0

New guy ....hello all....and thanks for the help I am about to get! Plagued with Aurora, Drpmon and MHTMLRedir problems :mad: .....here's my Hijackthis scan....first time user of the scan and forums.....welcome the advice/tips


Logfile of HijackThis v1.99.1
Scan saved at 2:23:33 PM, on 7/6/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\WildTangent\Apps\GameChannel.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\System32\RUNDLL32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system\lnfkdojmd.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
c:\windows\system32\djaqakd.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
C:\Program Files\Kodak\KODAK Picture Transfer Software\pts.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\raui.exe
C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\UAService7.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus9.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus9.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://qus9.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [QuickFinder Scheduler] "c:\Program Files\WordPerfect Office 11\Programs\QFSCHD110.EXE"
O4 - HKLM\..\Run: [hplampc] C:\WINDOWS\system32\hplampc.exe
O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe"
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [qbet] C:\WINDOWS\qbet.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [dkhuuet] c:\windows\system32\djaqakd.exe r
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\halpum.exe reg_run
O4 - HKLM\..\Run: [C:\WINDOWS\VCMnet11.exe] C:\WINDOWS\VCMnet11.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Io02RRM3V] atrivs.exe
O4 - HKCU\..\Run: [kbdsp] C:\WINDOWS\System32\kbdsp.exe
O4 - Startup: Compaq Organize.lnk = ?
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O4 - Global Startup: KODAK Picture Transfer Software.lnk = ?
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O10 - Hijacked Internet access by New.Net
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {5F3B3060-09E0-44C6-86F7-BC7B02B57BEE} - http://downloads.shopathomeselect.com/c2c/grinstall_c2c1002.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.15.22/ttinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {D1ACD2D8-7312-4D06-BECD-90EB094D2277} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/sj/en/check/qdiagh.cab?325
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\Program Files\Cas\Client\casmf.dll
O20 - Winlogon Notify: URL - C:\WINDOWS\system32\dcdskmgr.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\System32\UAService7.exe

4
Contributors
49
Replies
50
Views
12 Years
Discussion Span
Last Post by crunchie
0

Hi, welcome to the site. :)

Unfortunately, you have more than the Aurora infection. To begin with, please follow these general cleaning procedures to remove (hopefully) most of the "unwanted guests:


1. Run at least two or three of the following online anti-virus/anti-spyware scans and let them fix what they can:

http://www.kaspersky.com/scanforvirus.html
http://housecall.trendmicro.com/
http://us.mcafee.com/root/mfs/default.asp?cid=9914
http://www.pandasoftware.com/active...n_principal.htm
http://www.ravantivirus.com/scan/
http://www.bitdefender.com/scan/licence.php


2. Download, install, and run the following (free) detection and removal tools (use each program's online update function before running them to make sure you have the most current updates installed).

After each utility completes its fixes, reboot before continuing on to the next utility; have the utilities fix all of the problematic/malicious items they find:

ewido Security Suite - http://www.ewido.net/en/download/
Microsoft Anti-Spyware beta - http://www.microsoft.com/downloads/...&displaylang=en
Ad Aware SE Personal - http://www.lavasoftusa.com/
SpyBot Search & Destroy - http://www.safer-networking.org/


3. Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up)

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extentions for known file types".

- For every user account listed under C:\Documents and Settings, delete the entire contents of these folders (but not the folders themselves):

Important: One of the normal steps in eliminating malicious programs is to entirely delete the contents of all Temp folders. Given that, if any data that you care about is living in those Temp folders, you need to move it to a safe location now, or it will be erased along with everything else!

1. Cookies
2. Local Settings\Temp
3. Local Settings\History
4. Local Settings\Temporary Internet Files

- Delete the entire content of your C:\Windows\Temp folder.

- Delete the entire content of your C:\Windows\Prefetch folder.

Note- If you get any messages concerning the deletion of system files such as desktop.ini or index.dat, just choose to delete those files; they'll be automatically regenerated by Windows if needed. Windows will allow you to delete the versions of those files which exist in sub-folders within the main Temp/Temorary folders, but might not let you delete the versions of those files that exist in the main Temp folders themselves; this is normal and OK.

- Empty your Recycle Bin.

- Reboot normally.

0

Hmm... It's dark, and I'm posting at the same time as dlh6213. That can only mean one thing:

I should have been in bed 3 hours ago! :eek: :mrgreen:

The Nasties are all yours until tomorrow, Danny; I'm logging off and heading for the Comfy Pillow now...

0

Dave, I deleted my post because yours had more info included, mine was just links to similar info. :)

I saw your name reviewing this thread just as I hit the Post button.

0

I saw your name reviewing this thread just as I hit the Post button.

Speaking of which- I know that definitely meant that I was up too late, but does it also mean that you got up at some unholy early hour just to sneak in a few posts here before work? :cheesy:

0

Speaking of which- I know that definitely meant that I was up too late, but does it also mean that you got up at some unholy early hour just to sneak in a few posts here before work? :cheesy:

No, I did it during my lunch break while at work, that's why they were so short -- I saw how far behind we were and wanted get as many answered as I could.

0

Hi again....thanks for the help dlh6213 et, al.......I followed the steps and it seemed to clean out a lot....but I think I still may have some issues :( ......fyi I had been running the Lavasoft product Ad Aware and Ad Watch as well as Norton Anti Virus (but I think there was some damage done to it by the nasties) .....here's my HJT log.....any additional steps to take? thanks

Logfile of HijackThis v1.99.1
Scan saved at 11:06:07 PM, on 7/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe
C:\WINDOWS\System32\RUNDLL32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\UAService7.exe
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
C:\Program Files\Kodak\KODAK Picture Transfer Software\pts.exe
C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
H:\Security\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus9.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus9.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://qus9.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [QuickFinder Scheduler] "c:\Program Files\WordPerfect Office 11\Programs\QFSCHD110.EXE"
O4 - HKLM\..\Run: [hplampc] C:\WINDOWS\system32\hplampc.exe
O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe"
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [qbet] C:\WINDOWS\qbet.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Io02RRM3V] atrivs.exe
O4 - HKCU\..\Run: [kbdsp] C:\WINDOWS\System32\kbdsp.exe
O4 - Startup: Compaq Organize.lnk = ?
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O4 - Global Startup: KODAK Picture Transfer Software.lnk = ?
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.15.22/ttinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {D1ACD2D8-7312-4D06-BECD-90EB094D2277} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/sj/en/check/qdiagh.cab?325
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4529/mcfscan.cab
O20 - Winlogon Notify: Internet Settings - C:\WINDOWS\system32\dcdskmgr.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\System32\UAService7.exe

0

You will need to disconnect from the internet so you may wish to print these instructions.

Go to Add/Remove Programs in your Control Panel and remove WildTangent (or WT), if present.


Download Nailfix from here:
http://www.noidea.us/easyfile/file.php?download=20050515010747824
Unzip it to your desktop, but do not run it yet.

Download, install, update, and run these tools:

CWShredder -- http://www.intermute.com/spysubtract/cwshredder_download.html
about:Buster -- http://www.majorgeeks.com/download4289.html
HSRemove -- http://www.majorgeeks.com/download4286.html
PurityScan uninstaller -- http://www.purityscan.com/uninstall.html

Disconnect from the net and reboot into Safe Mode.

Double-click on the Nailfix.cmd that is on your desktop. Your desktop and icons will disappear and reappear, and a window should open and close very quickly -- this is normal.

Then run a full system scan with Ewido (note: you will be posting the log from this scan in your next reply).

Still in Safe Mode, scan with hijackthis and have it fix the following entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus9.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus9.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://qus9.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
O4 - HKLM\..\Run: [qbet] C:\WINDOWS\qbet.exe
O4 - HKCU\..\Run: [Io02RRM3V] atrivs.exe
O4 - HKCU\..\Run: [kbdsp] C:\WINDOWS\System32\kbdsp.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/tec...sa/LSSupCtl.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.15.22/ttinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/tec...sa/SymAData.cab
O16 - DPF: {D1ACD2D8-7312-4D06-BECD-90EB094D2277} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/sj/en/check/qdiagh.cab?325
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/i...529/mcfscan.cab
O20 - Winlogon Notify: Internet Settings - C:\WINDOWS\system32\dcdskmgr.dll
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)

Close any open windows, other then hijackthis, before hitting Fix checked.

Go to the following locations and delete the highlighted files and folder:

C:\WINDOWS\Nail.exe
C:\WINDOWS\qbet.exe
C:\windows\SvcProc.exe
C:\WINDOWS\System32\kbdsp.exe
C:\WINDOWS\system32\dcdskmgr.dll

C:\Program Files\WildTangent

Do a search for these files and delete any instances found:

Atrivs.exe
Systb.dll
Winobject.dll
Winserv.exe
Wupdt.exe

Empty your Recycle Bin and reboot normally.

Close any open browser windows, scan with HJT and post a new log along with the Ewido log.

0

Back again...performed the tasks.....had some minor issues

1) my PC kept haning when I was searchin for the files at the end of the list
2) two of the "fixes" from the hijackthis scan that you suggested to "fix" were not present when I ran the scan - the 02- BHO etc and the 023 - Service: System etc

here's my latest HJT and Ewido log....thanks for the help

Logfile of HijackThis v1.99.1
Scan saved at 10:28:14 PM, on 8/2/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
C:\Program Files\Kodak\KODAK Picture Transfer Software\pts.exe
C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\UAService7.exe
C:\Program Files\Hijackthis\HijackThis.exe


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus9.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus9.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus9.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {12EE7A5E-0674-42f9-A76B-000000004D00} - (no file)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [QuickFinder Scheduler] "c:\Program Files\WordPerfect Office 11\Programs\QFSCHD110.EXE"
O4 - HKLM\..\Run: [hplampc] C:\WINDOWS\system32\hplampc.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [qbet] C:\WINDOWS\qbet.exe
O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Io02RRM3V] atrivs.exe
O4 - HKCU\..\Run: [kbdsp] C:\WINDOWS\System32\kbdsp.exe
O4 - Startup: Compaq Organize.lnk = ?
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O4 - Global Startup: KODAK Picture Transfer Software.lnk = ?
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O20 - Winlogon Notify: ShellServiceObjectDelayLoad - C:\WINDOWS\system32\kqdhu.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\System32\UAService7.exe



---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------


+ Created on:           8:59:26 PM, 8/2/2005
+ Report-Checksum:      CF9A630D


+ Scan result:


HKLM\SOFTWARE\Bargains -> Spyware.BargainBuddy : Cleaned with backup
HKLM\SOFTWARE\Classes\ADP.UrlCatcher -> Spyware.BargainBuddy : Cleaned with backup
HKLM\SOFTWARE\Classes\ADP.UrlCatcher\CLSID -> Spyware.BargainBuddy : Cleaned with backup
HKLM\SOFTWARE\Classes\AppID\BookedSpace.DLL -> Spyware.BookedSpace : Cleaned with backup
HKLM\SOFTWARE\Classes\AppID\{0DC5CD7C-F653-4417-AA43-D457BE3A9622} -> Spyware.BookedSpace : Cleaned with backup
HKLM\SOFTWARE\Classes\BookedSpace.Extension -> Spyware.BookedSpace : Cleaned with backup
HKLM\SOFTWARE\Classes\BookedSpace.Extension\CLSID -> Spyware.BookedSpace : Cleaned with backup
HKLM\SOFTWARE\Classes\BookedSpace.Extension\CurVer -> Spyware.BookedSpace : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{0019C3E2-DD48-4A6D-ABCD-8D32436323D9} -> Spyware.BookedSpace : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{12EE7A5E-0674-42f9-A76A-000000004D00} -> Spyware.BrowserAid : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{12EE7A5E-0674-42f9-A76B-000000004D00} -> Spyware.BrowserAid : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{A8BD9566-9895-4FA3-918D-A51D4CD15865} -> Spyware.Delfin : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} -> Spyware.BargainBuddy : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{D0070620-1E72-42E7-A14C-3A255AD31839} -> Spyware.Delfin : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{E004800A-73C6-4587-B855-98D0CE0C16B1} -> Spyware.BrowserAid : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{F4E04583-354E-4076-BE7D-ED6A80FD66DA} -> Spyware.BargainBuddy : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{05080E6B-A88A-4CFD-8C3D-9B2557670B6E} -> Spyware.BookedSpace : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{2BB15D36-43BE-4743-A3A0-3308F4B1A610} -> Spyware.Delfin : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{41700749-A109-4254-AF13-BE54011E8783} -> Spyware.Delfin : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{8EEE58D5-130E-4CBD-9C83-35A0564E1357} -> Spyware.NaviSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{8EEE58D5-130E-4CBD-9C83-35A0564E5678} -> Spyware.BargainBuddy : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{C6906A23-4717-4E1F-B6FD-F06EBED11357} -> Spyware.NaviSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{C6906A23-4717-4E1F-B6FD-F06EBED15678} -> Spyware.BargainBuddy : Cleaned with backup
HKLM\SOFTWARE\Classes\NLS.UrlCatcher -> Spyware.NaviSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\NLS.UrlCatcher\CLSID -> Spyware.NaviSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{0DC5CD7C-F653-4417-AA43-D457BE3A9622} -> Spyware.BookedSpace : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{12EE7A5E-0674-42F9-A76C-000000004D00} -> Spyware.BrowserAid : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{2A7DB8D1-43BE-4AD3-A81E-9BB8C9D00073} -> Spyware.Delfin : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{4EB7BBE8-2E15-424B-9DDB-2CDB9516B2C3} -> Spyware.NaviSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{4EB7BBE8-2E15-424B-9DDB-2CDB9516C2E3} -> Spyware.NaviSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\_ATL_GENERATED.SearchToolbarBHO -> Spyware.BrowserAid : Cleaned with backup
HKLM\SOFTWARE\Classes\_ATL_GENERATED.SearchToolbarBHO\CLSID -> Spyware.BrowserAid : Cleaned with backup
HKLM\SOFTWARE\Classes\_ATL_GENERATED.SearchToolbarBHO\CurVer -> Spyware.BrowserAid : Cleaned with backup
HKLM\SOFTWARE\Classes\_ATL_GENERATED.SearchToolbarName -> Spyware.BrowserAid : Cleaned with backup
HKLM\SOFTWARE\Classes\_ATL_GENERATED.SearchToolbarName\CLSID -> Spyware.BrowserAid : Cleaned with backup
HKLM\SOFTWARE\Classes\_ATL_GENERATED.SearchToolbarName\CurVer -> Spyware.BrowserAid : Cleaned with backup
HKLM\SOFTWARE\eXactUtil -> Spyware.BargainBuddy : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{12EE7A5E-0674-42f9-A76B-000000004D00} -> Spyware.BrowserAid : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0019C3E2-DD48-4A6D-ABCD-8D32436323D9} -> Spyware.BookedSpace : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{01F44A8A-8C97-4325-A378-76E68DC4AB2E} -> Spyware.IEPlugin : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{12EE7A5E-0674-42f9-A76A-000000004D00} -> Spyware.BrowserAid : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} -> Spyware.BargainBuddy : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F4E04583-354E-4076-BE7D-ED6A80FD66DA} -> Spyware.BargainBuddy : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunWindowsUpdate -> Spyware.BrowserAid : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunWindowsUpdate\Active -> Spyware.BrowserAid : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BargainBuddy -> Spyware.BargainBuddy : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DisplayUtility -> Spyware.Delfin : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NaviSearch -> Spyware.NaviSearch : Cleaned with backup
HKLM\SOFTWARE\Mvu -> Spyware.Delfin : Cleaned with backup
HKLM\SOFTWARE\NaviSearch -> Spyware.NaviSearch : Cleaned with backup
HKU\S-1-5-21-3576068603-4191100369-2977924657-1003\Software\intexp -> Spyware.IEPlugin : Cleaned with backup
HKU\S-1-5-21-3576068603-4191100369-2977924657-1003\Software\Mvu -> Spyware.Delfin : Cleaned with backup
HKU\S-1-5-21-3576068603-4191100369-2977924657-1003\Software\{12EE7A5E-0674-42f9-A76B-000000004D00} -> Spyware.BrowserAid : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@adopt.specificclick[1].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@paypopup[1].txt -> Spyware.Cookie.Paypopup : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\4X4PMV85\AppWrap[1].exe -> TrojanDropper.Agent.pb : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\8N8XS7ER\upd207[1].exe -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\D3RF5DGE\upd209[1].exe -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\E5GXUDOP\AppWrap[1].exe -> TrojanDropper.Agent.pb : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\IDGJGNU7\AppWrap[1].exe -> TrojanDropper.Agent.pb : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\O3EBADWD\AppWrap[1].exe -> TrojanDropper.Agent.pb : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\O3EBADWD\AppWrap[2].exe -> TrojanDropper.Agent.pb : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\PWTSGAUZ\AppWrap[1].exe -> TrojanDropper.Agent.pb : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\PWTSGAUZ\AppWrap[2].exe -> TrojanDropper.Agent.pb : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\QPCV2P65\AppWrap[1].exe -> TrojanDropper.Agent.pb : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\TS7ABSD7\AppWrap[1].exe -> TrojanDropper.Agent.pb : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\TS7ABSD7\AppWrap[2].exe -> TrojanDropper.Agent.pb : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\TS7ABSD7\upd208[1].exe -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\VQ0FB145\AppWrap[1].exe -> Spyware.AdURL : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\WVSBIR4F\AppWrap[1].exe -> TrojanDropper.Agent.pb : Cleaned with backup
C:\Program Files\BullsEye Network\bin\adv.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\Program Files\BullsEye Network\bin\adx.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\Program Files\BullsEye Network\bin\bargains.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\Program Files\Common Files\Uninstall Information\RemoveDisplayUtility.exe -> Spyware.Delfin : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\E0D7F557-4BA5-42D1-8489-40F2BD\59FFAEDD-D338-4E1D-9E8F-672232 -> Spyware.NewDotNet : Cleaned with backup
C:\Program Files\MySearch\bar\1.bin\NPMYSRCH.DLL -> Spyware.MyWay : Cleaned with backup
C:\Program Files\MySearch\bar\1.bin\S42NS.EXE -> Spyware.MyWay : Cleaned with backup
C:\Program Files\NaviSearch\bin\nls.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\RECYCLER\NPROTECT\00000041.exe -> Spyware.PurityScan : Cleaned with backup
C:\RECYCLER\NPROTECT\00000104.dll -> Spyware.BargainBuddy : Cleaned with backup
C:\RECYCLER\NPROTECT\00000105.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\RECYCLER\NPROTECT\00000106.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\RECYCLER\NPROTECT\00000107.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\RECYCLER\NPROTECT\00000111.dll -> Spyware.BargainBuddy : Cleaned with backup
C:\RECYCLER\NPROTECT\00000112.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\RECYCLER\NPROTECT\00000116.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\RECYCLER\NPROTECT\00000117.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\WINDOWS\cfgmgr52.dll -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\icont.exe -> Spyware.AdURL : Cleaned with backup
C:\WINDOWS\nqhpozgaz.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\ru.exe -> Spyware.PurityScan : Cleaned with backup
C:\WINDOWS\system32\AUNPS2.dll -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\system32\bbchk.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\WINDOWS\system32\dcdskmgr.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\dEtime.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\dtiman32.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\e6f1873b.dll -> TrojanDownloader.Braidupdate.d : Cleaned with backup
C:\WINDOWS\system32\exdl.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\WINDOWS\system32\exdl1.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\WINDOWS\system32\exdl2.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\WINDOWS\system32\exul.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\WINDOWS\system32\exul1.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\WINDOWS\system32\hN23msp.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\javexulm.vxd -> Spyware.BargainBuddy : Cleaned with backup
C:\WINDOWS\system32\ljblvs.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\maw3prt.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\metime.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\mhc71u.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\mlutilse.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\msbe.dll -> Spyware.BargainBuddy : Cleaned with backup
C:\WINDOWS\system32\mvyuv.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\njtapi.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\nsvsvc\nsv.ocx -> Spyware.Delfin : Cleaned with backup
C:\WINDOWS\system32\nsvsvc\nsvs.dll -> Spyware.Delfin : Cleaned with backup
C:\WINDOWS\system32\nsvsvc\nsvsvc.exe -> Spyware.Delfin : Cleaned with backup
C:\WINDOWS\system32\nvms.dll -> Spyware.BargainBuddy : Cleaned with backup
C:\WINDOWS\system32\rvvpperf.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\sPfrslv.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\stlb2.dll -> TrojanDownloader.Braidupdate.d : Cleaned with backup
C:\WINDOWS\system32\vidctrl\vidctrl.exe -> Spyware.DelphinMediaViewer : Cleaned with backup
C:\WINDOWS\system32\vus_ps.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\wfnotify.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\wPvemsp.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\tdtb.exe -> Trojan.Imiserv.c : Cleaned with backup
C:\WINDOWS\Temp\b.com -> TrojanDropper.Agent.pb : Cleaned with backup
C:\WINDOWS\xndxgqak.exe -> Spyware.BookedSpace : Cleaned with backup



