Pop ups are driving me crazy


Unread postby Rilo_Kiley » April 4th, 2006, 8:41 pm

Here's the HJT log, let me know if you need any other info



Logfile of HijackThis v1.99.1
Scan saved at 5:38:14 PM, on 4/4/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\windows\mousepad8.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\zlmavrvA.exe
C:\WINDOWS\errorhandler.exe
C:\Program Files\EQArticle\EQArticle.exe
C:\Program Files\EQAdvice\EQAdvice.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\lwinqrag.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\comcast\security manager\app\CurtainsSysSvcNt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\Ron Wells\Desktop\Anti-malware\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\jpekm.exe
F2 - REG:system.ini: UserInit=userinit.exe,tklowin.exe
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Security Manager Popup Blocker - {D35D808B-16DD-4572-861B-44966B93247B} - C:\Program Files\Comcast\Security Manager\app\AuthBHO.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HtFG] C:\WINDOWS\sfmywm.exe
O4 - HKLM\..\Run: [SaferScan] C:\Program Files\SaferScan\saferscan.exe
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [keyboard] C:\windows\keyboard8.exe
O4 - HKLM\..\Run: [mousepad] C:\windows\mousepad8.exe
O4 - HKLM\..\Run: [newname] C:\windows\newname8.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [webHancer Survey Companion] C:\Program Files\webHancer\Programs\whsurvey.exe
O4 - HKLM\..\Run: [q8lg] "C:\WINDOWS\system32\slk8x2peu.exe"
O4 - HKLM\..\Run: [HPHUPD08] C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [w002ce33.dll] RUNDLL32.EXE w002ce33.dll,I2 00009f1a0002ce33
O4 - HKLM\..\Run: [zlmavrvA] C:\WINDOWS\zlmavrvA.exe
O4 - HKLM\..\Run: [errorhandler] C:\WINDOWS\errorhandler.exe
O4 - HKLM\..\Run: [w00164fe.dll] RUNDLL32.EXE w00164fe.dll,I2 00009f1a000164fe
O4 - HKLM\..\Run: [w0019e6d.dll] RUNDLL32.EXE w0019e6d.dll,I2 00009f1a00019e6d
O4 - HKLM\..\Run: [w002f61e.dll] RUNDLL32.EXE w002f61e.dll,I2 00009f1a0002f61e
O4 - HKLM\..\Run: [w001e54a.dll] RUNDLL32.EXE w001e54a.dll,I2 00009f1a0001e54a
O4 - HKLM\..\Run: [w0026690.dll] RUNDLL32.EXE w0026690.dll,I2 00009f1a00026690
O4 - HKLM\..\Run: [w0014178.dll] RUNDLL32.EXE w0014178.dll,I2 00009f1a00014178
O4 - HKLM\..\Run: [w0026bef.dll] RUNDLL32.EXE w0026bef.dll,I2 00009f1a00026bef
O4 - HKLM\..\Run: [w0012f39.dll] RUNDLL32.EXE w0012f39.dll,I2 00009f1a00012f39
O4 - HKLM\..\Run: [w006b8d3.dll] RUNDLL32.EXE w006b8d3.dll,I2 00009f1a0006b8d3
O4 - HKLM\..\Run: [w001a999.dll] RUNDLL32.EXE w001a999.dll,I2 00009f1a0001a999
O4 - HKLM\..\Run: [w001d26e.dll] RUNDLL32.EXE w001d26e.dll,I2 00009f1a0001d26e
O4 - HKLM\..\Run: [w0015ea5.dll] RUNDLL32.EXE w0015ea5.dll,I2 00009f1a00015ea5
O4 - HKLM\..\Run: [w0016184.dll] RUNDLL32.EXE w0016184.dll,I2 00009f1a00016184
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\lwinqrag.exe CORN001
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [EQArticle] "C:\Program Files\EQArticle\EQArticle.exe"
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
O4 - HKCU\..\Run: [EQAdvice] "C:\Program Files\EQAdvice\EQAdvice.exe"
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\lwinqrag.exe
O4 - Startup: Z_Start.lnk = C:\WINDOWS\system32\dwdsregt.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe
O9 - Extra button: Crazy Poker - {8A8A3162-B5FA-4c54-A862-4E62CBE8A255} - C:\Program Files\crazyvegasMPP\MPPoker.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet6_38.dll' missing
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by104fd.bay104.hotmail.msn.com/r ... nPUpld.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: text/html - {CEA53356-C414-4331-A35E-AA4CE9D8DFA2} - C:\WINDOWS\system32\w9seq.dll
O20 - AppInit_DLLs: dkmdbifa.dll,Runner.dll,Runner.dll,pceghlfh.dll,EQMini.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: RunOnce - C:\WINDOWS\system32\lv4809hue.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Curtains for Windows System Service (CurtainsSysSvc) - Authentium, Inc. - c:\program files\comcast\security manager\app\CurtainsSysSvcNt.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\zlmavrv.exe (file missing)
Rilo_Kiley
Active Member
 
Posts: 10
Joined: April 4th, 2006, 8:27 pm

Unread postby agrarianmonk » April 4th, 2006, 8:45 pm

Hi Rilo_Kiley

Welcome to the Malware Removal forums. I will be more than happy to help you work on your problems.
Please give me some time to review your log as this can be a lengthy process. As soon as a MR Staff Expert reviews my fix, I will post it for you.
In the meantime, if any problems occur, please let me know.
Please only use this topic to reply to. Do not start another thread.
The fixes we will use are specific to your problems and should only be used for this issue on this machine.
If you’re unsure of anything at all please stop and ask!
agrarianmonk
MRU Teacher Emeritus
 
Posts: 5439
Joined: December 24th, 2005, 3:11 am

Unread postby agrarianmonk » April 4th, 2006, 10:11 pm

Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.

********************************

In your next post, please include:
  • new HijackThis log
  • uninstall list
agrarianmonk
MRU Teacher Emeritus
 
Posts: 5439
Joined: December 24th, 2005, 3:11 am

Unread postby Rilo_Kiley » April 5th, 2006, 7:34 pm

StartupList report, 4/5/2006, 4:33:54 PM
StartupList version: 1.52.2
Started from : C:\Documents and Settings\Ron Wells\Desktop\Anti-malware\hijackthis\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\windows\mousepad8.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\zlmavrvA.exe
C:\WINDOWS\errorhandler.exe
C:\WINDOWS\system32\lwinqrag.exe
C:\Program Files\EQArticle\EQArticle.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Shareaza\Shareaza.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\SNDVOL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\SNDVOL32.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Documents and Settings\Ron Wells\Desktop\Anti-malware\hijackthis\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Ron Wells\Start Menu\Programs\Startup]
Zeno.lnk = C:\WINDOWS\system32\lwinqrag.exe
Z_Start.lnk = C:\WINDOWS\system32\dwdsregt.exe

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = userinit.exe,tklowin.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

avast! = C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
HtFG = C:\WINDOWS\sfmywm.exe
SaferScan = C:\Program Files\SaferScan\saferscan.exe
SsAAD.exe = C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
IST Service = C:\Program Files\ISTsvc\istsvc.exe
keyboard = C:\windows\keyboard8.exe
mousepad = C:\windows\mousepad8.exe
newname = C:\windows\newname8.exe
New.net Startup = rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s
webHancer Survey Companion = C:\Program Files\webHancer\Programs\whsurvey.exe
q8lg = "C:\WINDOWS\system32\slk8x2peu.exe"
HPHUPD08 = C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
HP Software Update = C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
ViewMgr = C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
w002ce33.dll = RUNDLL32.EXE w002ce33.dll,I2 00009f1a0002ce33
zlmavrvA = C:\WINDOWS\zlmavrvA.exe
errorhandler = C:\WINDOWS\errorhandler.exe
w00164fe.dll = RUNDLL32.EXE w00164fe.dll,I2 00009f1a000164fe
w0019e6d.dll = RUNDLL32.EXE w0019e6d.dll,I2 00009f1a00019e6d
w002f61e.dll = RUNDLL32.EXE w002f61e.dll,I2 00009f1a0002f61e
w001e54a.dll = RUNDLL32.EXE w001e54a.dll,I2 00009f1a0001e54a
w0026690.dll = RUNDLL32.EXE w0026690.dll,I2 00009f1a00026690
w0014178.dll = RUNDLL32.EXE w0014178.dll,I2 00009f1a00014178
w0026bef.dll = RUNDLL32.EXE w0026bef.dll,I2 00009f1a00026bef
w0012f39.dll = RUNDLL32.EXE w0012f39.dll,I2 00009f1a00012f39
w006b8d3.dll = RUNDLL32.EXE w006b8d3.dll,I2 00009f1a0006b8d3
w001a999.dll = RUNDLL32.EXE w001a999.dll,I2 00009f1a0001a999
w001d26e.dll = RUNDLL32.EXE w001d26e.dll,I2 00009f1a0001d26e
w0015ea5.dll = RUNDLL32.EXE w0015ea5.dll,I2 00009f1a00015ea5
w0016184.dll = RUNDLL32.EXE w0016184.dll,I2 00009f1a00016184
BrowserUpdateSched = C:\WINDOWS\system32\lwinqrag.exe CORN001
w00253f2.dll = RUNDLL32.EXE w00253f2.dll,I2 00009f1a000253f2
w001f42e.dll = RUNDLL32.EXE w001f42e.dll,I2 00009f1a0001f42e

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

MoneyAgent = "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
EQArticle = "C:\Program Files\EQArticle\EQArticle.exe"
CU1 = C:\Program Files\Common Files\VCClient\VCClient.exe
CU2 = C:\Program Files\Common Files\VCClient\VCMain.exe
EQAdvice = "C:\Program Files\EQAdvice\EQAdvice.exe"

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=dkmdbifa.dll,Runner.dll,Runner.dll,pceghlfh.dll,EQMini.dll

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe, C:\WINDOWS\system32\jpekm.exe
SCRNSAVE.EXE=C:\WINDOWS\system32\ssmypics.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Download Program Files:

[QuickTime Object]
InProcServer32 = C:\Program Files\QuickTime\QTPlugin.ocx
CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\system32\Macromed\Director\SwDir.dll
CODEBASE = http://active.macromedia.com/director/cabs/sw.cab

[YInstStarter Class]
InProcServer32 = C:\Program Files\Yahoo!\Common\yinsthelper.dll
CODEBASE = C:\Program Files\Yahoo!\Common\yinsthelper.dll

[MSN Photo Upload Tool]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\MsnPUpld.dll
CODEBASE = http://by104fd.bay104.hotmail.msn.com/r ... nPUpld.cab

[{9F1C11AA-197B-4942-BA54-47A8489BB47F}]
CODEBASE = http://v4.windowsupdate.microsoft.com/C ... 9264351852

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\macromed\flash\Flash.ocx
CODEBASE = http://fpdownload.macromedia.com/get/sh ... wflash.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #4: C:\Program Files\NewDotNet\newdotnet6_38.dll (file MISSING)

--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: C:\WINDOWS\system32\wyd_ci.dll


--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

dfrhtm = C:\WINDOWS\system32\dfrhtm.exe
aaai2d = C:\WINDOWS\system32\aaai2d.exe

--------------------------------------------------

End of report, 9,839 bytes
Report generated in 0.047 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
Rilo_Kiley
Active Member
 
Posts: 10
Joined: April 4th, 2006, 8:27 pm

Unread postby agrarianmonk » April 5th, 2006, 7:40 pm

Hi Rilo_Kiley,

I actually need an uninstall list, not a startup log.


Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.

********************************

In your next post, please include:
  • new HijackThis log
  • uninstall list
agrarianmonk
MRU Teacher Emeritus
 
Posts: 5439
Joined: December 24th, 2005, 3:11 am

Unread postby Rilo_Kiley » April 6th, 2006, 5:01 pm

Sorry :oops:


here is the uninstall list

1 Form Proposal Invoice 1.4
ABBYY FineReader 5.0 Sprint
Ad-Aware SE Personal
Adobe Download Manager 1.2 (Remove Only)
Adobe Reader 6.0.1
AOL Instant Messenger
ATI Display Driver
avast! Antivirus
BCM V.92 56K Modem
Before You Know It 3.5 Lite
Crazy Poker
Dell AIO Printer A920
Dell ResourceCD
EmpirePoker
Enhanced Ads by Zeno removal
ewido anti-malware
FaxTools
HijackThis 1.99.1
HP Extended Capabilities 5.3
HP Image Zone Express
HP Imaging Device Functions 5.3
HP Photosmart 330,380,420,470,7800,8000,8200 Series
HP Software Update
HP Solution Center & Imaging Support Tools 5.3
Intel(R) Extreme Graphics 2 Driver
Intel(R) PRO Network Adapters and Drivers
Jasc Paint Shop Photo Album
Macromedia Shockwave Player
Magic Online
Medal of Honor Allied Assault
Microsoft ActiveX Control Pad
Microsoft Data Access Components KB870669
Microsoft Money 2004 System Pack
Microsoft Office 2000 Premium
Mozilla Firefox (1.5.0.1)
MSN Messenger 7.5
MSXML 4.0 SP2 Parser and SDK
New.net Domains 6.38
Norton AntiVirus 2003
Norton WMI Update
OpenMG Limited Patch 4.1-05-13-31-01
OpenMG Secure Module 4.1.00
PartyPoker
Polaroid iZone PhotoBase
PShow
PSP Max Media Manager
Quicklinks
Quicklinks
QuickTime
RASmon
RealPlayer
SaferScan
Security Manager
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Shareaza version 2.2.1.0
Shockwave
Sonic DLA
Sonic RecordNow!
SonicStage 3.0
SoundMAX
Spybot - Search & Destroy 1.3
SpywareBlaster v3.4
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB910437)
Viewpoint Manager (Remove Only)
Viewpoint Media Player
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows Overlay Components
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WordPerfect Office 11
X Access
Yazzle Sudoku by OIN
Zeno Search Assistant removal

Thank you for your patience
Rilo_Kiley
Active Member
 
Posts: 10
Joined: April 4th, 2006, 8:27 pm

Unread postby agrarianmonk » April 6th, 2006, 7:38 pm

First, Download LSPFix.exe to a convenient location. Do NOT run this program. This is only to be used if you lose Internet Access after removing NewDotNet.

Please remove these entries from Add/Remove Programs in the Control Panel (if present):

QuickLinks
Enhanced Ads by Zeno removal
Yazzle Sudoku by OIN
Zeno Search Assistant removal
SaferScan
Viewpoint Manager (Remove Only)
Viewpoint Media Player
New.net Domains 6.38


*In the event that you lose Internet access after removing New.Net, please double-click LSPFix.exe that you downloaded earlier. Check the "I know what I'm doing" button. You will see 2 panels. If there is any file listed in the "Remove" panel on the right-side, leave it as is and just click "Finish>>" then reboot your computer and you should now have access to the Internet. If nothing is listed under the "Remove Panel", do NOT do anything - just close the program. You will need to use another computer to come back here for further instructions on what to do.

Shareaza version 2.2.1.0
*This removal is optional. However, anytime you are running any type of P2P application, you are much more prone to infection by malware.

The following three programs I couldn't find very much information on. If you or someone else did not intentionally install these programs, I would recommend removing them:

RASmon
X Access
PShow


*****************************

You have the latest version of VX2. Download L2mfix from one of these two locations:

http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

If you receive, while running option #1, an error similar to:
''C:\windows\system32\cmd.exe
C:\windows\system32\autoexec.nt
the system file is not suitable for running ms-dos and microsoft windows applications. choose close to terminate the application.."
...then please use option 5 or the web page link in the l2mfix folder to solve this error condition.
Then rerun option 1 to be sure it will run without errors.

IMPORTANT: Do NOT run option #2 OR any other options in the l2mfix folder until you are asked to do so!

********************************

In your next post, please include:
  • l2mfix log
  • new HijackThis log
agrarianmonk
MRU Teacher Emeritus
 
Posts: 5439
Joined: December 24th, 2005, 3:11 am
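The entries a log reader weighs before reaching a call like the VX2 diagnosis above are visible in the first HijackThis log: executables chained onto Shell= and UserInit=, the run of w00xxxxx.dll rundll32 entries, the AppInit_DLLs list, a Winlogon Notify DLL with a random name, and a service whose binary is gone. The following is an added example, not from the thread and not HijackThis code, that parses HJT v1.99.1 finding lines and flags those patterns; the stock Winlogon Notify DLL set is assumed from the L2MFix registry export in the thread, and the sample log is constructed from lines in the thread plus two benign lines for contrast.

```python
"""Flag the autostart patterns that stand out in a HijackThis v1.99.1 log.

Added example; the checks encode what a reader looks at in such a log, they
are not HijackThis logic and the notify-DLL allowlist is an assumption.
"""
import re

# Stock Winlogon Notify DLLs, assumed from the L2MFix registry export in the
# thread (the ATI and Intel video driver notifiers included).
KNOWN_NOTIFY_DLLS = {
    "crypt32.dll", "cryptnet.dll", "cscdll.dll", "wlnotify.dll",
    "sclgntfy.dll", "igfxsrvc.dll", "ati2evxx.dll",
}

# Throwaway DLL names seen in the log: "w0", six hex digits, ".dll".
W00_DLL = re.compile(r"\bw0[0-9a-f]{6}\.dll\b", re.IGNORECASE)
# Every HJT finding line is "<section> - <body>"; headers and process paths are not.
HJT_LINE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.+)$")

# Constructed sample: a subset of the log posted in the thread plus two benign lines.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\jpekm.exe
F2 - REG:system.ini: UserInit=userinit.exe,tklowin.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [w002ce33.dll] RUNDLL32.EXE w002ce33.dll,I2 00009f1a0002ce33
O4 - HKLM\..\Run: [w00164fe.dll] RUNDLL32.EXE w00164fe.dll,I2 00009f1a000164fe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s
O20 - AppInit_DLLs: dkmdbifa.dll,Runner.dll,Runner.dll,pceghlfh.dll,EQMini.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: RunOnce - C:\WINDOWS\system32\lv4809hue.dll
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\zlmavrv.exe (file missing)
"""


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path, surrounding quotes stripped."""
    return path.strip().strip('"').rsplit("\\", 1)[-1].lower()


def _extra_after(body: str, key: str, expected: str) -> list:
    """Comma-separated executables after key=, minus the one Windows sets by default."""
    parts = [p.strip() for p in body.split(key, 1)[1].split(",") if p.strip()]
    return [p for p in parts if _basename(p) != expected]


def analyse(log_text: str) -> list:
    """One finding dict {section, reason, line} per line that deserves a second look."""
    findings = []
    for raw in log_text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        reason = None

        if sec == "F2" and "Shell=" in body:
            extra = _extra_after(body, "Shell=", "explorer.exe")
            if extra:
                reason = "extra shell executable(s): " + ", ".join(extra)
        elif sec == "F2" and "UserInit=" in body:
            extra = _extra_after(body, "UserInit=", "userinit.exe")
            if extra:
                reason = "extra UserInit executable(s): " + ", ".join(extra)
        elif sec == "O4" and "rundll32" in body.lower():
            hit = W00_DLL.search(body)
            if hit:
                reason = "rundll32 loads throwaway DLL " + hit.group(0)
        elif sec == "O20" and body.startswith("AppInit_DLLs:"):
            # AppInit_DLLs are loaded into every process that maps user32.dll.
            dlls = sorted({d.strip() for d in body.split(":", 1)[1].split(",") if d.strip()})
            if dlls:
                reason = "AppInit_DLLs injection list: " + ", ".join(dlls)
        elif sec == "O20" and body.startswith("Winlogon Notify:"):
            dll = _basename(body.rsplit(" - ", 1)[-1])
            if dll not in KNOWN_NOTIFY_DLLS:
                reason = "Winlogon Notify DLL outside stock set: " + dll
        elif sec == "O23" and body.endswith("(file missing)"):
            # HJT 1.99.1 also prints this for quoted ImagePaths carrying arguments
            # (the avast! lines in the log), so this is a prompt to verify, not a verdict.
            reason = "service binary reported missing"

        if reason:
            findings.append({"section": sec, "reason": reason, "line": raw.strip()})
    return findings


def count_w00_entries(log_text: str) -> int:
    """Run entries loading a w00xxxxx.dll; a whole run of them is the pattern to watch."""
    return sum(1 for f in analyse(log_text) if "throwaway DLL" in f["reason"])


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"{f['section']:4} {f['reason']}")
```

On the sample it reports seven lines; the avast! and New.net Run entries and the igfxcui notify entry pass, which is the point of checking the pattern rather than the section letter.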

Unread postby Rilo_Kiley » April 6th, 2006, 11:11 pm

L2MFIX find log 032106
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Explorer]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\lv4809hue.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{63D3A73E-50A4-F923-5D10-13450D8A1C5C}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{DEE12703-6333-4D4E-8F34-738C4DCC2E04}"="RecordNow! SendToExt"
"{5CA3D70E-1895-11CF-8E15-001234567890}"="DriveLetterAccess"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{5464D816-CF16-4784-B9F3-75C0DB52B499}"="Yahoo! Mail"
"{472083B0-C522-11CF-8763-00608CC02F24}"="avast"
"{312B8D50-B707-4AB2-BFC6-F4163AB9D66E}"=""
"{21569614-B795-46b1-85F4-E737A8DC09AD}"="Shell Search Band"
"{BC7CFEFF-DF17-4EE9-A283-1714AA37575F}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{312B8D50-B707-4AB2-BFC6-F4163AB9D66E}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{312B8D50-B707-4AB2-BFC6-F4163AB9D66E}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{312B8D50-B707-4AB2-BFC6-F4163AB9D66E}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{312B8D50-B707-4AB2-BFC6-F4163AB9D66E}\InprocServer32]
@="C:\\WINDOWS\\system32\\dzvvox.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{BC7CFEFF-DF17-4EE9-A283-1714AA37575F}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{BC7CFEFF-DF17-4EE9-A283-1714AA37575F}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{BC7CFEFF-DF17-4EE9-A283-1714AA37575F}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{BC7CFEFF-DF17-4EE9-A283-1714AA37575F}\InprocServer32]
@="C:\\WINDOWS\\system32\\wanetmgr.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
dn6o01~1.dll Wed Apr 5 2006 4:28:10p ..S.R 237,139 231.58 K
e020la~1.dll Tue Apr 4 2006 5:02:08p ..S.R 233,758 228.28 K
eqmini.dll Fri Mar 17 2006 3:49:46p A.... 188,416 184.00 K
fpdrnznx.dll Mon Mar 6 2006 1:29:42p A.... 192,512 188.00 K
fpjo03~1.dll Thu Apr 6 2006 8:59:02a ..S.R 233,404 227.93 K
g2220c~1.dll Tue Apr 4 2006 5:07:10p ..S.R 237,139 231.58 K
hrls05~1.dll Thu Apr 6 2006 12:47:54p ..S.R 233,615 228.14 K
k2pm0c~1.dll Thu Apr 6 2006 2:45:46p ..S.R 237,139 231.58 K
lv0u09~1.dll Wed Apr 5 2006 11:55:30a ..S.R 237,139 231.58 K
lv4809~1.dll Tue Apr 4 2006 4:08:26p ..S.R 237,139 231.58 K
mvrsl9~1.dll Thu Apr 6 2006 7:48:38p ..S.R 234,147 228.66 K
n8n60i~1.dll Thu Apr 6 2006 1:00:44p ..S.R 233,577 228.10 K
px.dll Sun Jan 29 2006 7:54:20p ..... 360,448 352.00 K
pxdrv.dll Sun Jan 29 2006 7:54:20p ..... 397,312 388.00 K
pxmas.dll Sun Jan 29 2006 7:54:20p ..... 155,648 152.00 K
pxwave.dll Sun Jan 29 2006 7:54:20p ..... 339,968 332.00 K
runner.dll Wed Feb 15 2006 11:07:42a A.... 61,440 60.00 K
sporder.dll Tue Mar 14 2006 4:51:10p A.... 8,464 8.27 K
vxblock.dll Sun Jan 29 2006 7:54:20p ..... 28,672 28.00 K
w0012f39.dll Mon Apr 3 2006 12:45:16p A.... 51,712 50.50 K
w0014178.dll Sat Apr 1 2006 3:21:08p A.... 51,712 50.50 K
w0015ea5.dll Tue Apr 4 2006 4:03:38p A.... 51,712 50.50 K
w0016184.dll Tue Apr 4 2006 5:03:20p A.... 51,712 50.50 K
w00164fe.dll Sat Apr 1 2006 9:39:52a A.... 51,712 50.50 K
w001651d.dll Thu Apr 6 2006 2:54:12p A.... 51,712 50.50 K
w0018c9b.dll Thu Apr 6 2006 1:02:02p A.... 51,712 50.50 K
w00190d1.dll Thu Apr 6 2006 7:49:56p A.... 51,712 50.50 K
w0019e6d.dll Sat Apr 1 2006 9:49:00a A.... 51,712 50.50 K
w001a999.dll Mon Apr 3 2006 7:22:36p A.... 51,712 50.50 K
w001d26e.dll Tue Apr 4 2006 10:36:28a A.... 51,712 50.50 K
w001dd6a.dll Thu Apr 6 2006 12:49:30p A.... 51,712 50.50 K
w001e54a.dll Sat Apr 1 2006 12:09:44p A.... 51,712 50.50 K
w001ee72.dll Thu Apr 6 2006 9:00:42a A.... 51,712 50.50 K
w001f42e.dll Wed Apr 5 2006 4:27:54p A.... 51,712 50.50 K
w00253f2.dll Wed Apr 5 2006 11:53:36a A.... 51,712 50.50 K
w0026690.dll Sat Apr 1 2006 3:09:00p A.... 51,712 50.50 K
w0026bef.dll Sat Apr 1 2006 8:53:44p A.... 51,712 50.50 K
w002ce33.dll Thu Mar 30 2006 5:20:56p A.... 51,712 50.50 K
w002f61e.dll Sat Apr 1 2006 10:32:22a A.... 51,712 50.50 K
w0032dc8.dll Thu Apr 6 2006 1:08:04a A.... 51,712 50.50 K
w006b8d3.dll Mon Apr 3 2006 4:08:28p A.... 51,712 50.50 K
w9seq.dll Wed Apr 5 2006 11:53:24a A.... 208,896 204.00 K
wanetmgr.dll Thu Apr 6 2006 7:48:38p ..S.R 237,139 231.58 K
ynngely.dll Tue Apr 4 2006 5:02:14p A.... 51,712 50.50 K

44 items found: 44 files (11 H/S), 0 directories.
Total of file sizes: 5,722,487 bytes 5.46 M
Locate .tmp files:

No matches found.
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is CCB3-C55B

Directory of C:\WINDOWS\System32

04/06/2006 07:48 PM 237,139 wanetmgr.dll
04/06/2006 07:48 PM 234,147 mvrsl9971.dll
04/06/2006 02:45 PM 237,139 k2pm0c71ef.dll
04/06/2006 01:00 PM 233,577 n8n60i5se8.dll
04/06/2006 12:47 PM 233,615 hrls0537e.dll
04/06/2006 08:59 AM 233,404 fpjo0313e.dll
04/05/2006 04:28 PM 237,139 dn6o01j3e.dll
04/05/2006 11:55 AM 237,139 lv0u09d9e.dll
04/04/2006 05:07 PM 237,139 g2220cfoef2c0.dll
04/04/2006 05:02 PM 233,758 e020lafm1d2a.dll
04/04/2006 04:08 PM 237,139 lv4809hue.dll
03/28/2006 04:47 AM <DIR> dllcache
12/22/2005 06:14 PM 482,408 pqtwa.ini2
12/22/2005 06:07 PM 403,271 pqtwa.bak2
12/16/2005 10:47 AM 846 Kqh77.gfa
12/16/2005 09:31 AM 512 Rwo0Z5.42o
12/11/2005 05:06 AM 449,923 pqtwa.bak1
11/14/2005 10:15 PM 466,725 pqtwa.tmp
11/13/2005 10:42 PM 482,762 pqtwa.ini
07/01/2004 09:58 PM <DIR> Microsoft
07/16/2003 11:04 PM 846 IpuFld.016
12/03/2002 10:52 PM 512 FmsCj.b90
20 File(s) 4,879,140 bytes
2 Dir(s) 16,981,061,632 bytes free

Logfile of HijackThis v1.99.1
Scan saved at 8:10:47 PM, on 4/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\windows\mousepad9.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\zlmavrvA.exe
C:\WINDOWS\errorhandler.exe
C:\Program Files\EQBranch\EQBranch.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Mozilla Firefox\firefox.exe
c:\program files\comcast\security manager\app\CurtainsSysSvcNt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\Ron Wells\Desktop\Anti-malware\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\jpekm.exe
F2 - REG:system.ini: UserInit=userinit.exe,tklowin.exe
O3 - Toolbar: Security Manager Popup Blocker - {D35D808B-16DD-4572-861B-44966B93247B} - C:\Program Files\Comcast\Security Manager\app\AuthBHO.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HtFG] C:\WINDOWS\sfmywm.exe
O4 - HKLM\..\Run: [SaferScan] C:\Program Files\SaferScan\saferscan.exe
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [keyboard] C:\windows\keyboard9.exe
O4 - HKLM\..\Run: [mousepad] C:\windows\mousepad9.exe
O4 - HKLM\..\Run: [newname] C:\windows\newname9.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [webHancer Survey Companion] C:\Program Files\webHancer\Programs\whsurvey.exe
O4 - HKLM\..\Run: [HPHUPD08] C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [w002ce33.dll] RUNDLL32.EXE w002ce33.dll,I2 00009f1a0002ce33
O4 - HKLM\..\Run: [zlmavrvA] C:\WINDOWS\zlmavrvA.exe
O4 - HKLM\..\Run: [errorhandler] C:\WINDOWS\errorhandler.exe
O4 - HKLM\..\Run: [w00164fe.dll] RUNDLL32.EXE w00164fe.dll,I2 00009f1a000164fe
O4 - HKLM\..\Run: [w0019e6d.dll] RUNDLL32.EXE w0019e6d.dll,I2 00009f1a00019e6d
O4 - HKLM\..\Run: [w002f61e.dll] RUNDLL32.EXE w002f61e.dll,I2 00009f1a0002f61e
O4 - HKLM\..\Run: [w001e54a.dll] RUNDLL32.EXE w001e54a.dll,I2 00009f1a0001e54a
O4 - HKLM\..\Run: [w0026690.dll] RUNDLL32.EXE w0026690.dll,I2 00009f1a00026690
O4 - HKLM\..\Run: [w0014178.dll] RUNDLL32.EXE w0014178.dll,I2 00009f1a00014178
O4 - HKLM\..\Run: [w0026bef.dll] RUNDLL32.EXE w0026bef.dll,I2 00009f1a00026bef
O4 - HKLM\..\Run: [w0012f39.dll] RUNDLL32.EXE w0012f39.dll,I2 00009f1a00012f39
O4 - HKLM\..\Run: [w006b8d3.dll] RUNDLL32.EXE w006b8d3.dll,I2 00009f1a0006b8d3
O4 - HKLM\..\Run: [w001a999.dll] RUNDLL32.EXE w001a999.dll,I2 00009f1a0001a999
O4 - HKLM\..\Run: [w001d26e.dll] RUNDLL32.EXE w001d26e.dll,I2 00009f1a0001d26e
O4 - HKLM\..\Run: [w0015ea5.dll] RUNDLL32.EXE w0015ea5.dll,I2 00009f1a00015ea5
O4 - HKLM\..\Run: [w0016184.dll] RUNDLL32.EXE w0016184.dll,I2 00009f1a00016184
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\lwinqrag.exe CORN001
O4 - HKLM\..\Run: [w00253f2.dll] RUNDLL32.EXE w00253f2.dll,I2 00009f1a000253f2
O4 - HKLM\..\Run: [w001f42e.dll] RUNDLL32.EXE w001f42e.dll,I2 00009f1a0001f42e
O4 - HKLM\..\Run: [w0032dc8.dll] RUNDLL32.EXE w0032dc8.dll,I2 00009f1a00032dc8
O4 - HKLM\..\Run: [w001ee72.dll] RUNDLL32.EXE w001ee72.dll,I2 00009f1a0001ee72
O4 - HKLM\..\Run: [w001dd6a.dll] RUNDLL32.EXE w001dd6a.dll,I2 00009f1a0001dd6a
O4 - HKLM\..\Run: [w0018c9b.dll] RUNDLL32.EXE w0018c9b.dll,I2 00009f1a00018c9b
O4 - HKLM\..\Run: [w001651d.dll] RUNDLL32.EXE w001651d.dll,I2 00009f1a0001651d
O4 - HKLM\..\Run: [w00190d1.dll] RUNDLL32.EXE w00190d1.dll,I2 00009f1a000190d1
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
O4 - HKCU\..\Run: [EQBranch] "C:\Program Files\EQBranch\EQBranch.exe"
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\lwinqrag.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet6_38.dll' missing
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by104fd.bay104.hotmail.msn.com/r ... nPUpld.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: text/html - {CEA53356-C414-4331-A35E-AA4CE9D8DFA2} - C:\WINDOWS\system32\w9seq.dll
O20 - AppInit_DLLs: dkmdbifa.dll,Runner.dll,Runner.dll,pceghlfh.dll,EQMini.dll
O20 - Winlogon Notify: Explorer - C:\WINDOWS\system32\lv4809hue.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Curtains for Windows System Service (CurtainsSysSvc) - Authentium, Inc. - c:\program files\comcast\security manager\app\CurtainsSysSvcNt.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\zlmavrv.exe (file missing)
Rilo_Kiley
Active Member
 
Posts: 10
Joined: April 4th, 2006, 8:27 pm
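The second HijackThis log above can be triaged mechanically rather than read line by line. The Python below is an added example for this thread, not HijackThis code and not part of the original post: it parses pasted HJT 1.99 lines and flags the persistence patterns that this log actually contains: the extra executables appended to the Winlogon Shell and UserInit values (F2), Run entries that hand rundll32 a DLL by bare name in the Look2Me "w" plus seven hex digits pattern (O4), the broken LSP chain (O10), the text/html MIME filter (O18), AppInit_DLLs (O20), Winlogon Notify packages whose DLL is not in an assumed stock XP SP2 allowlist (O20; the registry export at the top of this post shows that same lv4809hue.dll sitting beside the stock wlnotify.dll entries), and services reported with a missing binary (O23). KNOWN_NOTIFY_DLLS is an assumed allowlist and the rule names are the example's own; the sample input is a subset of lines copied from the log above.

```python
"""Triage a pasted HijackThis 1.99 log for the persistence patterns in this thread.
Added example for the forum post above; not HijackThis code."""
import re

# Assumed allowlist of stock Windows XP SP2 Winlogon Notify DLLs; extend it for your build.
KNOWN_NOTIFY_DLLS = {
    "ati2evxx.dll", "crypt32.dll", "cryptnet.dll", "cscdll.dll", "igfxsrvc.dll",
    "sclgntfy.dll", "wlnotify.dll", "wgalogon.dll",
}
# Look2Me-style names seen in the log: 'w' followed by seven hex digits.
LOOK2ME_NAME = re.compile(r"^w[0-9a-f]{7}\.dll$", re.I)
HJT_LINE = re.compile(r"^([FOR]\d+) - (.*)$")
RUN_ENTRY = re.compile(r"^HK\w+\\\.\.\\Run: \[[^\]]*\] (.*)$")
EXPECTED_WINLOGON = {"Shell": "explorer.exe", "UserInit": "userinit.exe"}


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip('"').lower()


def triage(log_text):
    """Return (rule, detail) findings, in log order, for one HijackThis log."""
    findings = []
    for raw in log_text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if not m:
            continue
        kind, body = m.groups()

        if kind == "F2" and body.startswith("REG:system.ini: "):
            # Winlogon Shell/UserInit: anything beyond the single stock binary is a launcher.
            key, _, value = body[len("REG:system.ini: "):].partition("=")
            parts = [p.strip() for p in value.split(",") if p.strip()]
            expected = EXPECTED_WINLOGON.get(key)
            if expected and (not parts or basename(parts[0]) != expected or len(parts) > 1):
                findings.append(("winlogon-" + key.lower(), value))

        elif kind == "O4":
            run = RUN_ENTRY.match(body)
            if run:
                tokens = run.group(1).split()
                if tokens and basename(tokens[0]) in ("rundll32.exe", "rundll32"):
                    # rundll32 given a bare DLL name resolves it through the search path.
                    dll = tokens[1].split(",", 1)[0] if len(tokens) > 1 else ""
                    if "\\" not in dll:
                        findings.append(("rundll32-bare-dll", dll))
                    if LOOK2ME_NAME.match(basename(dll)):
                        findings.append(("look2me-name", dll))

        elif kind == "O10":
            findings.append(("lsp-broken", body))

        elif kind == "O18" and body.startswith("Filter: text/html"):
            # A MIME filter on text/html sees, and can rewrite, every page IE renders.
            findings.append(("mime-filter", body.rsplit(" - ", 1)[-1]))

        elif kind == "O20":
            if body.startswith("AppInit_DLLs: "):
                dlls = [d.strip() for d in body[len("AppInit_DLLs: "):].split(",")]
                for dll in dict.fromkeys(d for d in dlls if d):   # dedupe, keep order
                    findings.append(("appinit-dll", dll))
            elif body.startswith("Winlogon Notify: "):
                dll = body.rsplit(" - ", 1)[-1]
                if basename(dll) not in KNOWN_NOTIFY_DLLS:
                    findings.append(("notify-dll", dll))

        elif kind == "O23" and body.endswith("(file missing)"):
            # HJT 1.99.1 mis-parses a quoted ImagePath followed by ' /service' and reports
            # the avast! scanners as missing; keep those apart from genuinely missing binaries.
            rule = "service-quote-artifact" if '" /service' in body else "service-missing"
            findings.append((rule, body))
    return findings


# Sample input: a subset of lines copied from the second HijackThis log above.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\jpekm.exe
F2 - REG:system.ini: UserInit=userinit.exe,tklowin.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [w002ce33.dll] RUNDLL32.EXE w002ce33.dll,I2 00009f1a0002ce33
O4 - HKLM\..\Run: [w00164fe.dll] RUNDLL32.EXE w00164fe.dll,I2 00009f1a000164fe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\lwinqrag.exe
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet6_38.dll' missing
O18 - Filter: text/html - {CEA53356-C414-4331-A35E-AA4CE9D8DFA2} - C:\WINDOWS\system32\w9seq.dll
O20 - AppInit_DLLs: dkmdbifa.dll,Runner.dll,Runner.dll,pceghlfh.dll,EQMini.dll
O20 - Winlogon Notify: Explorer - C:\WINDOWS\system32\lv4809hue.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\zlmavrv.exe (file missing)
"""

if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_LOG):
        print("%-24s %s" % (rule, detail))
```

Two things the rules encode are worth keeping in mind when reading the raw log. First, the O23 "(file missing)" on the avast! Mail and Web Scanner lines is a HijackThis 1.99.1 quirk with quoted ImagePath values, not a missing file, so the script reports it under a separate rule instead of lumping it with zlmavrv.exe. Second, the Winlogon Notify DLL runs inside winlogon.exe, where user-mode cleaners cannot unload it, which is why the L2MFix log later in this thread grants itself SeDebugPrivilege and kills winlogon.exe, explorer.exe and the rundll32.exe instances before it deletes the DLLs.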

Unread postby agrarianmonk » April 7th, 2006, 12:49 am

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder until you are asked to do so!

Note: Once the PC has restarted, if a log does not appear or the icons didn't disappear, run the "second.bat" located inside the L2mfix folder.

********************************

You have a NewDotNet infection.

First, Download LSPFix.exe to a convenient location. Do NOT run this program. This is only to be used if you lose Internet Access after removing NewDotNet.

To Get rid of NewDotNet, go to:

Start > Control Panel > Add or Remove Programs and remove the following:

New.Net Applications or New.Net Domains (anything that says New.Net)

If it is not there, go here and follow Procedure 4: NewDotNet Removal Procedure 4.

In the event that you lose Internet access after removing New.Net, please double-click LSPFix.exe that you downloaded earlier. Check the "I know what I'm doing" button. You will see 2 panels. If there is any file listed in the "Remove" panel on the right-side, leave it as is and just click "Finish>>" then reboot your computer and you should now have access to the Internet. If nothing is listed under the "Remove Panel", do NOT do anything - just close the program. You will need to use another computer to come back here for further instructions on what to do.

*******************************

In your next post, please include:
  • l2mfix log
  • new HijackThis log
agrarianmonk
MRU Teacher Emeritus
 
Posts: 5439
Joined: December 24th, 2005, 3:11 am
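The LSPFix step in the post above works on the Winsock2 provider catalog under HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9. The Python below is an added offline model of that check, not LSPFix's code and not part of the original post. It assumes the layout of each Catalog_Entries\NNNNNNNNNNNN\PackedCatalogItem value: the provider path as a NUL-terminated ANSI string in the first 260 bytes, followed by a WSAPROTOCOL_INFOW structure with dwCatalogEntryId at structure offset 36, ProtocolChain.ChainLen at 40 and ChainEntries at 44. It finds entries whose DLL is gone, drops every chain entry that still references them, and renumbers the survivors so the key names and Num_Catalog_Entries are contiguous again. The sample catalog, the sample_exists() stand-in for os.path.exists and the %SystemRoot% expansion are constructed for the example and modelled on the O10 line in the log above.

```python
"""Offline model of the Winsock2 catalog repair that LSPFix performs.
Added example for the thread above; not LSPFix code. Byte offsets are the
assumed PackedCatalogItem layout described in the lead-in."""
import struct

MAX_PATH = 260                    # ANSI provider path fills the first 260 bytes (assumed)
INFO_OFFSET = MAX_PATH            # WSAPROTOCOL_INFOW follows immediately (assumed)
ID_OFFSET = INFO_OFFSET + 36      # dwCatalogEntryId
CHAIN_OFFSET = INFO_OFFSET + 44   # ProtocolChain.ChainEntries; ChainLen is the DWORD before it
INFO_SIZE = 628                   # sizeof(WSAPROTOCOL_INFOW)


def pack_item(path, catalog_id, chain):
    """Build a PackedCatalogItem blob; used here only to construct sample data."""
    info = bytearray(INFO_SIZE)
    struct.pack_into("<II", info, 36, catalog_id, len(chain))
    for i, cid in enumerate(chain):
        struct.pack_into("<I", info, 44 + 4 * i, cid)
    return path.encode("latin-1").ljust(MAX_PATH, b"\0") + bytes(info)


def unpack_item(blob):
    """Return (provider_path, catalog_id, chain_ids) from a PackedCatalogItem blob."""
    path = blob[:MAX_PATH].split(b"\0", 1)[0].decode("latin-1")
    catalog_id, chain_len = struct.unpack_from("<II", blob, ID_OFFSET)
    chain = list(struct.unpack_from("<%dI" % chain_len, blob, CHAIN_OFFSET)) if chain_len else []
    return path, catalog_id, chain


def expand(path):
    # Catalog paths may be %SystemRoot%-relative; the system root is assumed for the sample.
    return path.replace("%SystemRoot%", r"C:\WINDOWS")


def broken_entry_ids(catalog, exists):
    """Catalog ids to drop: providers whose DLL is missing, plus every chain that
    references a dropped id (iterated to a fixed point so nested chains die too)."""
    parsed = [unpack_item(blob) for blob in catalog.values()]
    dropped = {cid for path, cid, _ in parsed if not exists(expand(path))}
    changed = True
    while changed:
        changed = False
        for _, cid, chain in parsed:
            if cid not in dropped and any(c in dropped for c in chain):
                dropped.add(cid)
                changed = True
    return dropped


def repaired_catalog(catalog, exists):
    """The catalog LSPFix would write back: surviving blobs under contiguous key
    names 000000000001.. and a matching Num_Catalog_Entries. dwCatalogEntryId
    values inside the blobs are left alone; only the key numbering is contiguous."""
    dropped = broken_entry_ids(catalog, exists)
    kept = [blob for key, blob in sorted(catalog.items())
            if unpack_item(blob)[1] not in dropped]
    return {"Num_Catalog_Entries": len(kept),
            "Catalog_Entries": {"%012d" % (i + 1): blob for i, blob in enumerate(kept)}}


# Constructed sample: a base TCP/IP provider, NewDotNet's layered provider (ChainLen 0),
# the chain that layers NewDotNet over TCP/IP, and an untouched base provider.
SAMPLE_CATALOG = {
    "000000000001": pack_item(r"%SystemRoot%\system32\mswsock.dll", 1001, [1001]),
    "000000000002": pack_item(r"c:\program files\newdotnet\newdotnet6_38.dll", 1002, []),
    "000000000003": pack_item(r"c:\program files\newdotnet\newdotnet6_38.dll", 1003, [1002, 1001]),
    "000000000004": pack_item(r"%SystemRoot%\system32\mswsock.dll", 1004, [1004]),
}


def sample_exists(path):
    """Stand-in for os.path.exists after the New.Net uninstaller removed its DLL (constructed)."""
    return "newdotnet" not in path.lower()


if __name__ == "__main__":
    fixed = repaired_catalog(SAMPLE_CATALOG, sample_exists)
    print("Num_Catalog_Entries =", fixed["Num_Catalog_Entries"])
    for key, blob in fixed["Catalog_Entries"].items():
        print(key, unpack_item(blob))
```

On a real machine the blobs come from winreg and exists is os.path.exists; everything else is the same. The fixed-point loop is the point of the example: uninstalling New.Net removes newdotnet6_38.dll and its layered-provider entry, but the chain entry that layers it over TCP/IP still names catalog id 1002, and a chain with a dangling reference is exactly what produces the "Broken Internet access because of LSP provider ... missing" O10 line. Deleting entries by hand and leaving Num_Catalog_Entries or the key numbering inconsistent breaks Winsock the same way, which is why the post has you download LSPFix before removing New.Net.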

Unread postby Rilo_Kiley » April 7th, 2006, 2:40 am

L2mfix 032106
Creating Account.
The command completed successfully.

Adding Administrative privleges.
The command completed successfully.
Checking for L2MFix account(0=no 1=yes):
1
Granting SeDebugPrivilege to L2MFIX ... successful

Running From:
C:\WINDOWS\system32

Killing Processes!

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 600 'smss.exe'
Killing PID 600 'smss.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 672 'winlogon.exe'
Killing PID 672 'winlogon.exe'
Killing PID 672 'winlogon.exe'
Killing PID 672 'winlogon.exe'
Killing PID 672 'winlogon.exe'
Killing PID 672 'winlogon.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 620 'explorer.exe'
Killing PID 620 'explorer.exe'
Killing PID 620 'explorer.exe'
Killing PID 620 'explorer.exe'
Killing PID 620 'explorer.exe'
Killing PID 620 'explorer.exe'
Killing PID 620 'explorer.exe'
Killing PID 620 'explorer.exe'
Killing PID 620 'explorer.exe'
Killing PID 620 'explorer.exe'
Killing PID 620 'explorer.exe'
Killing PID 620 'explorer.exe'
Killing PID 620 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1676 'rundll32.exe'
Killing PID 1676 'rundll32.exe'
Killing PID 1676 'rundll32.exe'
Killing PID 1676 'rundll32.exe'
Killing PID 3724 'rundll32.exe'
Killing PID 3724 'rundll32.exe'
Killing PID 3724 'rundll32.exe'
Killing PID 3724 'rundll32.exe'
Killing PID 3724 'rundll32.exe'
Killing PID 3724 'rundll32.exe'
Killing PID 3724 'rundll32.exe'
Restoring Sedebugprivilege:
Granting SeDebugPrivilege to Administrators ... successful

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
Deleting: C:\WINDOWS\system32\dEtaclen.dll
Successfully Deleted: C:\WINDOWS\system32\dEtaclen.dll
Deleting: C:\WINDOWS\system32\dn6o01j3e.dll
Successfully Deleted: C:\WINDOWS\system32\dn6o01j3e.dll
Deleting: C:\WINDOWS\system32\e020lafm1d2a.dll
Successfully Deleted: C:\WINDOWS\system32\e020lafm1d2a.dll
Deleting: C:\WINDOWS\system32\fpjo0313e.dll
Successfully Deleted: C:\WINDOWS\system32\fpjo0313e.dll
Deleting: C:\WINDOWS\system32\g2220cfoef2c0.dll
Successfully Deleted: C:\WINDOWS\system32\g2220cfoef2c0.dll
Deleting: C:\WINDOWS\system32\hrls0537e.dll
Successfully Deleted: C:\WINDOWS\system32\hrls0537e.dll
Deleting: C:\WINDOWS\system32\k2pm0c71ef.dll
Successfully Deleted: C:\WINDOWS\system32\k2pm0c71ef.dll
Deleting: C:\WINDOWS\system32\l4r00e9meh.dll
Successfully Deleted: C:\WINDOWS\system32\l4r00e9meh.dll
Deleting: C:\WINDOWS\system32\lv0u09d9e.dll
Successfully Deleted: C:\WINDOWS\system32\lv0u09d9e.dll
Deleting: C:\WINDOWS\system32\lv4809hue.dll
Successfully Deleted: C:\WINDOWS\system32\lv4809hue.dll
Deleting: C:\WINDOWS\system32\mvrsl9971.dll
Successfully Deleted: C:\WINDOWS\system32\mvrsl9971.dll
Deleting: C:\WINDOWS\system32\n8n60i5se8.dll
Successfully Deleted: C:\WINDOWS\system32\n8n60i5se8.dll

msg11?.dll
0 file(s) copied.

Restoring Windows Update Certificates.:

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\StillImage]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\lv4809hue.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


The following are the files found:
****************************************************************************
C:\WINDOWS\system32\dEtaclen.dll
C:\WINDOWS\system32\dn6o01j3e.dll
C:\WINDOWS\system32\e020lafm1d2a.dll
C:\WINDOWS\system32\fpjo0313e.dll
C:\WINDOWS\system32\g2220cfoef2c0.dll
C:\WINDOWS\system32\hrls0537e.dll
C:\WINDOWS\system32\k2pm0c71ef.dll
C:\WINDOWS\system32\l4r00e9meh.dll
C:\WINDOWS\system32\lv0u09d9e.dll
C:\WINDOWS\system32\lv4809hue.dll
C:\WINDOWS\system32\mvrsl9971.dll
C:\WINDOWS\system32\n8n60i5se8.dll

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{312B8D50-B707-4AB2-BFC6-F4163AB9D66E}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{312B8D50-B707-4AB2-BFC6-F4163AB9D66E}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{312B8D50-B707-4AB2-BFC6-F4163AB9D66E}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{312B8D50-B707-4AB2-BFC6-F4163AB9D66E}\InprocServer32]
@="C:\\WINDOWS\\system32\\dzvvox.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{BC7CFEFF-DF17-4EE9-A283-1714AA37575F}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{BC7CFEFF-DF17-4EE9-A283-1714AA37575F}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{BC7CFEFF-DF17-4EE9-A283-1714AA37575F}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{BC7CFEFF-DF17-4EE9-A283-1714AA37575F}\InprocServer32]
@="C:\\WINDOWS\\system32\\dEtaclen.dll"
"ThreadingModel"="Apartment"

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{312B8D50-B707-4AB2-BFC6-F4163AB9D66E}"=-
"{BC7CFEFF-DF17-4EE9-A283-1714AA37575F}"=-
[-HKEY_CLASSES_ROOT\CLSID\{312B8D50-B707-4AB2-BFC6-F4163AB9D66E}]
[-HKEY_CLASSES_ROOT\CLSID\{BC7CFEFF-DF17-4EE9-A283-1714AA37575F}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************

****************************************************************************
Checking for L2MFix account(0=no 1=yes):
0
Zipping up files for submission:
adding: dlls/dEtaclen.dll (164 bytes security) (deflated 5%)
adding: dlls/dn6o01j3e.dll (164 bytes security) (deflated 5%)
adding: dlls/e020lafm1d2a.dll (164 bytes security) (deflated 4%)
adding: dlls/fpjo0313e.dll (164 bytes security) (deflated 4%)
adding: dlls/g2220cfoef2c0.dll (164 bytes security) (deflated 5%)
adding: dlls/hrls0537e.dll (164 bytes security) (deflated 4%)
adding: dlls/k2pm0c71ef.dll (164 bytes security) (deflated 5%)
adding: dlls/l4r00e9meh.dll (164 bytes security) (deflated 6%)
adding: dlls/lv0u09d9e.dll (164 bytes security) (deflated 5%)
adding: dlls/lv4809hue.dll (164 bytes security) (deflated 5%)
adding: dlls/mvrsl9971.dll (164 bytes security) (deflated 4%)
adding: dlls/n8n60i5se8.dll (164 bytes security) (deflated 4%)
adding: backregs/312B8D50-B707-4AB2-BFC6-F4163AB9D66E.reg (188 bytes security) (deflated 70%)
adding: backregs/BC7CFEFF-DF17-4EE9-A283-1714AA37575F.reg (188 bytes security) (deflated 70%)
adding: backregs/notibac.reg (164 bytes security) (deflated 88%)
adding: backregs/shell.reg (164 bytes security) (deflated 73%)

Logfile of HijackThis v1.99.1
Scan saved at 11:40:26 PM, on 4/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\windows\mousepad9.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\zlmavrvA.exe
C:\WINDOWS\errorhandler.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\EQBranch\EQBranch.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\comcast\security manager\app\CurtainsSysSvcNt.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Ron Wells\Desktop\Anti-malware\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\jpekm.exe
F2 - REG:system.ini: UserInit=userinit.exe,tklowin.exe
O2 - BHO: AuthBHO.cBHO - {C658CEE0-7F43-4B48-AEB5-36EF433513AC} - C:\Program Files\Comcast\Security Manager\app\AuthBHO.dll
O3 - Toolbar: Security Manager Popup Blocker - {D35D808B-16DD-4572-861B-44966B93247B} - C:\Program Files\Comcast\Security Manager\app\AuthBHO.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HtFG] C:\WINDOWS\sfmywm.exe
O4 - HKLM\..\Run: [SaferScan] C:\Program Files\SaferScan\saferscan.exe
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [keyboard] C:\windows\keyboard9.exe
O4 - HKLM\..\Run: [mousepad] C:\windows\mousepad9.exe
O4 - HKLM\..\Run: [newname] C:\windows\newname9.exe
O4 - HKLM\..\Run: [webHancer Survey Companion] C:\Program Files\webHancer\Programs\whsurvey.exe
O4 - HKLM\..\Run: [HPHUPD08] C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [w002ce33.dll] RUNDLL32.EXE w002ce33.dll,I2 00009f1a0002ce33
O4 - HKLM\..\Run: [zlmavrvA] C:\WINDOWS\zlmavrvA.exe
O4 - HKLM\..\Run: [errorhandler] C:\WINDOWS\errorhandler.exe
O4 - HKLM\..\Run: [w00164fe.dll] RUNDLL32.EXE w00164fe.dll,I2 00009f1a000164fe
O4 - HKLM\..\Run: [w0019e6d.dll] RUNDLL32.EXE w0019e6d.dll,I2 00009f1a00019e6d
O4 - HKLM\..\Run: [w002f61e.dll] RUNDLL32.EXE w002f61e.dll,I2 00009f1a0002f61e
O4 - HKLM\..\Run: [w001e54a.dll] RUNDLL32.EXE w001e54a.dll,I2 00009f1a0001e54a
O4 - HKLM\..\Run: [w0026690.dll] RUNDLL32.EXE w0026690.dll,I2 00009f1a00026690
O4 - HKLM\..\Run: [w0014178.dll] RUNDLL32.EXE w0014178.dll,I2 00009f1a00014178
O4 - HKLM\..\Run: [w0026bef.dll] RUNDLL32.EXE w0026bef.dll,I2 00009f1a00026bef
O4 - HKLM\..\Run: [w0012f39.dll] RUNDLL32.EXE w0012f39.dll,I2 00009f1a00012f39
O4 - HKLM\..\Run: [w006b8d3.dll] RUNDLL32.EXE w006b8d3.dll,I2 00009f1a0006b8d3
O4 - HKLM\..\Run: [w001a999.dll] RUNDLL32.EXE w001a999.dll,I2 00009f1a0001a999
O4 - HKLM\..\Run: [w001d26e.dll] RUNDLL32.EXE w001d26e.dll,I2 00009f1a0001d26e
O4 - HKLM\..\Run: [w0015ea5.dll] RUNDLL32.EXE w0015ea5.dll,I2 00009f1a00015ea5
O4 - HKLM\..\Run: [w0016184.dll] RUNDLL32.EXE w0016184.dll,I2 00009f1a00016184
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\lwinqrag.exe CORN001
O4 - HKLM\..\Run: [w00253f2.dll] RUNDLL32.EXE w00253f2.dll,I2 00009f1a000253f2
O4 - HKLM\..\Run: [w001f42e.dll] RUNDLL32.EXE w001f42e.dll,I2 00009f1a0001f42e
O4 - HKLM\..\Run: [w0032dc8.dll] RUNDLL32.EXE w0032dc8.dll,I2 00009f1a00032dc8
O4 - HKLM\..\Run: [w001ee72.dll] RUNDLL32.EXE w001ee72.dll,I2 00009f1a0001ee72
O4 - HKLM\..\Run: [w001dd6a.dll] RUNDLL32.EXE w001dd6a.dll,I2 00009f1a0001dd6a
O4 - HKLM\..\Run: [w0018c9b.dll] RUNDLL32.EXE w0018c9b.dll,I2 00009f1a00018c9b
O4 - HKLM\..\Run: [w001651d.dll] RUNDLL32.EXE w001651d.dll,I2 00009f1a0001651d
O4 - HKLM\..\Run: [w00190d1.dll] RUNDLL32.EXE w00190d1.dll,I2 00009f1a000190d1
O4 - HKLM\..\Run: [w0018c5c.dll] RUNDLL32.EXE w0018c5c.dll,I2 00009f1a00018c5c
O4 - HKLM\..\Run: [w0012b7f.dll] RUNDLL32.EXE w0012b7f.dll,I2 00009f1a00012b7f
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
O4 - HKCU\..\Run: [EQBranch] "C:\Program Files\EQBranch\EQBranch.exe"
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\lwinqrag.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by104fd.bay104.hotmail.msn.com/r ... nPUpld.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: text/html - {CEA53356-C414-4331-A35E-AA4CE9D8DFA2} - C:\WINDOWS\system32\w9seq.dll
O20 - AppInit_DLLs: dkmdbifa.dll,Runner.dll,Runner.dll,pceghlfh.dll,EQMini.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: StillImage - C:\WINDOWS\system32\lv4809hue.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Curtains for Windows System Service (CurtainsSysSvc) - Authentium, Inc. - c:\program files\comcast\security manager\app\CurtainsSysSvcNt.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\zlmavrv.exe (file missing)
Rilo_Kiley
Active Member
 
Posts: 10
Joined: April 4th, 2006, 8:27 pm
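What the helper is reading in the HijackThis log above, as an added triage script (not from the thread, HijackThis or any tool named in it): it flags the persistence entries a helper looks at first, namely the extra programs on Shell= and UserInit=, Run entries that hand rundll32 a bare DLL name, the text/html filter, AppInit_DLLs, Winlogon Notify packages pointing at unrecognised DLLs, and a service whose binary sits directly in the Windows directory. The allowlists of stock Notify DLLs and of legitimate home-page hosts are assumptions; the sample lines are copied from the log.

```python
"""Triage of HijackThis v1.99-style log lines.

Added example, not part of the thread or of any tool named in it: it flags the
persistence entries a helper reads first, using the indicators in the log above.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Sample input: a subset of lines copied from the HijackThis log in the thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\jpekm.exe
F2 - REG:system.ini: UserInit=userinit.exe,tklowin.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [w002ce33.dll] RUNDLL32.EXE w002ce33.dll,I2 00009f1a0002ce33
O4 - HKLM\..\Run: [w00164fe.dll] RUNDLL32.EXE w00164fe.dll,I2 00009f1a000164fe
O18 - Filter: text/html - {CEA53356-C414-4331-A35E-AA4CE9D8DFA2} - C:\WINDOWS\system32\w9seq.dll
O20 - AppInit_DLLs: dkmdbifa.dll,Runner.dll,Runner.dll,pceghlfh.dll,EQMini.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: StillImage - C:\WINDOWS\system32\lv4809hue.dll (file missing)
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\zlmavrv.exe (file missing)
"""

# Assumption: Winlogon Notify DLLs expected on a stock Windows XP install, taken
# from the registry export in the L2MFix log above. Extend for your own builds.
KNOWN_NOTIFY_DLLS = {"ati2evxx.dll", "crypt32.dll", "cryptnet.dll", "cscdll.dll",
                     "igfxsrvc.dll", "wlnotify.dll", "sclgntfy.dll"}
# Assumption: start/search-page hosts the owner of the machine actually chose.
KNOWN_HOME_HOSTS = {"www.msn.com", "www.google.com"}

LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.*)$")


@dataclass(frozen=True)
class Finding:
    section: str  # HijackThis section code, e.g. "O20"
    reason: str   # why a helper would look at this entry
    line: str     # the log line as posted


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip().lower()


def _check(sec: str, body: str) -> Optional[str]:
    """Return a reason if the entry deserves attention, else None."""
    if sec in ("R0", "R1"):  # browser start/search pages
        m = re.search(r"=\s*(\S+)\s*$", body)
        if m and m.group(1).startswith("http"):
            host = urlparse(m.group(1)).hostname or ""
            if host not in KNOWN_HOME_HOSTS:
                return f"start/search page points at unexpected host {host}"
    elif sec == "F2":  # system.ini Shell= / UserInit= run at every logon
        m = re.match(r"REG:system\.ini: (Shell|UserInit)=(.*)$", body)
        if m:
            key, value = m.group(1), m.group(2)
            parts = [_basename(p) for p in value.split(",") if p.strip()]
            expected = "explorer.exe" if key == "Shell" else "userinit.exe"
            if parts != [expected]:
                return f"{key}= also starts {parts[1:] or parts} at logon"
    elif sec == "O4":  # Run keys: rundll32 handed a bare DLL name, no path
        m = re.search(r"RUNDLL32\.EXE\s+([^,\s]+)", body, re.IGNORECASE)
        if m and "\\" not in m.group(1):
            return f"rundll32 loads {m.group(1)} with no path (found via DLL search order)"
    elif sec == "O18" and body.startswith("Filter: text/html"):
        return "a MIME filter on text/html sees every page IE renders"
    elif sec == "O20":
        if body.startswith("AppInit_DLLs:"):
            dlls = {d.strip() for d in body.split(":", 1)[1].split(",") if d.strip()}
            return f"AppInit_DLLs injects {sorted(dlls)} into every GUI process"
        m = re.match(r"Winlogon Notify: (\S+) - (.*)$", body)
        if m:
            dll = _basename(m.group(2).replace("(file missing)", ""))
            if dll not in KNOWN_NOTIFY_DLLS or "(file missing)" in body:
                return f"Winlogon Notify package {m.group(1)} loads unrecognised {dll}"
    elif sec == "O23":  # services whose binary sits directly under C:\WINDOWS
        m = re.search(r"([A-Za-z]:\\\S+?\.exe)", body)
        if m and re.fullmatch(r"[a-z]:\\windows\\[^\\]+", m.group(1).lower()):
            return f"service binary {m.group(1)} sits directly in the Windows directory"
    return None


def triage(log_text: str) -> List[Finding]:
    """Parse HijackThis lines and return the entries worth a helper's attention."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            reason = _check(m.group("sec"), m.group("body"))
            if reason:
                findings.append(Finding(m.group("sec"), reason, raw.strip()))
    return findings


def by_section(findings: List[Finding]) -> Dict[str, List[Finding]]:
    """Group findings by section so a reply can walk the log in order."""
    grouped: Dict[str, List[Finding]] = {}
    for f in findings:
        grouped.setdefault(f.section, []).append(f)
    return grouped


if __name__ == "__main__":
    for sec, items in by_section(triage(SAMPLE_LOG)).items():
        for f in items:
            print(f"[{sec}] {f.reason}\n      {f.line}")
```

The avast Run entry and the igfxcui Notify package pass untouched, which is the point: the heuristics single out the additions, not everything the log lists.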

Unread postby agrarianmonk » April 7th, 2006, 8:00 am

Download FindQoologic.zip and save it to your C:\.
http://downloads.subratam.org/Lon/FindQool.zip

Extract (unzip) the files inside into their own folder called FindQool.
Read here how to unzip/extract properly:
http://metallica.geekstogo.com/xpcompre ... ation.html

This folder should be present on your C:\
In case it's not present there, move the FindQool folder to C:\ otherwise it won't work.
Then open the FindQool folder.
Locate and double-click the Qlocate.bat file to run it.

This will scan your system.
Wait until a text opens.
Post this in your next reply.

***************************************

I notice you already have Ewido Anti-Malware installed:
You will need to update ewido to the latest definition files.
  • Open Ewido, and On the left hand side of the main screen click update.
  • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display "Update successful")
  • Exit Ewido, do not run the scan yet!
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates

Please download Brute Force Uninstaller to your desktop.
  • Right click the BFU folder on your desktop, and choose Extract All
  • Click "Next"
  • In the box to choose where to extract the files to,
  • Click "Browse"
  • Click on the + sign next to "My Computer"
  • Click on "Local Disk (C:)" or whatever your primary drive is
  • Click "Make New Folder"
  • Type in BFU
  • Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.
Save it in the same folder you made earlier (c:\BFU).

Do not do anything with these yet!

*************************************

Next, please reboot your computer in SafeMode by doing the following:
  1. Restart your computer
  2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  3. Instead of Windows loading as normal, a menu should appear
  4. Select the first option, to run Windows in Safe Mode.

*************************************

Once in Safe Mode, Open Ewido:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • You will be prompted to clean the first infection.
  • Select "Perform action on all infections", then proceed.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop or a location where you can find it easily.
Close ewido anti-malware.

Then, please go to Start > My Computer and navigate to the C:\BFU folder.
  • Start the Brute Force Uninstaller by doubleclicking BFU.exe
  • In the scriptline to execute field type or paste c:\bfu\alcanshorty.bfu
  • Press Execute and let it do its job. (You ought to see a progress bar if you did this correctly.)
  • Wait for the complete script execution box to pop up and press OK.
  • Press exit to terminate the BFU program.
Reboot into normal Windows and post the contents of the Ewido text report that you saved and a new HijackThis log.

************************************

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      Extended (if available otherwise Standard)
    • Scan Options:
      Scan Archives
      Scan Mail Bases

  • Click OK
  • Now under select a target to scan:
      Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

*************************************
In your next post, please include:
  • new HijackThis log
  • FindQool log
  • Ewido log
  • Kaspersky Log
agrarianmonk
MRU Teacher Emeritus
 
Posts: 5439
Joined: December 24th, 2005, 3:11 am

Unread postby agrarianmonk » April 13th, 2006, 11:28 pm

How are you doing w/ the instructions?
agrarianmonk
MRU Teacher Emeritus
 
Posts: 5439
Joined: December 24th, 2005, 3:11 am

Unread postby Rilo_Kiley » April 14th, 2006, 8:00 pm

Sorry, have been busy with work. I couldn't get the online virus scan to work. I normally use Firefox; anytime I open Internet Explorer, 80 or so pop-ups immediately pop up and everything grinds to a halt.

Here is the log file from ewido and the new HJT log:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 6:40:12 AM, 4/10/2006
+ Report-Checksum: DA9F6FCA

+ Scan result:

HKLM\SOFTWARE\Avenue Media -> Adware.InternetOptimizer : Cleaned with backup
HKLM\SOFTWARE\Avenue Media\Internet Optimizer -> Adware.InternetOptimizer : Cleaned with backup
HKLM\SOFTWARE\Avenue Media\Internet Optimizer\Browser Helper -> Adware.InternetOptimizer : Cleaned with backup
HKLM\SOFTWARE\Avenue Media\Internet Optimizer\Browser Helper\cf1 -> Adware.InternetOptimizer : Cleaned with backup
HKLM\SOFTWARE\Avenue Media\Internet Optimizer\TContext -> Adware.InternetOptimizer : Cleaned with backup
HKLM\SOFTWARE\Avenue Media\Internet Optimizer\TContext\cf1 -> Adware.InternetOptimizer : Cleaned with backup
HKLM\SOFTWARE\Avenue Media\Internet Optimizer\TContext\cf2 -> Adware.InternetOptimizer : Cleaned with backup
HKLM\SOFTWARE\Avenue Media\Internet Optimizer\TContext\cf3 -> Adware.InternetOptimizer : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\AMeOpt -> Adware.InternetOptimizer : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DyFuCA -> Adware.MoneyTree : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Optimizer -> Adware.InternetOptimizer : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Kapabout -> Adware.InternetOptimizer : Cleaned with backup
HKLM\SOFTWARE\Policies\Avenue Media -> Adware.InternetOptimizer : Cleaned with backup
HKU\S-1-5-21-299502267-1659004503-725345543-1004\Software\Avenue Media -> Adware.InternetOptimizer : Cleaned with backup
HKU\S-1-5-21-299502267-1659004503-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Policies\AMeOpt -> Adware.InternetOptimizer : Cleaned with backup
HKU\S-1-5-21-299502267-1659004503-725345543-1004\Software\Policies\Avenue Media -> Adware.InternetOptimizer : Cleaned with backup
[888] C:\WINDOWS\system32\ynngely.dll -> Downloader.Qoologic.bj : Cleaned with backup
[1132] C:\WINDOWS\system32\w9seq.dll -> Adware.Suggestor : Cleaned with backup
C:\315502.exe -> Trojan.Small : Cleaned with backup
C:\328520.exe -> Trojan.Small : Cleaned with backup
C:\ac2_0003.exe -> Downloader.Small.cpu : Cleaned with backup
:mozilla.17:C:\Documents and Settings\Ron Wells\Application Data\Mozilla\Firefox\Profiles\fq7051cq.the wells\cookies.txt -> TrackingCookie.Com : Cleaned with backup
:mozilla.18:C:\Documents and Settings\Ron Wells\Application Data\Mozilla\Firefox\Profiles\fq7051cq.the wells\cookies.txt -> TrackingCookie.Com : Cleaned with backup
:mozilla.19:C:\Documents and Settings\Ron Wells\Application Data\Mozilla\Firefox\Profiles\fq7051cq.the wells\cookies.txt -> TrackingCookie.Com : Cleaned with backup
:mozilla.88:C:\Documents and Settings\Ron Wells\Application Data\Mozilla\Firefox\Profiles\fq7051cq.the wells\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.90:C:\Documents and Settings\Ron Wells\Application Data\Mozilla\Firefox\Profiles\fq7051cq.the wells\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.91:C:\Documents and Settings\Ron Wells\Application Data\Mozilla\Firefox\Profiles\fq7051cq.the wells\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.92:C:\Documents and Settings\Ron Wells\Application Data\Mozilla\Firefox\Profiles\fq7051cq.the wells\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.93:C:\Documents and Settings\Ron Wells\Application Data\Mozilla\Firefox\Profiles\fq7051cq.the wells\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.94:C:\Documents and Settings\Ron Wells\Application Data\Mozilla\Firefox\Profiles\fq7051cq.the wells\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.95:C:\Documents and Settings\Ron Wells\Application Data\Mozilla\Firefox\Profiles\fq7051cq.the wells\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.96:C:\Documents and Settings\Ron Wells\Application Data\Mozilla\Firefox\Profiles\fq7051cq.the wells\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.97:C:\Documents and Settings\Ron Wells\Application Data\Mozilla\Firefox\Profiles\fq7051cq.the wells\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.98:C:\Documents and Settings\Ron Wells\Application Data\Mozilla\Firefox\Profiles\fq7051cq.the wells\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.99:C:\Documents and Settings\Ron Wells\Application Data\Mozilla\Firefox\Profiles\fq7051cq.the wells\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.100:C:\Documents and Settings\Ron Wells\Application Data\Mozilla\Firefox\Profiles\fq7051cq.the wells\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.101:C:\Documents and Settings\Ron Wells\Application Data\Mozilla\Firefox\Profiles\fq7051cq.the wells\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.102:C:\Documents and Settings\Ron Wells\Application Data\Mozilla\Firefox\Profiles\fq7051cq.the wells\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.103:C:\Documents and Settings\Ron Wells\Application Data\Mozilla\Firefox\Profiles\fq7051cq.the wells\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.104:C:\Documents and Settings\Ron Wells\Application Data\Mozilla\Firefox\Profiles\fq7051cq.the wells\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.105:C:\Documents and Settings\Ron Wells\Application Data\Mozilla\Firefox\Profiles\fq7051cq.the wells\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.106:C:\Documents and Settings\Ron Wells\Application Data\Mozilla\Firefox\Profiles\fq7051cq.the wells\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.107:C:\Documents and Settings\Ron Wells\Application Data\Mozilla\Firefox\Profiles\fq7051cq.the wells\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.108:C:\Documents and Settings\Ron Wells\Application Data\Mozilla\Firefox\Profiles\fq7051cq.the wells\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.109:C:\Documents and Settings\Ron Wells\Application Data\Mozilla\Firefox\Profiles\fq7051cq.the wells\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.110:C:\Documents and Settings\Ron Wells\Application Data\Mozilla\Firefox\Profiles\fq7051cq.the wells\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.111:C:\Documents and Settings\Ron Wells\Application Data\Mozilla\Firefox\Profiles\fq7051cq.the wells\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.112:C:\Documents and Settings\Ron Wells\Application Data\Mozilla\Firefox\Profiles\fq7051cq.the wells\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.113:C:\Documents and Settings\Ron Wells\Application Data\Mozilla\Firefox\Profiles\fq7051cq.the wells\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.144:C:\Documents and Settings\Ron Wells\Application Data\Mozilla\Firefox\Profiles\fq7051cq.the wells\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
:mozilla.145:C:\Documents and Settings\Ron Wells\Application Data\Mozilla\Firefox\Profiles\fq7051cq.the wells\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
:mozilla.146:C:\Documents and Settings\Ron Wells\Application Data\Mozilla\Firefox\Profiles\fq7051cq.the wells\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
:mozilla.147:C:\Documents and Settings\Ron Wells\Application Data\Mozilla\Firefox\Profiles\fq7051cq.the wells\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
:mozilla.148:C:\Documents and Settings\Ron Wells\Application Data\Mozilla\Firefox\Profiles\fq7051cq.the wells\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
:mozilla.167:C:\Documents and Settings\Ron Wells\Application Data\Mozilla\Firefox\Profiles\fq7051cq.the wells\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.168:C:\Documents and Settings\Ron Wells\Application Data\Mozilla\Firefox\Profiles\fq7051cq.the wells\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.169:C:\Documents and Settings\Ron Wells\Application Data\Mozilla\Firefox\Profiles\fq7051cq.the wells\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.170:C:\Documents and Settings\Ron Wells\Application Data\Mozilla\Firefox\Profiles\fq7051cq.the wells\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.232:C:\Documents and Settings\Ron Wells\Application Data\Mozilla\Firefox\Profiles\fq7051cq.the wells\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.233:C:\Documents and Settings\Ron Wells\Application Data\Mozilla\Firefox\Profiles\fq7051cq.the wells\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.234:C:\Documents and Settings\Ron Wells\Application Data\Mozilla\Firefox\Profiles\fq7051cq.the wells\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.235:C:\Documents and Settings\Ron Wells\Application Data\Mozilla\Firefox\Profiles\fq7051cq.the wells\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.236:C:\Documents and Settings\Ron Wells\Application Data\Mozilla\Firefox\Profiles\fq7051cq.the wells\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.237:C:\Documents and Settings\Ron Wells\Application Data\Mozilla\Firefox\Profiles\fq7051cq.the wells\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.238:C:\Documents and Settings\Ron Wells\Application Data\Mozilla\Firefox\Profiles\fq7051cq.the wells\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.239:C:\Documents and Settings\Ron Wells\Application Data\Mozilla\Firefox\Profiles\fq7051cq.the wells\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.250:C:\Documents and Settings\Ron Wells\Application Data\Mozilla\Firefox\Profiles\fq7051cq.the wells\cookies.txt -> TrackingCookie.Cpvfeed : Cleaned with backup
:mozilla.259:C:\Documents and Settings\Ron Wells\Application Data\Mozilla\Firefox\Profiles\fq7051cq.the wells\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup
:mozilla.260:C:\Documents and Settings\Ron Wells\Application Data\Mozilla\Firefox\Profiles\fq7051cq.the wells\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup
:mozilla.261:C:\Documents and Settings\Ron Wells\Application Data\Mozilla\Firefox\Profiles\fq7051cq.the wells\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup
:mozilla.263:C:\Documents and Settings\Ron Wells\Application Data\Mozilla\Firefox\Profiles\fq7051cq.the wells\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup
:mozilla.264:C:\Documents and Settings\Ron Wells\Application Data\Mozilla\Firefox\Profiles\fq7051cq.the wells\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup
:mozilla.265:C:\Documents and Settings\Ron Wells\Application Data\Mozilla\Firefox\Profiles\fq7051cq.the wells\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup
:mozilla.266:C:\Documents and Settings\Ron Wells\Application Data\Mozilla\Firefox\Profiles\fq7051cq.the wells\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup
:mozilla.267:C:\Documents and Settings\Ron Wells\Application Data\Mozilla\Firefox\Profiles\fq7051cq.the wells\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup
:mozilla.270:C:\Documents and Settings\Ron Wells\Application Data\Mozilla\Firefox\Profiles\fq7051cq.the wells\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.271:C:\Documents and Settings\Ron Wells\Application Data\Mozilla\Firefox\Profiles\fq7051cq.the wells\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.272:C:\Documents and Settings\Ron Wells\Application Data\Mozilla\Firefox\Profiles\fq7051cq.the wells\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.273:C:\Documents and Settings\Ron Wells\Application Data\Mozilla\Firefox\Profiles\fq7051cq.the wells\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.279:C:\Documents and Settings\Ron Wells\Application Data\Mozilla\Firefox\Profiles\fq7051cq.the wells\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.280:C:\Documents and Settings\Ron Wells\Application Data\Mozilla\Firefox\Profiles\fq7051cq.the wells\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.282:C:\Documents and Settings\Ron Wells\Application Data\Mozilla\Firefox\Profiles\fq7051cq.the wells\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.283:C:\Documents and Settings\Ron Wells\Application Data\Mozilla\Firefox\Profiles\fq7051cq.the wells\cookies.txt -> TrackingCookie.Burstnet : Cleaned with backup
:mozilla.284:C:\Documents and Settings\Ron Wells\Application Data\Mozilla\Firefox\Profiles\fq7051cq.the wells\cookies.txt -> TrackingCookie.Burstnet : Cleaned with backup
:mozilla.309:C:\Documents and Settings\Ron Wells\Application Data\Mozilla\Firefox\Profiles\fq7051cq.the wells\cookies.txt -> TrackingCookie.Sitestat : Cleaned with backup
:mozilla.311:C:\Documents and Settings\Ron Wells\Application Data\Mozilla\Firefox\Profiles\fq7051cq.the wells\cookies.txt -> TrackingCookie.Sitestat : Cleaned with backup
:mozilla.337:C:\Documents and Settings\Ron Wells\Application Data\Mozilla\Firefox\Profiles\fq7051cq.the wells\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.361:C:\Documents and Settings\Ron Wells\Application Data\Mozilla\Firefox\Profiles\fq7051cq.the wells\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.362:C:\Documents and Settings\Ron Wells\Application Data\Mozilla\Firefox\Profiles\fq7051cq.the wells\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.374:C:\Documents and Settings\Ron Wells\Application Data\Mozilla\Firefox\Profiles\fq7051cq.the wells\cookies.txt -> TrackingCookie.Revenue : Cleaned with backup
:mozilla.375:C:\Documents and Settings\Ron Wells\Application Data\Mozilla\Firefox\Profiles\fq7051cq.the wells\cookies.txt -> TrackingCookie.Revenue : Cleaned with backup
:mozilla.376:C:\Documents and Settings\Ron Wells\Application Data\Mozilla\Firefox\Profiles\fq7051cq.the wells\cookies.txt -> TrackingCookie.Revenue : Cleaned with backup
:mozilla.453:C:\Documents and Settings\Ron Wells\Application Data\Mozilla\Firefox\Profiles\fq7051cq.the wells\cookies.txt -> TrackingCookie.Myaffiliateprogram : Cleaned with backup
:mozilla.454:C:\Documents and Settings\Ron Wells\Application Data\Mozilla\Firefox\Profiles\fq7051cq.the wells\cookies.txt -> TrackingCookie.Myaffiliateprogram : Cleaned with backup
:mozilla.455:C:\Documents and Settings\Ron Wells\Application Data\Mozilla\Firefox\Profiles\fq7051cq.the wells\cookies.txt -> TrackingCookie.Myaffiliateprogram : Cleaned with backup
:mozilla.456:C:\Documents and Settings\Ron Wells\Application Data\Mozilla\Firefox\Profiles\fq7051cq.the wells\cookies.txt -> TrackingCookie.Myaffiliateprogram : Cleaned with backup
:mozilla.457:C:\Documents and Settings\Ron Wells\Application Data\Mozilla\Firefox\Profiles\fq7051cq.the wells\cookies.txt -> TrackingCookie.Myaffiliateprogram : Cleaned with backup
:mozilla.458:C:\Documents and Settings\Ron Wells\Application Data\Mozilla\Firefox\Profiles\fq7051cq.the wells\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.459:C:\Documents and Settings\Ron Wells\Application Data\Mozilla\Firefox\Profiles\fq7051cq.the wells\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.470:C:\Documents and Settings\Ron Wells\Application Data\Mozilla\Firefox\Profiles\fq7051cq.the wells\cookies.txt -> TrackingCookie.Enhance : Cleaned with backup
:mozilla.516:C:\Documents and Settings\Ron Wells\Application Data\Mozilla\Firefox\Profiles\fq7051cq.the wells\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.517:C:\Documents and Settings\Ron Wells\Application Data\Mozilla\Firefox\Profiles\fq7051cq.the wells\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.524:C:\Documents and Settings\Ron Wells\Application Data\Mozilla\Firefox\Profiles\fq7051cq.the wells\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.525:C:\Documents and Settings\Ron Wells\Application Data\Mozilla\Firefox\Profiles\fq7051cq.the wells\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.526:C:\Documents and Settings\Ron Wells\Application Data\Mozilla\Firefox\Profiles\fq7051cq.the wells\cookies.txt -> TrackingCookie.Clickbank : Cleaned with backup
:mozilla.559:C:\Documents and Settings\Ron Wells\Application Data\Mozilla\Firefox\Profiles\fq7051cq.the wells\cookies.txt -> TrackingCookie.Burstbeacon : Cleaned with backup
:mozilla.584:C:\Documents and Settings\Ron Wells\Application Data\Mozilla\Firefox\Profiles\fq7051cq.the wells\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.585:C:\Documents and Settings\Ron Wells\Application Data\Mozilla\Firefox\Profiles\fq7051cq.the wells\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.587:C:\Documents and Settings\Ron Wells\Application Data\Mozilla\Firefox\Profiles\fq7051cq.the wells\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
:mozilla.600:C:\Documents and Settings\Ron Wells\Application Data\Mozilla\Firefox\Profiles\fq7051cq.the wells\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
:mozilla.603:C:\Documents and Settings\Ron Wells\Application Data\Mozilla\Firefox\Profiles\fq7051cq.the wells\cookies.txt -> TrackingCookie.Onestat : Cleaned with backup
:mozilla.604:C:\Documents and Settings\Ron Wells\Application Data\Mozilla\Firefox\Profiles\fq7051cq.the wells\cookies.txt -> TrackingCookie.Onestat : Cleaned with backup
:mozilla.608:C:\Documents and Settings\Ron Wells\Application Data\Mozilla\Firefox\Profiles\fq7051cq.the wells\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
:mozilla.632:C:\Documents and Settings\Ron Wells\Application Data\Mozilla\Firefox\Profiles\fq7051cq.the wells\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
:mozilla.639:C:\Documents and Settings\Ron Wells\Application Data\Mozilla\Firefox\Profiles\fq7051cq.the wells\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
:mozilla.644:C:\Documents and Settings\Ron Wells\Application Data\Mozilla\Firefox\Profiles\fq7051cq.the wells\cookies.txt -> TrackingCookie.Clickzs : Cleaned with backup
:mozilla.645:C:\Documents and Settings\Ron Wells\Application Data\Mozilla\Firefox\Profiles\fq7051cq.the wells\cookies.txt -> TrackingCookie.Clickzs : Cleaned with backup
:mozilla.646:C:\Documents and Settings\Ron Wells\Application Data\Mozilla\Firefox\Profiles\fq7051cq.the wells\cookies.txt -> TrackingCookie.Clickzs : Cleaned with backup
:mozilla.647:C:\Documents and Settings\Ron Wells\Application Data\Mozilla\Firefox\Profiles\fq7051cq.the wells\cookies.txt -> TrackingCookie.Clickzs : Cleaned with backup
:mozilla.648:C:\Documents and Settings\Ron Wells\Application Data\Mozilla\Firefox\Profiles\fq7051cq.the wells\cookies.txt -> TrackingCookie.Clickzs : Cleaned with backup
:mozilla.649:C:\Documents and Settings\Ron Wells\Application Data\Mozilla\Firefox\Profiles\fq7051cq.the wells\cookies.txt -> TrackingCookie.Clickzs : Cleaned with backup
:mozilla.656:C:\Documents and Settings\Ron Wells\Application Data\Mozilla\Firefox\Profiles\fq7051cq.the wells\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.687:C:\Documents and Settings\Ron Wells\Application Data\Mozilla\Firefox\Profiles\fq7051cq.the wells\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup
:mozilla.688:C:\Documents and Settings\Ron Wells\Application Data\Mozilla\Firefox\Profiles\fq7051cq.the wells\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup
:mozilla.689:C:\Documents and Settings\Ron Wells\Application Data\Mozilla\Firefox\Profiles\fq7051cq.the wells\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup
:mozilla.690:C:\Documents and Settings\Ron Wells\Application Data\Mozilla\Firefox\Profiles\fq7051cq.the wells\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup
:mozilla.691:C:\Documents and Settings\Ron Wells\Application Data\Mozilla\Firefox\Profiles\fq7051cq.the wells\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup
:mozilla.692:C:\Documents and Settings\Ron Wells\Application Data\Mozilla\Firefox\Profiles\fq7051cq.the wells\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup
:mozilla.693:C:\Documents and Settings\Ron Wells\Application Data\Mozilla\Firefox\Profiles\fq7051cq.the wells\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup
:mozilla.694:C:\Documents and Settings\Ron Wells\Application Data\Mozilla\Firefox\Profiles\fq7051cq.the wells\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ron Wells\Cookies\ron wells@aavalue[1].txt -> TrackingCookie.Aavalue : Cleaned with backup
C:\Documents and Settings\Ron Wells\Cookies\ron wells@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Ron Wells\Cookies\ron wells@ad.yieldmanager[3].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Ron Wells\Cookies\ron wells@anat.tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\Documents and Settings\Ron Wells\Cookies\ron wells@c.enhance[1].txt -> TrackingCookie.Enhance : Cleaned with backup
C:\Documents and Settings\Ron Wells\Cookies\ron wells@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned with backup
C:\Documents and Settings\Ron Wells\Cookies\ron wells@grouplotto.aavalue[2].txt -> TrackingCookie.Aavalue : Cleaned with backup
C:\Documents and Settings\Ron Wells\Cookies\ron wells@login.tracking101[2].txt -> TrackingCookie.Tracking101 : Cleaned with backup
C:\Documents and Settings\Ron Wells\Cookies\ron wells@stats1.reliablestats[2].txt -> TrackingCookie.Reliablestats : Cleaned with backup
C:\Documents and Settings\Ron Wells\Cookies\ron wells@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\Documents and Settings\Ron Wells\Cookies\ron wells@yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Ron Wells\Desktop\l2mfix\backup.zip/dlls/dEtaclen.dll -> Adware.Look2Me : Error during cleaning
C:\Documents and Settings\Ron Wells\Desktop\l2mfix\backup.zip/dlls/dn6o01j3e.dll -> Adware.Look2Me : Error during cleaning
C:\Documents and Settings\Ron Wells\Desktop\l2mfix\backup.zip/dlls/e020lafm1d2a.dll -> Adware.Look2Me : Error during cleaning
C:\Documents and Settings\Ron Wells\Desktop\l2mfix\backup.zip/dlls/fpjo0313e.dll -> Adware.Look2Me : Error during cleaning
C:\Documents and Settings\Ron Wells\Desktop\l2mfix\backup.zip/dlls/g2220cfoef2c0.dll -> Adware.Look2Me : Error during cleaning
C:\Documents and Settings\Ron Wells\Desktop\l2mfix\backup.zip/dlls/hrls0537e.dll -> Adware.Look2Me : Error during cleaning
C:\Documents and Settings\Ron Wells\Desktop\l2mfix\backup.zip/dlls/k2pm0c71ef.dll -> Adware.Look2Me : Error during cleaning
C:\Documents and Settings\Ron Wells\Desktop\l2mfix\backup.zip/dlls/l4r00e9meh.dll -> Adware.Look2Me : Error during cleaning
C:\Documents and Settings\Ron Wells\Desktop\l2mfix\backup.zip/dlls/lv0u09d9e.dll -> Adware.Look2Me : Error during cleaning
C:\Documents and Settings\Ron Wells\Desktop\l2mfix\backup.zip/dlls/lv4809hue.dll -> Adware.Look2Me : Error during cleaning
C:\Documents and Settings\Ron Wells\Desktop\l2mfix\backup.zip/dlls/mvrsl9971.dll -> Adware.Look2Me : Error during cleaning
C:\Documents and Settings\Ron Wells\Desktop\l2mfix\backup.zip/dlls/n8n60i5se8.dll -> Adware.Look2Me : Error during cleaning
C:\Documents and Settings\Ron Wells\Desktop\l2mfix\dlls\dEtaclen.dll -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\Ron Wells\Desktop\l2mfix\dlls\dn6o01j3e.dll -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\Ron Wells\Desktop\l2mfix\dlls\e020lafm1d2a.dll -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\Ron Wells\Desktop\l2mfix\dlls\fpjo0313e.dll -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\Ron Wells\Desktop\l2mfix\dlls\g2220cfoef2c0.dll -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\Ron Wells\Desktop\l2mfix\dlls\hrls0537e.dll -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\Ron Wells\Desktop\l2mfix\dlls\k2pm0c71ef.dll -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\Ron Wells\Desktop\l2mfix\dlls\l4r00e9meh.dll -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\Ron Wells\Desktop\l2mfix\dlls\lv0u09d9e.dll -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\Ron Wells\Desktop\l2mfix\dlls\lv4809hue.dll -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\Ron Wells\Desktop\l2mfix\dlls\mvrsl9971.dll -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\Ron Wells\Desktop\l2mfix\dlls\n8n60i5se8.dll -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\Ron Wells\Desktop\NNuninstall.exe -> Adware.NewDotNet : Cleaned with backup
C:\Documents and Settings\Ron Wells\Local Settings\Temp\C4C5B.tmp/slk8x2peu.exe -> Adware.Suggestor : Error during cleaning
C:\Documents and Settings\Ron Wells\Local Settings\Temp\C4C5B.tmp/faotvpap7.exe -> Trojan.Runner.h : Error during cleaning
C:\Documents and Settings\Ron Wells\Local Settings\Temp\cln2A.tmp -> Downloader.Dyfuca.ex : Cleaned with backup
C:\Documents and Settings\Ron Wells\Local Settings\Temp\Cookies\ron wells@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Ron Wells\Local Settings\Temp\Cookies\ron wells@ad.yieldmanager[3].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Ron Wells\Local Settings\Temp\Cookies\ron wells@adopt.euroclick[1].txt -> TrackingCookie.Euroclick : Cleaned with backup
C:\Documents and Settings\Ron Wells\Local Settings\Temp\Cookies\ron wells@anat.tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\Documents and Settings\Ron Wells\Local Settings\Temp\Cookies\ron wells@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Ron Wells\Local Settings\Temp\Cookies\ron wells@c.enhance[1].txt -> TrackingCookie.Enhance : Cleaned with backup
C:\Documents and Settings\Ron Wells\Local Settings\Temp\Cookies\ron wells@c.goclick[2].txt -> TrackingCookie.Goclick : Cleaned with backup
C:\Documents and Settings\Ron Wells\Local Settings\Temp\Cookies\ron wells@cpvfeed[1].txt -> TrackingCookie.Cpvfeed : Cleaned with backup
C:\Documents and Settings\Ron Wells\Local Settings\Temp\Cookies\ron wells@login.tracking101[2].txt -> TrackingCookie.Tracking101 : Cleaned with backup
C:\Documents and Settings\Ron Wells\Local Settings\Temp\Cookies\ron wells@server.iad.liveperson[1].txt -> TrackingCookie.Liveperson : Cleaned with backup
C:\Documents and Settings\Ron Wells\Local Settings\Temp\Cookies\ron wells@statcounter[1].txt -> TrackingCookie.Statcounter : Cleaned with backup
C:\Documents and Settings\Ron Wells\Local Settings\Temp\Cookies\ron wells@stats1.reliablestats[2].txt -> TrackingCookie.Reliablestats : Cleaned with backup
C:\Documents and Settings\Ron Wells\Local Settings\Temp\Cookies\ron wells@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\Documents and Settings\Ron Wells\Local Settings\Temp\Cookies\ron wells@yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Ron Wells\Local Settings\Temp\f115984.exe -> Downloader.Qoologic.bj : Cleaned with backup
C:\Documents and Settings\Ron Wells\Local Settings\Temp\f130734.exe -> Downloader.Qoologic.bj : Cleaned with backup
C:\Documents and Settings\Ron Wells\Local Settings\Temp\f133046.exe -> Downloader.Qoologic.bj : Cleaned with backup
C:\Documents and Settings\Ron Wells\Local Settings\Temp\f149234.exe -> Downloader.Qoologic.bj : Cleaned with backup
C:\Documents and Settings\Ron Wells\Local Settings\Temp\f154718.exe -> Downloader.Qoologic.bj : Cleaned with backup
C:\Documents and Settings\Ron Wells\Local Settings\Temp\f156421.exe -> Downloader.Qoologic.bj : Cleaned with backup
C:\Documents and Settings\Ron Wells\Local Settings\Temp\f172843.exe -> Downloader.Qoologic.bj : Cleaned with backup
C:\Documents and Settings\Ron Wells\Local Settings\Temp\f178281.exe -> Downloader.Qoologic.bj : Cleaned with backup
C:\Documents and Settings\Ron Wells\Local Settings\Temp\f186453.exe -> Downloader.Qoologic.bj : Cleaned with backup
C:\Documents and Settings\Ron Wells\Local Settings\Temp\f199546.exe -> Downloader.Qoologic.bj : Cleaned with backup
C:\Documents and Settings\Ron Wells\Local Settings\Temp\f218125.exe -> Downloader.Qoologic.bj : Cleaned with backup
C:\Documents and Settings\Ron Wells\Local Settings\Temp\f220687.exe -> Downloader.Qoologic.bj : Cleaned with backup
C:\Documents and Settings\Ron Wells\Local Settings\Temp\f2342421.exe -> Downloader.Qoologic.bj : Cleaned with backup
C:\Documents and Settings\Ron Wells\Local Settings\Temp\f389000.exe -> Downloader.Qoologic.bj : Cleaned with backup
C:\Documents and Settings\Ron Wells\Local Settings\Temp\f73437.exe -> Downloader.Qoologic.bj : Cleaned with backup
C:\Documents and Settings\Ron Wells\Local Settings\Temp\f73890.exe -> Downloader.Qoologic.bj : Cleaned with backup
C:\Documents and Settings\Ron Wells\Local Settings\Temp\f82781.exe -> Downloader.Qoologic.bj : Cleaned with backup
C:\Documents and Settings\Ron Wells\Local Settings\Temp\gokm.exe -> Downloader.Agent.afi : Cleaned with backup
C:\Documents and Settings\Ron Wells\Local Settings\Temp\MONEY1.exe -> Downloader.Adload.t : Cleaned with backup
C:\Documents and Settings\Ron Wells\Local Settings\Temp\optimize.exe -> Downloader.Dyfuca.ex : Cleaned with backup
C:\Documents and Settings\Ron Wells\Local Settings\Temp\temp.fr7AF6 -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\Ron Wells\Local Settings\Temp\temp.frCB38 -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\Ron Wells\Local Settings\Temp\Temporary Internet Files\Content.IE5\3UL9O1LS\ac2[1].txt -> Downloader.Agent.ahv : Cleaned with backup
C:\Documents and Settings\Ron Wells\Local Settings\Temp\Transpd.dll -> Adware.Agent : Cleaned with backup
C:\Documents and Settings\Ron Wells\Local Settings\Temporary Internet Files\Content.IE5\01234567\mediaview[1].cab/elite.ocx -> Adware.MediaMotor : Cleaned with backup
C:\Documents and Settings\Ron Wells\Local Settings\Temporary Internet Files\Content.IE5\OPQRSTUV\ac2[1].txt -> Downloader.Agent.ahv : Cleaned with backup
C:\drsmartload1.exe -> Downloader.VB.aad : Cleaned with backup
C:\drsmartload45a.exe -> Downloader.Adload.ai : Cleaned with backup
C:\drsmartload46a.exe -> Downloader.Adload.ab : Cleaned with backup
C:\installerwnus.exe -> Downloader.Qoologic.at : Cleaned with backup
C:\krw1dn.exe -> Downloader.Agent.afi : Cleaned with backup
C:\NNSCAA638.EXE -> Adware.NewDotNet : Cleaned with backup
C:\Program Files\Alwil Software\Avast4\DATA\moved\tct101.dll.vir -> Downloader.Dyfuca.eg : Cleaned with backup
C:\Program Files\Alwil Software\Avast4\DATA\moved\tct101[1].dll.vir -> Downloader.Dyfuca.eg : Cleaned with backup
C:\Program Files\Alwil Software\Avast4\DATA\moved\zlmavrv.exe.vir -> Hijacker.VB.ij : Cleaned with backup
C:\Program Files\FCAdvice\FCAdvice.dll -> Adware.CASClient : Cleaned with backup
C:\Program Files\Internet Optimizer -> Adware.InternetOptimizer : Cleaned with backup
C:\Program Files\Internet Optimizer\optimize.exe -> Adware.InternetOptimizer : Cleaned with backup
C:\Program Files\whInstall -> Adware.Webhancer : Cleaned with backup
C:\Program Files\Yazzle Sudoku\OINSetup.exe -> Downloader.PurityScan.au : Cleaned with backup
C:\visfx500.exe -> Dropper.Agent.aie : Cleaned with backup
C:\WHCC2.exe/whAgent.exe -> Adware.WebHancer : Cleaned with backup
C:\WINDOWS\DH.dll -> Hijacker.Small.jf : Cleaned with backup
C:\WINDOWS\keyboard4.exe -> Downloader.VB.zk : Cleaned with backup
C:\WINDOWS\keyboard5.exe -> Downloader.VB.zl : Cleaned with backup
C:\WINDOWS\keyboard6.exe -> Downloader.VB.zo : Cleaned with backup
C:\WINDOWS\keyboard7.exe -> Downloader.VB.zg : Cleaned with backup
C:\WINDOWS\keyboard8.exe -> Downloader.VB.aaa : Cleaned with backup
C:\WINDOWS\keyboard9.exe -> Downloader.VB.aaf : Cleaned with backup
C:\WINDOWS\mousepad4.exe -> Hijacker.VB.lv : Cleaned with backup
C:\WINDOWS\mousepad5.exe -> Hijacker.VB.ly : Cleaned with backup
C:\WINDOWS\mousepad6.exe -> Hijacker.VB.ly : Cleaned with backup
C:\WINDOWS\mousepad7.exe -> Downloader.VB.zw : Cleaned with backup
C:\WINDOWS\mousepad8.exe -> Trojan.VB.ali : Cleaned with backup
C:\WINDOWS\newname4.exe -> Downloader.Adload.ae : Cleaned with backup
C:\WINDOWS\newname5.exe -> Downloader.Adload.ae : Cleaned with backup
C:\WINDOWS\newname6.exe -> Downloader.Adload.ae : Cleaned with backup
C:\WINDOWS\newname7.exe -> Downloader.Adload.ae : Cleaned with backup
C:\WINDOWS\newname8.exe -> Downloader.Adload.ae : Cleaned with backup
C:\WINDOWS\newname9.exe -> Downloader.VB.aaf : Cleaned with backup
C:\WINDOWS\SS1001.exe -> Dropper.Small.qn : Cleaned with backup
C:\WINDOWS\system32\cv3wanv28.exe -> Adware.Suggestor : Cleaned with backup
C:\WINDOWS\system32\lwinqrag.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINDOWS\system32\w000f8f6.dll -> Downloader.Agent.ahv : Cleaned with backup
C:\WINDOWS\system32\w0012b7f.dll -> Downloader.Agent.ahv : Cleaned with backup
C:\WINDOWS\system32\w0012d16.dll -> Downloader.Agent.ahv : Cleaned with backup
C:\WINDOWS\system32\w0012f39.dll -> Downloader.Agent.ahv : Cleaned with backup
C:\WINDOWS\system32\w0014178.dll -> Downloader.Agent.ahv : Cleaned with backup
C:\WINDOWS\system32\w0015ea5.dll -> Downloader.Agent.ahv : Cleaned with backup
C:\WINDOWS\system32\w0016184.dll -> Downloader.Agent.ahv : Cleaned with backup
C:\WINDOWS\system32\w001628d.dll -> Downloader.Agent.ahv : Cleaned with backup
C:\WINDOWS\system32\w00164fe.dll -> Downloader.Agent.ahv : Cleaned with backup
C:\WINDOWS\system32\w001651d.dll -> Downloader.Agent.ahv : Cleaned with backup
C:\WINDOWS\system32\w0018c5c.dll -> Downloader.Agent.ahv : Cleaned with backup
C:\WINDOWS\system32\w0018c9b.dll -> Downloader.Agent.ahv : Cleaned with backup
C:\WINDOWS\system32\w00190d1.dll -> Downloader.Agent.ahv : Cleaned with backup
C:\WINDOWS\system32\w0019e6d.dll -> Downloader.Agent.ahv : Cleaned with backup
C:\WINDOWS\system32\w001a999.dll -> Downloader.Agent.ahv : Cleaned with backup
C:\WINDOWS\system32\w001c54e.dll -> Downloader.Agent.ahv : Cleaned with backup
C:\WINDOWS\system32\w001d26e.dll -> Downloader.Agent.ahv : Cleaned with backup
C:\WINDOWS\system32\w001dd6a.dll -> Downloader.Agent.ahv : Cleaned with backup
C:\WINDOWS\system32\w001e54a.dll -> Downloader.Agent.ahv : Cleaned with backup
C:\WINDOWS\system32\w001ee72.dll -> Downloader.Agent.ahv : Cleaned with backup
C:\WINDOWS\system32\w001f42e.dll -> Downloader.Agent.ahv : Cleaned with backup
C:\WINDOWS\system32\w00253f2.dll -> Downloader.Agent.ahv : Cleaned with backup
C:\WINDOWS\system32\w0026690.dll -> Downloader.Agent.ahv : Cleaned with backup
C:\WINDOWS\system32\w0026bef.dll -> Downloader.Agent.ahv : Cleaned with backup
C:\WINDOWS\system32\w002ce33.dll -> Downloader.Agent.ahv : Cleaned with backup
C:\WINDOWS\system32\w002f61e.dll -> Downloader.Agent.ahv : Cleaned with backup
C:\WINDOWS\system32\w0032dc8.dll -> Downloader.Agent.ahv : Cleaned with backup
C:\WINDOWS\system32\w0040423.dll -> Downloader.Agent.ahv : Cleaned with backup
C:\WINDOWS\system32\w006b8d3.dll -> Downloader.Agent.ahv : Cleaned with backup
C:\WINDOWS\system32\w9seq.dll -> Adware.Suggestor : Cleaned with backup
C:\WINDOWS\system32\xdcjx.dat -> Downloader.Qoologic.bj : Cleaned with backup
C:\ZICORN001.exe -> Adware.ZenoSearch : Cleaned with backup


::Report End

***********************************************


***********************************************
***********************************************

***********************************************

Logfile of HijackThis v1.99.1
Scan saved at 5:00:41 PM, on 4/14/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\zlmavrvA.exe
C:\WINDOWS\errorhandler.exe
C:\WINDOWS\system32\rundll32.exe
C:\windows\system32\qqdsregl.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\comcast\security manager\app\CurtainsSysSvcNt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Ron Wells\Desktop\Anti-malware\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\jpekm.exe
F2 - REG:system.ini: UserInit=userinit.exe,tklowin.exe
O2 - BHO: URLLink - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet7_22.dll
O2 - BHO: AuthBHO.cBHO - {C658CEE0-7F43-4B48-AEB5-36EF433513AC} - C:\Program Files\Comcast\Security Manager\app\AuthBHO.dll
O3 - Toolbar: Security Manager Popup Blocker - {D35D808B-16DD-4572-861B-44966B93247B} - C:\Program Files\Comcast\Security Manager\app\AuthBHO.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HtFG] C:\WINDOWS\sfmywm.exe
O4 - HKLM\..\Run: [SaferScan] C:\Program Files\SaferScan\saferscan.exe
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [keyboard] C:\windows\keyboard11.exe
O4 - HKLM\..\Run: [mousepad] C:\windows\mousepad11.exe
O4 - HKLM\..\Run: [newname] C:\windows\newname11.exe
O4 - HKLM\..\Run: [webHancer Survey Companion] C:\Program Files\webHancer\Programs\whsurvey.exe
O4 - HKLM\..\Run: [HPHUPD08] C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [w002ce33.dll] RUNDLL32.EXE w002ce33.dll,I2 00009f1a0002ce33
O4 - HKLM\..\Run: [zlmavrvA] C:\WINDOWS\zlmavrvA.exe
O4 - HKLM\..\Run: [errorhandler] C:\WINDOWS\errorhandler.exe
O4 - HKLM\..\Run: [w00164fe.dll] RUNDLL32.EXE w00164fe.dll,I2 00009f1a000164fe
O4 - HKLM\..\Run: [w0019e6d.dll] RUNDLL32.EXE w0019e6d.dll,I2 00009f1a00019e6d
O4 - HKLM\..\Run: [w002f61e.dll] RUNDLL32.EXE w002f61e.dll,I2 00009f1a0002f61e
O4 - HKLM\..\Run: [w001e54a.dll] RUNDLL32.EXE w001e54a.dll,I2 00009f1a0001e54a
O4 - HKLM\..\Run: [w0026690.dll] RUNDLL32.EXE w0026690.dll,I2 00009f1a00026690
O4 - HKLM\..\Run: [w0014178.dll] RUNDLL32.EXE w0014178.dll,I2 00009f1a00014178
O4 - HKLM\..\Run: [w0026bef.dll] RUNDLL32.EXE w0026bef.dll,I2 00009f1a00026bef
O4 - HKLM\..\Run: [w0012f39.dll] RUNDLL32.EXE w0012f39.dll,I2 00009f1a00012f39
O4 - HKLM\..\Run: [w006b8d3.dll] RUNDLL32.EXE w006b8d3.dll,I2 00009f1a0006b8d3
O4 - HKLM\..\Run: [w001a999.dll] RUNDLL32.EXE w001a999.dll,I2 00009f1a0001a999
O4 - HKLM\..\Run: [w001d26e.dll] RUNDLL32.EXE w001d26e.dll,I2 00009f1a0001d26e
O4 - HKLM\..\Run: [w0015ea5.dll] RUNDLL32.EXE w0015ea5.dll,I2 00009f1a00015ea5
O4 - HKLM\..\Run: [w0016184.dll] RUNDLL32.EXE w0016184.dll,I2 00009f1a00016184
O4 - HKLM\..\Run: [w00253f2.dll] RUNDLL32.EXE w00253f2.dll,I2 00009f1a000253f2
O4 - HKLM\..\Run: [w001f42e.dll] RUNDLL32.EXE w001f42e.dll,I2 00009f1a0001f42e
O4 - HKLM\..\Run: [w0032dc8.dll] RUNDLL32.EXE w0032dc8.dll,I2 00009f1a00032dc8
O4 - HKLM\..\Run: [w001ee72.dll] RUNDLL32.EXE w001ee72.dll,I2 00009f1a0001ee72
O4 - HKLM\..\Run: [w001dd6a.dll] RUNDLL32.EXE w001dd6a.dll,I2 00009f1a0001dd6a
O4 - HKLM\..\Run: [w0018c9b.dll] RUNDLL32.EXE w0018c9b.dll,I2 00009f1a00018c9b
O4 - HKLM\..\Run: [w001651d.dll] RUNDLL32.EXE w001651d.dll,I2 00009f1a0001651d
O4 - HKLM\..\Run: [w00190d1.dll] RUNDLL32.EXE w00190d1.dll,I2 00009f1a000190d1
O4 - HKLM\..\Run: [w0018c5c.dll] RUNDLL32.EXE w0018c5c.dll,I2 00009f1a00018c5c
O4 - HKLM\..\Run: [w0012b7f.dll] RUNDLL32.EXE w0012b7f.dll,I2 00009f1a00012b7f
O4 - HKLM\..\Run: [w0040423.dll] RUNDLL32.EXE w0040423.dll,I2 00009f1a00040423
O4 - HKLM\..\Run: [w0012d16.dll] RUNDLL32.EXE w0012d16.dll,I2 00009f1a00012d16
O4 - HKLM\..\Run: [w001628d.dll] RUNDLL32.EXE w001628d.dll,I2 00009f1a0001628d
O4 - HKLM\..\Run: [w001c54e.dll] RUNDLL32.EXE w001c54e.dll,I2 00009f1a0001c54e
O4 - HKLM\..\Run: [w000f8f6.dll] RUNDLL32.EXE w000f8f6.dll,I2 00009f1a0000f8f6
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKLM\..\Run: [{3C-C5-55-5B-ZN}] C:\windows\system32\qqdsregl.exe CORN001
O4 - HKLM\..\Run: [w004a092.dll] RUNDLL32.EXE w004a092.dll,I2 00009f1a0004a092
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\owinrrag.exe CORN001
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
O4 - HKCU\..\Run: [EQBranch] "C:\Program Files\EQBranch\EQBranch.exe"
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\owinrrag.exe
O4 - Startup: Z_Start.lnk = C:\WINDOWS\system32\dwdsregt.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by104fd.bay104.hotmail.msn.com/r ... nPUpld.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: text/html - {CEA53356-C414-4331-A35E-AA4CE9D8DFA2} - C:\WINDOWS\system32\w9seq.dll
O20 - AppInit_DLLs: dkmdbifa.dll,Runner.dll,Runner.dll,pceghlfh.dll,EQMini.dll
O20 - Winlogon Notify: App Paths - C:\WINDOWS\system32\shecli.dll (file missing)
O20 - Winlogon Notify: DH - C:\WINDOWS\system32\sUfrdm.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: StillImage - C:\WINDOWS\system32\lv4809hue.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Curtains for Windows System Service (CurtainsSysSvc) - Authentium, Inc. - c:\program files\comcast\security manager\app\CurtainsSysSvcNt.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
Rilo_Kiley
Active Member
 
Posts: 10
Joined: April 4th, 2006, 8:27 pm

Unread postby agrarianmonk » April 14th, 2006, 8:31 pm

I understand that you are busy, but in order for me to best help you clean out your computer, you need to respond in a timely manner. The nature of malware is such that it may mutate after extended periods of time. Therefore, instructions that I give now may not be valid or correct in a week. Please help me help you by responding as promptly as you can.

**************************************

You have a NewDotNet infection.

First, Download LSPFix.exe to a convenient location. Do NOT run this program. This is only to be used if you lose Internet Access after removing NewDotNet.

To Get rid of NewDotNet, go to:

Start > Control Panel > Add or Remove Programs and remove the following:

New.Net Applications or New.Net Domains (anything that says New.Net)

If it is not there, go here and follow Procedure 4: NewDotNet Removal Procedure 4.

In the event that you lose Internet access after removing New.Net, please double-click LSPFix.exe that you downloaded earlier. Check the "I know what I'm doing" button. You will see 2 panels. If there is any file listed in the "Remove" panel on the right-side, leave it as is and just click "Finish>>" then reboot your computer and you should now have access to the Internet. If nothing is listed under the "Remove Panel", do NOT do anything - just close the program. You will need to use another computer to come back here for further instructions on what to do.

*******************************

Download FindQoologic.zip and save it to your C:\.
http://downloads.subratam.org/Lon/FindQool.zip

Extract (unzip) the files inside into their own folder called FindQool.
Read here how to unzip/extract properly:
http://metallica.geekstogo.com/xpcompre ... ation.html

This folder should be present on your C:\
In case it's not present there, move the FindQool folder to C:\ otherwise it won't work.
Then open the FindQool folder.
Locate and double-click the Qlocate.bat file to run it.

This will scan your system.
Wait until a text file opens.
Post this in your next reply.

***************************************

I really need you to do an online scan using Internet Explorer. You shouldn't be getting 80 popups now that we've cleaned up a bunch of stuff.

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      Extended (if available, otherwise Standard)
    • Scan Options:
      Scan Archives
      Scan Mail Bases

  • Click OK
  • Now under select a target to scan:
      Select My Computer
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

In your next post, please include:
  • new HijackThis log
  • FindQool log
  • Kaspersky Log
agrarianmonk
MRU Teacher Emeritus
 
Posts: 5439
Joined: December 24th, 2005, 3:11 am

Unread postby Rilo_Kiley » April 17th, 2006, 7:09 pm

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Monday, April 17, 2006 1:25:26 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 16/04/2006
Kaspersky Anti-Virus database records: 188305
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 90113
Number of viruses found: 77
Number of infected objects: 318
Number of suspicious objects: 0
Duration of the scan process: 01:35:47

Infected Object Name / Virus Name / Last Action
C:\ac2_0003.exe Infected: Trojan-Downloader.Win32.Small.cpu skipped
C:\Documents and Settings\Ron Wells\.housecall\Quarantine\arc.zip-53b42299-1b463168.zip.bac_a03192/web.exe/WISE0006.BIN Infected: Trojan.Win32.Revop.e skipped
C:\Documents and Settings\Ron Wells\.housecall\Quarantine\arc.zip-53b42299-1b463168.zip.bac_a03192/web.exe Infected: Trojan.Win32.Revop.e skipped
C:\Documents and Settings\Ron Wells\.housecall\Quarantine\arc.zip-53b42299-1b463168.zip.bac_a03192 ZIP: infected - 2 skipped
C:\Documents and Settings\Ron Wells\.housecall\Quarantine\arc.zip-53b42299-1b463168.zip.bac_a03192 CryptFF.b: infected - 2 skipped
C:\Documents and Settings\Ron Wells\.housecall\Quarantine\arc.zip-53b4229a-7d191064.zip.bac_a03192/web.exe/WISE0006.BIN Infected: Trojan.Win32.Revop.e skipped
C:\Documents and Settings\Ron Wells\.housecall\Quarantine\arc.zip-53b4229a-7d191064.zip.bac_a03192/web.exe Infected: Trojan.Win32.Revop.e skipped
C:\Documents and Settings\Ron Wells\.housecall\Quarantine\arc.zip-53b4229a-7d191064.zip.bac_a03192 ZIP: infected - 2 skipped
C:\Documents and Settings\Ron Wells\.housecall\Quarantine\arc.zip-53b4229a-7d191064.zip.bac_a03192 CryptFF.b: infected - 2 skipped
C:\Documents and Settings\Ron Wells\.housecall\Quarantine\ATPartners.dll.bac_a03192 Infected: not-a-virus:AdWare.Win32.F1Organizer.c skipped
C:\Documents and Settings\Ron Wells\.housecall\Quarantine\audiosrv.exe.bac_a03192 Infected: not-a-virus:AdWare.Win32.IEDriver.a skipped
C:\Documents and Settings\Ron Wells\.housecall\Quarantine\cmappclient.exe.bac_a03192 Infected: not-a-virus:AdWare.Win32.CASClient.a skipped
C:\Documents and Settings\Ron Wells\.housecall\Quarantine\CMMan.exe.bac_a03192 Infected: not-a-virus:AdWare.Win32.CASClient.e skipped
C:\Documents and Settings\Ron Wells\.housecall\Quarantine\count.jar-4adadbdb-6da00139.zip.bac_a03192/BlackBox.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\Ron Wells\.housecall\Quarantine\count.jar-4adadbdb-6da00139.zip.bac_a03192/VerifierBug.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\Ron Wells\.housecall\Quarantine\count.jar-4adadbdb-6da00139.zip.bac_a03192/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa skipped
C:\Documents and Settings\Ron Wells\.housecall\Quarantine\count.jar-4adadbdb-6da00139.zip.bac_a03192 ZIP: infected - 3 skipped
C:\Documents and Settings\Ron Wells\.housecall\Quarantine\count.jar-4adadbdb-6da00139.zip.bac_a03192 CryptFF.b: infected - 3 skipped
C:\Documents and Settings\Ron Wells\.housecall\Quarantine\count.jar-9275328-57c22615.zip.bac_a03192/BlackBox.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\Ron Wells\.housecall\Quarantine\count.jar-9275328-57c22615.zip.bac_a03192/VerifierBug.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\Ron Wells\.housecall\Quarantine\count.jar-9275328-57c22615.zip.bac_a03192/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa skipped
C:\Documents and Settings\Ron Wells\.housecall\Quarantine\count.jar-9275328-57c22615.zip.bac_a03192 ZIP: infected - 3 skipped
C:\Documents and Settings\Ron Wells\.housecall\Quarantine\count.jar-9275328-57c22615.zip.bac_a03192 CryptFF.b: infected - 3 skipped
C:\Documents and Settings\Ron Wells\.housecall\Quarantine\count.jar-bb80bfb-24aabbcb.zip.bac_a03192/BlackBox.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\Ron Wells\.housecall\Quarantine\count.jar-bb80bfb-24aabbcb.zip.bac_a03192/VerifierBug.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\Ron Wells\.housecall\Quarantine\count.jar-bb80bfb-24aabbcb.zip.bac_a03192/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa skipped
C:\Documents and Settings\Ron Wells\.housecall\Quarantine\count.jar-bb80bfb-24aabbcb.zip.bac_a03192 ZIP: infected - 3 skipped
C:\Documents and Settings\Ron Wells\.housecall\Quarantine\count.jar-bb80bfb-24aabbcb.zip.bac_a03192 CryptFF.b: infected - 3 skipped
C:\Documents and Settings\Ron Wells\.housecall\Quarantine\cpruninst.exe.bac_a03192/WISE0008.BIN Infected: Trojan-Downloader.Win32.Adroar skipped
C:\Documents and Settings\Ron Wells\.housecall\Quarantine\cpruninst.exe.bac_a03192/WISE0009.BIN Infected: Trojan-Downloader.Win32.Adroar skipped
C:\Documents and Settings\Ron Wells\.housecall\Quarantine\cpruninst.exe.bac_a03192 WiseSFX: infected - 2 skipped
C:\Documents and Settings\Ron Wells\.housecall\Quarantine\cpruninst.exe.bac_a03192 CryptFF.b: infected - 2 skipped
C:\Documents and Settings\Ron Wells\.housecall\Quarantine\cpr_mm2.exe.bac_a03192/WISE0008.BIN Infected: Trojan-Downloader.Win32.Adroar skipped
C:\Documents and Settings\Ron Wells\.housecall\Quarantine\cpr_mm2.exe.bac_a03192/WISE0009.BIN Infected: Trojan-Downloader.Win32.Adroar skipped
C:\Documents and Settings\Ron Wells\.housecall\Quarantine\cpr_mm2.exe.bac_a03192 WiseSFX: infected - 2 skipped
C:\Documents and Settings\Ron Wells\.housecall\Quarantine\cpr_mm2.exe.bac_a03192 CryptFF.b: infected - 2 skipped
C:\Documents and Settings\Ron Wells\.housecall\Quarantine\i87.tmp.bac_a03192 Infected: Trojan-Downloader.Win32.Totavel.a skipped
C:\Documents and Settings\Ron Wells\.housecall\Quarantine\Iel277g.exe.bac_a03192 Infected: Trojan-Downloader.Win32.VB.em skipped
C:\Documents and Settings\Ron Wells\.housecall\Quarantine\jar_cache14658.tmp.bac_a03192/Jvb.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\Ron Wells\.housecall\Quarantine\jar_cache14658.tmp.bac_a03192/MyFunction.class Infected: Trojan-Dropper.Java.Small.c skipped
C:\Documents and Settings\Ron Wells\.housecall\Quarantine\jar_cache14658.tmp.bac_a03192/MainApp.class Infected: Trojan.Java.ClassLoader.f skipped
C:\Documents and Settings\Ron Wells\.housecall\Quarantine\jar_cache14658.tmp.bac_a03192 ZIP: infected - 3 skipped
C:\Documents and Settings\Ron Wells\.housecall\Quarantine\jar_cache14658.tmp.bac_a03192 CryptFF.b: infected - 3 skipped
C:\Documents and Settings\Ron Wells\.housecall\Quarantine\jar_cache59592.tmp.bac_a03192/Jvb.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\Ron Wells\.housecall\Quarantine\jar_cache59592.tmp.bac_a03192/MyFunction.class Infected: Trojan-Dropper.Java.Small.c skipped
C:\Documents and Settings\Ron Wells\.housecall\Quarantine\jar_cache59592.tmp.bac_a03192/MainApp.class Infected: Trojan.Java.ClassLoader.f skipped
C:\Documents and Settings\Ron Wells\.housecall\Quarantine\jar_cache59592.tmp.bac_a03192 ZIP: infected - 3 skipped
C:\Documents and Settings\Ron Wells\.housecall\Quarantine\jar_cache59592.tmp.bac_a03192 CryptFF.b: infected - 3 skipped
C:\Documents and Settings\Ron Wells\.housecall\Quarantine\javainstaller.jar-31f00109-6ba8e4cf.zip.bac_a03192/javainstaller/InstallerApplet.class Infected: Trojan-Downloader.Java.OpenStream.w skipped
C:\Documents and Settings\Ron Wells\.housecall\Quarantine\javainstaller.jar-31f00109-6ba8e4cf.zip.bac_a03192 ZIP: infected - 1 skipped
C:\Documents and Settings\Ron Wells\.housecall\Quarantine\javainstaller.jar-31f00109-6ba8e4cf.zip.bac_a03192 CryptFF.b: infected - 1 skipped
C:\Documents and Settings\Ron Wells\.housecall\Quarantine\javainstaller.jar-4514e5ea-3dff9ce9.zip.bac_a03192/javainstaller/InstallerApplet.class Infected: Trojan-Downloader.Java.OpenStream.w skipped
C:\Documents and Settings\Ron Wells\.housecall\Quarantine\javainstaller.jar-4514e5ea-3dff9ce9.zip.bac_a03192 ZIP: infected - 1 skipped
C:\Documents and Settings\Ron Wells\.housecall\Quarantine\javainstaller.jar-4514e5ea-3dff9ce9.zip.bac_a03192 CryptFF.b: infected - 1 skipped
C:\Documents and Settings\Ron Wells\.housecall\Quarantine\Leaz.exe.bac_a03192 Infected: Trojan-Downloader.Win32.VB.em skipped
C:\Documents and Settings\Ron Wells\.housecall\Quarantine\mrjj.exe.bac_a03192 Infected: Trojan.Win32.LowZones.am skipped
C:\Documents and Settings\Ron Wells\.housecall\Quarantine\MxjQzK.exe.bac_a03192 Infected: Trojan-Downloader.Win32.VB.em skipped
C:\Documents and Settings\Ron Wells\.housecall\Quarantine\nkamcgj.exe.bac_a03192 Infected: Trojan-Dropper.Win32.Agent.mu skipped
C:\Documents and Settings\Ron Wells\.housecall\Quarantine\oW3jAxR.exe.bac_a03192 Infected: not-a-virus:AdWare.Win32.WinFetcher.e skipped
C:\Documents and Settings\Ron Wells\.housecall\Quarantine\pi1_25.exe.bac_a03192 Infected: Trojan-Downloader.Win32.Small.afq skipped
C:\Documents and Settings\Ron Wells\.housecall\Quarantine\pshwr.exe.bac_a03192 Infected: not-a-virus:AdWare.Win32.SafeSurfing.s skipped
C:\Documents and Settings\Ron Wells\.housecall\Quarantine\qaamazw.exe.bac_a03192 Infected: Trojan-Dropper.Win32.Agent.tb skipped
C:\Documents and Settings\Ron Wells\.housecall\Quarantine\quhyyaa.exe.bac_a03192 Infected: Trojan-Dropper.Win32.Agent.mu skipped
C:\Documents and Settings\Ron Wells\.housecall\Quarantine\s2mg.3.exe.bac_a03192 Infected: Trojan-Dropper.Win32.Agent.tb skipped
C:\Documents and Settings\Ron Wells\.housecall\Quarantine\s3nc.2.exe.bac_a03192 Infected: Trojan-Dropper.Win32.Small.qn skipped
C:\Documents and Settings\Ron Wells\.housecall\Quarantine\SehNf.exe.bac_a03192 Infected: Trojan-Downloader.Win32.VB.em skipped
C:\Documents and Settings\Ron Wells\.housecall\Quarantine\sj8.4l.exe.bac_a03192 Infected: Trojan-Dropper.Win32.Small.qn skipped
C:\Documents and Settings\Ron Wells\.housecall\Quarantine\sntaudio.tmp.bac_a03192 Infected: not-a-virus:AdWare.Win32.SafeSurfing.s skipped
C:\Documents and Settings\Ron Wells\.housecall\Quarantine\tfkditt.exe.bac_a03192 Infected: Trojan-Dropper.Win32.Agent.mu skipped
C:\Documents and Settings\Ron Wells\.housecall\Quarantine\time.class-50c9903d-41431860.class.bac_a03192 Infected: Trojan-Downloader.Win32.Small.bhf skipped
C:\Documents and Settings\Ron Wells\.housecall\Quarantine\Uah95H5X.exe.bac_a03192 Infected: Trojan-Downloader.Win32.VB.em skipped
C:\Documents and Settings\Ron Wells\.housecall\Quarantine\Xigzh.exe.bac_a03192 Infected: Trojan.Win32.Small.cy skipped
C:\Documents and Settings\Ron Wells\.housecall\Quarantine\XioVQ8t0.exe.bac_a03192 Infected: Trojan-Downloader.Win32.VB.em skipped
C:\Documents and Settings\Ron Wells\.housecall\Quarantine\Ygi78.exe.bac_a03192 Infected: Trojan-Downloader.Win32.VB.em skipped
C:\Documents and Settings\Ron Wells\.housecall\Quarantine\YtawJ.exe.bac_a03192 Infected: Trojan-Downloader.Win32.VB.em skipped
C:\Documents and Settings\Ron Wells\Desktop\Anti-malware\ccsetup126.exe/stream/data0006 Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped
C:\Documents and Settings\Ron Wells\Desktop\Anti-malware\ccsetup126.exe/stream Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped
C:\Documents and Settings\Ron Wells\Desktop\Anti-malware\ccsetup126.exe NSIS: infected - 2 skipped
C:\Documents and Settings\Ron Wells\Desktop\l2mfix\backup.zip/dlls/dEtaclen.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\Documents and Settings\Ron Wells\Desktop\l2mfix\backup.zip/dlls/dn6o01j3e.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\Documents and Settings\Ron Wells\Desktop\l2mfix\backup.zip/dlls/e020lafm1d2a.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\Documents and Settings\Ron Wells\Desktop\l2mfix\backup.zip/dlls/fpjo0313e.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\Documents and Settings\Ron Wells\Desktop\l2mfix\backup.zip/dlls/g2220cfoef2c0.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\Documents and Settings\Ron Wells\Desktop\l2mfix\backup.zip/dlls/hrls0537e.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\Documents and Settings\Ron Wells\Desktop\l2mfix\backup.zip/dlls/k2pm0c71ef.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\Documents and Settings\Ron Wells\Desktop\l2mfix\backup.zip/dlls/l4r00e9meh.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\Documents and Settings\Ron Wells\Desktop\l2mfix\backup.zip/dlls/lv0u09d9e.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\Documents and Settings\Ron Wells\Desktop\l2mfix\backup.zip/dlls/lv4809hue.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\Documents and Settings\Ron Wells\Desktop\l2mfix\backup.zip/dlls/mvrsl9971.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\Documents and Settings\Ron Wells\Desktop\l2mfix\backup.zip/dlls/n8n60i5se8.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\Documents and Settings\Ron Wells\Desktop\l2mfix\backup.zip ZIP: infected - 12 skipped
C:\Documents and Settings\Ron Wells\Local Settings\Temp\C4C5B.tmp/slk8x2peu.exe Infected: not-a-virus:AdWare.Win32.Suggestor.o skipped
C:\Documents and Settings\Ron Wells\Local Settings\Temp\C4C5B.tmp/faotvpap7.exe Infected: Trojan.Win32.Runner.h skipped
C:\Documents and Settings\Ron Wells\Local Settings\Temp\C4C5B.tmp CAB: infected - 2 skipped
C:\Documents and Settings\Ron Wells\Local Settings\Temp\CampusIMFeb.exe/NewExplorer.exe Infected: Trojan.Win32.VB.aft skipped
C:\Documents and Settings\Ron Wells\Local Settings\Temp\CampusIMFeb.exe InstallCreator: infected - 1 skipped
C:\Documents and Settings\Ron Wells\Local Settings\Temp\CampusIMFeb.exe UPX: infected - 1 skipped
C:\Documents and Settings\Ron Wells\Local Settings\Temp\f149640.exe Infected: Trojan-Downloader.Win32.Qoologic.bj skipped
C:\Documents and Settings\Ron Wells\Local Settings\Temp\f183687.exe Infected: Trojan-Downloader.Win32.Qoologic.bj skipped
C:\Documents and Settings\Ron Wells\Local Settings\Temp\f363265.exe Infected: Trojan-Downloader.Win32.Qoologic.bj skipped
C:\Documents and Settings\Ron Wells\Local Settings\Temp\f406109.exe Infected: Trojan-Downloader.Win32.Qoologic.bj skipped
C:\Documents and Settings\Ron Wells\Local Settings\Temp\f8188812.exe Infected: Trojan-Downloader.Win32.Qoologic.bj skipped
C:\Documents and Settings\Ron Wells\Local Settings\Temp\M1_SudokuInstaller.exe/data0006 Infected: Trojan-Dropper.Win32.VB.kk skipped
C:\Documents and Settings\Ron Wells\Local Settings\Temp\M1_SudokuInstaller.exe NSIS: infected - 1 skipped
C:\Documents and Settings\Ron Wells\Local Settings\Temp\Nat2.exe/Explorer.exe Infected: Trojan.Win32.VB.aft skipped
C:\Documents and Settings\Ron Wells\Local Settings\Temp\Nat2.exe/{FBD2EBD0-E6DF-456E-B300-A4D10A90C683}.dll Infected: Trojan.Win32.VB.aft skipped
C:\Documents and Settings\Ron Wells\Local Settings\Temp\Nat2.exe InstallCreator: infected - 2 skipped
C:\Documents and Settings\Ron Wells\Local Settings\Temp\Nat2.exe UPX: infected - 2 skipped
C:\Documents and Settings\Ron Wells\Local Settings\Temp\Tagasuarus.exe/data0002 Infected: Trojan-Downloader.Win32.VB.tw skipped
C:\Documents and Settings\Ron Wells\Local Settings\Temp\Tagasuarus.exe/data0003 Infected: Trojan.Win32.VB.tg skipped
C:\Documents and Settings\Ron Wells\Local Settings\Temp\Tagasuarus.exe/data0006 Infected: Trojan.Win32.VB.tg skipped
C:\Documents and Settings\Ron Wells\Local Settings\Temp\Tagasuarus.exe/data0007 Infected: Trojan.Win32.VB.tg skipped
C:\Documents and Settings\Ron Wells\Local Settings\Temp\Tagasuarus.exe NSIS: infected - 4 skipped
C:\Documents and Settings\Ron Wells\Local Settings\Temp\transpd.exe/data0002 Infected: not-a-virus:AdWare.Win32.Agent.e skipped
C:\Documents and Settings\Ron Wells\Local Settings\Temp\transpd.exe NSIS: infected - 1 skipped
C:\Documents and Settings\Ron Wells\Local Settings\Temporary Internet Files\Content.IE5\43U5YAC6\MTE3NDI6ODoxNg[1].exe Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\Documents and Settings\Ron Wells\Local Settings\Temporary Internet Files\Content.IE5\6G07X6SW\installerwnus[1].exe Infected: Trojan-Downloader.Win32.Qoologic.at skipped
C:\Documents and Settings\Ron Wells\Local Settings\Temporary Internet Files\Content.IE5\6G07X6SW\stub_113_4_0_4_0[1].exe Infected: Trojan-Downloader.Win32.TSUpdate.o skipped
C:\Documents and Settings\Ron Wells\Local Settings\Temporary Internet Files\Content.IE5\AVIAYFG9\Installer[1].exe Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\DR140306.exe/data0002 Infected: Trojan-Clicker.Win32.Small.jf skipped
C:\DR140306.exe NSIS: infected - 1 skipped
C:\drsmartload1.exe Infected: Trojan-Downloader.Win32.Adload.ap skipped
C:\drsmartload45a.exe Infected: Trojan-Downloader.Win32.Adload.an skipped
C:\Installer.exe Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\installerwnus.exe Infected: Trojan-Downloader.Win32.Qoologic.at skipped
C:\MTE3NDI6ODoxNg.exe Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\mti-hits.exe Infected: not-a-virus:AdWare.Win32.EZula.bn skipped
C:\NNSCAA638.EXE Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\Program Files\Alwil Software\Avast4\DATA\moved\A0099535.dll.vir Infected: Trojan-Downloader.Win32.Dyfuca.eg skipped
C:\Program Files\Alwil Software\Avast4\DATA\moved\Installer.exe.vir Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\Program Files\Alwil Software\Avast4\DATA\moved\MTE3NDI6ODoxNg.exe.2.vir Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\Program Files\Alwil Software\Avast4\DATA\moved\MTE3NDI6ODoxNg.exe.vir Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\Program Files\Alwil Software\Avast4\DATA\moved\MTE3NDI6ODoxNg[1].exe.2.vir Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\Program Files\Alwil Software\Avast4\DATA\moved\MTE3NDI6ODoxNg[1].exe.vir Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\Program Files\Alwil Software\Avast4\DATA\moved\Setup93.exe.vir/data0002 Infected: Trojan-Downloader.Win32.VB.tw skipped
C:\Program Files\Alwil Software\Avast4\DATA\moved\Setup93.exe.vir/data0003 Infected: Trojan.Win32.VB.tg skipped
C:\Program Files\Alwil Software\Avast4\DATA\moved\Setup93.exe.vir/data0006 Infected: Trojan.Win32.VB.tg skipped
C:\Program Files\Alwil Software\Avast4\DATA\moved\Setup93.exe.vir/data0007 Infected: Trojan.Win32.VB.tg skipped
C:\Program Files\Alwil Software\Avast4\DATA\moved\Setup93.exe.vir NSIS: infected - 4 skipped
C:\Program Files\Alwil Software\Avast4\DATA\moved\SS1001[1].exe.vir Infected: Trojan-Dropper.Win32.Small.qn skipped
C:\Program Files\Alwil Software\Avast4\DATA\moved\stub_113_4_0_4_0.exe.vir Infected: Trojan-Downloader.Win32.TSUpdate.o skipped
C:\Program Files\Alwil Software\Avast4\DATA\moved\stub_113_4_0_4_0[1].exe.vir Infected: Trojan-Downloader.Win32.TSUpdate.o skipped
C:\Program Files\Alwil Software\Avast4\DATA\moved\Veracruz.exe.vir/data0002/data0006 Infected: Trojan-Dropper.Win32.VB.kk skipped
C:\Program Files\Alwil Software\Avast4\DATA\moved\Veracruz.exe.vir/data0002 Infected: Trojan-Dropper.Win32.VB.kk skipped
C:\Program Files\Alwil Software\Avast4\DATA\moved\Veracruz.exe.vir NSIS: infected - 2 skipped
C:\Program Files\Alwil Software\Avast4\DATA\moved\Veracruz[1].exe.vir/data0002/data0006 Infected: Trojan-Dropper.Win32.VB.kk skipped
C:\Program Files\Alwil Software\Avast4\DATA\moved\Veracruz[1].exe.vir/data0002 Infected: Trojan-Dropper.Win32.VB.kk skipped
C:\Program Files\Alwil Software\Avast4\DATA\moved\Veracruz[1].exe.vir NSIS: infected - 2 skipped
C:\Program Files\EQAdvice\equpd.exe/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.ed skipped
C:\Program Files\EQAdvice\equpd.exe NSIS: infected - 1 skipped
C:\Program Files\EQBranch\EQBranch.exe Infected: not-a-virus:AdWare.Win32.PurityScan.ed skipped
C:\sk02.exe/data0002 Infected: Trojan-Clicker.Win32.Small.jf skipped
C:\sk02.exe NSIS: infected - 1 skipped
C:\stub_113_4_0_4_0.exe Infected: Trojan-Downloader.Win32.TSUpdate.o skipped
C:\System Volume Information\_restore{1751CA3E-67C9-4457-8832-B2DD7963CD78}\RP149\A0091326.DLL Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{1751CA3E-67C9-4457-8832-B2DD7963CD78}\RP149\A0092326.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{1751CA3E-67C9-4457-8832-B2DD7963CD78}\RP149\A0093326.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{1751CA3E-67C9-4457-8832-B2DD7963CD78}\RP149\A0094326.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{1751CA3E-67C9-4457-8832-B2DD7963CD78}\RP149\A0094492.exe Infected: not-a-virus:AdWare.Win32.Suggestor.o skipped
C:\System Volume Information\_restore{1751CA3E-67C9-4457-8832-B2DD7963CD78}\RP151\A0095328.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{1751CA3E-67C9-4457-8832-B2DD7963CD78}\RP151\A0095343.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{1751CA3E-67C9-4457-8832-B2DD7963CD78}\RP151\A0095344.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{1751CA3E-67C9-4457-8832-B2DD7963CD78}\RP151\A0095345.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{1751CA3E-67C9-4457-8832-B2DD7963CD78}\RP151\A0095346.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{1751CA3E-67C9-4457-8832-B2DD7963CD78}\RP151\A0095347.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{1751CA3E-67C9-4457-8832-B2DD7963CD78}\RP151\A0095348.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{1751CA3E-67C9-4457-8832-B2DD7963CD78}\RP151\A0095349.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{1751CA3E-67C9-4457-8832-B2DD7963CD78}\RP151\A0095350.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{1751CA3E-67C9-4457-8832-B2DD7963CD78}\RP151\A0095351.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{1751CA3E-67C9-4457-8832-B2DD7963CD78}\RP151\A0095352.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{1751CA3E-67C9-4457-8832-B2DD7963CD78}\RP151\A0096551.exe Infected: Trojan-Downloader.Win32.VB.aad skipped
C:\System Volume Information\_restore{1751CA3E-67C9-4457-8832-B2DD7963CD78}\RP153\A0099554.exe Infected: Trojan-Dropper.Win32.Agent.hl skipped
C:\System Volume Information\_restore{1751CA3E-67C9-4457-8832-B2DD7963CD78}\RP153\A0099555.exe Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{1751CA3E-67C9-4457-8832-B2DD7963CD78}\RP153\A0099556.exe Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\System Volume Information\_restore{1751CA3E-67C9-4457-8832-B2DD7963CD78}\RP153\A0099557.exe Infected: Trojan-Downloader.Win32.TSUpdate.o skipped
C:\System Volume Information\_restore{1751CA3E-67C9-4457-8832-B2DD7963CD78}\RP153\A0099558.exe Infected: Trojan-Dropper.Win32.Agent.hl skipped
C:\System Volume Information\_restore{1751CA3E-67C9-4457-8832-B2DD7963CD78}\RP153\A0099559.exe/data0002/data0006 Infected: Trojan-Dropper.Win32.VB.kk skipped
C:\System Volume Information\_restore{1751CA3E-67C9-4457-8832-B2DD7963CD78}\RP153\A0099559.exe/data0002 Infected: Trojan-Dropper.Win32.VB.kk skipped
C:\System Volume Information\_restore{1751CA3E-67C9-4457-8832-B2DD7963CD78}\RP153\A0099559.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{1751CA3E-67C9-4457-8832-B2DD7963CD78}\RP153\A0099574.exe Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{1751CA3E-67C9-4457-8832-B2DD7963CD78}\RP153\A0099580.exe Infected: Trojan-Dropper.Win32.Agent.amf skipped
C:\System Volume Information\_restore{1751CA3E-67C9-4457-8832-B2DD7963CD78}\RP153\A0099581.exe Infected: Trojan-Dropper.Win32.Agent.amf skipped
C:\System Volume Information\_restore{1751CA3E-67C9-4457-8832-B2DD7963CD78}\RP153\A0099582.exe Infected: Trojan-Downloader.Win32.Small.cpu skipped
C:\System Volume Information\_restore{1751CA3E-67C9-4457-8832-B2DD7963CD78}\RP153\A0099583.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{1751CA3E-67C9-4457-8832-B2DD7963CD78}\RP153\A0099584.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{1751CA3E-67C9-4457-8832-B2DD7963CD78}\RP153\A0099585.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{1751CA3E-67C9-4457-8832-B2DD7963CD78}\RP153\A0099586.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{1751CA3E-67C9-4457-8832-B2DD7963CD78}\RP153\A0099587.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{1751CA3E-67C9-4457-8832-B2DD7963CD78}\RP153\A0099588.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{1751CA3E-67C9-4457-8832-B2DD7963CD78}\RP153\A0099589.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{1751CA3E-67C9-4457-8832-B2DD7963CD78}\RP153\A0099590.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{1751CA3E-67C9-4457-8832-B2DD7963CD78}\RP153\A0099591.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{1751CA3E-67C9-4457-8832-B2DD7963CD78}\RP153\A0099592.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{1751CA3E-67C9-4457-8832-B2DD7963CD78}\RP153\A0099593.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{1751CA3E-67C9-4457-8832-B2DD7963CD78}\RP153\A0099594.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{1751CA3E-67C9-4457-8832-B2DD7963CD78}\RP153\A0099595.exe Infected: not-a-virus:AdWare.Win32.NewDotNet.e skipped
C:\System Volume Information\_restore{1751CA3E-67C9-4457-8832-B2DD7963CD78}\RP153\A0099673.exe Infected: Trojan-Downloader.Win32.VB.aad skipped
C:\System Volume Information\_restore{1751CA3E-67C9-4457-8832-B2DD7963CD78}\RP153\A0099674.exe Infected: Trojan-Downloader.Win32.Adload.ai skipped
C:\System Volume Information\_restore{1751CA3E-67C9-4457-8832-B2DD7963CD78}\RP153\A0099675.exe Infected: Trojan-Downloader.Win32.Adload.ab skipped
C:\System Volume Information\_restore{1751CA3E-67C9-4457-8832-B2DD7963CD78}\RP153\A0099676.exe Infected: Trojan-Downloader.Win32.Qoologic.at skipped
C:\System Volume Information\_restore{1751CA3E-67C9-4457-8832-B2DD7963CD78}\RP153\A0099677.exe Infected: Trojan-Downloader.Win32.Agent.agy skipped
C:\System Volume Information\_restore{1751CA3E-67C9-4457-8832-B2DD7963CD78}\RP153\A0099678.EXE Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\System Volume Information\_restore{1751CA3E-67C9-4457-8832-B2DD7963CD78}\RP153\A0099679.dll Infected: not-a-virus:AdWare.Win32.CASClient.g skipped
C:\System Volume Information\_restore{1751CA3E-67C9-4457-8832-B2DD7963CD78}\RP153\A0099680.exe Infected: Trojan-Downloader.Win32.Dyfuca.ex skipped
C:\System Volume Information\_restore{1751CA3E-67C9-4457-8832-B2DD7963CD78}\RP153\A0099681.exe Infected: Trojan-Downloader.Win32.PurityScan.au skipped
C:\System Volume Information\_restore{1751CA3E-67C9-4457-8832-B2DD7963CD78}\RP153\A0099682.exe Infected: Trojan-Dropper.Win32.Agent.aie skipped
C:\System Volume Information\_restore{1751CA3E-67C9-4457-8832-B2DD7963CD78}\RP153\A0099683.exe/data.rar/whAgent.exe Infected: not-a-virus:AdWare.Win32.WebHancer.351 skipped
C:\System Volume Information\_restore{1751CA3E-67C9-4457-8832-B2DD7963CD78}\RP153\A0099683.exe/data.rar/whSurvey.exe Infected: not-a-virus:AdWare.Win32.WebHancer.381 skipped
C:\System Volume Information\_restore{1751CA3E-67C9-4457-8832-B2DD7963CD78}\RP153\A0099683.exe/data.rar/webhdll.dll Infected: not-a-virus:AdWare.Win32.WebHancer.381 skipped
C:\System Volume Information\_restore{1751CA3E-67C9-4457-8832-B2DD7963CD78}\RP153\A0099683.exe/data.rar/whiehlpr.dll Infected: not-a-virus:AdWare.Win32.WebHancer.381 skipped
C:\System Volume Information\_restore{1751CA3E-67C9-4457-8832-B2DD7963CD78}\RP153\A0099683.exe/data.rar Infected: not-a-virus:AdWare.Win32.WebHancer.381 skipped
C:\System Volume Information\_restore{1751CA3E-67C9-4457-8832-B2DD7963CD78}\RP153\A0099683.exe RarSFX: infected - 5 skipped
C:\System Volume Information\_restore{1751CA3E-67C9-4457-8832-B2DD7963CD78}\RP153\A0099684.dll Infected: Trojan-Clicker.Win32.Small.jf skipped
C:\System Volume Information\_restore{1751CA3E-67C9-4457-8832-B2DD7963CD78}\RP153\A0099685.exe Infected: Trojan-Downloader.Win32.VB.zk skipped
C:\System Volume Information\_restore{1751CA3E-67C9-4457-8832-B2DD7963CD78}\RP153\A0099686.exe Infected: Trojan-Downloader.Win32.VB.zl skipped
C:\System Volume Information\_restore{1751CA3E-67C9-4457-8832-B2DD7963CD78}\RP153\A0099687.exe Infected: Trojan-Downloader.Win32.VB.zo skipped
C:\System Volume Information\_restore{1751CA3E-67C9-4457-8832-B2DD7963CD78}\RP153\A0099688.exe Infected: Trojan-Downloader.Win32.VB.zg skipped
C:\System Volume Information\_restore{1751CA3E-67C9-4457-8832-B2DD7963CD78}\RP153\A0099689.exe Infected: Trojan-Downloader.Win32.VB.aaa skipped
C:\System Volume Information\_restore{1751CA3E-67C9-4457-8832-B2DD7963CD78}\RP153\A0099690.exe Infected: Trojan-Downloader.Win32.VB.aaf skipped
C:\System Volume Information\_restore{1751CA3E-67C9-4457-8832-B2DD7963CD78}\RP153\A0099691.exe Infected: Trojan-Clicker.Win32.VB.lv skipped
C:\System Volume Information\_restore{1751CA3E-67C9-4457-8832-B2DD7963CD78}\RP153\A0099692.exe Infected: Trojan-Clicker.Win32.VB.ly skipped
C:\System Volume Information\_restore{1751CA3E-67C9-4457-8832-B2DD7963CD78}\RP153\A0099693.exe Infected: Trojan-Clicker.Win32.VB.ly skipped
C:\System Volume Information\_restore{1751CA3E-67C9-4457-8832-B2DD7963CD78}\RP153\A0099694.exe Infected: Trojan.Win32.VB.ali skipped
C:\System Volume Information\_restore{1751CA3E-67C9-4457-8832-B2DD7963CD78}\RP153\A0099695.exe Infected: Trojan.Win32.VB.ali skipped
C:\System Volume Information\_restore{1751CA3E-67C9-4457-8832-B2DD7963CD78}\RP153\A0099696.exe Infected: Trojan-Downloader.Win32.Adload.ae skipped
C:\System Volume Information\_restore{1751CA3E-67C9-4457-8832-B2DD7963CD78}\RP153\A0099697.exe Infected: Trojan-Downloader.Win32.Adload.ae skipped
C:\System Volume Information\_restore{1751CA3E-67C9-4457-8832-B2DD7963CD78}\RP153\A0099698.exe Infected: Trojan-Downloader.Win32.Adload.ae skipped
C:\System Volume Information\_restore{1751CA3E-67C9-4457-8832-B2DD7963CD78}\RP153\A0099699.exe Infected: Trojan-Downloader.Win32.Adload.ae skipped
C:\System Volume Information\_restore{1751CA3E-67C9-4457-8832-B2DD7963CD78}\RP153\A0099700.exe Infected: Trojan-Downloader.Win32.Adload.ae skipped
C:\System Volume Information\_restore{1751CA3E-67C9-4457-8832-B2DD7963CD78}\RP153\A0099701.exe Infected: Trojan-Downloader.Win32.VB.aaf skipped
C:\System Volume Information\_restore{1751CA3E-67C9-4457-8832-B2DD7963CD78}\RP153\A0099702.exe Infected: Trojan-Dropper.Win32.Small.qn skipped
C:\System Volume Information\_restore{1751CA3E-67C9-4457-8832-B2DD7963CD78}\RP153\A0099703.exe Infected: not-a-virus:AdWare.Win32.Suggestor.o skipped
C:\System Volume Information\_restore{1751CA3E-67C9-4457-8832-B2DD7963CD78}\RP153\A0099704.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.n skipped
C:\System Volume Information\_restore{1751CA3E-67C9-4457-8832-B2DD7963CD78}\RP153\A0099705.dll Infected: Trojan-Downloader.Win32.Agent.ahv skipped
C:\System Volume Information\_restore{1751CA3E-67C9-4457-8832-B2DD7963CD78}\RP153\A0099706.dll Infected: Trojan-Downloader.Win32.Agent.ahv skipped
C:\System Volume Information\_restore{1751CA3E-67C9-4457-8832-B2DD7963CD78}\RP153\A0099707.dll Infected: Trojan-Downloader.Win32.Agent.ahv skipped
C:\System Volume Information\_restore{1751CA3E-67C9-4457-8832-B2DD7963CD78}\RP153\A0099708.dll Infected: Trojan-Downloader.Win32.Agent.ahv skipped
C:\System Volume Information\_restore{1751CA3E-67C9-4457-8832-B2DD7963CD78}\RP153\A0099709.dll Infected: Trojan-Downloader.Win32.Agent.ahv skipped
C:\System Volume Information\_restore{1751CA3E-67C9-4457-8832-B2DD7963CD78}\RP153\A0099710.dll Infected: Trojan-Downloader.Win32.Agent.ahv skipped
C:\System Volume Information\_restore{1751CA3E-67C9-4457-8832-B2DD7963CD78}\RP153\A0099711.dll Infected: Trojan-Downloader.Win32.Agent.ahv skipped
C:\System Volume Information\_restore{1751CA3E-67C9-4457-8832-B2DD7963CD78}\RP153\A0099712.dll Infected: Trojan-Downloader.Win32.Agent.ahv skipped
C:\System Volume Information\_restore{1751CA3E-67C9-4457-8832-B2DD7963CD78}\RP153\A0099713.dll Infected: Trojan-Downloader.Win32.Agent.ahv skipped
C:\System Volume Information\_restore{1751CA3E-67C9-4457-8832-B2DD7963CD78}\RP153\A0099714.dll Infected: Trojan-Downloader.Win32.Agent.ahv skipped
C:\System Volume Information\_restore{1751CA3E-67C9-4457-8832-B2DD7963CD78}\RP153\A0099715.dll Infected: Trojan-Downloader.Win32.Agent.ahv skipped
C:\System Volume Information\_restore{1751CA3E-67C9-4457-8832-B2DD7963CD78}\RP153\A0099716.dll Infected: Trojan-Downloader.Win32.Agent.ahv skipped
C:\System Volume Information\_restore{1751CA3E-67C9-4457-8832-B2DD7963CD78}\RP153\A0099717.dll Infected: Trojan-Downloader.Win32.Agent.ahv skipped
C:\System Volume Information\_restore{1751CA3E-67C9-4457-8832-B2DD7963CD78}\RP153\A0099718.dll Infected: Trojan-Downloader.Win32.Agent.ahv skipped
C:\System Volume Information\_restore{1751CA3E-67C9-4457-8832-B2DD7963CD78}\RP153\A0099719.dll Infected: Trojan-Downloader.Win32.Agent.ahv skipped
C:\System Volume Information\_restore{1751CA3E-67C9-4457-8832-B2DD7963CD78}\RP153\A0099720.dll Infected: Trojan-Downloader.Win32.Agent.ahv skipped
C:\System Volume Information\_restore{1751CA3E-67C9-4457-8832-B2DD7963CD78}\RP153\A0099721.dll Infected: Trojan-Downloader.Win32.Agent.ahv skipped
C:\System Volume Information\_restore{1751CA3E-67C9-4457-8832-B2DD7963CD78}\RP153\A0099722.dll Infected: Trojan-Downloader.Win32.Agent.ahv skipped
C:\System Volume Information\_restore{1751CA3E-67C9-4457-8832-B2DD7963CD78}\RP153\A0099723.dll Infected: Trojan-Downloader.Win32.Agent.ahv skipped
C:\System Volume Information\_restore{1751CA3E-67C9-4457-8832-B2DD7963CD78}\RP153\A0099724.dll Infected: Trojan-Downloader.Win32.Agent.ahv skipped
C:\System Volume Information\_restore{1751CA3E-67C9-4457-8832-B2DD7963CD78}\RP153\A0099725.dll Infected: Trojan-Downloader.Win32.Agent.ahv skipped
C:\System Volume Information\_restore{1751CA3E-67C9-4457-8832-B2DD7963CD78}\RP153\A0099726.dll Infected: Trojan-Downloader.Win32.Agent.ahv skipped
C:\System Volume Information\_restore{1751CA3E-67C9-4457-8832-B2DD7963CD78}\RP153\A0099727.dll Infected: Trojan-Downloader.Win32.Agent.ahv skipped
C:\System Volume Information\_restore{1751CA3E-67C9-4457-8832-B2DD7963CD78}\RP153\A0099728.dll Infected: Trojan-Downloader.Win32.Agent.ahv skipped
C:\System Volume Information\_restore{1751CA3E-67C9-4457-8832-B2DD7963CD78}\RP153\A0099729.dll Infected: Trojan-Downloader.Win32.Agent.ahv skipped
C:\System Volume Information\_restore{1751CA3E-67C9-4457-8832-B2DD7963CD78}\RP153\A0099730.dll Infected: Trojan-Downloader.Win32.Agent.ahv skipped
C:\System Volume Information\_restore{1751CA3E-67C9-4457-8832-B2DD7963CD78}\RP153\A0099731.dll Infected: Trojan-Downloader.Win32.Agent.ahv skipped
C:\System Volume Information\_restore{1751CA3E-67C9-4457-8832-B2DD7963CD78}\RP153\A0099732.dll Infected: Trojan-Downloader.Win32.Agent.ahv skipped
C:\System Volume Information\_restore{1751CA3E-67C9-4457-8832-B2DD7963CD78}\RP153\A0099733.dll Infected: Trojan-Downloader.Win32.Agent.ahv skipped
C:\System Volume Information\_restore{1751CA3E-67C9-4457-8832-B2DD7963CD78}\RP153\A0099734.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.m skipped
C:\System Volume Information\_restore{1751CA3E-67C9-4457-8832-B2DD7963CD78}\RP153\A0099736.dll Infected: Trojan-Downloader.Win32.Qoologic.bj skipped
C:\System Volume Information\_restore{1751CA3E-67C9-4457-8832-B2DD7963CD78}\RP153\A0099737.dll Infected: not-a-virus:AdWare.Win32.Suggestor.o skipped
C:\System Volume Information\_restore{1751CA3E-67C9-4457-8832-B2DD7963CD78}\RP154\A0099762.dll Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\System Volume Information\_restore{1751CA3E-67C9-4457-8832-B2DD7963CD78}\RP154\A0099771.dll Infected: not-a-virus:AdWare.Win32.WebHancer.381 skipped
C:\System Volume Information\_restore{1751CA3E-67C9-4457-8832-B2DD7963CD78}\RP154\A0099772.exe Infected: not-a-virus:AdWare.Win32.WebHancer.351 skipped
C:\System Volume Information\_restore{1751CA3E-67C9-4457-8832-B2DD7963CD78}\RP154\A0099774.dll Infected: not-a-virus:AdWare.Win32.WebHancer.381 skipped
C:\System Volume Information\_restore{1751CA3E-67C9-4457-8832-B2DD7963CD78}\RP154\A0099776.exe Infected: not-a-virus:AdWare.Win32.WebHancer.381 skipped
C:\System Volume Information\_restore{1751CA3E-67C9-4457-8832-B2DD7963CD78}\RP156\A0101762.exe Infected: Trojan-Downloader.Win32.Qoologic.at skipped
C:\System Volume Information\_restore{1751CA3E-67C9-4457-8832-B2DD7963CD78}\RP158\A0103831.exe Infected: Trojan-Downloader.Win32.Qoologic.at skipped
C:\System Volume Information\_restore{1751CA3E-67C9-4457-8832-B2DD7963CD78}\RP158\A0103859.exe Infected: Trojan-Downloader.Win32.TSUpdate.o skipped
C:\System Volume Information\_restore{1751CA3E-67C9-4457-8832-B2DD7963CD78}\RP158\A0103860.exe Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\System Volume Information\_restore{1751CA3E-67C9-4457-8832-B2DD7963CD78}\RP158\A0103861.exe Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{1751CA3E-67C9-4457-8832-B2DD7963CD78}\RP158\A0104831.exe Infected: Trojan-Downloader.Win32.Qoologic.at skipped
C:\System Volume Information\_restore{1751CA3E-67C9-4457-8832-B2DD7963CD78}\RP159\A0104847.exe Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\System Volume Information\_restore{1751CA3E-67C9-4457-8832-B2DD7963CD78}\RP159\A0104848.exe Infected: not-a-virus:AdWare.Win32.NewDotNet.e skipped
C:\System Volume Information\_restore{1751CA3E-67C9-4457-8832-B2DD7963CD78}\RP159\A0104850.exe Infected: Trojan-Downloader.Win32.Qoologic.at skipped
C:\System Volume Information\_restore{1751CA3E-67C9-4457-8832-B2DD7963CD78}\RP159\A0104851.dll Infected: not-a-virus:AdWare.Win32.NewDotNet.i skipped
C:\visfx500.exe Infected: Trojan-Dropper.Win32.Agent.aie skipped
C:\WHCC2.exe/data.rar/whAgent.exe Infected: not-a-virus:AdWare.Win32.WebHancer.351 skipped
C:\WHCC2.exe/data.rar/whSurvey.exe Infected: not-a-virus:AdWare.Win32.WebHancer.381 skipped
C:\WHCC2.exe/data.rar/webhdll.dll Infected: not-a-virus:AdWare.Win32.WebHancer.381 skipped
C:\WHCC2.exe/data.rar/whiehlpr.dll Infected: not-a-virus:AdWare.Win32.WebHancer.381 skipped
C:\WHCC2.exe/data.rar Infected: not-a-virus:AdWare.Win32.WebHancer.381 skipped
C:\WHCC2.exe RarSFX: infected - 5 skipped
C:\WINDOWS\errorhandler.exe Infected: Trojan-Downloader.Win32.VB.nw skipped
C:\WINDOWS\keyboard10.exe Infected: Trojan-Downloader.Win32.Adload.am skipped
C:\WINDOWS\keyboard11.exe Infected: Backdoor.Win32.VB.ary skipped
C:\WINDOWS\mousepad10.exe Infected: Trojan-Clicker.Win32.VB.mo skipped
C:\WINDOWS\mousepad11.exe Infected: Trojan-Clicker.Win32.VB.mo skipped
C:\WINDOWS\mousepad9.exe Infected: Trojan-Clicker.Win32.VB.mo skipped
C:\WINDOWS\NDNuninstall6_38.exe Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\WINDOWS\NDNuninstall7_22.exe Infected: not-a-virus:AdWare.Win32.NewDotNet.e skipped
C:\WINDOWS\newname10.exe Infected: Trojan-Downloader.Win32.Adload.ae skipped
C:\WINDOWS\newname11.exe Infected: Trojan-Downloader.Win32.Adload.ae skipped
C:\WINDOWS\pf78.exe/data0002 Infected: Trojan-Downloader.Win32.VB.tw skipped
C:\WINDOWS\pf78.exe/data0003 Infected: Trojan.Win32.VB.tg skipped
C:\WINDOWS\pf78.exe/data0006 Infected: Trojan.Win32.VB.tg skipped
C:\WINDOWS\pf78.exe/data0007 Infected: Trojan.Win32.VB.tg skipped
C:\WINDOWS\pf78.exe NSIS: infected - 4 skipped
C:\WINDOWS\pf78bb.exe/data0002 Infected: Trojan-Clicker.Win32.Small.jf skipped
C:\WINDOWS\pf78bb.exe NSIS: infected - 1 skipped
C:\WINDOWS\SS1001.exe Infected: Trojan-Dropper.Win32.Small.qn skipped
C:\WINDOWS\system32\BMG3b.exe/{8110581C-FEA4-47AC-ADBC-DE958DD0F354}.dll Infected: Trojan.Win32.VB.aft skipped
C:\WINDOWS\system32\BMG3b.exe InstallCreator: infected - 1 skipped
C:\WINDOWS\system32\BMG3b.exe UPX: infected - 1 skipped
C:\WINDOWS\system32\dmonwv.dll Infected: Trojan-Downloader.Win32.Agent.agw skipped
C:\WINDOWS\system32\dwdsregt.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.m skipped
C:\WINDOWS\system32\fpdrnznx.dll Infected: not-a-virus:AdWare.Win32.Suggestor.o skipped
C:\WINDOWS\system32\owinrrag.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.n skipped
C:\WINDOWS\system32\qqdsregl.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.m skipped
C:\WINDOWS\system32\w004a092.dll Infected: Trojan-Downloader.Win32.Agent.ahv skipped
C:\WINDOWS\system32\xdcjx.dat Infected: Trojan-Downloader.Win32.Qoologic.bj skipped
C:\WINDOWS\Temp\_avast4_\PxB543.tmp Infected: Trojan-Downloader.Win32.Qoologic.ax skipped
C:\WINDOWS\zlmavrvA.exe Infected: Trojan-Clicker.Win32.VB.ij skipped
C:\ZICORN001.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.m skipped

Scan process completed.





Mon 04/17/2006
Running from: C:\Documents and Settings\Ron Wells\Desktop\FindQool\FindQool
PLEASE NOTE: LEGIT FILES MIGHT BE LISTED. IF YOU ARE UNSURE OF WHAT IS LISTED LEAVE THEM ALONE.

Known file names
C:\WINDOWS\SYSTEM32\DMONWV.DLL
C:\WINDOWS\UNWN.EXE

MD5 Check....
C:\WINDOWS\system32\dmonwv.dll
C:\WINDOWS\system32\xdcjx.dat
C:\WINDOWS\system32\sgngmd.exe
C:\WINDOWS\system32\jpekm.exe
C:\WINDOWS\system32\ynngely.dll
C:\WINDOWS\system32\tklowin.exe

Files found with locate com.
C:\WINDOWS\SYSTEM32\TKLOWIN.EXE
C:\WINDOWS\SYSTEM32\YNNGELY.DLL
C:\WINDOWS\SYSTEM32\XDCJX.DAT
C:\WINDOWS\SYSTEM32\SGNGMD.EXE
C:\WINDOWS\SYSTEM32\JPEKM.EXE
C:\DOCUME~1\ALLUSE~1\STARTM~1\PROGRAMS\STARTUP\KNYHS.EXE
Re-check using dir /a:-d
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
03/19/2006 04:11 PM 127,488 knyhs.exe
...

HKEY_LOCAL_MACHINE\software\qstat
HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\extensions\{4abf810a-f11d-4169-9d5f-7d274f2270a1}
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\webnexus
HKEY_LOCAL_MACHINE\software\classes\folder\shellex\columnhandlers\{ce3a44d8-bc88-4d62-a890-42d96245f8d6}

...
Runs, Listed here as a Doublecheck for the locate com results
HKLM
"rwrxmb"="C:\\WINDOWS\\system32\\sgngmd.exe reg_run"
HKCU
"otyyn"="C:\\WINDOWS\\system32\\sgngmd.exe reg_run"
...

Files In Winlogon shell and userinit
Listed here as a Doublecheck for the locate com results
shell REG_SZ Explorer.exe, C:\WINDOWS\system32\jpekm.exe
userinit REG_SZ userinit.exe,tklowin.exe
...
SWReg utility
Written by Bobbi Flekman © 2005
Findqool edited 4/05/2006





Logfile of HijackThis v1.99.1
Scan saved at 4:09:02 PM, on 4/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\windows\mousepad11.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\zlmavrvA.exe
C:\WINDOWS\errorhandler.exe
C:\windows\system32\qqdsregl.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\owinrrag.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Ron Wells\Desktop\Anti-malware\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\jpekm.exe
F2 - REG:system.ini: UserInit=userinit.exe,tklowin.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HtFG] C:\WINDOWS\sfmywm.exe
O4 - HKLM\..\Run: [SaferScan] C:\Program Files\SaferScan\saferscan.exe
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [keyboard] C:\windows\keyboard11.exe
O4 - HKLM\..\Run: [mousepad] C:\windows\mousepad11.exe
O4 - HKLM\..\Run: [newname] C:\windows\newname11.exe
O4 - HKLM\..\Run: [webHancer Survey Companion] C:\Program Files\webHancer\Programs\whsurvey.exe
O4 - HKLM\..\Run: [HPHUPD08] C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [w002ce33.dll] RUNDLL32.EXE w002ce33.dll,I2 00009f1a0002ce33
O4 - HKLM\..\Run: [zlmavrvA] C:\WINDOWS\zlmavrvA.exe
O4 - HKLM\..\Run: [errorhandler] C:\WINDOWS\errorhandler.exe
O4 - HKLM\..\Run: [w00164fe.dll] RUNDLL32.EXE w00164fe.dll,I2 00009f1a000164fe
O4 - HKLM\..\Run: [w0019e6d.dll] RUNDLL32.EXE w0019e6d.dll,I2 00009f1a00019e6d
O4 - HKLM\..\Run: [w002f61e.dll] RUNDLL32.EXE w002f61e.dll,I2 00009f1a0002f61e
O4 - HKLM\..\Run: [w001e54a.dll] RUNDLL32.EXE w001e54a.dll,I2 00009f1a0001e54a
O4 - HKLM\..\Run: [w0026690.dll] RUNDLL32.EXE w0026690.dll,I2 00009f1a00026690
O4 - HKLM\..\Run: [w0014178.dll] RUNDLL32.EXE w0014178.dll,I2 00009f1a00014178
O4 - HKLM\..\Run: [w0026bef.dll] RUNDLL32.EXE w0026bef.dll,I2 00009f1a00026bef
O4 - HKLM\..\Run: [w0012f39.dll] RUNDLL32.EXE w0012f39.dll,I2 00009f1a00012f39
O4 - HKLM\..\Run: [w006b8d3.dll] RUNDLL32.EXE w006b8d3.dll,I2 00009f1a0006b8d3
O4 - HKLM\..\Run: [w001a999.dll] RUNDLL32.EXE w001a999.dll,I2 00009f1a0001a999
O4 - HKLM\..\Run: [w001d26e.dll] RUNDLL32.EXE w001d26e.dll,I2 00009f1a0001d26e
O4 - HKLM\..\Run: [w0015ea5.dll] RUNDLL32.EXE w0015ea5.dll,I2 00009f1a00015ea5
O4 - HKLM\..\Run: [w0016184.dll] RUNDLL32.EXE w0016184.dll,I2 00009f1a00016184
O4 - HKLM\..\Run: [w00253f2.dll] RUNDLL32.EXE w00253f2.dll,I2 00009f1a000253f2
O4 - HKLM\..\Run: [w001f42e.dll] RUNDLL32.EXE w001f42e.dll,I2 00009f1a0001f42e
O4 - HKLM\..\Run: [w0032dc8.dll] RUNDLL32.EXE w0032dc8.dll,I2 00009f1a00032dc8
O4 - HKLM\..\Run: [w001ee72.dll] RUNDLL32.EXE w001ee72.dll,I2 00009f1a0001ee72
O4 - HKLM\..\Run: [w001dd6a.dll] RUNDLL32.EXE w001dd6a.dll,I2 00009f1a0001dd6a
O4 - HKLM\..\Run: [w0018c9b.dll] RUNDLL32.EXE w0018c9b.dll,I2 00009f1a00018c9b
O4 - HKLM\..\Run: [w001651d.dll] RUNDLL32.EXE w001651d.dll,I2 00009f1a0001651d
O4 - HKLM\..\Run: [w00190d1.dll] RUNDLL32.EXE w00190d1.dll,I2 00009f1a000190d1
O4 - HKLM\..\Run: [w0018c5c.dll] RUNDLL32.EXE w0018c5c.dll,I2 00009f1a00018c5c
O4 - HKLM\..\Run: [w0012b7f.dll] RUNDLL32.EXE w0012b7f.dll,I2 00009f1a00012b7f
O4 - HKLM\..\Run: [w0040423.dll] RUNDLL32.EXE w0040423.dll,I2 00009f1a00040423
O4 - HKLM\..\Run: [w0012d16.dll] RUNDLL32.EXE w0012d16.dll,I2 00009f1a00012d16
O4 - HKLM\..\Run: [w001628d.dll] RUNDLL32.EXE w001628d.dll,I2 00009f1a0001628d
O4 - HKLM\..\Run: [w001c54e.dll] RUNDLL32.EXE w001c54e.dll,I2 00009f1a0001c54e
O4 - HKLM\..\Run: [w000f8f6.dll] RUNDLL32.EXE w000f8f6.dll,I2 00009f1a0000f8f6
O4 - HKLM\..\Run: [{3C-C5-55-5B-ZN}] C:\windows\system32\qqdsregl.exe CORN001
O4 - HKLM\..\Run: [w004a092.dll] RUNDLL32.EXE w004a092.dll,I2 00009f1a0004a092
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\owinrrag.exe CORN001
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
O4 - HKCU\..\Run: [EQBranch] "C:\Program Files\EQBranch\EQBranch.exe"
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\owinrrag.exe
O4 - Startup: Z_Start.lnk = C:\WINDOWS\system32\dwdsregt.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.elitemediagroup.net
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/ka ... nicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by104fd.bay104.hotmail.msn.com/r ... nPUpld.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: text/html - {CEA53356-C414-4331-A35E-AA4CE9D8DFA2} - C:\WINDOWS\system32\w9seq.dll
O20 - AppInit_DLLs: dkmdbifa.dll,Runner.dll,Runner.dll,pceghlfh.dll,EQMini.dll
O20 - Winlogon Notify: App Paths - C:\WINDOWS\system32\shecli.dll (file missing)
O20 - Winlogon Notify: DH - C:\WINDOWS\system32\sUfrdm.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: StillImage - C:\WINDOWS\system32\lv4809hue.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Curtains for Windows System Service (CurtainsSysSvc) - Authentium, Inc. - c:\program files\comcast\security manager\app\CurtainsSysSvcNt.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
Rilo_Kiley
Active Member
 
Posts: 10
Joined: April 4th, 2006, 8:27 pm