\CmdMapping
MenuText = : 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{3369AF0D-62E9-4bda-8103-B4C75499B578}
ButtonText = AOL Toolbar	: 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}
ButtonText = Yahoo! Services	: 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{92780B25-18CC-41C8-B9BE-3C9C571A8263}
ButtonText = Research	: 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger	: C:\Program Files\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
= 
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
History Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address	: %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links	: %SystemRoot%\system32\SHELL32.dll
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = : 
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address	: %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links	: %SystemRoot%\system32\SHELL32.dll
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = : 
{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} = : 
{4982D40A-C53B-4615-B15B-B5B5E98D167C} = : 
{2318C2B1-4965-11D4-9B18-009027A5CD4F} = : 
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = Yahoo! Toolbar	: C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
{DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} = : 
{77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} = : 
{DE9C389F-3316-41A7-809B-AA305ED9D922} = AOL Toolbar	: C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
{4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} = Comcast Toolbar	: C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
SunJavaUpdateSched	C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
hpsysdrv	c:\windows\system\hpsysdrv.exe
KBD	C:\HP\KBD\KBD.EXE
Recguard	C:\WINDOWS\SMINST\RECGUARD.EXE
VTTimer	VTTimer.exe
AGRSMMSG	AGRSMMSG.exe
PS2	C:\WINDOWS\system32\ps2.exe
ABBYY Community Agent	C:\Program Files\ABBYY FineReader 5.0 Sprint\CAgent.exe
UpdateManager	"c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
QuickTime Task	"C:\Program Files\QuickTime\qttask.exe" -atboottime
HostManager	C:\Program Files\Common Files\AOL\1108343333\ee\AOLSoftware.exe
AOLDialer	C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
Pure Networks Port Magic	"C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
Creative WebCam Tray	C:\Program Files\Creative\WebCam Control\CAMTRAY.EXE
BearShare	"C:\Program Files\BearShare\BearShare.exe" /pause
D-Link AirPlus G	C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
ANIWZCS2Service	C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
TkBellExe	"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
SsAAD.exe	C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
AOLSPScheduler	C:\Program Files\Common Files\AOL\1108343333\ee\services\sscAntiSpywarePlugin\ver1_10_3_1\AOLSP Scheduler.exe
sscRun	C:\Program Files\Common Files\AOL\1108343333\ee\services\sscFirewallPlugin\ver1_10_3_1\SSCRun.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL	Installed = 1
MAPI	Installed = 1
MSFS	Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
RecordNow!	
ctfmon.exe	C:\WINDOWS\system32\ctfmon.exe
warez	"C:\Program Files\Warez P2P Client\warez.exe" -h
AOL Fast Start	"C:\Program Files\America Online 9.0a\AOL.EXE" -b

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} = 
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername	0
legalnoticecaption	
legalnoticetext	
shutdownwithoutlogon	1
undockwithoutlogon	1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun	145

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit	= C:\WINDOWS\SYSTEM32\Userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui
= igfxsrvc.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs

»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1	- Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 4/18/2006 8:55:48 PM


----------



## incadudeF (Apr 10, 2006)

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_03\\bin\\jusched.exe"
"hpsysdrv"="c:\\windows\\system\\hpsysdrv.exe"
"KBD"="C:\\HP\\KBD\\KBD.EXE"
"Recguard"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE"
"VTTimer"="VTTimer.exe"
"AGRSMMSG"="AGRSMMSG.exe"
"PS2"="C:\\WINDOWS\\system32\\ps2.exe"
"ABBYY Community Agent"="C:\\Program Files\\ABBYY FineReader 5.0 Sprint\\CAgent.exe"
"UpdateManager"="\"c:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"HostManager"="C:\\Program Files\\Common Files\\AOL\\1108343333\\ee\\AOLSoftware.exe"
"AOLDialer"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"
"Pure Networks Port Magic"="\"C:\\PROGRA~1\\PURENE~1\\PORTMA~1\\PortAOL.exe\" -Run"
"Creative WebCam Tray"="C:\\Program Files\\Creative\\WebCam Control\\CAMTRAY.EXE"
"BearShare"="\"C:\\Program Files\\BearShare\\BearShare.exe\" /pause"
"D-Link AirPlus G"="C:\\Program Files\\D-Link\\AirPlus G\\AirGCFG.exe"
"ANIWZCS2Service"="C:\\Program Files\\ANI\\ANIWZCS2 Service\\WZCSLDR2.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"SsAAD.exe"="C:\\PROGRA~1\\Sony\\SONICS~1\\SsAAD.exe"
"AOLSPScheduler"="C:\\Program Files\\Common Files\\AOL\\1108343333\\ee\\services\\sscAntiSpywarePlugin\\ver1_10_3_1\\AOLSP Scheduler.exe"
"sscRun"="C:\\Program Files\\Common Files\\AOL\\1108343333\\ee\\services\\sscFirewallPlugin\\ver1_10_3_1\\SSCRun.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

-----------------
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers

Subkey --- BriefcaseMenu
{85BBD920-42A0-1069-A2E4-08002B30309D}
syncui.dll

Subkey --- ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}
C:\Program Files\ewido anti-malware\context.dll

Subkey --- Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03}
C:\WINDOWS\System32\cscui.dll

Subkey --- Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA}
C:\Program Files\WinRAR\rarext.dll

Subkey --- Yahoo! Mail
{5464D816-CF16-4784-B9F3-75C0DB52B499}
C:\PROGRA~1\Yahoo!\Common\ymmapi.dll

Subkey --- {a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin
C:\WINDOWS\system32\SHELL32.dll

=====================

HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers

Subkey --- {0D2E74C4-3C34-11d2-A27E-00C04FC30871}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {24F14F01-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {24F14F02-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {66742402-F9B9-11D1-A202-0000F81FEDEE}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {CE3A44D8-BC88-4D62-A890-42D96245F8D6}
C:\WINDOWS\system32\dmonwv.dll

==============================
C:\Documents and Settings\All Users\Start Menu\Programs\Startup

Compaq Connections.lnk
desktop.ini
Lexmark X125 Settings Utility.lnk
==============================
C:\Documents and Settings\Owner\Start Menu\Programs\Startup

Compaq Connections.lnk
desktop.ini
Lexmark X125 Settings Utility.lnk
desktop.ini
IMStart.lnk
==============================
C:\WINDOWS\system32 cpl files

ALSNDMGR.CPL Realtek Semiconductor Corp.
appwiz.cpl Microsoft Corporation
bthprops.cpl Microsoft Corporation
desk.cpl Microsoft Corporation
firewall.cpl Microsoft Corporation
hdwwiz.cpl Microsoft Corporation
inetcpl.cpl Microsoft Corporation
intl.cpl Microsoft Corporation
irprops.cpl Microsoft Corporation
joy.cpl Microsoft Corporation
jpicpl32.cpl Sun Microsystems, Inc.
main.cpl Microsoft Corporation
mmsys.cpl Microsoft Corporation
ncpa.cpl Microsoft Corporation
netsetup.cpl Microsoft Corporation
nusrmgr.cpl Microsoft Corporation
odbccp32.cpl Microsoft Corporation
powercfg.cpl Microsoft Corporation
QuickTime.cpl Apple Computer, Inc.
sysdm.cpl Microsoft Corporation
telephon.cpl Microsoft Corporation
timedate.cpl Microsoft Corporation
wscui.cpl Microsoft Corporation
wuaucpl.cpl Microsoft Corporation


----------



## Cookiegal (Aug 27, 2003)

Boot to safe mode and run Killbox on these files:

C:\WINDOWS\SYSTEM32\g31kac73.ini

C:\WINDOWS\ss3unstl.exe

C:\WINDOWS\SYSTEM32\r9uk4a46.ini

C:\WINDOWS\SYSTEM32\u4289u74.ini

C:\WINDOWS\system32\dmonwv.dll


----------



## Cookiegal (Aug 27, 2003)

Also, let's see a new HijackThis log please.


----------



## incadudeF (Apr 10, 2006)

Logfile of HijackThis v1.99.1
Scan saved at 10:48:44 PM, on 4/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\mcafee.com\personal firewall\MPFService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ABBYY FineReader 5.0 Sprint\CAgent.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\AOL\1108343333\ee\AOLSoftware.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Creative\WebCam Control\CAMTRAY.EXE
C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\Common Files\AOL\1108343333\ee\services\sscAntiSpywarePlugin\ver1_10_3_1\AOLSP Scheduler.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\America Online 9.0a\waol.exe
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
C:\Program Files\Lexmark X125\LEX125SU.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\America Online 9.0a\shellmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=presario&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.comcast.net/toolbar2.0/search/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=presario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=presario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=presario&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=presario&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.net/toolbar2.0/search/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:0/proxy.pac
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [ABBYY Community Agent] C:\Program Files\ABBYY FineReader 5.0 Sprint\CAgent.exe
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1108343333\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\WebCam Control\CAMTRAY.EXE
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [AOLSPScheduler] C:\Program Files\Common Files\AOL\1108343333\ee\services\sscAntiSpywarePlugin\ver1_10_3_1\AOLSP Scheduler.exe
O4 - HKLM\..\Run: [sscRun] C:\Program Files\Common Files\AOL\1108343333\ee\services\sscFirewallPlugin\ver1_10_3_1\SSCRun.exe
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [warez] "C:\Program Files\Warez P2P Client\warez.exe" -h
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0a\AOL.EXE" -b
O4 - Startup: IMStart.lnk = C:\Program Files\InterMute\IMStart.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O4 - Global Startup: Lexmark X125 Settings Utility.lnk = C:\Program Files\Lexmark X125\LEX125SU.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin\core.hp.main\SendTo.html
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.1.2.76.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.aol.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1143406887140
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A9DD5FE2-5567-4983-971F-C792375025A6} (PhoenixBody Class) - http://software.musicnow.com/musicnow/phoenix/4.0.0.33/MusicNow.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.aol.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\Program Files\mcafee.com\personal firewall\MPFService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


----------



## incadudeF (Apr 10, 2006)

I'm sorry I haven't responded in a while; it was because of star testing week in school.
I ran Killbox on the things you told me to. This file was not found:

C:\WINDOWS\system32\dmonwv.dll


----------



## wdm2291 (Nov 5, 2004)

Hi incadudeF

Cookiegal is offline at the moment, apparently. But in the meantime, you really should go in and delete those two folders she suggested you get rid of:

C:\Program Files\*BearShare*
C:\Program Files\*Warez P2P Client*

You'll save yourself a lot of trouble by getting rid of them.

Try to remove them in Add/Remove programs (in Control Panel) first, and if they aren't listed in there, then just navigate to the Program Files folder and look for those two folders in there: *BearShare* and *Warez P2P Client* (and delete them).

Other than that, sit tight and she will be back (probably tomorrow) with a response for you.

Wayne


----------



## Cookiegal (Aug 27, 2003)

The log looks good and yes, you should definitely get rid of those P2P programs.

How are things running now?


----------



## incadudeF (Apr 10, 2006)

As I told you before, I don't know why the P2P clients are showing up; I deleted them a long time ago. Thank you Cookiegal for helping me, I really appreciate it. Everything is running a lot better.


----------



## wdm2291 (Nov 5, 2004)

Did you delete the folders? Or did you remove them in Add/Remove programs in Control Panel? If you only did one, you probably also need to do the other as well.


Wayne
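The behaviour discussed above (P2P programs long deleted, yet still listed under O4) comes down to the Run-key value outliving the program's folder. As an added example, not code from HijackThis or from anyone in this thread, the script below parses O4 Run-key lines and reports whether the program each one points to still exists; the sample lines are copied from the logs above and the set of files "still present" is constructed to mimic the cleaned machine.

```python
"""Flag HijackThis O4 autostart entries whose target program is gone.

Added example for this thread, not code from HijackThis or from anyone
posting above. A Run-key value outlives the program's folder, so an entry
such as [BearShare] keeps appearing in the O4 section until the value
itself is removed. Sample lines are copied from the logs above; the set of
"present" files is constructed.
"""
import os
import re
from typing import Callable, Dict, List

# O4 Run-key line, e.g.
#   O4 - HKCU\..\Run: [warez] "C:\Program Files\Warez P2P Client\warez.exe" -h
O4_RUN_RE = re.compile(
    r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$'
)

# Constructed sample: four Run-key lines and one Startup-folder line from the logs.
SAMPLE_O4_LINES = [
    r'O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe',
    r'O4 - HKLM\..\Run: [VTTimer] VTTimer.exe',
    r'O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause',
    r'O4 - HKCU\..\Run: [warez] "C:\Program Files\Warez P2P Client\warez.exe" -h',
    r'O4 - Startup: IMStart.lnk = C:\Program Files\InterMute\IMStart.exe',
]

# Constructed: the only referenced file still on disk after the P2P folders were deleted.
PRESENT_FILES = {r'c:\program files\java\jre1.5.0_03\bin\jusched.exe'}


def fake_exists(path: str) -> bool:
    """Stand-in for os.path.exists so the example runs on any OS."""
    return path.lower() in PRESENT_FILES


def extract_target(cmd: str) -> str:
    """Pull the executable path out of a Run-key command line.

    A quoted command ends at the closing quote. HijackThis prints unquoted
    commands and their arguments as one string, so those are cut after the
    first ".exe"; that also handles unquoted paths containing spaces.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.search(r'\.exe', cmd, re.IGNORECASE)
    return cmd[:m.end()] if m else cmd.split(' ', 1)[0]


def classify_o4(lines, exists: Callable[[str], bool] = os.path.exists) -> List[Dict[str, str]]:
    """Return one finding per Run-key O4 line: present, missing, or unqualified."""
    findings = []
    for line in lines:
        m = O4_RUN_RE.match(line.strip())
        if not m:
            continue  # Startup-folder lines (O4 - Startup:) are not Run-key values
        target = extract_target(m.group('cmd'))
        if '\\' not in target:
            status = 'unqualified'  # bare file name, resolved through PATH at logon
        elif exists(target):
            status = 'present'
        else:
            status = 'missing'      # orphaned value: program removed, autostart entry not
        findings.append({'hive': m.group('hive'), 'name': m.group('name'),
                         'target': target, 'status': status})
    return findings


def orphan_names(findings: List[Dict[str, str]]) -> List[str]:
    """Names of Run-key entries whose target no longer exists."""
    return [f['name'] for f in findings if f['status'] == 'missing']


if __name__ == '__main__':
    for f in classify_o4(SAMPLE_O4_LINES, exists=fake_exists):
        print(f"{f['status']:<12} {f['hive']}  [{f['name']}]  {f['target']}")
```

On the real machine, call `classify_o4` with the default `exists` over a saved HijackThis log; entries reported as `missing` are the leftover values that keep reappearing in the log.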


----------



## Cookiegal (Aug 27, 2003)

Now you should turn system restore off to flush out all previous system restore points, then turn it back on and create a new restore point:

To turn off system restore, on the Desktop, right click on *My Computer* and click on *Properties.*
Click the *System Restore* tab.
Check *Turn off System Restore.*
Click Apply and then click OK.

Restart your computer, turn System Restore back on and create a restore point.

To create a new restore point, click on *Start* > *All Programs* > *Accessories* > *System Tools* and then select *System Restore*.

In the System Restore wizard, select *Create a restore point* and click the Next button.

Type a name for your new restore point then click on Create.

I also recommend downloading *SPYWAREBLASTER* for added protection.

*Read here* for info on how to tighten your security.

*Delete your temporary files:*

In safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit - Select All then Edit - Delete to delete the entire contents of the Temp folder.

Go to Start - Run and type *%temp%* in the Run box. The Temp folder will open. Click *Edit - Select All* then hit *Delete* to delete the entire contents of the Temp folder.

Finally go to Control Panel - Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

*Empty the recycle bin*.


----------



## incadudeF (Apr 10, 2006)

I have another question. When my trial with EWIDO ends, can I delete it? I was just wondering because I just bought NORTON INTERNET SECURITY.


----------



## Cookiegal (Aug 27, 2003)

When the trial period ends for Ewido it becomes freeware with some reduced functions but you will still be able to update it and do scans. I recommend that you keep it.


----------



## incadudeF (Apr 10, 2006)

I've recently noticed that it takes my PC a long time to load up. I was just wondering if anything was affecting it. Before, it used to not take as long. Is there any way I could check it?


----------



## Cookiegal (Aug 27, 2003)

Please post a new HijackThis log and be sure to enable everything in msconfig before scanning.


----------



## incadudeF (Apr 10, 2006)

How do I do this?


----------



## incadudeF (Apr 10, 2006)

Logfile of HijackThis v1.99.1
Scan saved at 10:00:59 PM, on 5/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\AOL\1108343333\ee\AOLSoftware.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe
C:\Program Files\Creative\WebCam Control\CAMTRAY.EXE
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\America Online 9.0a\waol.exe
C:\Program Files\Messenger\Msmsgs.exe
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
C:\Program Files\Lexmark X125\LEX125SU.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\America Online 9.0a\shellmon.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=presario&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.comcast.net/toolbar2.0/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=presario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=presario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=presario&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=presario&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.net/toolbar2.0/search/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:0/proxy.pac
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [ABBYY Community Agent] C:\Program Files\ABBYY FineReader 5.0 Sprint\CAgent.exe
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1108343333\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\WebCam Control\CAMTRAY.EXE
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [warez] "C:\Program Files\Warez P2P Client\warez.exe" -h
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0a\AOL.EXE" -b
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\Msmsgs.exe" /background
O4 - Startup: IMStart.lnk = C:\Program Files\InterMute\IMStart.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O4 - Global Startup: Lexmark X125 Settings Utility.lnk = C:\Program Files\Lexmark X125\LEX125SU.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin\core.hp.main\SendTo.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.1.2.76.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.aol.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1143406887140
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A9DD5FE2-5567-4983-971F-C792375025A6} (PhoenixBody Class) - http://software.musicnow.com/musicnow/phoenix/4.0.0.33/MusicNow.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.aol.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


----------



## Cookiegal (Aug 27, 2003)

Please run another scan with Ewido and post the results.

Also, please do another on-line scan from Panda and post the results.


----------



## incadudeF (Apr 10, 2006)

I have another computer that is running really slow also; what should I do? Should I post a new post or should I post the HJT log here?


----------



## Cookiegal (Aug 27, 2003)

Please start a new thread for the other computer.


----------



## incadudeF (Apr 10, 2006)

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 12:35:42 AM, 5/8/2006
+ Report-Checksum: 592F7EAE

+ Scan result:

:mozilla.9:C:\Documents and Settings\Melanie\Application Data\Mozilla\Firefox\Profiles\xpbfauvi.default\cookies.txt -> TrackingCookie.Coremetrics : Cleaned with backup
:mozilla.10:C:\Documents and Settings\Melanie\Application Data\Mozilla\Firefox\Profiles\xpbfauvi.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.12:C:\Documents and Settings\Melanie\Application Data\Mozilla\Firefox\Profiles\xpbfauvi.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.13:C:\Documents and Settings\Melanie\Application Data\Mozilla\Firefox\Profiles\xpbfauvi.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.14:C:\Documents and Settings\Melanie\Application Data\Mozilla\Firefox\Profiles\xpbfauvi.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.15:C:\Documents and Settings\Melanie\Application Data\Mozilla\Firefox\Profiles\xpbfauvi.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.16:C:\Documents and Settings\Melanie\Application Data\Mozilla\Firefox\Profiles\xpbfauvi.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.17:C:\Documents and Settings\Melanie\Application Data\Mozilla\Firefox\Profiles\xpbfauvi.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.18:C:\Documents and Settings\Melanie\Application Data\Mozilla\Firefox\Profiles\xpbfauvi.default\cookies.txt -> TrackingCookie.Estat : Cleaned with backup
:mozilla.36:C:\Documents and Settings\Melanie\Application Data\Mozilla\Firefox\Profiles\xpbfauvi.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
:mozilla.37:C:\Documents and Settings\Melanie\Application Data\Mozilla\Firefox\Profiles\xpbfauvi.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.38:C:\Documents and Settings\Melanie\Application Data\Mozilla\Firefox\Profiles\xpbfauvi.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.39:C:\Documents and Settings\Melanie\Application Data\Mozilla\Firefox\Profiles\xpbfauvi.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.40:C:\Documents and Settings\Melanie\Application Data\Mozilla\Firefox\Profiles\xpbfauvi.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.41:C:\Documents and Settings\Melanie\Application Data\Mozilla\Firefox\Profiles\xpbfauvi.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
C:\Documents and Settings\Melanie\Cookies\[email protected][2].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Melanie\Cookies\[email protected][2].txt -> TrackingCookie.Pointroll : Cleaned with backup
C:\Documents and Settings\Melanie\Cookies\[email protected][1].txt -> TrackingCookie.Advertising : Cleaned with backup
C:\Documents and Settings\Melanie\Cookies\[email protected][2].txt -> TrackingCookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Melanie\Cookies\[email protected][1].txt -> TrackingCookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Melanie\Cookies\[email protected][1].txt -> TrackingCookie.Ru4 : Cleaned with backup
C:\Documents and Settings\Melanie\Cookies\[email protected][2].txt -> TrackingCookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Melanie\Cookies\[email protected][1].txt -> TrackingCookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Melanie\Cookies\[email protected][2].txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.37:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\b7hl034j.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.38:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\b7hl034j.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.41:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\b7hl034j.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
:mozilla.48:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\b7hl034j.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt -> TrackingCookie.Statcounter : Cleaned with backup

::Report End


----------



## Cookiegal (Aug 27, 2003)

And another Panda scan as requested please.


----------



## incadudeF (Apr 10, 2006)

Incident Status Location

Adware:adware/wupd Not disinfected c:\windows\system32\ide21201.vxd 
Adware:adware/comet Not disinfected c:\windows\inf\dm.inf  
Adware:adware/dollarrevenue Not disinfected c:\windows\teller2.chk 
Spyware:spyware/searchcentrix Not disinfected Windows Registry 
Adware:adware program Not disinfected Windows Registry 
Adware:adware/dyfuca Not disinfected Windows Registry 
Adware:adware/sqwire Not disinfected Windows Registry 
Adware:adware/savenow Not disinfected Windows Registry 
Adware:adware/ist.istbar Not disinfected Windows Registry 
Spyware:spyware/virtumonde Not disinfected Windows Registry 
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Melanie\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-2fd7e25e-6c6dc5d0.zip[Dummy.class] 
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Melanie\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive1213.jar-20f0b066-21323341.zip[Dummy.class] 
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Melanie\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive1213.jar-2c640267-2b6f5c90.zip[Dummy.class]  
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Melanie\Cookies\[email protected][2].txt 
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\Melanie\Cookies\[email protected][1].txt 
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\Melanie\Cookies\[email protected][2].txt 
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Melanie\Cookies\[email protected][1].txt 
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Melanie\Cookies\[email protected][1].txt 
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Melanie\Cookies\[email protected][1].txt 
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Melanie\Cookies\[email protected][1].txt 
Spyware:Cookie/SearchingBooth Not disinfected C:\Documents and Settings\Melanie\Cookies\[email protected][1].txt 
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Melanie\Cookies\[email protected][2].txt 
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Melanie\Cookies\[email protected][2].txt 
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Melanie\Cookies\[email protected][2].txt  
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Melanie\Cookies\[email protected][1].txt 
Spyware:Cookie/SearchingBooth Not disinfected C:\Documents and Settings\Melanie\Cookies\[email protected][1].txt 
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Melanie\Cookies\[email protected][1].txt 
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Melanie\Cookies\[email protected][2].txt 
Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\Melanie\Cookies\[email protected][1].txt 
Spyware:Cookie/CaptNemo Not disinfected C:\Documents and Settings\Melanie\Cookies\[email protected][1].txt 
Spyware:Cookie/Cassava Not disinfected C:\Documents and Settings\Melanie\Cookies\[email protected][1].txt 
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Melanie\Cookies\[email protected][4].txt 
Spyware:Cookie/360i Not disinfected C:\Documents and Settings\Melanie\Cookies\[email protected][1].txt 
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\Melanie\Cookies\[email protected][1].txt 
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Melanie\Cookies\[email protected][1].txt  
Spyware:Cookie/DomainSponsor Not disinfected C:\Documents and Settings\Melanie\Cookies\[email protected][2].txt 
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Melanie\Cookies\[email protected][1].txt 
Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\Melanie\Cookies\[email protected][2].txt 
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Melanie\Cookies\[email protected][2].txt 
Spyware:Cookie/Humanclick Not disinfected C:\Documents and Settings\Melanie\Cookies\[email protected][2].txt 
Spyware:Cookie/Kount Not disinfected C:\Documents and Settings\Melanie\Cookies\[email protected][2].txt 
Spyware:Cookie/DomainSponsor Not disinfected C:\Documents and Settings\Melanie\Cookies\[email protected][1].txt 
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Melanie\Cookies\[email protected][1].txt 
Spyware:Cookie/OfferOptimizer Not disinfected C:\Documents and Settings\Melanie\Cookies\[email protected][1].txt 
Spyware:Cookie/AspinallsOnlineCasino Not disinfected C:\Documents and Settings\Melanie\Cookies\[email protected][2].txt 
Spyware:Cookie/Peel Not disinfected C:\Documents and Settings\Melanie\Cookies\[email protected][2].txt  
Spyware:Cookie/nCase Not disinfected C:\Documents and Settings\Melanie\Cookies\[email protected][1].txt 
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Melanie\Cookies\[email protected][2].txt 
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Melanie\Cookies\[email protected][2].txt 
Spyware:Cookie/Rightmedia Not disinfected C:\Documents and Settings\Melanie\Cookies\[email protected][1].txt 
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Melanie\Cookies\[email protected][1].txt 
Spyware:Cookie/Seeq Not disinfected C:\Documents and Settings\Melanie\Cookies\[email protected][2].txt 
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Melanie\Cookies\[email protected][2].txt 
Spyware:Cookie/WebPower Not disinfected C:\Documents and Settings\Melanie\Cookies\[email protected][2].txt 
Spyware:Cookie/Affiliate fuel Not disinfected C:\Documents and Settings\Melanie\Cookies\[email protected][1].txt 
Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\Melanie\Cookies\[email protected][1].txt 
Spyware:Cookie/FindtheWebsiteYouNeed Not disinfected C:\Documents and Settings\Melanie\Cookies\[email protected][1].txt  
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Melanie\Cookies\[email protected][2].txt

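The ActiveScan output above is a flattened three-column report (Incident, Status, Location) in which only a handful of the sixty-odd rows actually need hands-on cleanup: the "Disinfected" rows are already handled, the Cookie/ rows are tracking cookies, the "Windows Registry" rows need a registry tool rather than a file deletion, and what is left is the short list of files that the helper goes on to target. The parser below is an added example, not part of the thread or of Panda's tooling; it reads that line shape and performs the same triage. The sample report is a constructed subset of the rows posted above, and the two cookie filenames in it are placeholders (the thread's own cookie filenames were mangled by the page extraction).

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Row shape of the Panda ActiveScan report: "<Incident> <Status> <Location>".
# Incident and Location may both contain spaces ("Spyware:Cookie/Atlas DMT",
# "C:\Documents and Settings\..."), so the regex anchors on the two fixed
# Status phrases instead of splitting on whitespace.
_ROW = re.compile(
    r"^(?P<incident>.+?)\s+(?P<status>Not disinfected|Disinfected)\s+(?P<location>.+?)\s*$"
)


@dataclass(frozen=True)
class Incident:
    category: str   # text before the colon: Adware, Spyware, Virus
    family: str     # text after the colon: adware/wupd, Cookie/2o7, Exploit/ByteVerify
    status: str     # "Not disinfected" or "Disinfected"
    location: str   # file path, archive member, or the literal "Windows Registry"

    @property
    def is_cookie(self) -> bool:
        return self.family.lower().startswith("cookie/")

    @property
    def is_registry(self) -> bool:
        return self.location.strip().lower() == "windows registry"


def parse_report(text: str) -> List[Incident]:
    """Parse ActiveScan rows; the header line and blank lines are skipped."""
    incidents: List[Incident] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Incident"):
            continue
        m = _ROW.match(line)
        if not m:
            continue  # unrecognised row shape: ignore rather than guess
        category, _, family = m["incident"].partition(":")
        incidents.append(Incident(category, family, m["status"], m["location"]))
    return incidents


def triage(incidents: List[Incident]) -> Dict[str, object]:
    """Bucket the rows the way a helper would: files to remove by hand,
    registry entries that need a registry tool, cookies, and rows the
    scanner already cleaned."""
    pending = [i for i in incidents if i.status == "Not disinfected"]
    return {
        "files": [i.location for i in pending if not i.is_cookie and not i.is_registry],
        "registry": [i.family for i in pending if i.is_registry],
        "cookies": sum(1 for i in incidents if i.is_cookie),
        "already_disinfected": sum(1 for i in incidents if i.status == "Disinfected"),
        "by_category": dict(Counter(i.category for i in incidents)),
    }


# Constructed sample: a subset of the rows posted in the thread, plus two
# cookie rows with placeholder filenames (the real names were lost to extraction).
SAMPLE_REPORT = r"""
Incident Status Location

Adware:adware/wupd Not disinfected c:\windows\system32\ide21201.vxd
Adware:adware/comet Not disinfected c:\windows\inf\dm.inf
Adware:adware/dollarrevenue Not disinfected c:\windows\teller2.chk
Spyware:spyware/virtumonde Not disinfected Windows Registry
Adware:adware program Not disinfected Windows Registry
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Melanie\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-2fd7e25e-6c6dc5d0.zip[Dummy.class]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Melanie\Cookies\user@example-tracker[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Melanie\Cookies\user@example-ads[1].txt
"""


def triage_sample() -> Dict[str, object]:
    return triage(parse_report(SAMPLE_REPORT))


if __name__ == "__main__":
    result = triage_sample()
    print("Files needing manual removal:")
    for path in result["files"]:
        print("  ", path)
    print("Registry entries needing cleanup:", result["registry"])
    print("Tracking cookies:", result["cookies"],
          "| already disinfected:", result["already_disinfected"])
```

Run on the sample, the "files" bucket comes out as exactly the three paths the helper lists for Killbox in the next reply, while the Virtumonde and other registry-only hits land in a separate bucket, which is the distinction that decides which tool gets used next.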

----------



## incadudeF (Apr 10, 2006)

I'm sorry about taking so long to get you the active scan. Here it is, and thanks.


----------



## Cookiegal (Aug 27, 2003)

Boot to safe mode and run Killbox on these files:

*c:\windows\system32\ide21201.vxd*

*c:\windows\inf\dm.inf*

*c:\windows\teller2.chk*

How's everything running now?


----------