::Report End

Edited by happygeek: fixed formatting

0

Download CCleaner --
http://www.filehippo.com/download/lixhbccfafpilfwflhddbjzbwcxefhrh/download.html -- but don't run it yet.

Go to Add/Remove Programs and remove any of the following found:

BargainBuddy
Look2Me
WildTangent

Scan with HJT and have it fix the following entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus9.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus9.hpwis.com/
O3 - Toolbar: (no name) - {12EE7A5E-0674-42f9-A76B-000000004D00} - (no file)
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [qbet] C:\WINDOWS\qbet.exe
O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
O4 - HKCU\..\Run: [Io02RRM3V] atrivs.exe
O4 - HKCU\..\Run: [kbdsp] C:\WINDOWS\System32\kbdsp.exe
O20 - Winlogon Notify: ShellServiceObjectDelayLoad - C:\WINDOWS\system32\kqdhu.dll

Go to the following locations and delete the highlighted files and folders:

C:\WINDOWS\qbet.exe
C:\WINDOWS\System32\kbdsp.exe
C:\WINDOWS\system32\kqdhu.dll

C:\Program Files\WildTangent
C:\Program Files\BargainBuddy
C:\Program Files\Look2Me

Do a search for atrivs.exe and delete any instances found.

If any of these files cannot be deleted, try booting into Safe Mode first, and then delete them.

Now run CCleaner.

Reboot, close any open browser windows, scan with HJT, and post a new log please.

0

Here's my latest HJT......fyi I did not have the 03 - Toolbar.... entry when I ran the first HJT to have it fix what you suggested...also the only file that I found to remove was the C:\WINDOWS\System32\kqdhu.dll - but I could not delete it even in Safe Mode...thanks for the help...this thing won't go away :evil:


Logfile of HijackThis v1.99.1
Scan saved at 10:50:23 PM, on 8/3/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\WINDOWS\etb\pokapoka62.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\ezula\mmod.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
C:\Program Files\Kodak\KODAK Picture Transfer Software\pts.exe
C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\UAService7.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.shopnav.com/sidesearch.cgi?uid=11606235&id=1.20030
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.shopnav.com/sidesearch.cgi?uid=11606235&id=1.20030
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [QuickFinder Scheduler] "c:\Program Files\WordPerfect Office 11\Programs\QFSCHD110.EXE"
O4 - HKLM\..\Run: [hplampc] C:\WINDOWS\system32\hplampc.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [qbet] C:\WINDOWS\qbet.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Io02RRM3V] atrivs.exe
O4 - HKCU\..\Run: [kbdsp] C:\WINDOWS\System32\kbdsp.exe
O4 - Startup: Compaq Organize.lnk = ?
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O4 - Global Startup: KODAK Picture Transfer Software.lnk = ?
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O20 - Winlogon Notify: RunOnce - C:\WINDOWS\system32\kqdhu.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\System32\UAService7.exe

0

Go to Add/Remove Programs and make sure WildTangent has been removed.

Scan with HJT and have it fix the following entries:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.shopnav.com/sidese...6235&id=1.20030
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.shopnav.com/sidese...6235&id=1.20030
O4 - HKLM\..\Run: [qbet] C:\WINDOWS\qbet.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
O4 - HKCU\..\Run: [Io02RRM3V] atrivs.exe
O20 - Winlogon Notify: RunOnce - C:\WINDOWS\system32\kqdhu.dll

Remember to close any open windows and hit Fix checked.

Be sure your system is set to 'Show hidden files and folders':
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View tab.
Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Now, go to the following locations and delete the highlighted files and folder:

C:\WINDOWS\qbet.exe
C:\WINDOWS\system32\kqdhu.dll

C:\Program Files\WildTangent

Do a search for atrivs.exe and delete any instances found.

If any of these could not be deleted, open HijackThis and click on the Config... button in the lower right corner of the main window. In the next window, click on the Misc Tools button at the top, and then click the Delete a file on reboot... button. Type (or copy & paste) the file into the box, and click Open. A new window will pop up asking if you want to restart your computer now; click Yes.

Reboot into Safe Mode and do another scan with Ewido.

When it's finished, reboot normally, close any open browser windows, scan with HJT, and post a new log along with the Ewido log.

0

Here's the latest HJT log. Of the files that you asked me to delete, the only one that was present was - C:\WINDOWS\system32\kqdhu.dll - but I could NOT delete it even using the method via HJT. Every time I tried to delete it "normally" I kept getting a message that it was in use by another program and could not be deleted. The HJT method appeared that it would work but the file was still there upon reboot. The other files simply were not present. I removed WildTangent via Add/Remove during one of the the previous threads and it does not show up when I go back to the Add/Remove Program - but an error occurs upon every reboot as it still seems to be looking to load it. Thanks for the contiued help......it's still here somewhere - I keep getting bombarded


Logfile of HijackThis v1.99.1
Scan saved at 11:01:47 PM, on 8/4/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\rundll32.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\WINDOWS\etb\pokapoka62.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Kodak\KODAK Picture Transfer Software\pts.exe
C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\UAService7.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/home.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ads2.revenue.net/r?site_id=14146&pplacement_id=1&creative_id=209716
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [QuickFinder Scheduler] "c:\Program Files\WordPerfect Office 11\Programs\QFSCHD110.EXE"
O4 - HKLM\..\Run: [hplampc] C:\WINDOWS\system32\hplampc.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [qbet] C:\WINDOWS\qbet.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [kbdsp] C:\WINDOWS\System32\kbdsp.exe
O4 - HKCU\..\Run: [Io02RRM3V] atrivs.exe
O4 - Startup: Compaq Organize.lnk = ?
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O4 - Global Startup: KODAK Picture Transfer Software.lnk = ?
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O20 - Winlogon Notify: Unimodem - C:\WINDOWS\system32\ppdx5032.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\System32\UAService7.exe

0

Where's the new Ewido log? :)

Download Killbox -- http://www.downloads.subratam.org/KillBox.zip -- and unzip the file to your Desktop.

Scan with HJT and have it fix the following:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ads2.revenue.net/r?site_id=1...ative_id=209716
O4 - HKLM\..\Run: [qbet] C:\WINDOWS\qbet.exe
O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
O4 - HKCU\..\Run: [kbdsp] C:\WINDOWS\System32\kbdsp.exe
O4 - HKCU\..\Run: [Io02RRM3V] atrivs.exe
O20 - Winlogon Notify: Unimodem - C:\WINDOWS\system32\ppdx5032.dll

Close any open windows and hit Fix checked.

Go to C:\Program Files and delete the entire WildTangent folder.

Do a search for the following files and delete any instances found:

qbet.exe
GameChannel.exe
kbdsp.exe
atrivs.exe
ppdx5032.dll

If any of the noted files could not be deleted, open KILLBOX, type (or copy and paste) the path of the file into the box; then check the Delete on Reboot box, and click the red X. You will get a message saying File will be deleted on next reboot, Process and Reboot now? Click Yes to reboot. Note: the file path will be something like C:\WINDOWS\System32\kbdsp.exe

Reboot, close any open browser windows, scan with HJT, and post a new log along with the new Ewido log.

0

sorry about the Ewido log last time!....here's the latest HJT and Ewido...some notes:

1) when I ran the HJT the first time the 04 - HKCU's for kbdsp.exe and atrivs.exe were not in the run and thus not "fixed"....the 020 Winlogon Nofiy:Unimodem actuall had "CSC Setting" instead of the word "Unimodem" - I fixed it anyway

2) there was no WildTangent folder in my C:\Program Files

3) None of the files that were to be deleted were present on a search....thus I did not need to use the KILLBOX

I get the feeling I'm doing something wrong :( ...thanks for the continued support

Logfile of HijackThis v1.99.1
Scan saved at 6:59:30 PM, on 8/5/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
C:\Program Files\Kodak\KODAK Picture Transfer Software\pts.exe
C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\UAService7.exe
C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Hijackthis\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus9.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [QuickFinder Scheduler] "c:\Program Files\WordPerfect Office 11\Programs\QFSCHD110.EXE"
O4 - HKLM\..\Run: [hplampc] C:\WINDOWS\system32\hplampc.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [qbet] C:\WINDOWS\qbet.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
O4 - HKLM\..\Run: [System service62] C:\WINDOWS\etb\pokapoka62.exe
O4 - Startup: Compaq Organize.lnk = ?
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O4 - Global Startup: KODAK Picture Transfer Software.lnk = ?
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O20 - Winlogon Notify: CSCSettings - C:\WINDOWS\system32\ppdx5032.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\System32\UAService7.exe



---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------


+ Created on:           6:56:43 PM, 8/5/2005
+ Report-Checksum:      87BBC54


+ Scan result:


[500] C:\WINDOWS\system32\ppdx5032.dll -> Spyware.Look2Me : Error during cleaning
[1080] C:\WINDOWS\etb\nt_hide62.dll -> Spyware.EliteBar : Cleaned with backup
[1748] C:\WINDOWS\etb\nt_hide62.dll -> Spyware.EliteBar : Error during cleaning
[1856] C:\WINDOWS\etb\nt_hide62.dll -> Spyware.EliteBar : Error during cleaning
[1864] C:\WINDOWS\etb\nt_hide62.dll -> Spyware.EliteBar : Error during cleaning
[1872] C:\WINDOWS\etb\nt_hide62.dll -> Spyware.EliteBar : Error during cleaning
[1896] C:\WINDOWS\etb\nt_hide62.dll -> Spyware.EliteBar : Error during cleaning
[2040] C:\WINDOWS\etb\nt_hide62.dll -> Spyware.EliteBar : Error during cleaning
[152] C:\WINDOWS\etb\nt_hide62.dll -> Spyware.EliteBar : Error during cleaning
[160] C:\WINDOWS\etb\nt_hide62.dll -> Spyware.EliteBar : Error during cleaning
[176] C:\WINDOWS\etb\nt_hide62.dll -> Spyware.EliteBar : Error during cleaning
[404] C:\WINDOWS\etb\nt_hide62.dll -> Spyware.EliteBar : Error during cleaning
[1144] C:\WINDOWS\etb\nt_hide62.dll -> Spyware.EliteBar : Error during cleaning
[596] C:\WINDOWS\etb\nt_hide62.dll -> Spyware.EliteBar : Error during cleaning
[2532] C:\WINDOWS\etb\nt_hide62.dll -> Spyware.EliteBar : Error during cleaning
C:\Documents and Settings\Owner\Cookies\owner@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@adopt.specificclick[2].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@rotator.adjuggler[2].txt -> Spyware.Cookie.Adjuggler : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@www.myaffiliateprogram[2].txt -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\8QWS7QIX\AppWrap[1].exe -> TrojanDropper.Agent.pb : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\FZ3U1H5M\!update-2214[1].0000 -> TrojanDownloader.PurityScan.y : Cleaned with backup
C:\Program Files\apsi\wtta.exe -> TrojanDownloader.PurityScan.y : Cleaned with backup
C:\Program Files\CashBack -> Spyware.CashBack : Cleaned with backup
C:\Program Files\CashBack\bb_auto_wider.swf -> Spyware.CashBack : Cleaned with backup
C:\Program Files\CashBack\bb_click_wider.swf -> Spyware.CashBack : Cleaned with backup
C:\Program Files\CashBack\bb_welcome.html -> Spyware.CashBack : Cleaned with backup
C:\Program Files\CashBack\bb_welcome1.swf -> Spyware.CashBack : Cleaned with backup
C:\Program Files\CashBack\bin -> Spyware.CashBack : Cleaned with backup
C:\Program Files\CashBack\bin\cashback.exe -> Spyware.CashBack : Cleaned with backup
C:\Program Files\CashBack\blank.gif -> Spyware.CashBack : Cleaned with backup
C:\Program Files\CashBack\icon.gif -> Spyware.CashBack : Cleaned with backup
C:\Program Files\CashBack\logo.gif -> Spyware.CashBack : Cleaned with backup
C:\Program Files\CashBack\template.html -> Spyware.CashBack : Cleaned with backup
C:\Program Files\CashBack\template2.html -> Spyware.CashBack : Cleaned with backup
C:\Program Files\CashBack\Uninstall.exe -> Spyware.CashBack : Cleaned with backup
C:\Program Files\eZula -> Adware.eZula : Cleaned with backup
C:\Program Files\eZula\basis.dst -> Adware.eZula : Cleaned with backup
C:\Program Files\eZula\basis.kwd -> Adware.eZula : Cleaned with backup
C:\Program Files\eZula\basis.pu -> Adware.eZula : Cleaned with backup
C:\Program Files\eZula\basis.rst -> Adware.eZula : Cleaned with backup
C:\Program Files\eZula\eabh.dll -> Adware.eZula : Cleaned with backup
C:\Program Files\eZula\GenLy.ez -> Adware.eZula : Cleaned with backup
C:\Program Files\eZula\genun.ez -> Adware.eZula : Cleaned with backup
C:\Program Files\eZula\Images -> Adware.eZula : Cleaned with backup
C:\Program Files\eZula\Images\arrow1.gif -> Adware.eZula : Cleaned with backup
C:\Program Files\eZula\Images\arrow2.gif -> Adware.eZula : Cleaned with backup
C:\Program Files\eZula\Images\button_small.gif -> Adware.eZula : Cleaned with backup
C:\Program Files\eZula\Images\corner_expand.gif -> Adware.eZula : Cleaned with backup
C:\Program Files\eZula\Images\Corner_LL.gif -> Adware.eZula : Cleaned with backup
C:\Program Files\eZula\Images\Corner_LR.gif -> Adware.eZula : Cleaned with backup
C:\Program Files\eZula\Images\Corner_UL.gif -> Adware.eZula : Cleaned with backup
C:\Program Files\eZula\Images\Corner_UL_2.gif -> Adware.eZula : Cleaned with backup
C:\Program Files\eZula\Images\Corner_UL_NoFollow.gif -> Adware.eZula : Cleaned with backup
C:\Program Files\eZula\Images\Corner_UR.gif -> Adware.eZula : Cleaned with backup
C:\Program Files\eZula\Images\Corner_UR_2.gif -> Adware.eZula : Cleaned with backup
C:\Program Files\eZula\Images\Corner_UR_NoFollow.gif -> Adware.eZula : Cleaned with backup
C:\Program Files\eZula\Images\icon.gif -> Adware.eZula : Cleaned with backup
C:\Program Files\eZula\Images\Layer_Bottom.gif -> Adware.eZula : Cleaned with backup
C:\Program Files\eZula\Images\Layer_Center.gif -> Adware.eZula : Cleaned with backup
C:\Program Files\eZula\Images\Layer_Top.gif -> Adware.eZula : Cleaned with backup
C:\Program Files\eZula\Images\new.gif -> Adware.eZula : Cleaned with backup
C:\Program Files\eZula\Images\PopUp_Follow_divider.gif -> Adware.eZula : Cleaned with backup
C:\Program Files\eZula\Images\PopUp_Follow_Left.gif -> Adware.eZula : Cleaned with backup
C:\Program Files\eZula\Images\PopUp_Follow_Off.gif -> Adware.eZula : Cleaned with backup
C:\Program Files\eZula\Images\PopUp_Follow_On.gif -> Adware.eZula : Cleaned with backup
C:\Program Files\eZula\Images\PopUp_Follow_Right.gif -> Adware.eZula : Cleaned with backup
C:\Program Files\eZula\Images\PopUp_Top.gif -> Adware.eZula : Cleaned with backup
C:\Program Files\eZula\Images\PopUp_Top_Bottom.gif -> Adware.eZula : Cleaned with backup
C:\Program Files\eZula\Images\Side_B.gif -> Adware.eZula : Cleaned with backup
C:\Program Files\eZula\Images\Side_L.gif -> Adware.eZula : Cleaned with backup
C:\Program Files\eZula\Images\Side_R.gif -> Adware.eZula : Cleaned with backup
C:\Program Files\eZula\Images\Side_Top.gif -> Adware.eZula : Cleaned with backup
C:\Program Files\eZula\Images\spacer.gif -> Adware.eZula : Cleaned with backup
C:\Program Files\eZula\Images\Thumbs.db -> Adware.eZula : Cleaned with backup
C:\Program Files\eZula\INSTALL.LOG -> Adware.eZula : Cleaned with backup
C:\Program Files\eZula\legend.lgn -> Adware.eZula : Cleaned with backup
C:\Program Files\eZula\mmod.exe -> Adware.eZula : Cleaned with backup
C:\Program Files\eZula\param.ez -> Adware.eZula : Cleaned with backup
C:\Program Files\eZula\rwds.rst -> Adware.eZula : Cleaned with backup
C:\Program Files\eZula\search.src -> Adware.eZula : Cleaned with backup
C:\Program Files\eZula\UNWISE.EXE -> Adware.eZula : Cleaned with backup
C:\Program Files\eZula\upgrade.vrn -> Adware.eZula : Cleaned with backup
C:\Program Files\eZula\version.vrn -> Adware.eZula : Cleaned with backup
C:\Program Files\eZula\wndbannn.src -> Adware.eZula : Cleaned with backup
C:\WINDOWS\cfgmgr52\EECH1.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\cfgmgr52\SPZ3.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\etb\nt_hide62.dll -> Spyware.EliteBar : Cleaned with backup
C:\WINDOWS\etb\pokapoka62.exe -> Spyware.EliteBar : Cleaned with backup
C:\WINDOWS\etb\xud_62.dll -> Spyware.EliteBar : Cleaned with backup
C:\WINDOWS\ru.exe -> Spyware.PurityScan : Cleaned with backup
C:\WINDOWS\system32\ccmuid.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\dwdmo.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\guard.tmp -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\iopeers.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\josh400.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\kedro.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\kqdhu.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\mbdtcuiu.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\meexcl35.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\mndimap.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\mqexdlm.srg -> Spyware.BargainBuddy : Cleaned with backup
C:\WINDOWS\system32\mwbe.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\ncwrsja.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\rTsser.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\StmNeti.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\wvnmp32.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\ѕеcurity\explorer.exe -> Spyware.PurityScan : Cleaned with backup
C:\WINDOWS\Temp\!update.exe -> TrojanDownloader.PurityScan.y : Cleaned with backup
C:\WINDOWS\Temp\b.com -> TrojanDropper.Agent.pb : Cleaned with backup
C:\WINDOWS\tthakai.exe -> Adware.BetterInternet : Cleaned with backup



::Report End

Edited by happygeek: fixed formatting

0

Make sure your system is set to 'Show hidden files and folders' -- Open Windows Explorer, go to Tools, and in Folder Options, select Show hidden files and folders, and uncheck Hide protected operating system files.

Update, and run these utilities again:

CWShredder
about:Buster
PurityScan uninstaller

Repeat the instructions in my last post (#14), and then post a new HJT log.

0

Here's the new HJT and Ewido logs. I have been careful to show all the hidden files when searching but none of the ones that we've been searching for have been found. There was one issue with CWShredder. It foung a file it did not like - VX2.Look2ME ...it seemed to remove it but said it needed to reboot to complete the process. I tried it 3 times but CWShredder kept coming back with an error saying that it had to close and did I want to send a report to Microsoft etc. - so it still seems to be lurking. The other issue is that I continue to get the following error on start-up:

Error loading C:\Program File\WildTangent\Apps\CDA\ceda Engine 0400.dll

The specified module could not be found

not sure if that mattered or not....I'm getting bombarded as I write this reply by pop ups ! :mad: ...thanks for the help

Logfile of HijackThis v1.99.1
Scan saved at 11:06:08 PM, on 8/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\WINDOWS\System32\halpum.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\ezula\mmod.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Kodak\KODAK Picture Transfer Software\pts.exe
C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\UAService7.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [url]http://qus9.hpwis.com/[/url]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [url]http://srch-qus9.hpwis.com/[/url]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = [url]http://websearch.shopnav.com/sidesearch.cgi?uid=11788464&id=1.20030[/url]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [url]http://comcast.net/[/url]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [url]http://qus9.hpwis.com/[/url]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [url]http://srch-qus9.hpwis.com/[/url]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = [url]http://websearch.shopnav.com/sidesearch.cgi?uid=11788464&id=1.20030[/url]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [url]http://qus9.hpwis.com/[/url]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Band Class - {00027925-0017-4faf-9539-90E4AC0B9EC5} - C:\WINDOWS\ttext.dll
O2 - BHO: SDWin32 Class - {25BC5023-012B-4883-B5CB-523A8409C73A} - C:\WINDOWS\System32\llqrl.dll
O2 - BHO: LANBridge Class - {71D1708F-973D-4600-AF01-AD86688403AE} - C:\WINDOWS\System32\ylthpdta.dll
O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - C:\WINDOWS\System32\nsj19.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [QuickFinder Scheduler] "c:\Program Files\WordPerfect Office 11\Programs\QFSCHD110.EXE"
O4 - HKLM\..\Run: [hplampc] C:\WINDOWS\system32\hplampc.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [qbet] C:\WINDOWS\qbet.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Io02RRM3V] atrivs.exe
O4 - HKCU\..\Run: [kbdsp] C:\WINDOWS\System32\kbdsp.exe
O4 - Startup: Compaq Organize.lnk = ?
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O4 - Global Startup: KODAK Picture Transfer Software.lnk = ?
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O20 - Winlogon Notify: Explorer - C:\WINDOWS\system32\ppdx5032.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\System32\UAService7.exe






---------------------------------------------------------
 ewido security suite - Scan report
---------------------------------------------------------

 + Created on:          11:21:33 PM, 8/11/2005
 + Report-Checksum:     8F25E07A

 + Scan result:

    HKLM\SOFTWARE\Classes\AppID\eZulaBootExe.EXE -> Spyware.eZula : Cleaned with backup
    HKLM\SOFTWARE\Classes\AppID\eZulaMain.EXE -> Spyware.eZula : Cleaned with backup
    HKLM\SOFTWARE\Classes\AppID\{8A044397-5DA2-11D4-B185-0050DAB79376} -> Spyware.eZula : Cleaned with backup
    HKLM\SOFTWARE\Classes\AppID\{C0335198-6755-11D4-8A73-0050DA2EE1BE} -> Spyware.eZula : Cleaned with backup
    HKLM\SOFTWARE\Classes\CLSID\{07F0A543-47BA-11D4-8A6D-0050DA2EE1BE} -> Spyware.eZula : Cleaned with backup
    HKLM\SOFTWARE\Classes\CLSID\{07F0A545-47BA-11D4-8A6D-0050DA2EE1BE} -> Spyware.eZula : Cleaned with backup
    HKLM\SOFTWARE\Classes\CLSID\{19DFB2CB-9B27-11D4-B192-0050DAB79376} -> Spyware.eZula : Cleaned with backup
    HKLM\SOFTWARE\Classes\CLSID\{2079884B-6EF3-11D4-8A74-0050DA2EE1BE} -> Spyware.eZula : Cleaned with backup
    HKLM\SOFTWARE\Classes\CLSID\{2306ABE4-4D42-11D4-8A6D-0050DA2EE1BE} -> Spyware.eZula : Cleaned with backup
    HKLM\SOFTWARE\Classes\CLSID\{2BABD334-5C3F-11D4-B184-0050DAB79376} -> Spyware.eZula : Cleaned with backup
    HKLM\SOFTWARE\Classes\CLSID\{3D7247E8-5DB8-11D4-8A72-0050DA2EE1BE} -> Spyware.TopText : Cleaned with backup
    HKLM\SOFTWARE\Classes\CLSID\{55910916-8B4E-4C1E-9253-CCE296EA71EB} -> Spyware.eZula : Cleaned with backup
    HKLM\SOFTWARE\Classes\CLSID\{58359010-BF36-11d3-99A2-0050DA2EE1BE} -> Spyware.eZula : Cleaned with backup
    HKLM\SOFTWARE\Classes\CLSID\{6EC11407-5B2E-4E25-8BDF-77445B52AB37} -> Spyware.VX2 : Cleaned with backup
    HKLM\SOFTWARE\Classes\CLSID\{B1DD8A69-1B96-11D4-B175-0050DAB79376} -> Spyware.eZula : Cleaned with backup
    HKLM\SOFTWARE\Classes\CLSID\{C03351A4-6755-11D4-8A73-0050DA2EE1BE} -> Spyware.eZula : Cleaned with backup
    HKLM\SOFTWARE\Classes\CLSID\{C4FEE4A7-4B8B-11D4-8A6D-0050DA2EE1BE} -> Spyware.eZula : Cleaned with backup
    HKLM\SOFTWARE\Classes\CLSID\{D290D6E7-BF9D-42F0-9C1B-3BC8AE769B57} -> Spyware.eZula : Cleaned with backup
    HKLM\SOFTWARE\Classes\EZulaAgent.eZulaCtrlHost -> Spyware.eZula : Cleaned with backup
    HKLM\SOFTWARE\Classes\EZulaAgent.eZulaCtrlHost\CLSID -> Spyware.eZula : Cleaned with backup
    HKLM\SOFTWARE\Classes\EZulaAgent.eZulaCtrlHost\CurVer -> Spyware.eZula : Cleaned with backup
    HKLM\SOFTWARE\Classes\eZulaAgent.IEObject -> Spyware.eZula : Cleaned with backup
    HKLM\SOFTWARE\Classes\eZulaAgent.IEObject\CLSID -> Spyware.eZula : Cleaned with backup
    HKLM\SOFTWARE\Classes\eZulaAgent.IEObject\CurVer -> Spyware.eZula : Cleaned with backup
    HKLM\SOFTWARE\Classes\EZulaAgent.PlugProt -> Spyware.eZula : Cleaned with backup
    HKLM\SOFTWARE\Classes\EZulaAgent.PlugProt\CLSID -> Spyware.eZula : Cleaned with backup
    HKLM\SOFTWARE\Classes\EZulaAgent.PlugProt\CurVer -> Spyware.eZula : Cleaned with backup
    HKLM\SOFTWARE\Classes\eZulaAgent.ToolBarBand -> Spyware.eZula : Cleaned with backup
    HKLM\SOFTWARE\Classes\eZulaAgent.ToolBarBand\CLSID -> Spyware.eZula : Cleaned with backup
    HKLM\SOFTWARE\Classes\EZulaBootExe.InstallCtrl -> Spyware.eZula : Cleaned with backup
    HKLM\SOFTWARE\Classes\EZulaBootExe.InstallCtrl\CLSID -> Spyware.eZula : Cleaned with backup
    HKLM\SOFTWARE\Classes\EZulaBootExe.InstallCtrl\CurVer -> Spyware.eZula : Cleaned with backup
    HKLM\SOFTWARE\Classes\EZulaFSearchEng.eZulaCode -> Spyware.eZula : Cleaned with backup
    HKLM\SOFTWARE\Classes\EZulaFSearchEng.eZulaCode\CLSID -> Spyware.eZula : Cleaned with backup
    HKLM\SOFTWARE\Classes\EZulaFSearchEng.eZulaCode\CurVer -> Spyware.eZula : Cleaned with backup
    HKLM\SOFTWARE\Classes\EZulaFSearchEng.eZulaHash -> Spyware.eZula : Cleaned with backup
    HKLM\SOFTWARE\Classes\EZulaFSearchEng.eZulaHash\CLSID -> Spyware.eZula : Cleaned with backup
    HKLM\SOFTWARE\Classes\EZulaFSearchEng.eZulaHash\CurVer -> Spyware.eZula : Cleaned with backup
    HKLM\SOFTWARE\Classes\EZulaFSearchEng.eZulaSearch -> Spyware.eZula : Cleaned with backup
    HKLM\SOFTWARE\Classes\EZulaFSearchEng.eZulaSearch\CLSID -> Spyware.eZula : Cleaned with backup
    HKLM\SOFTWARE\Classes\EZulaFSearchEng.eZulaSearch\CurVer -> Spyware.eZula : Cleaned with backup
    HKLM\SOFTWARE\Classes\EZulaFSearchEng.PopupDisplay -> Spyware.eZula : Cleaned with backup
    HKLM\SOFTWARE\Classes\EZulaFSearchEng.PopupDisplay\CLSID -> Spyware.eZula : Cleaned with backup
    HKLM\SOFTWARE\Classes\EZulaFSearchEng.PopupDisplay\CurVer -> Spyware.eZula : Cleaned with backup
    HKLM\SOFTWARE\Classes\EZulaFSearchEng.ResultHelper -> Spyware.eZula : Cleaned with backup
    HKLM\SOFTWARE\Classes\EZulaFSearchEng.ResultHelper\CLSID -> Spyware.eZula : Cleaned with backup
    HKLM\SOFTWARE\Classes\EZulaFSearchEng.ResultHelper\CurVer -> Spyware.eZula : Cleaned with backup
    HKLM\SOFTWARE\Classes\EZulaFSearchEng.SearchHelper -> Spyware.eZula : Cleaned with backup
    HKLM\SOFTWARE\Classes\EZulaFSearchEng.SearchHelper\CLSID -> Spyware.eZula : Cleaned with backup
    HKLM\SOFTWARE\Classes\EZulaFSearchEng.SearchHelper\CurVer -> Spyware.eZula : Cleaned with backup
    HKLM\SOFTWARE\Classes\EZulaMain.eZulaSearchPipe -> Spyware.eZula : Cleaned with backup
    HKLM\SOFTWARE\Classes\EZulaMain.eZulaSearchPipe\CLSID -> Spyware.eZula : Cleaned with backup
    HKLM\SOFTWARE\Classes\EZulaMain.eZulaSearchPipe\CurVer -> Spyware.eZula : Cleaned with backup
    HKLM\SOFTWARE\Classes\EZulaMain.TrayIConM -> Spyware.eZula : Cleaned with backup
    HKLM\SOFTWARE\Classes\EZulaMain.TrayIConM\CLSID -> Spyware.eZula : Cleaned with backup
    HKLM\SOFTWARE\Classes\EZulaMain.TrayIConM\CurVer -> Spyware.eZula : Cleaned with backup
    HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{6EC11407-5B2E-4E25-8BDF-77445B52AB37} -> Spyware.VX2 : Cleaned with backup
    HKLM\SOFTWARE\Classes\Interface\{07F0A542-47BA-11D4-8A6D-0050DA2EE1BE} -> Spyware.eZula : Cleaned with backup
    HKLM\SOFTWARE\Classes\Interface\{07F0A544-47BA-11D4-8A6D-0050DA2EE1BE} -> Spyware.eZula : Cleaned with backup
    HKLM\SOFTWARE\Classes\Interface\{1823BC4B-A253-4767-9CFC-9ACA62A6B136} -> Spyware.eZula : Cleaned with backup
    HKLM\SOFTWARE\Classes\Interface\{19DFB2CA-9B27-11D4-B192-0050DAB79376} -> Spyware.eZula : Cleaned with backup
    HKLM\SOFTWARE\Classes\Interface\{1CFB8B32-4053-4144-AF6F-1540EEC7F101} -> Spyware.Adlogix : Cleaned with backup
    HKLM\SOFTWARE\Classes\Interface\{27BC6871-4D5A-11D4-8A6D-0050DA2EE1BE} -> Spyware.eZula : Cleaned with backup
    HKLM\SOFTWARE\Classes\Interface\{3D7247F1-5DB8-11D4-8A72-0050DA2EE1BE} -> Spyware.eZula : Cleaned with backup
    HKLM\SOFTWARE\Classes\Interface\{4FD8645F-9B3E-46C1-9727-9837842A84AB} -> Spyware.eZula : Cleaned with backup
    HKLM\SOFTWARE\Classes\Interface\{58359012-BF36-11D3-99A2-0050DA2EE1BE} -> Spyware.eZula : Cleaned with backup
    HKLM\SOFTWARE\Classes\Interface\{7EDC96E1-5DD3-11D4-B185-0050DAB79376} -> Spyware.eZula : Cleaned with backup
    HKLM\SOFTWARE\Classes\Interface\{8A0443A2-5DA2-11D4-B185-0050DAB79376} -> Spyware.eZula : Cleaned with backup
    HKLM\SOFTWARE\Classes\Interface\{8EBB1743-9A2F-11D4-8A7E-0050DA2EE1BE} -> Spyware.eZula : Cleaned with backup
    HKLM\SOFTWARE\Classes\Interface\{C03351A3-6755-11D4-8A73-0050DA2EE1BE} -> Spyware.eZula : Cleaned with backup
    HKLM\SOFTWARE\Classes\Interface\{C4FEE4A6-4B8B-11D4-8A6D-0050DA2EE1BE} -> Spyware.eZula : Cleaned with backup
    HKLM\SOFTWARE\Classes\Interface\{EF0372DC-F552-11D3-8528-0050DAB79376} -> Spyware.eZula : Cleaned with backup
    HKLM\SOFTWARE\Classes\Interface\{EF0372DE-F552-11D3-8528-0050DAB79376} -> Spyware.eZula : Cleaned with backup
    HKLM\SOFTWARE\Classes\TypeLib\{07F0A536-47BA-11D4-8A6D-0050DA2EE1BE} -> Spyware.eZula : Cleaned with backup
    HKLM\SOFTWARE\Classes\TypeLib\{083FA8F4-84F4-11D4-8A77-0050DA2EE1BE} -> Spyware.eZula : Cleaned with backup
    HKLM\SOFTWARE\Classes\TypeLib\{58359011-BF36-11D3-99A2-0050DA2EE1BE} -> Spyware.eZula : Cleaned with backup
    HKLM\SOFTWARE\Classes\TypeLib\{8A044396-5DA2-11D4-B185-0050DAB79376} -> Spyware.eZula : Cleaned with backup
    HKLM\SOFTWARE\Classes\TypeLib\{C0335197-6755-11D4-8A73-0050DA2EE1BE} -> Spyware.eZula : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\eZula -> Spyware.eZula : Cleaned with backup
    HKLM\SOFTWARE\SecureWin -> Spyware.Adlogix : Cleaned with backup
    HKLM\SOFTWARE\VGroup -> Spyware.SAHA : Cleaned with backup
    HKLM\SOFTWARE\VGroup\SAHPopup -> Spyware.SAHA : Cleaned with backup
    HKU\S-1-5-21-3576068603-4191100369-2977924657-1003\Software\eZula -> Spyware.eZula : Cleaned with backup
    HKU\S-1-5-21-3576068603-4191100369-2977924657-1003\Software\eZula\Setup -> Spyware.eZula : Cleaned with backup
    HKU\S-1-5-21-3576068603-4191100369-2977924657-1003\Software\eZula\Setup\ID -> Spyware.eZula : Cleaned with backup
    HKU\S-1-5-21-3576068603-4191100369-2977924657-1003\Software\eZula\Setup\path -> Spyware.eZula : Cleaned with backup
    HKU\S-1-5-21-3576068603-4191100369-2977924657-1003\Software\intexp -> Spyware.IEPlugin : Cleaned with backup
    HKU\S-1-5-21-3576068603-4191100369-2977924657-1003\Software\intexp\Config -> Spyware.IEPlugin : Cleaned with backup
    HKU\S-1-5-21-3576068603-4191100369-2977924657-1003\Software\intexp\MyFileSystem2 -> Spyware.IEPlugin : Cleaned with backup
    HKU\S-1-5-21-3576068603-4191100369-2977924657-1003\Software\Web Offer -> Spyware.eZula : Cleaned with backup
    HKU\S-1-5-21-3576068603-4191100369-2977924657-1003\Software\Web Offer\Setup -> Spyware.eZula : Cleaned with backup
    HKU\S-1-5-21-3576068603-4191100369-2977924657-1003\Software\Web Offer\Setup\ID -> Spyware.eZula : Cleaned with backup
    [500] C:\WINDOWS\system32\ppdx5032.dll -> Spyware.Look2Me : Error during cleaning
    [1088] C:\PROGRA~1\ezula\CHCON.dll -> Adware.eZula : Cleaned with backup
    [1520] C:\WINDOWS\System32\supdate.dll -> TrojanDownloader.Qoologic.p : Cleaned with backup
    [1872] C:\WINDOWS\System32\nkyicuy.dll -> TrojanDownloader.Qoologic.s : Cleaned with backup
    [1880] C:\PROGRA~1\ezula\CHCON.dll -> Adware.eZula : Error during cleaning
    [1888] C:\WINDOWS\System32\nkyicuy.dll -> TrojanDownloader.Qoologic.s : Error during cleaning
    [1900] C:\WINDOWS\System32\nkyicuy.dll -> TrojanDownloader.Qoologic.s : Error during cleaning
    [1908] C:\WINDOWS\System32\nkyicuy.dll -> TrojanDownloader.Qoologic.s : Error during cleaning
    [180] C:\PROGRA~1\ezula\CHCON.dll -> Adware.eZula : Error during cleaning
    [144] C:\WINDOWS\System32\nkyicuy.dll -> TrojanDownloader.Qoologic.s : Error during cleaning
    [188] C:\PROGRA~1\ezula\CHCON.dll -> Adware.eZula : Error during cleaning
    [208] C:\WINDOWS\System32\halpum.exe -> TrojanDownloader.Qoologic.u : Cleaned with backup
    [240] C:\PROGRA~1\ezula\CHCON.dll -> Adware.eZula : Error during cleaning
    [824] C:\PROGRA~1\ezula\CHCON.dll -> Adware.eZula : Error during cleaning
    [908] C:\PROGRA~1\ezula\CHCON.dll -> Adware.eZula : Error during cleaning
    [592] C:\PROGRA~1\ezula\CHCON.dll -> Adware.eZula : Error during cleaning
    [1004] C:\PROGRA~1\ezula\CHCON.dll -> Adware.eZula : Error during cleaning
    [3572] C:\PROGRA~1\ezula\CHCON.dll -> Adware.eZula : Error during cleaning
    C:\WINDOWS\system32\aDaamon.dll -> Spyware.Look2Me : Cleaned with backup
    C:\WINDOWS\system32\atrc8parb.exe -> Adware.Saha : Cleaned with backup
    C:\WINDOWS\system32\cnutil.dll -> Spyware.Look2Me : Cleaned with backup
    C:\WINDOWS\system32\guard.tmp -> Spyware.Look2Me : Cleaned with backup
    C:\WINDOWS\system32\iZlmrnt5.dll -> Spyware.Look2Me : Cleaned with backup
    C:\WINDOWS\system32\lanbrup.exe -> Spyware.SafeSurfing : Cleaned with backup
    C:\WINDOWS\system32\llqrlc.exe -> Spyware.Adstart : Cleaned with backup
    C:\WINDOWS\system32\llqrlf.exe -> Spyware.Adstart : Cleaned with backup
    C:\WINDOWS\system32\nsj19.dll -> Spyware.HotSearchBar : Cleaned with backup
    C:\WINDOWS\system32\redit.cpl -> TrojanDownloader.Qoologic.p : Cleaned with backup
    C:\WINDOWS\system32\supdate.dll -> TrojanDownloader.Qoologic.p : Cleaned with backup
    C:\WINDOWS\system32\thin-94-1-x-x.exe -> Adware.BetterInternet : Cleaned with backup
    C:\WINDOWS\system32\wugky.dat -> TrojanDownloader.Qoologic.u : Cleaned with backup
    C:\WINDOWS\system32\ylthpdta.dll -> Spyware.SafeSurfing : Cleaned with backup
    C:\WINDOWS\Temp\atrc8parb_.exe -> Adware.Saha : Cleaned with backup
    C:\WINDOWS\Temp\hqrhil7kg_.exe -> Adware.SAHA : Cleaned with backup
    C:\WINDOWS\Temp\labpengs.tmp -> Spyware.SafeSurfing : Cleaned with backup
    C:\WINDOWS\Temp\liqp7c25q_.dll -> Adware.SAHA : Cleaned with backup
    C:\WINDOWS\Temp\thin-94-1-x-x.exe -> Adware.BetterInternet : Cleaned with backup
    C:\WINDOWS\Temp\umqltg4cl_.exe -> Adware.SAHA : Cleaned with backup
    C:\Documents and Settings\Owner\Cookies\owner@ad.yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
    C:\Documents and Settings\Owner\Cookies\owner@adopt.specificclick[2].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
    C:\Documents and Settings\Owner\Cookies\owner@paypopup[1].txt -> Spyware.Cookie.Paypopup : Cleaned with backup
    C:\Documents and Settings\Owner\Cookies\owner@rotator.adjuggler[1].txt -> Spyware.Cookie.Adjuggler : Cleaned with backup
    C:\Documents and Settings\Owner\Cookies\owner@www.myaffiliateprogram[1].txt -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
    C:\Documents and Settings\Owner\Cookies\owner@yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup


::Report End

Edited by mike_2000_17: Fixed formatting

0

Please download Kill2Me -- http://www.majorgeeks.com/downloadget.php?id=4166&file=9&evp=e994cf5e9abe6c93b47c01f2922c271f

Run it to remove Look2Me from your computer.

Download WinPFind -- http://www.bleepingcomputer.com/files/winpfind.php

Right-click the Zip Folder, Select Extract All, and Extract the file to a convenient location, such as your Desktop, but don't do anything with it yet!

Reboot into Safe Mode.

Now, double-click WinPFind.exe

Click Start Scan; it will scan your entire system, so please be patient.

Once the Scan is complete, go to the WinPFind folder, and locate WinPFind.txt; copy and paste the results in your next post.

Scan with Ewido again, and post the results with your next reply.

Reboot (normal mode).

Scan with HJT and have it fix the following entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.shopnav.com/sidese...8464&id=1.20030
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.shopnav.com/sidese...8464&id=1.20030
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus9.hpwis.com/
O2 - BHO: Band Class - {00027925-0017-4faf-9539-90E4AC0B9EC5} - C:\WINDOWS\ttext.dll
O2 - BHO: SDWin32 Class - {25BC5023-012B-4883-B5CB-523A8409C73A} - C:\WINDOWS\System32\llqrl.dll
O2 - BHO: LANBridge Class - {71D1708F-973D-4600-AF01-AD86688403AE} - C:\WINDOWS\System32\ylthpdta.dll
O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - C:\WINDOWS\System32\nsj19.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [qbet] C:\WINDOWS\qbet.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
O20 - Winlogon Notify: Explorer - C:\WINDOWS\system32\ppdx5032.dll

Remember to close any open windows and hit Fix checked.

Go to the following locations and delete the highlighted files and folder:

C:\WINDOWS\ttext.dll
C:\WINDOWS\qbet.exe
C:\WINDOWS\System32\llqrl.dll
C:\WINDOWS\System32\ylthpdta.dll
C:\WINDOWS\System32\nsj19.dll
C:\WINDOWS\system32\ppdx5032.dll

C:\Program Files\WildTangent <-- Folder

Do a search for WildTangent and delete any instances found.

If any of these files cannot be deleted, try booting into Safe Mode first.

Empty your Recycle Bin and reboot (normally).

Scan with HJT, and post a new log along with the Ewido and WinPFind logs.

0

Here are the logs. Some notes:

1) I don't think the Kill2Me worked. It said that it did not find evidence of any infection and asked me if I wanted to continue..which I did and it said it had removed any infection if it was there. I ran CWShredder as a double check and that program found the VX2.Look2ME pest still present. I tried to have it removed upon reboot but the same issue occured as in my previous post.

2) Of the file you asked me to the delete, the only one present was the ppdx5032.dll. I could not delete it as is, in Safe Mode, or even using KILLBOX (from one of your previous posts). KILLBOX seemed like it was going to work but it never followed through on the reboot.

thanks for the continued help....is this amount of cleanup normal or am I just luck :)

Logfile of HijackThis v1.99.1
Scan saved at 10:32:37 PM, on 8/12/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\System32\zuuzzgs.exe
C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\Program Files\Media Gateway\MediaGateway.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\WINDOWS\System32\halpum.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
C:\Program Files\Kodak\KODAK Picture Transfer Software\pts.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\UAService7.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [url]http://qus9.hpwis.com/[/url]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [url]http://srch-qus9.hpwis.com/[/url]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [url]http://comcast.net/[/url]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [url]http://qus9.hpwis.com/[/url]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [url]http://srch-qus9.hpwis.com/[/url]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [url]http://qus9.hpwis.com/[/url]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
R3 - URLSearchHook: sextension - {CC8C8F4F-F2E8-404B-A43D-5CC57876A008} - C:\WINDOWS\Downloaded Program Files\sextension.dll (file missing)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll (file missing)
O2 - BHO: XBTB01658 - {38A15633-D04F-4bed-A8D0-DF1D687D1F7E} - C:\WINDOWS\DOWNLO~1\SEXTEN~1.DLL (file missing)
O3 - Toolbar: (no name) - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - (no file)
O3 - Toolbar: sextension - {CC8C8F4F-F2E8-404B-A43D-5CC57876A008} - C:\WINDOWS\Downloaded Program Files\sextension.dll (file missing)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [QuickFinder Scheduler] "c:\Program Files\WordPerfect Office 11\Programs\QFSCHD110.EXE"
O4 - HKLM\..\Run: [hplampc] C:\WINDOWS\system32\hplampc.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Media Gateway] C:\Program Files\Media Gateway\MediaGateway.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Io02RRM3V] atrivs.exe
O4 - HKCU\..\Run: [kbdsp] C:\WINDOWS\System32\kbdsp.exe
O4 - Startup: Compaq Organize.lnk = ?
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O4 - Global Startup: KODAK Picture Transfer Software.lnk = ?
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - ms-its:mhtml:file://c:\nesunex.mht![url]http://snipernet.us/ext1/ysa.chm::/ysb_regular.cab[/url]
O16 - DPF: {CC8C8F4F-F2E8-404B-A43D-5CC57876A008} (sextension) - ms-its:mhtml:file://c:\sxtens.mht![url]http://bar.sxload.com/data/sxt.chm::/sextension.cab[/url]
O20 - Winlogon Notify: Telephony - C:\WINDOWS\system32\ppdx5032.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: System Startup Service  (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\System32\UAService7.exe







---------------------------------------------------------
 ewido security suite - Scan report
---------------------------------------------------------

 + Created on:          7:41:53 PM, 8/12/2005
 + Report-Checksum:     45486886

 + Scan result:

    HKLM\SOFTWARE\Avenue Media -> Spyware.InternetOptimizer : Cleaned with backup
    HKLM\SOFTWARE\Avenue Media\Internet Optimizer -> Spyware.InternetOptimizer : Cleaned with backup
    HKLM\SOFTWARE\Avenue Media\Internet Optimizer\Browser Helper -> Spyware.InternetOptimizer : Cleaned with backup
    HKLM\SOFTWARE\Bargains -> Spyware.BargainBuddy : Cleaned with backup
    HKLM\SOFTWARE\Classes\ADP.UrlCatcher -> Spyware.BargainBuddy : Cleaned with backup
    HKLM\SOFTWARE\Classes\ADP.UrlCatcher\CLSID -> Spyware.BargainBuddy : Cleaned with backup
    HKLM\SOFTWARE\Classes\BrowserHelperObject.BAHelper -> Spyware.SideFind : Cleaned with backup
    HKLM\SOFTWARE\Classes\BrowserHelperObject.BAHelper\CLSID -> Spyware.SideFind : Cleaned with backup
    HKLM\SOFTWARE\Classes\BrowserHelperObject.BAHelper\CurVer -> Spyware.SideFind : Cleaned with backup
    HKLM\SOFTWARE\Classes\ClientAX.ClientInstaller -> Spyware.180Solutions : Cleaned with backup
    HKLM\SOFTWARE\Classes\ClientAX.ClientInstaller\CLSID -> Spyware.180Solutions : Cleaned with backup
    HKLM\SOFTWARE\Classes\ClientAX.ClientInstaller\CurVer -> Spyware.180Solutions : Cleaned with backup
    HKLM\SOFTWARE\Classes\CLSID\{00000010-6F7D-442C-93E3-4A4827C2E4C8} -> Spyware.InternetOptimizer : Cleaned with backup
    HKLM\SOFTWARE\Classes\CLSID\{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} -> Spyware.WinFavorites : Cleaned with backup
    HKLM\SOFTWARE\Classes\CLSID\{38601801-2FF5-4A62-95DA-D2007161C1B4} -> Spyware.TopConverting : Cleaned with backup
    HKLM\SOFTWARE\Classes\CLSID\{6EC11407-5B2E-4E25-8BDF-77445B52AB37} -> Spyware.VX2 : Cleaned with backup
    HKLM\SOFTWARE\Classes\CLSID\{79849612-A98F-45B8-95E9-4D13C7B6B35C} -> Spyware.Crazywinnings : Cleaned with backup
    HKLM\SOFTWARE\Classes\CLSID\{86227D9C-0EFE-4f8a-AA55-30386A3F5686} -> Spyware.YourSiteBar : Cleaned with backup
    HKLM\SOFTWARE\Classes\CLSID\{8CBA1B49-8144-4721-A7B1-64C578C9EED7} -> Spyware.SideFind : Cleaned with backup
    HKLM\SOFTWARE\Classes\CLSID\{99410CDE-6F16-42ce-9D49-3807F78F0287} -> Spyware.Zango : Cleaned with backup
    HKLM\SOFTWARE\Classes\CLSID\{A3FDD654-A057-4971-9844-4ED8E67DBBB8} -> Spyware.ISTBar : Cleaned with backup
    HKLM\SOFTWARE\Classes\CLSID\{F4E04583-354E-4076-BE7D-ED6A80FD66DA} -> Spyware.BargainBuddy : Cleaned with backup
    HKLM\SOFTWARE\Classes\DyFuCA_BH.BHObj -> Spyware.MoneyTree : Cleaned with backup
    HKLM\SOFTWARE\Classes\DyFuCA_BH.BHObj\CLSID -> Spyware.MoneyTree : Cleaned with backup
    HKLM\SOFTWARE\Classes\DyFuCA_BH.BHObj\CurVer -> Spyware.MoneyTree : Cleaned with backup
    HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{6EC11407-5B2E-4E25-8BDF-77445B52AB37} -> Spyware.VX2 : Cleaned with backup
    HKLM\SOFTWARE\Classes\Interface\{03B800F9-2536-4441-8CDA-2A3E6D15B4F8} -> Spyware.YourSiteBar : Cleaned with backup
    HKLM\SOFTWARE\Classes\Interface\{0985C112-2562-46F2-8DA6-92648BA4630F} -> Spyware.ISTBar : Cleaned with backup
    HKLM\SOFTWARE\Classes\Interface\{1C01D150-91A4-4DE0-9BF8-A35D1BDF1001} -> Spyware.SafeSurfing : Cleaned with backup
    HKLM\SOFTWARE\Classes\Interface\{2B0ECEAC-F597-4858-A542-D966B49055B9} -> Spyware.180Solutions : Cleaned with backup
    HKLM\SOFTWARE\Classes\Interface\{339D8AFF-0B42-4260-AD82-78CE605A9543} -> Spyware.SideFind : Cleaned with backup
    HKLM\SOFTWARE\Classes\Interface\{4FE82BA0-9335-4D4E-8E98-76409A88F2C1} -> Spyware.TopConverting : Cleaned with backup
    HKLM\SOFTWARE\Classes\Interface\{8EEE58D5-130E-4CBD-9C83-35A0564E5678} -> Spyware.BargainBuddy : Cleaned with backup
    HKLM\SOFTWARE\Classes\Interface\{A36A5936-CFD9-4B41-86BD-319A1931887F} -> Spyware.SideFind : Cleaned with backup
    HKLM\SOFTWARE\Classes\Interface\{ACE5B10B-92A3-4103-8583-3684BB09409F} -> Spyware.TopConverting : Cleaned with backup
    HKLM\SOFTWARE\Classes\Interface\{C6906A23-4717-4E1F-B6FD-F06EBED15678} -> Spyware.BargainBuddy : Cleaned with backup
    HKLM\SOFTWARE\Classes\Interface\{DDEA2E1D-8555-45E5-AF09-EC9AA4EA27AD} -> Spyware.180Solutions : Cleaned with backup
    HKLM\SOFTWARE\Classes\Interface\{DFBCC1EB-B149-487E-80C1-CC1562021542} -> Spyware.YourSiteBar : Cleaned with backup
    HKLM\SOFTWARE\Classes\SideFind.Finder -> Spyware.SideFind : Cleaned with backup
    HKLM\SOFTWARE\Classes\SideFind.Finder\CLSID -> Spyware.SideFind : Cleaned with backup
    HKLM\SOFTWARE\Classes\SideFind.Finder\CurVer -> Spyware.SideFind : Cleaned with backup
    HKLM\SOFTWARE\Classes\TypeLib\{40B1D454-9CA4-43CC-86AA-CB175EAC52FB} -> Spyware.MoneyTree : Cleaned with backup
    HKLM\SOFTWARE\Classes\TypeLib\{487E7682-B976-41FB-A944-E8B83689A454} -> Spyware.TopConverting : Cleaned with backup
    HKLM\SOFTWARE\Classes\TypeLib\{4EB7BBE8-2E15-424B-9DDB-2CDB9516B2C3} -> Spyware.NaviSearch : Cleaned with backup
    HKLM\SOFTWARE\Classes\TypeLib\{4EE12B71-AA5E-45EC-8666-2DB3AD3FDF44} -> Spyware.YourSiteBar : Cleaned with backup
    HKLM\SOFTWARE\Classes\TypeLib\{58634367-D62B-4C2C-86BE-5AAC45CDB671} -> Spyware.SideFind : Cleaned with backup
    HKLM\SOFTWARE\Classes\TypeLib\{5B6689B5-C2D4-4DC7-BFD1-24AC17E5FCDA} -> Spyware.180Solutions : Cleaned with backup
    HKLM\SOFTWARE\Classes\TypeLib\{67907B3C-A6EF-4A01-99AD-3FCD5F526429} -> Spyware.ISTBar : Cleaned with backup
    HKLM\SOFTWARE\Classes\TypeLib\{D0288A41-9855-4A9B-8316-BABE243648DA} -> Spyware.SideFind : Cleaned with backup
    HKLM\SOFTWARE\Classes\Ysb.YsbObj -> Spyware.YourSiteBar : Cleaned with backup
    HKLM\SOFTWARE\Classes\Ysb.YsbObj\CLSID -> Spyware.YourSiteBar : Cleaned with backup
    HKLM\SOFTWARE\Classes\Ysb.YsbObj\CurVer -> Spyware.YourSiteBar : Cleaned with backup
    HKLM\SOFTWARE\Classes\YSBactivex.Installer -> Spyware.YourSiteBar : Cleaned with backup
    HKLM\SOFTWARE\Classes\YSBactivex.Installer\CLSID -> Spyware.YourSiteBar : Cleaned with backup
    HKLM\SOFTWARE\eXactUtil -> Spyware.BargainBuddy : Cleaned with backup
    HKLM\SOFTWARE\ISTsvc -> Spyware.ISTBar : Cleaned with backup
    HKLM\SOFTWARE\ISTsvc\history -> Spyware.ISTBar : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} -> Spyware.WinFavorites : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{79849612-A98F-45B8-95E9-4D13C7B6B35C} -> Spyware.Crazywinnings : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{99410CDE-6F16-42ce-9D49-3807F78F0287} -> Spyware.Zango : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{10E42047-DEB9-4535-A118-B3F6EC39B807} -> Spyware.SideFind : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\SideFind -> Spyware.SideFind : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000010-6F7D-442C-93E3-4A4827C2E4C8} -> Spyware.InternetOptimizer : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A3FDD654-A057-4971-9844-4ED8E67DBBB8} -> Spyware.ISTBar : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F4E04583-354E-4076-BE7D-ED6A80FD66DA} -> Spyware.BargainBuddy : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\AMeOpt -> Spyware.InternetOptimizer : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BargainBuddy -> Spyware.BargainBuddy : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DyFuCA -> Spyware.MoneyTree : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Optimizer -> Spyware.InternetOptimizer : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ISTsvc -> Spyware.ISTBar : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Kapabout -> Spyware.InternetOptimizer : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\salm -> Spyware.180Solutions : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SideFind -> Spyware.SideFind : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Surf SideKick -> Spyware.SurfSide : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\YourSiteBar -> Spyware.ISTBar : Cleaned with backup
    HKLM\SOFTWARE\Policies\Avenue Media -> Spyware.InternetOptimizer : Cleaned with backup
    HKLM\SOFTWARE\salm -> Spyware.180Solutions : Cleaned with backup
    HKLM\SOFTWARE\SecureWin -> Spyware.Adlogix : Cleaned with backup
    HKLM\SOFTWARE\SideFind -> Spyware.SideFind : Cleaned with backup
    HKLM\SOFTWARE\SideFind\History -> Spyware.SideFind : Cleaned with backup
    HKLM\SOFTWARE\VGroup -> Spyware.SAHA : Cleaned with backup
    HKLM\SOFTWARE\VGroup\SAHPopup -> Spyware.SAHA : Cleaned with backup
    HKLM\SOFTWARE\YourSiteBar -> Spyware.ISTBar : Cleaned with backup
    HKLM\SOFTWARE\YourSiteBar\Historyfiles -> Spyware.ISTBar : Cleaned with backup
    HKLM\SOFTWARE\YourSiteBar\Historystring -> Spyware.ISTBar : Cleaned with backup
    HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\ZepMon -> Spyware.BetterInternet : Cleaned with backup
    HKU\S-1-5-21-3576068603-4191100369-2977924657-1003\Software\Avenue Media -> Spyware.InternetOptimizer : Cleaned with backup
    HKU\S-1-5-21-3576068603-4191100369-2977924657-1003\Software\intexp -> Spyware.IEPlugin : Cleaned with backup
    HKU\S-1-5-21-3576068603-4191100369-2977924657-1003\Software\intexp\Config -> Spyware.IEPlugin : Cleaned with backup
    HKU\S-1-5-21-3576068603-4191100369-2977924657-1003\Software\intexp\MyFileSystem2 -> Spyware.IEPlugin : Cleaned with backup
    HKU\S-1-5-21-3576068603-4191100369-2977924657-1003\Software\IST -> Spyware.ISTBar : Cleaned with backup
    HKU\S-1-5-21-3576068603-4191100369-2977924657-1003\Software\Microsoft\Internet Explorer\Explorer Bars\{8CBA1B49-8144-4721-A7B1-64C578C9EED7} -> Spyware.SideFind : Cleaned with backup
    HKU\S-1-5-21-3576068603-4191100369-2977924657-1003\Software\Microsoft\Windows\CurrentVersion\Policies\AMeOpt -> Spyware.InternetOptimizer : Cleaned with backup
    HKU\S-1-5-21-3576068603-4191100369-2977924657-1003\Software\Policies\Avenue Media -> Spyware.InternetOptimizer : Cleaned with backup
    HKU\S-1-5-21-3576068603-4191100369-2977924657-1003\Software\PowerScan -> Spyware.PowerScan : Cleaned with backup
    HKU\S-1-5-21-3576068603-4191100369-2977924657-1003\Software\salm -> Spyware.180Solutions : Cleaned with backup
    [208] C:\WINDOWS\system32\ppdx5032.dll -> Spyware.Look2Me : Error during cleaning
    [592] C:\WINDOWS\system32\GHCollection.dll -> Spyware.Look2Me : Error during cleaning
    [680] VM_00900000 -> Adware.BetterInternet : Error during cleaning
    [812] C:\WINDOWS\System32\vykevp.exe -> Trojan.Agent.cp : Cleaned with backup
    [1364] C:\WINDOWS\System32\pnqblo.exe -> TrojanDownloader.Qoologic.n : Cleaned with backup
    C:\WINDOWS\dinst.exe -> TrojanDownloader.Intexp.d : Cleaned with backup
    C:\WINDOWS\Downloaded Program Files\ClientAX.dll -> Spyware.180Solutions : Cleaned with backup
    C:\WINDOWS\Downloaded Program Files\sextension.dll -> Spyware.SideSearch : Cleaned with backup
    C:\WINDOWS\Downloaded Program Files\website.ocx -> TrojanDownloader.Agent.ex : Cleaned with backup
    C:\WINDOWS\dsr.dll -> Spyware.Hijacker.Generic : Cleaned with backup
    C:\WINDOWS\dsr.exe -> Trojan.Imiserv.c : Cleaned with backup
    C:\WINDOWS\installer_SIAC.exe -> TrojanDownloader.Adload.a : Cleaned with backup
    C:\WINDOWS\nem220.dll -> TrojanDownloader.Dyfuca : Cleaned with backup
    C:\WINDOWS\nqhpozgaz.exe -> Adware.BetterInternet : Cleaned with backup
    C:\WINDOWS\optimize.exe -> TrojanDownloader.Dyfuca.dk : Cleaned with backup
    C:\WINDOWS\pinmbib.exe -> Spyware.180Solutions : Cleaned with backup
    C:\WINDOWS\shop1004.exe -> Adware.SAHA : Cleaned with backup
    C:\WINDOWS\SSK3_B5.exe -> TrojanDropper.Small.qn : Cleaned with backup
    C:\WINDOWS\stubinstaller5975.exe -> TrojanDownloader.Small.asf : Cleaned with backup
    C:\WINDOWS\suslppm.exe -> TrojanDownloader.IstBar.ij : Cleaned with backup
    C:\WINDOWS\system32\atrc8parb.exe -> Adware.Saha : Cleaned with backup
    C:\WINDOWS\system32\AUNPS2.dll -> Spyware.Hijacker.Generic : Cleaned with backup
    C:\WINDOWS\system32\bbchk.exe -> Spyware.BargainBuddy : Cleaned with backup
    C:\WINDOWS\system32\conres.cpl -> TrojanDownloader.Qoologic.p : Cleaned with backup
    C:\WINDOWS\system32\datadx.dll -> TrojanDownloader.Qoologic.p : Cleaned with backup
    C:\WINDOWS\system32\exdl.exe -> Spyware.BargainBuddy : Cleaned with backup
    C:\WINDOWS\system32\exdl0.exe -> Spyware.BargainBuddy : Cleaned with backup
    C:\WINDOWS\system32\exdl1.exe -> Spyware.BargainBuddy : Cleaned with backup
    C:\WINDOWS\system32\exul.exe -> Spyware.BargainBuddy : Cleaned with backup
    C:\WINDOWS\system32\guard.tmp -> Spyware.Look2Me : Cleaned with backup
    C:\WINDOWS\system32\halpum.exe -> TrojanDownloader.Qoologic.u : Cleaned with backup
    C:\WINDOWS\system32\ikgsv.dll -> TrojanDownloader.Qoologic.t : Cleaned with backup
    C:\WINDOWS\system32\javexulm.vxd -> Spyware.BargainBuddy : Cleaned with backup
    C:\WINDOWS\system32\mqexdlm.srg -> Spyware.BargainBuddy : Cleaned with backup
    C:\WINDOWS\system32\msbe.dll -> Spyware.BargainBuddy : Cleaned with backup
    C:\WINDOWS\system32\nkyicuy.dll -> TrojanDownloader.Qoologic.s : Cleaned with backup
    C:\WINDOWS\system32\sjarddlg.dll -> Spyware.Look2Me : Cleaned with backup
    C:\WINDOWS\system32\wugky.dat -> TrojanDownloader.Qoologic.u : Cleaned with backup
    C:\WINDOWS\system32\__delete_on_reboot__nkyicuy.dll -> TrojanDownloader.Qoologic.s : Cleaned with backup
    C:\WINDOWS\system32\__delete_on_reboot__supdate.dll -> TrojanDownloader.Qoologic.p : Cleaned with backup
    C:\WINDOWS\Temp\atrc8parb_.exe -> Adware.Saha : Cleaned with backup
    C:\WINDOWS\Temp\b.com -> TrojanDropper.Agent.pb : Cleaned with backup
    C:\WINDOWS\Temp\bb.exe -> TrojanDownloader.Adload.a : Cleaned with backup
    C:\WINDOWS\Temp\Del16A.tmp -> TrojanDownloader.Small.asf : Cleaned with backup
    C:\WINDOWS\Temp\hqrhil7kg_.exe -> Adware.SAHA : Cleaned with backup
    C:\WINDOWS\Temp\liqp7c25q_.dll -> Adware.SAHA : Cleaned with backup
    C:\WINDOWS\Temp\optimize.exe -> TrojanDownloader.Dyfuca.ei : Cleaned with backup
    C:\WINDOWS\Temp\res161.tmp -> Spyware.180Solutions : Cleaned with backup
    C:\WINDOWS\Temp\res170.tmp -> Spyware.180Solutions : Cleaned with backup
    C:\WINDOWS\Temp\res173.tmp -> Spyware.180Solutions : Cleaned with backup
    C:\WINDOWS\Temp\setup4021.cab/liqp7c25q_.dll -> Adware.SAHA : Cleaned with backup
    C:\WINDOWS\Temp\setup4021.cab/atrc8parb_.exe -> Adware.SAHA : Cleaned with backup
    C:\WINDOWS\Temp\setup4021.cab/umqltg4cl_.exe -> Adware.SAHA : Cleaned with backup
    C:\WINDOWS\Temp\setup4021.cab/hqrhil7kg_.exe -> Adware.SAHA : Cleaned with backup
    C:\WINDOWS\Temp\shop1004.exe -> Adware.SAHA : Cleaned with backup
    C:\WINDOWS\Temp\sidefind.exe -> TrojanDownloader.IstBar.jm : Cleaned with backup
    C:\WINDOWS\Temp\umqltg4cl_.exe -> Adware.SAHA : Cleaned with backup
    C:\Documents and Settings\Owner\Cookies\owner@abetterinternet[2].txt -> Spyware.Cookie.Abetterinternet : Cleaned with backup
    C:\Documents and Settings\Owner\Cookies\owner@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
    C:\Documents and Settings\Owner\Cookies\owner@adopt.specificclick[2].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
    C:\Documents and Settings\Owner\Cookies\owner@rotator.adjuggler[1].txt -> Spyware.Cookie.Adjuggler : Cleaned with backup
    C:\Documents and Settings\Owner\Cookies\owner@www.epilot[1].txt -> Spyware.Cookie.Epilot : Cleaned with backup
    C:\Documents and Settings\Owner\Cookies\owner@www.myaffiliateprogram[2].txt -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
    C:\Documents and Settings\Owner\Cookies\owner@www.sidefind[2].txt -> Spyware.Cookie.Sidefind : Cleaned with backup
    C:\Documents and Settings\Owner\Cookies\owner@yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
    C:\Documents and Settings\Owner\Cookies\owner@ysbweb[1].txt -> Spyware.Cookie.Ysbweb : Cleaned with backup


::Report End






WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP    Current Build: Service Pack 1    Current Build Number: 2600
Internet Explorer Version: 6.0.2800.1106

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
abetterinternet.com  6/19/2003 2:00:26 PM   3278       C:\WINDOWS\abiuninst.htm
aspack               11/28/2004 9:10:44 PM  1343999    C:\WINDOWS\Aurexkb.ehu
PTech                11/28/2004 9:10:44 PM  1343999    C:\WINDOWS\Aurexkb.ehu
UPX!                 11/28/2004 9:00:40 PM  255700     C:\WINDOWS\del.tmp
UPX!                 8/12/2005 5:48:14 PM   189859     C:\WINDOWS\dsr.exe
PTech                11/28/2004 9:10:52 PM  1073501    C:\WINDOWS\Flgczsswjyh.lzw
PEC2                 11/28/2004 9:10:40 PM  184535     C:\WINDOWS\Iingbqeu.aaw
PTech                11/28/2004 9:10:46 PM  483851     C:\WINDOWS\Iwwcitsg.dua
PECompact2           7/7/2005 7:44:40 AM    15329059   C:\WINDOWS\lpt$vpn.719
qoologic             7/7/2005 7:44:40 AM    15329059   C:\WINDOWS\lpt$vpn.719
SAHAgent             7/7/2005 7:44:40 AM    15329059   C:\WINDOWS\lpt$vpn.719
web-nex              8/12/2005 5:46:38 PM   4254       C:\WINDOWS\mnrzv.dll
PEC2                 11/28/2004 9:10:42 PM  193869     C:\WINDOWS\Mxacorse.trv
UPX!                 7/23/2003 10:06:52 AM  52736      C:\WINDOWS\Nail.exe
UPX!                 8/11/2005 11:41:22 PM  36608      C:\WINDOWS\nem220.dll
UPX!                 9/6/2003 8:45:34 AM    79360      C:\WINDOWS\nqhpozgaz.exe
UPX!                 5/3/2005 11:44:44 AM   25157      C:\WINDOWS\RMAgentOutput.dll
aspack               8/11/2005 11:41:26 PM  38400      C:\WINDOWS\shop1004.exe
UPX!                 8/11/2005 11:41:12 PM  10240      C:\WINDOWS\suslppm.exe
UPX!                 1/24/2003 12:00:06 PM  6656       C:\WINDOWS\svcproc.exe
UPX!                 1/10/2005 4:17:24 PM   170053     C:\WINDOWS\tsc.exe
PECompact2           7/7/2005 7:44:40 AM    15329059   C:\WINDOWS\VPTNFILE.719
qoologic             7/7/2005 7:44:40 AM    15329059   C:\WINDOWS\VPTNFILE.719
SAHAgent             7/7/2005 7:44:40 AM    15329059   C:\WINDOWS\VPTNFILE.719
UPX!                 2/18/2005 6:40:14 PM   1044560    C:\WINDOWS\vsapi32.dll
aspack               2/18/2005 6:40:14 PM   1044560    C:\WINDOWS\vsapi32.dll
PTech                11/28/2004 9:10:50 PM  1626626    C:\WINDOWS\Wpkrkcqrrjf.uwm

Checking %System% folder...
SAHAgent             6/30/2005 2:00:58 PM   35         C:\WINDOWS\SYSTEM32\9hk5g7bj.ini
SAHAgent             6/17/2005 3:21:42 PM   204288     C:\WINDOWS\SYSTEM32\atrc8parb.exe
SAHAgent             8/8/2005 2:05:46 PM    796        C:\WINDOWS\SYSTEM32\atrc8parb.ini
UPX!                 8/12/2005 5:06:30 PM   24576      C:\WINDOWS\SYSTEM32\AUNPS2.dll
69.59.186.63         8/11/2005 11:19:50 PM  29184      C:\WINDOWS\SYSTEM32\datadx.dll
209.66.67.134        8/11/2005 11:19:50 PM  29184      C:\WINDOWS\SYSTEM32\datadx.dll
66.63.167.97         8/11/2005 11:19:50 PM  29184      C:\WINDOWS\SYSTEM32\datadx.dll
66.63.167.77         8/11/2005 11:19:50 PM  29184      C:\WINDOWS\SYSTEM32\datadx.dll
web-nex              8/11/2005 11:19:50 PM  29184      C:\WINDOWS\SYSTEM32\datadx.dll
winsync              8/11/2005 11:19:50 PM  29184      C:\WINDOWS\SYSTEM32\datadx.dll
rec2_run             8/11/2005 11:19:50 PM  29184      C:\WINDOWS\SYSTEM32\datadx.dll
PEC2                 8/29/2002 8:00:00 AM   41397      C:\WINDOWS\SYSTEM32\dfrg.msc
UPX!                 9/16/2000 7:41:42 PM   28160      C:\WINDOWS\SYSTEM32\DrPMon.dll
69.59.186.63         8/11/2005 11:19:52 PM  9728       C:\WINDOWS\SYSTEM32\earak.dll
209.66.67.134        8/11/2005 11:19:52 PM  9728       C:\WINDOWS\SYSTEM32\earak.dll
web-nex              8/11/2005 11:19:52 PM  9728       C:\WINDOWS\SYSTEM32\earak.dll
winsync              8/11/2005 11:19:52 PM  9728       C:\WINDOWS\SYSTEM32\earak.dll
Umonitor             8/12/2005 12:49:12 AM  417792     C:\WINDOWS\SYSTEM32\guard.tmp
WinShutDown          8/12/2005 12:49:12 AM  417792     C:\WINDOWS\SYSTEM32\guard.tmp
aspack               8/12/2005 10:44:40 AM  61952      C:\WINDOWS\SYSTEM32\halpum.exe
SAHAgent             6/30/2005 2:00:58 PM   35         C:\WINDOWS\SYSTEM32\havijo1d.ini
aspack               8/8/2005 11:17:24 AM   9728       C:\WINDOWS\SYSTEM32\ikgsv.dll
KavSvc               8/8/2005 11:17:24 AM   9728       C:\WINDOWS\SYSTEM32\ikgsv.dll
69.59.186.63         8/8/2005 11:17:24 AM   9728       C:\WINDOWS\SYSTEM32\ikgsv.dll
209.66.67.134        8/8/2005 11:17:24 AM   9728       C:\WINDOWS\SYSTEM32\ikgsv.dll
web-nex              8/8/2005 11:17:24 AM   9728       C:\WINDOWS\SYSTEM32\ikgsv.dll
yourkey              8/8/2005 11:17:24 AM   9728       C:\WINDOWS\SYSTEM32\ikgsv.dll
Umonitor             11/3/1998 2:01:02 AM   324096     C:\WINDOWS\SYSTEM32\ipebase11.dll
69.59.186.63         8/11/2005 11:19:52 PM  26624      C:\WINDOWS\SYSTEM32\ksahwla.dll
209.66.67.134        8/11/2005 11:19:52 PM  26624      C:\WINDOWS\SYSTEM32\ksahwla.dll
web-nex              8/11/2005 11:19:52 PM  26624      C:\WINDOWS\SYSTEM32\ksahwla.dll
winsync              8/11/2005 11:19:52 PM  26624      C:\WINDOWS\SYSTEM32\ksahwla.dll
SAHAgent             6/30/2005 9:25:36 PM   3132       C:\WINDOWS\SYSTEM32\l2r348ov.ini
aspack               8/12/2005 10:44:40 AM  27648      C:\WINDOWS\SYSTEM32\nkyicuy.dll
KavSvc               8/12/2005 10:44:40 AM  27648      C:\WINDOWS\SYSTEM32\nkyicuy.dll
69.59.186.63         8/12/2005 10:44:40 AM  27648      C:\WINDOWS\SYSTEM32\nkyicuy.dll
209.66.67.134        8/12/2005 10:44:40 AM  27648      C:\WINDOWS\SYSTEM32\nkyicuy.dll
testpopup            8/12/2005 10:44:40 AM  27648      C:\WINDOWS\SYSTEM32\nkyicuy.dll
web-nex              8/12/2005 10:44:40 AM  27648      C:\WINDOWS\SYSTEM32\nkyicuy.dll
yourkey              8/12/2005 10:44:40 AM  27648      C:\WINDOWS\SYSTEM32\nkyicuy.dll
Umonitor             8/29/2002 8:00:00 AM   631808     C:\WINDOWS\SYSTEM32\rasdlg.dll
Umonitor             8/12/2005 10:44:22 AM  417792     C:\WINDOWS\SYSTEM32\sjarddlg.dll
WinShutDown          8/12/2005 10:44:22 AM  417792     C:\WINDOWS\SYSTEM32\sjarddlg.dll
winsync              8/29/2002 8:00:00 AM   1309184    C:\WINDOWS\SYSTEM32\wbdbase.deu
aspack               8/12/2005 10:44:40 AM  61952      C:\WINDOWS\SYSTEM32\wugky.dat
aspack               8/8/2005 11:17:24 AM   27648      C:\WINDOWS\SYSTEM32\__delete_on_reboot__nkyicuy.dll
KavSvc               8/8/2005 11:17:24 AM   27648      C:\WINDOWS\SYSTEM32\__delete_on_reboot__nkyicuy.dll
69.59.186.63         8/8/2005 11:17:24 AM   27648      C:\WINDOWS\SYSTEM32\__delete_on_reboot__nkyicuy.dll
209.66.67.134        8/8/2005 11:17:24 AM   27648      C:\WINDOWS\SYSTEM32\__delete_on_reboot__nkyicuy.dll
testpopup            8/8/2005 11:17:24 AM   27648      C:\WINDOWS\SYSTEM32\__delete_on_reboot__nkyicuy.dll
web-nex              8/8/2005 11:17:24 AM   27648      C:\WINDOWS\SYSTEM32\__delete_on_reboot__nkyicuy.dll
yourkey              8/8/2005 11:17:24 AM   27648      C:\WINDOWS\SYSTEM32\__delete_on_reboot__nkyicuy.dll
aspack               8/8/2005 11:17:24 AM   29184      C:\WINDOWS\SYSTEM32\__delete_on_reboot__supdate.dll
KavSvc               8/8/2005 11:17:24 AM   29184      C:\WINDOWS\SYSTEM32\__delete_on_reboot__supdate.dll
69.59.186.63         8/8/2005 11:17:24 AM   29184      C:\WINDOWS\SYSTEM32\__delete_on_reboot__supdate.dll
209.66.67.134        8/8/2005 11:17:24 AM   29184      C:\WINDOWS\SYSTEM32\__delete_on_reboot__supdate.dll
66.63.167.97         8/8/2005 11:17:24 AM   29184      C:\WINDOWS\SYSTEM32\__delete_on_reboot__supdate.dll
66.63.167.77         8/8/2005 11:17:24 AM   29184      C:\WINDOWS\SYSTEM32\__delete_on_reboot__supdate.dll
web-nex              8/8/2005 11:17:24 AM   29184      C:\WINDOWS\SYSTEM32\__delete_on_reboot__supdate.dll
yourkey              8/8/2005 11:17:24 AM   29184      C:\WINDOWS\SYSTEM32\__delete_on_reboot__supdate.dll
rec2_run             8/8/2005 11:17:24 AM   29184      C:\WINDOWS\SYSTEM32\__delete_on_reboot__supdate.dll

Checking %System%\Drivers folder and sub-folders...

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
S                    8/12/2005 5:52:24 PM   2048       C:\WINDOWS\bootstat.dat
S                    8/12/2005 5:53:00 PM   417792     C:\WINDOWS\system32\GHCollection.dll
S                    8/12/2005 12:49:12 AM  417792     C:\WINDOWS\system32\guard.tmp
S                    8/4/2005 10:43:40 PM   417792     C:\WINDOWS\system32\ppdx5032.dll
S                    8/12/2005 10:44:22 AM  417792     C:\WINDOWS\system32\sjarddlg.dll
H                    8/12/2005 5:53:02 PM   20480      C:\WINDOWS\system32\config\default.LOG
H                    8/12/2005 5:52:58 PM   1024       C:\WINDOWS\system32\config\SAM.LOG
H                    8/12/2005 5:52:30 PM   12288      C:\WINDOWS\system32\config\SECURITY.LOG
H                    8/12/2005 5:53:46 PM   163840     C:\WINDOWS\system32\config\software.LOG
H                    8/12/2005 5:52:26 PM   999424     C:\WINDOWS\system32\config\system.LOG
H                    8/8/2005 11:05:22 AM   1024       C:\WINDOWS\system32\config\userdiff.LOG
SH                   8/11/2005 10:18:20 PM  388        C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\a65c4887-7a56-462f-a379-47f4c17c5e26
SH                   8/11/2005 10:18:20 PM  24         C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
SH                   8/4/2005 10:20:44 PM   190        C:\WINDOWS\Tasks\RUTASK.job
H                    8/12/2005 5:49:04 PM   6          C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation          8/29/2002 8:00:00 AM   66048      C:\WINDOWS\SYSTEM32\access.cpl
Realtek Semiconductor Corp.    6/28/2003 12:40:32 AM  8606208    C:\WINDOWS\SYSTEM32\ALSNDMGR.CPL
Microsoft Corporation          8/29/2002 8:00:00 AM   578560     C:\WINDOWS\SYSTEM32\appwiz.cpl
                               5/11/2001 1:00:00 AM   183808     C:\WINDOWS\SYSTEM32\bdeadmin.cpl
                               8/11/2005 11:19:52 PM  28672      C:\WINDOWS\SYSTEM32\conres.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM   129024     C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM   150016     C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Hewlett-Packard                1/26/1999 1:06:28 AM   25524      C:\WINDOWS\SYSTEM32\hpsctrlc.cpl
Intel Corporation              4/7/2003 10:14:30 AM   94208      C:\WINDOWS\SYSTEM32\igfxcpl.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM   292352     C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM   121856     C:\WINDOWS\SYSTEM32\intl.cpl
InstallShield Software Corporation6/16/2004 7:03:30 AM   73728      C:\WINDOWS\SYSTEM32\ISUSPM.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM   65536      C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems               2/20/2003 5:42:34 PM   229487     C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM   187904     C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM   559616     C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM   35840      C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM   256000     C:\WINDOWS\SYSTEM32\nusrmgr.cpl
NVIDIA Corporation             5/3/2003 2:19:00 AM    143360     C:\WINDOWS\SYSTEM32\nvtuicpl.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM   36864      C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM   109056     C:\WINDOWS\SYSTEM32\powercfg.cpl
Apple Computer, Inc.           9/23/2004 6:57:40 PM   323072     C:\WINDOWS\SYSTEM32\QuickTime.cpl
Softex, Inc                    2/21/2003 7:06:04 AM   32768      C:\WINDOWS\SYSTEM32\scurecpl.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM   268288     C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM   28160      C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM   90112      C:\WINDOWS\SYSTEM32\timedate.cpl
The Weather Channel Interactive4/6/2005 4:21:18 PM    3006464    C:\WINDOWS\SYSTEM32\wxfw.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM   66048      C:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM   578560     C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM   129024     C:\WINDOWS\SYSTEM32\dllcache\desk.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM   150016     C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM   292352     C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM   121856     C:\WINDOWS\SYSTEM32\dllcache\intl.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM   65536      C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM   187904     C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM   559616     C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM   35840      C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM   256000     C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM   36864      C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM   109056     C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM   147456     C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM   268288     C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM   28160      C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM   90112      C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl
Intel Corporation              4/7/2003 10:14:30 AM   94208      C:\WINDOWS\SYSTEM32\ReinstallBackups\0002\DriverFiles\igfxcpl.cpl
Realtek Semiconductor Corp.    6/28/2003 12:40:32 AM  8606208    C:\WINDOWS\SYSTEM32\ReinstallBackups\0005\DriverFiles\ALSNDMGR.CPL

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
                     3/27/2004 2:54:38 PM   1903       C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Compaq Connections.lnk
                     11/27/2004 11:50:40 AM 729        C:\Documents and Settings\All Users\Start Menu\Programs\Startup\KODAK Picture Transfer Software.lnk
                     11/27/2004 11:56:28 AM 1031       C:\Documents and Settings\All Users\Start Menu\Programs\Startup\KODAK Software Updater.lnk
                     1/18/2005 10:51:12 PM  1738       C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
                     7/24/2003 5:47:38 AM   675        C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
aspack               8/8/2005 11:17:24 AM   61952      C:\Documents and Settings\All Users\Start Menu\Programs\Startup\raui.exe
                     8/8/2005 11:17:24 AM   61952      C:\Documents and Settings\All Users\Start Menu\Programs\Startup\raui.exe

Checking files in %ALLUSERSPROFILE%\Application Data folder...

Checking files in %USERPROFILE%\Startup folder...
                     7/24/2003 5:53:24 AM   1715       C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Compaq Organize.lnk
                     7/26/2003 4:57:50 AM   844        C:\Documents and Settings\Owner\Start Menu\Programs\Startup\spamsubtract.lnk

Checking files in %USERPROFILE%\Application Data folder...
                     3/14/2005 7:50:12 PM   110120     C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
                     3/10/2005 3:51:34 PM   12358      C:\Documents and Settings\Owner\Application Data\PFP110JCM.{PB
                     3/10/2005 3:51:34 PM   61678      C:\Documents and Settings\Owner\Application Data\PFP110JPR.{PB
                     8/11/2005 11:52:22 PM  39         C:\Documents and Settings\Owner\Application Data\Sskcwrd.dll
                     8/11/2005 11:44:16 PM  414915     C:\Documents and Settings\Owner\Application Data\Sskknwrd.dll
                     8/11/2005 11:52:22 PM  37         C:\Documents and Settings\Owner\Application Data\Sskuknwrd.dll

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
         = 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
    {B2AB8673-9BAB-410E-B5F0-08AC7E387EBF}   = C:\WINDOWS\system32\iZlmrnt5.dll
    {75740AC3-4BF8-4B46-B9FD-0888D046D7DE}   = C:\WINDOWS\system32\GHCollection.dll

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\BriefcaseMenu
    {85BBD920-42A0-1069-A2E4-08002B30309D}   = syncui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
    {57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}   = C:\Program Files\ewido\security suite\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\mysxkqsf
    {17518f7b-bc35-47a9-aa4d-3ef376234885}   = C:\WINDOWS\System32\earak.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
    {750fdf0e-2a26-11d1-a3ea-080036587f03}   = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
    {09799AFB-AD67-11d1-ABCD-00C04FC30936}   = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
    {A470F8CF-A1E8-4f65-8335-227475AA5C46}   = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\OPShellE
    {CCFE56EE-C7DE-44EE-A160-4553A5A912C9}   = C:\Program Files\Softex\OmniPass\opshelle.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
    {5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}   = C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
    Start Menu Pin   = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\BriefcaseMenu
    {85BBD920-42A0-1069-A2E4-08002B30309D}   = syncui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
    {5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}   = C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
    {A470F8CF-A1E8-4f65-8335-227475AA5C46}   = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido
    {57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}   = C:\Program Files\ewido\security suite\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
    {750fdf0e-2a26-11d1-a3ea-080036587f03}   = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\OPShellE
    {CCFE56EE-C7DE-44EE-A160-4553A5A912C9}   = C:\Program Files\Softex\OmniPass\opshelle.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\QuickFinderMenu
    {C0E10002-0028-0004-C0E1-C0E1C0E1C0E1}   = c:\Program Files\WordPerfect Office 11\Programs\PFSE110.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
    {f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}   = ntshrui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
     = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
     = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
     = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
     = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}
     = C:\WINDOWS\System32\datadx.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000010-6F7D-442C-93E3-4A4827C2E4C8}
    BHObj Class = C:\WINDOWS\nem220.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00027925-0017-4faf-9539-90E4AC0B9EC5}
    Band Class = C:\WINDOWS\ttext.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00F1D395-4744-40f0-A611-980F61AE2C59}
    Band Class = C:\WINDOWS\dsr.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{25BC5023-012B-4883-B5CB-523A8409C73A}
    SDWin32 Class = C:\WINDOWS\System32\llqrl.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{38A15633-D04F-4bed-A8D0-DF1D687D1F7E}
    XBTB01658 Class = C:\WINDOWS\DOWNLO~1\SEXTEN~1.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{71D1708F-973D-4600-AF01-AD86688403AE}
    LANBridge Class = C:\WINDOWS\System32\ylthpdta.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9ADE0443-2AB2-4B23-A3F8-AC520773DE12}
    ohb Class = C:\WINDOWS\System32\nsj19.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A3FDD654-A057-4971-9844-4ED8E67DBBB8}
    BAHelper Class = C:\Program Files\SideFind\sfbho.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F4E04583-354E-4076-BE7D-ED6A80FD66DA}
    ADP UrlCatcher Class = C:\WINDOWS\System32\msbe.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
    &Tip of the Day = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
    {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB}   =  : 
    {86227D9C-0EFE-4f8a-AA55-30386A3F5686}   = YourSiteBar  : C:\Program Files\YourSiteBar\ysb.dll
    {CC8C8F4F-F2E8-404B-A43D-5CC57876A008}   = sextension   : C:\WINDOWS\Downloaded Program Files\sextension.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
    MenuText     = Sun Java Console : C:\WINDOWS\System32\msjava.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{10E42047-DEB9-4535-A118-B3F6EC39B807}
    ButtonText   = SideFind : 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{E023F504-0C5A-4750-A1E7-A9046DEA8A21}
    ButtonText   = MoneySide    : 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{E5D12C4E-7B4F-11D3-B5C9-0050045C3C96}
    ButtonText   = Yahoo! Messenger : C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{8CBA1B49-8144-4721-A7B1-64C578C9EED7}
    SideFind = C:\Program Files\SideFind\sidefind.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
    File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
    Explorer Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser
    {01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address   : %SystemRoot%\System32\browseui.dll
    {0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
    {EF99BD32-C1FB-11D2-892F-0090271D4F88} = Yahoo! Companion   : C:\Program Files\Yahoo!\companion\Installs\cpn0\ycomp5_3_16_0.dll
    {86227D9C-0EFE-4F8A-AA55-30386A3F5686} = YourSiteBar    : C:\Program Files\YourSiteBar\ysb.dll
    {CC8C8F4F-F2E8-404B-A43D-5CC57876A008} = sextension : C:\WINDOWS\Downloaded Program Files\sextension.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    hpsysdrv    c:\windows\system\hpsysdrv.exe
    HotKeysCmds C:\WINDOWS\System32\hkcmd.exe
    KBD C:\HP\KBD\KBD.EXE
    StorageGuard    "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    TkBellExe   "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    Recguard    C:\WINDOWS\SMINST\RECGUARD.EXE
    NvCplDaemon RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    nwiz    nwiz.exe /installquiet /keeploaded /nodetect
    AlcxMonitor ALCXMNTR.EXE
    PS2 C:\WINDOWS\system32\ps2.exe
    QuickFinder Scheduler   "c:\Program Files\WordPerfect Office 11\Programs\QFSCHD110.EXE"
    hplampc C:\WINDOWS\system32\hplampc.exe
    mmtask  C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    Symantec NetDriver Monitor  C:\PROGRA~1\SYMNET~1\SNDMon.exe
    ISUSPM Startup  C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    AWMON   "C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe"
    QuickTime Task  "C:\Program Files\QuickTime\qttask.exe" -atboottime
    ccApp   "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    SSC_UserPrompt  C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
    ccRegVfy    "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    qbet    C:\WINDOWS\qbet.exe
    WildTangent CDA RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
    WT GameChannel  C:\Program Files\WildTangent\Apps\GameChannel.exe
    IST Service C:\Program Files\ISTsvc\istsvc.exe
    Media Gateway   C:\Program Files\Media Gateway\MediaGateway.exe
    iwhsuxi C:\WINDOWS\System32\vykevp.exe r

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
    IMAIL   Installed = 1
    MAPI    Installed = 1
    MSFS    Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    NVIEW   rundll32.exe nview.dll,nViewLoadHook
    MSMSGS  "C:\Program Files\Messenger\msmsgs.exe" /background
    Io02RRM3V   atrivs.exe
    kbdsp   C:\WINDOWS\System32\kbdsp.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\AMeOpt

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
    {BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
    {6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} = 
    {0DF44EAA-FF21-4412-828E-260A8728E7F1} = 


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
    dontdisplaylastusername 0
    legalnoticecaption  
    legalnoticetext 
    shutdownwithoutlogon    1
    undockwithoutlogon  1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\AMeOpt

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
    NoDriveTypeAutoRun  145


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    PostBootReminder                {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
    CDBurn                          {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
    WebCheck                        {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
    SysTray                         {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit    = C:\WINDOWS\system32\userinit.exe,
    Shell       = Explorer.exe C:\WINDOWS\Nail.exe
    System      = 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\OptimalLayout
     = C:\WINDOWS\system32\ppdx5032.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
    Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    AppInit_DLLs    


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.3.0 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 8/12/2005 6:02:19 PM

Edited by mike_2000_17: Fixed formatting

0

Well, Aurora has managed to get back into your system :(

Before cleaning that up again, please download L2mfix from one of these two locations:

http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop and double-click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double-click l2mfix.bat and select option #1 for 'Run Find Log' by typing 1, and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or two, notepad will open with a log. Copy the contents of that log and paste it into this thread with your next reply.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

Now go to post #5 in this thread again to remove Aurora:
http://www.daniweb.com/techtalkforums/thread28196.html

When you've finished, please post a new HJT log, the new Ewido log, and the L2MFix log.

0

Hi again - I made it back.... but just barely. :( ...I had to put in this reply from my laptop since the pops-ups kept crushing my PC.....I followed the steps but the PC hung on several occasions....the on-line spyware tools did not work - my PC kept rebooting on it's own....the tools that I had downloaded - ewido, Microsoft, Ad Aware, and SpyBot seemed to work and after I deleted the temp files and rebooted the PC seemed to be stable --- until I launched IE to give my reply and then all heck broke loose again.......I am running Ad-Watch and Norton System Works.....Norton has been catching the MHTMLRedir.Exploit that keeps trying to get back on, Virtual Bouncer made it way back on but I think it is removed, VX2 keeps getting found by Ad Aware......here's are my logs: the L2MFix before the fixes and the HJT and ewido.....thanks again for the help....perhaps it time for a refresh of the PC - ...OS reinstall etc??? thanks....

L2MFIX find log 1.03b
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ShellCompatibility]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\ppdx5032.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{7353C3F6-3354-BD2D-C4F1-8EE358BF9019}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{7F67036B-66F1-411A-AD85-759FB9C5B0DB}"="SampleView"
"{1CDB2949-8F65-4355-8456-263E7C208A5D}"="Desktop Explorer"
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}"="Desktop Explorer Menu"
"{CCFE56EE-C7DE-44EE-A160-4553A5A912C9}"="OmniPass Shell Extension"
"{acb4a560-3606-11d3-aef4-00104bd0f92d}"="KodakShellExtension"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}"="iTunes"
"{75740AC3-4BF8-4B46-B9FD-0888D046D7DE}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{75740AC3-4BF8-4B46-B9FD-0888D046D7DE}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{75740AC3-4BF8-4B46-B9FD-0888D046D7DE}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{75740AC3-4BF8-4B46-B9FD-0888D046D7DE}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{75740AC3-4BF8-4B46-B9FD-0888D046D7DE}\InprocServer32]
@="C:\\WINDOWS\\system32\\stsbkup.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:
Locate .tmp files:
Directory Listing of system files:
 Volume in drive C is PRESARIO
 Volume Serial Number is B8A5-6D43

 Directory of C:\WINDOWS\System32

08/15/2005  07:26 PM           417,792 stsbkup.dll
08/04/2005  10:43 PM           417,792 ppdx5032.dll
07/08/2005  08:26 PM    <DIR>          dllcache
03/29/2005  01:45 PM                56 EA7E68B34D.sys
07/24/2003  04:50 AM    <DIR>          Microsoft
09/30/1999  08:21 PM           166,672 mstext35.dll
09/28/1999  10:42 PM         1,050,896 msjet35.dll
09/09/1999  11:06 PM           168,720 msltus35.dll
09/09/1999  11:06 PM           252,688 msexcl35.dll
08/25/1999  03:57 PM           415,504 msrepl35.dll
06/07/1999  07:59 PM           250,128 mspdox35.dll
04/25/1999  06:00 PM           252,176 Msrd2x35.dll
04/25/1999  06:00 PM           287,504 Msxbse35.dll
04/25/1999  06:00 PM           368,912 Vbar332.dll
              12 File(s)      4,048,840 bytes
               2 Dir(s)  99,7
77,622,016 bytes free





Logfile of HijackThis v1.99.1
Scan saved at 9:56:31 PM, on 8/21/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\Program Files\Citvirus\scae2nls.exe
C:\WINDOWS\System32\dfrpsvcs.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
C:\WINDOWS\System32\liqnhw.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\UAService7.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system\eiicupd.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
C:\Program Files\Kodak\KODAK Picture Transfer Software\pts.exe
C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [url]http://qus9.hpwis.com/[/url]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [url]http://srch-qus9.hpwis.com/[/url]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [url]http://comcast.net/[/url]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [url]http://qus9.hpwis.com/[/url]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [url]http://srch-qus9.hpwis.com/[/url]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [url]http://qus9.hpwis.com/[/url]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - _{CC8C8F4F-F2E8-404B-A43D-5CC57876A008} - (no file)
R3 - URLSearchHook: (no name) - _{02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: XBTP07618 - {2296428D-C133-4928-B76A-A200FF409572} - C:\PROGRA~1\FREEPR~1\freeprod.dll
O2 - BHO: LANBridge Class - {71D1708F-973D-4600-AF01-AD86688403AE} - C:\WINDOWS\System32\ylthpdta.dll
O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - C:\WINDOWS\System32\nsf5B.dll
O3 - Toolbar: Freeprod Toolbar - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - C:\Program Files\Freeprod Toolbar\freeprod.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [QuickFinder Scheduler] "c:\Program Files\WordPerfect Office 11\Programs\QFSCHD110.EXE"
O4 - HKLM\..\Run: [hplampc] C:\WINDOWS\system32\hplampc.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [qbet] C:\WINDOWS\qbet.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Io02RRM3V] atrivs.exe
O4 - HKCU\..\Run: [kbdsp] C:\WINDOWS\System32\kbdsp.exe
O4 - Startup: Compaq Organize.lnk = ?
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O4 - Global Startup: KODAK Picture Transfer Software.lnk = ?
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: raui.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - [url]http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab[/url]
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - [url]http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4561/mcfscan.cab[/url]
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - (no file)
O20 - Winlogon Notify: OemStartMenuData - C:\WINDOWS\system32\onpdx32.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: System Startup Service  (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\System32\UAService7.exe





---------------------------------------------------------
 ewido security suite - Scan report
---------------------------------------------------------

 + Created on:          4:21:56 PM, 8/21/2005
 + Report-Checksum:     EF811228

 + Scan result:

    HKLM\SOFTWARE\Classes\CLSID\{417386C3-8D4A-4611-9B91-E57E89D603AC} -> Spyware.AdDestroyer : Cleaned with backup
    HKLM\SOFTWARE\Classes\Interface\{10D7DB96-56DC-4617-8EAB-EC506ABE6C7E} -> Spyware.AdDestroyer : Cleaned with backup
    HKLM\SOFTWARE\Classes\Interface\{6CDC3337-01F7-4A79-A4AF-0B19303CC0BE} -> Spyware.AdDestroyer : Cleaned with backup
    HKLM\SOFTWARE\Classes\Interface\{795398D0-DC2F-4118-A69C-592273BA9C2B} -> Spyware.AdDestroyer : Cleaned with backup
    HKLM\SOFTWARE\Classes\Interface\{B288F21C-A144-4CA2-9B70-8AFA1FAE4B06} -> Spyware.AdDestroyer : Cleaned with backup
    HKLM\SOFTWARE\Classes\PopOops2.PopOops -> Spyware.AdDestroyer : Cleaned with backup
    HKLM\SOFTWARE\Classes\PopOops2.PopOops\Clsid -> Spyware.AdDestroyer : Cleaned with backup
    HKLM\SOFTWARE\Classes\SWLAD1.SWLAD -> Spyware.AdDestroyer : Cleaned with backup
    HKLM\SOFTWARE\Classes\SWLAD1.SWLAD\Clsid -> Spyware.AdDestroyer : Cleaned with backup
    HKLM\SOFTWARE\Classes\TypeLib\{D0C29A75-7146-4737-98EE-BC4D7CF44AF9} -> Spyware.AdDestroyer : Cleaned with backup
    HKLM\SOFTWARE\Classes\TypeLib\{E0D3B292-A0B0-4640-975C-2F882E039F52} -> Spyware.AdDestroyer : Cleaned with backup
    HKLM\SOFTWARE\Classes\YSBactivex.Installer -> Spyware.YourSiteBar : Cleaned with backup
    HKLM\SOFTWARE\Classes\YSBactivex.Installer\CLSID -> Spyware.YourSiteBar : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{79849612-A98F-45B8-95E9-4D13C7B6B35C} -> Spyware.Crazywinnings : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\H323TSP -> Spyware.Look2Me : Cleaned with backup
    HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\ZepMon -> Spyware.BetterInternet : Cleaned with backup
    [500] C:\WINDOWS\system32\onpdx32.dll -> Spyware.Look2Me : Error during cleaning
    [1080] C:\WINDOWS\system32\qEsf.dll -> Spyware.Look2Me : Error during cleaning
    [1624] C:\WINDOWS\system32\DrPMon.dll -> Adware.BetterInternet : Cleaned with backup
    [1804] VM_016C0000 -> Adware.BetterInternet : Error during cleaning
    [1920] C:\Program Files\Citvirus\ace.dll -> Spyware.AproposMedia : Error during cleaning
    [396] C:\WINDOWS\System32\ufdiywz.exe -> Trojan.Agent.cp : Cleaned with backup
    [980] C:\WINDOWS\system\bgtxdii.exe -> TrojanDownloader.Small.ayh : Cleaned with backup
    C:\WINDOWS\1gr96d.sys -> Trojan.Kolweb.b : Cleaned with backup
    C:\WINDOWS\Downloaded Program Files\MediaGatewayX.dll -> Spyware.WinAD : Cleaned with backup
    C:\WINDOWS\Downloaded Program Files\website.ocx -> TrojanDownloader.Agent.ex : Cleaned with backup
    C:\WINDOWS\Downloaded Program Files\ysbactivex.dll -> TrojanDownloader.IstBar : Cleaned with backup
    C:\WINDOWS\dsr.dll -> Spyware.Hijacker.Generic : Cleaned with backup
    C:\WINDOWS\dsr.exe -> Trojan.Imiserv.c : Cleaned with backup
    C:\WINDOWS\etb\nt_hide63.dll -> Spyware.EliteBar : Cleaned with backup
    C:\WINDOWS\etb\pokapoka63.exe -> Spyware.EliteBar : Cleaned with backup
    C:\WINDOWS\etb\xud_63.dll -> Spyware.EliteBar : Cleaned with backup
    C:\WINDOWS\Nail.exe -> Adware.BetterInternet : Cleaned with backup
    C:\WINDOWS\nqhpozgaz.exe -> Adware.BetterInternet : Cleaned with backup
    C:\WINDOWS\system\bgtxdii.exe -> TrojanDownloader.Small.ayh : Cleaned with backup
    C:\WINDOWS\system32\1gr96d.sys -> Trojan.Kolweb.b : Cleaned with backup
    C:\WINDOWS\system32\6o00f.exe -> Trojan.Kolweb.b : Cleaned with backup
    C:\WINDOWS\system32\akptif.dll -> Spyware.Look2Me : Cleaned with backup
    C:\WINDOWS\system32\cw37x.exe -> Trojan.Delf.cf : Cleaned with backup
    C:\WINDOWS\system32\dist001.exe -> TrojanDownloader.Agent.qg : Cleaned with backup
    C:\WINDOWS\system32\EDowST3.exe -> TrojanDownloader.QDown.z : Cleaned with backup
    C:\WINDOWS\system32\exp.exe -> TrojanDownloader.Small.abd : Cleaned with backup
    C:\WINDOWS\system32\guard.tmp -> Spyware.Look2Me : Cleaned with backup
    C:\WINDOWS\system32\iiss.dll -> Spyware.Look2Me : Cleaned with backup
    C:\WINDOWS\system32\kjdno.dll -> Spyware.Look2Me : Cleaned with backup
    C:\WINDOWS\system32\kldla.dll -> Spyware.Look2Me : Cleaned with backup
    C:\WINDOWS\system32\lanbrup.exe -> Spyware.SafeSurfing : Cleaned with backup
    C:\WINDOWS\system32\lyk.dll -> Spyware.Look2Me : Cleaned with backup
    C:\WINDOWS\system32\mirindaspg.exe -> Trojan.Kolweb.b : Cleaned with backup
    C:\WINDOWS\system32\mqcories.dll -> Spyware.Look2Me : Cleaned with backup
    C:\WINDOWS\system32\mxjava.dll -> Spyware.Look2Me : Cleaned with backup
    C:\WINDOWS\system32\nsw73.dll -> Spyware.HotSearchBar : Cleaned with backup
    C:\WINDOWS\system32\nztcfgx.dll -> Spyware.Look2Me : Cleaned with backup
    C:\WINDOWS\system32\ppdx5032.dll -> Spyware.Look2Me : Cleaned with backup
    C:\WINDOWS\system32\PSof1.exe -> Spyware.Pacer : Cleaned with backup
    C:\WINDOWS\system32\redit.cpl -> TrojanDownloader.Qoologic.p : Cleaned with backup
    C:\WINDOWS\system32\SSK3_B5 Seedcorn 4.exe -> TrojanDropper.Agent.hl : Cleaned with backup
    C:\WINDOWS\system32\supdate.dll -> TrojanDownloader.Qoologic.p : Cleaned with backup
    C:\WINDOWS\system32\ufdiywz.exe -> Trojan.Agent.gp : Cleaned with backup
    C:\WINDOWS\system32\vidctrl\vidctrl.exe -> Spyware.DelphinMediaViewer : Cleaned with backup
    C:\WINDOWS\system32\VLAME.DLL -> Spyware.Look2Me : Cleaned with backup
    C:\WINDOWS\system32\wGvemsp.dll -> Spyware.Look2Me : Cleaned with backup
    C:\WINDOWS\system32\wintask.exe -> TrojanDownloader.Small.abd : Cleaned with backup
    C:\WINDOWS\system32\wjdsp.dll -> Spyware.Look2Me : Cleaned with backup
    C:\WINDOWS\system32\wnssvc.dll -> Spyware.Look2Me : Cleaned with backup
    C:\WINDOWS\system32\ylthpdta.dll -> Spyware.SafeSurfing : Cleaned with backup
    C:\WINDOWS\Temp\b.com -> TrojanDropper.Agent.pb : Cleaned with backup
    C:\WINDOWS\Temp\bb.exe -> TrojanDownloader.Adload.a : Cleaned with backup
    C:\WINDOWS\Temp\Del2E.tmp -> TrojanDownloader.Small.asf : Cleaned with backup
    C:\WINDOWS\Temp\nsh_105.exe -> Spyware.Downloadware : Cleaned with backup
    C:\WINDOWS\Temp\nsh_110.exe -> Spyware.Downloadware : Cleaned with backup
    C:\WINDOWS\Temp\optimize.exe -> TrojanDownloader.Dyfuca.ei : Cleaned with backup
    C:\WINDOWS\Temp\pcs_0026.exe -> Spyware.Pacer : Cleaned with backup
    C:\WINDOWS\Temp\ptf_0026.exe -> Spyware.Pacer : Cleaned with backup
    C:\WINDOWS\Temp\res2F.tmp -> Spyware.180Solutions : Cleaned with backup
    C:\WINDOWS\Temp\sidefind.exe -> TrojanDownloader.IstBar.jm : Cleaned with backup
    C:\WINDOWS\Temp\SSK3_B5 Seedcorn 4.exe -> TrojanDropper.Small.qn : Cleaned with backup
    C:\Documents and Settings\Owner\Cookies\owner@abetterinternet[1].txt -> Spyware.Cookie.Abetterinternet : Cleaned with backup
    C:\Documents and Settings\Owner\Cookies\owner@ad.yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
    C:\Documents and Settings\Owner\Cookies\owner@paypopup[2].txt -> Spyware.Cookie.Paypopup : Cleaned with backup
    C:\Documents and Settings\Owner\Cookies\owner@rotator.adjuggler[2].txt -> Spyware.Cookie.Adjuggler : Cleaned with backup
    C:\Documents and Settings\Owner\Cookies\owner@sales.liveperson[2].txt -> Spyware.Cookie.Liveperson : Cleaned with backup
    C:\Documents and Settings\Owner\Cookies\owner@shopathomeselect[2].txt -> Spyware.Cookie.Shopathomeselect : Cleaned with backup
    C:\Documents and Settings\Owner\Cookies\owner@www.myaffiliateprogram[2].txt -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
    C:\Documents and Settings\Owner\Cookies\owner@www.sidefind[2].txt -> Spyware.Cookie.Sidefind : Cleaned with backup
    C:\Documents and Settings\Owner\Cookies\owner@yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
    C:\Documents and Settings\Owner\Cookies\owner@ysbweb[1].txt -> Spyware.Cookie.Ysbweb : Cleaned with backup


::Report End

Edited by mike_2000_17: Fixed formatting

0

Please run option #2 of the lm2fix.

Then run the following tools to assist in removing this infection:

WinPFind
Right-click the Zip Folder and select "Extract All"
Extract it somewhere you will remember (like your Desktop)
Don't do anything with it yet!

Track qoo
Again, save it somewhere you will remember, like your Desktop

Reboot into Safe Mode.

Doubleclick WinPFind.exe
Click "Start Scan"
It will scan the entire System, so please be patient.
Once the scan is complete, go to the WinPFind folder and locate WinPFind.txt;
Place those results in the next post.

Reboot back to Normal Mode.

Double Click on "Track qoo.vbs"

Note - If your Antivirus has Script Blocking, you will get a Pop Up Window asking you what to do. Allow this Entire Script to run, its harmless!

Wait a few seconds and a notepad page will pop up, Copy & Paste those results and place them in your next post along with the results of WinPFind.

0

Here's the WinFind Report:

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP    Current Build: Service Pack 1    Current Build Number: 2600
Internet Explorer Version: 6.0.2800.1106

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
abetterinternet.com  12/31/2004 6:29:52 AM  3278       C:\WINDOWS\abiuninst.htm
aspack               11/28/2004 9:10:44 PM  1343999    C:\WINDOWS\Aurexkb.ehu
PTech                11/28/2004 9:10:44 PM  1343999    C:\WINDOWS\Aurexkb.ehu
UPX!                 11/28/2004 9:00:40 PM  255700     C:\WINDOWS\del.tmp
UPX!                 8/21/2005 10:03:30 PM  189859     C:\WINDOWS\dsr.exe
PTech                11/28/2004 9:10:52 PM  1073501    C:\WINDOWS\Flgczsswjyh.lzw
PEC2                 11/28/2004 9:10:40 PM  184535     C:\WINDOWS\Iingbqeu.aaw
PTech                11/28/2004 9:10:46 PM  483851     C:\WINDOWS\Iwwcitsg.dua
PECompact2           7/7/2005 7:44:40 AM    15329059   C:\WINDOWS\lpt$vpn.719
qoologic             7/7/2005 7:44:40 AM    15329059   C:\WINDOWS\lpt$vpn.719
SAHAgent             7/7/2005 7:44:40 AM    15329059   C:\WINDOWS\lpt$vpn.719
web-nex              8/22/2005 11:26:30 PM  4254       C:\WINDOWS\mnrzv.dll
PEC2                 11/28/2004 9:10:42 PM  193869     C:\WINDOWS\Mxacorse.trv
UPX!                 6/13/2000 2:53:30 PM   52736      C:\WINDOWS\Nail.exe
UPX!                 2/9/2003 6:26:52 AM    79360      C:\WINDOWS\nqhpozgaz.exe
UPX!                 5/3/2005 11:44:44 AM   25157      C:\WINDOWS\RMAgentOutput.dll
UPX!                 12/12/2003 2:53:36 AM  6656       C:\WINDOWS\svcproc.exe
UPX!                 1/10/2005 4:17:24 PM   170053     C:\WINDOWS\tsc.exe
PECompact2           7/7/2005 7:44:40 AM    15329059   C:\WINDOWS\VPTNFILE.719
qoologic             7/7/2005 7:44:40 AM    15329059   C:\WINDOWS\VPTNFILE.719
SAHAgent             7/7/2005 7:44:40 AM    15329059   C:\WINDOWS\VPTNFILE.719
UPX!                 2/18/2005 6:40:14 PM   1044560    C:\WINDOWS\vsapi32.dll
aspack               2/18/2005 6:40:14 PM   1044560    C:\WINDOWS\vsapi32.dll
PTech                11/28/2004 9:10:50 PM  1626626    C:\WINDOWS\Wpkrkcqrrjf.uwm

Checking %System% folder...
SAHAgent             6/30/2005 2:00:58 PM   35         C:\WINDOWS\SYSTEM32\9hk5g7bj.ini
UPX!                 8/21/2005 10:00:22 PM  94208      C:\WINDOWS\SYSTEM32\adlinstallwin32.exe
SAHAgent             8/8/2005 2:05:46 PM    796        C:\WINDOWS\SYSTEM32\atrc8parb.ini
aspack               8/22/2005 10:48:04 PM  7168       C:\WINDOWS\SYSTEM32\daxmqox.exe
PEC2                 8/29/2002 8:00:00 AM   41397      C:\WINDOWS\SYSTEM32\dfrg.msc
UPX!                 10/8/2004 11:44:14 AM  28160      C:\WINDOWS\SYSTEM32\DrPMon.dll
Umonitor             8/21/2005 6:51:08 PM   417792     C:\WINDOWS\SYSTEM32\guard.tmp
WinShutDown          8/21/2005 6:51:08 PM   417792     C:\WINDOWS\SYSTEM32\guard.tmp
aspack               8/22/2005 10:48:04 PM  61952      C:\WINDOWS\SYSTEM32\halpum.exe
SAHAgent             6/30/2005 2:00:58 PM   35         C:\WINDOWS\SYSTEM32\havijo1d.ini
Umonitor             8/21/2005 8:27:32 PM   417792     C:\WINDOWS\SYSTEM32\iemui.dll
WinShutDown          8/21/2005 8:27:32 PM   417792     C:\WINDOWS\SYSTEM32\iemui.dll
aspack               8/22/2005 10:48:04 PM  9728       C:\WINDOWS\SYSTEM32\ikgsv.dll
KavSvc               8/22/2005 10:48:04 PM  9728       C:\WINDOWS\SYSTEM32\ikgsv.dll
69.59.186.63         8/22/2005 10:48:04 PM  9728       C:\WINDOWS\SYSTEM32\ikgsv.dll
209.66.67.134        8/22/2005 10:48:04 PM  9728       C:\WINDOWS\SYSTEM32\ikgsv.dll
web-nex              8/22/2005 10:48:04 PM  9728       C:\WINDOWS\SYSTEM32\ikgsv.dll
yourkey              8/22/2005 10:48:04 PM  9728       C:\WINDOWS\SYSTEM32\ikgsv.dll
Umonitor             11/3/1998 2:01:02 AM   324096     C:\WINDOWS\SYSTEM32\ipebase11.dll
SAHAgent             6/30/2005 9:25:36 PM   3132       C:\WINDOWS\SYSTEM32\l2r348ov.ini
UPX!                 1/13/2005 9:41:48 PM   11254      C:\WINDOWS\SYSTEM32\locate.com
UPX!                 8/21/2005 8:22:12 PM   121433     C:\WINDOWS\SYSTEM32\mc-110-12-0000079.exe
UPX!                 8/21/2005 8:21:06 PM   25105      C:\WINDOWS\SYSTEM32\MTE2ODM6ODoxNg.exe
Umonitor             8/22/2005 11:40:04 PM  417792     C:\WINDOWS\SYSTEM32\muricons.dll
WinShutDown          8/22/2005 11:40:04 PM  417792     C:\WINDOWS\SYSTEM32\muricons.dll
Umonitor             8/21/2005 10:00:32 PM  417792     C:\WINDOWS\SYSTEM32\nbdenb32.dll
WinShutDown          8/21/2005 10:00:32 PM  417792     C:\WINDOWS\SYSTEM32\nbdenb32.dll
Umonitor             8/21/2005 8:58:16 PM   417792     C:\WINDOWS\SYSTEM32\nbwdev.dll
WinShutDown          8/21/2005 8:58:16 PM   417792     C:\WINDOWS\SYSTEM32\nbwdev.dll
Umonitor             8/21/2005 10:00:50 PM  417792     C:\WINDOWS\SYSTEM32\nkrsda.dll
WinShutDown          8/21/2005 10:00:50 PM  417792     C:\WINDOWS\SYSTEM32\nkrsda.dll
aspack               8/22/2005 10:48:04 PM  27648      C:\WINDOWS\SYSTEM32\nkyicuy.dll
KavSvc               8/22/2005 10:48:04 PM  27648      C:\WINDOWS\SYSTEM32\nkyicuy.dll
69.59.186.63         8/22/2005 10:48:04 PM  27648      C:\WINDOWS\SYSTEM32\nkyicuy.dll
209.66.67.134        8/22/2005 10:48:04 PM  27648      C:\WINDOWS\SYSTEM32\nkyicuy.dll
testpopup            8/22/2005 10:48:04 PM  27648      C:\WINDOWS\SYSTEM32\nkyicuy.dll
web-nex              8/22/2005 10:48:04 PM  27648      C:\WINDOWS\SYSTEM32\nkyicuy.dll
yourkey              8/22/2005 10:48:04 PM  27648      C:\WINDOWS\SYSTEM32\nkyicuy.dll
Umonitor             8/21/2005 9:35:54 AM   417792     C:\WINDOWS\SYSTEM32\onpdx32.dll
WinShutDown          8/21/2005 9:35:54 AM   417792     C:\WINDOWS\SYSTEM32\onpdx32.dll
UPX!                 8/21/2005 8:26:50 PM   116381     C:\WINDOWS\SYSTEM32\Pop1A.exe
UPX!                 8/21/2005 8:09:48 PM   29696      C:\WINDOWS\SYSTEM32\PSof1.exe
Umonitor             8/21/2005 8:23:44 PM   417792     C:\WINDOWS\SYSTEM32\pzlstore.dll
WinShutDown          8/21/2005 8:23:44 PM   417792     C:\WINDOWS\SYSTEM32\pzlstore.dll
Umonitor             8/29/2002 8:00:00 AM   631808     C:\WINDOWS\SYSTEM32\rasdlg.dll
aspack               8/21/2005 8:16:34 PM   28160      C:\WINDOWS\SYSTEM32\redit.cpl
Umonitor             8/21/2005 10:01:36 PM  417792     C:\WINDOWS\SYSTEM32\rPsapi32.dll
WinShutDown          8/21/2005 10:01:36 PM  417792     C:\WINDOWS\SYSTEM32\rPsapi32.dll
Umonitor             8/21/2005 10:08:54 PM  417792     C:\WINDOWS\SYSTEM32\sNfrcdlg.dll
WinShutDown          8/21/2005 10:08:54 PM  417792     C:\WINDOWS\SYSTEM32\sNfrcdlg.dll
aspack               8/21/2005 8:16:32 PM   29184      C:\WINDOWS\SYSTEM32\supdate.dll
KavSvc               8/21/2005 8:16:32 PM   29184      C:\WINDOWS\SYSTEM32\supdate.dll
69.59.186.63         8/21/2005 8:16:32 PM   29184      C:\WINDOWS\SYSTEM32\supdate.dll
209.66.67.134        8/21/2005 8:16:32 PM   29184      C:\WINDOWS\SYSTEM32\supdate.dll
66.63.167.97         8/21/2005 8:16:32 PM   29184      C:\WINDOWS\SYSTEM32\supdate.dll
66.63.167.77         8/21/2005 8:16:32 PM   29184      C:\WINDOWS\SYSTEM32\supdate.dll
web-nex              8/21/2005 8:16:32 PM   29184      C:\WINDOWS\SYSTEM32\supdate.dll
yourkey              8/21/2005 8:16:32 PM   29184      C:\WINDOWS\SYSTEM32\supdate.dll
rec2_run             8/21/2005 8:16:32 PM   29184      C:\WINDOWS\SYSTEM32\supdate.dll
UPX!                 8/21/2005 8:25:36 PM   223232     C:\WINDOWS\SYSTEM32\uci.exe
winsync              8/29/2002 8:00:00 AM   1309184    C:\WINDOWS\SYSTEM32\wbdbase.deu
aspack               8/22/2005 10:48:04 PM  61952      C:\WINDOWS\SYSTEM32\wugky.dat

Checking %System%\Drivers folder and sub-folders...

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
S                    8/22/2005 11:39:38 PM  2048       C:\WINDOWS\bootstat.dat
H                    8/22/2005 11:37:58 PM  24         C:\WINDOWS\p1g0Y
SH                   8/21/2005 8:45:44 AM   637564     C:\WINDOWS\system32\8zj.dll
S                    8/21/2005 6:51:08 PM   417792     C:\WINDOWS\system32\guard.tmp
S                    8/21/2005 8:27:32 PM   417792     C:\WINDOWS\system32\iemui.dll
S                    8/22/2005 11:40:04 PM  417792     C:\WINDOWS\system32\muricons.dll
S                    8/21/2005 10:00:32 PM  417792     C:\WINDOWS\system32\nbdenb32.dll
S                    8/21/2005 8:58:16 PM   417792     C:\WINDOWS\system32\nbwdev.dll
S                    8/21/2005 10:00:50 PM  417792     C:\WINDOWS\system32\nkrsda.dll
S                    8/21/2005 9:35:54 AM   417792     C:\WINDOWS\system32\onpdx32.dll
S                    8/21/2005 8:23:44 PM   417792     C:\WINDOWS\system32\pzlstore.dll
S                    8/21/2005 10:01:36 PM  417792     C:\WINDOWS\system32\rPsapi32.dll
S                    8/21/2005 10:08:54 PM  417792     C:\WINDOWS\system32\sNfrcdlg.dll
S                    8/22/2005 10:46:58 PM  417792     C:\WINDOWS\system32\tnddd.dll
H                    8/22/2005 11:39:30 PM  8192       C:\WINDOWS\system32\config\default.LOG
H                    8/22/2005 11:39:54 PM  1024       C:\WINDOWS\system32\config\SAM.LOG
H                    8/22/2005 11:39:42 PM  12288      C:\WINDOWS\system32\config\SECURITY.LOG
H                    8/22/2005 11:40:50 PM  143360     C:\WINDOWS\system32\config\software.LOG
H                    8/22/2005 11:39:38 PM  1019904    C:\WINDOWS\system32\config\system.LOG
H                    8/8/2005 11:05:22 AM   1024       C:\WINDOWS\system32\config\userdiff.LOG
SH                   8/11/2005 10:18:20 PM  388        C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\a65c4887-7a56-462f-a379-47f4c17c5e26
SH                   8/11/2005 10:18:20 PM  24         C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
H                    8/15/2005 8:00:42 PM   39578      C:\WINDOWS\system32\spool\drivers\w32x86\3\lxblma.GID
SH                   8/22/2005 11:25:58 PM  190        C:\WINDOWS\Tasks\RUTASK.job
H                    8/22/2005 11:38:20 PM  6          C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation          8/29/2002 8:00:00 AM   66048      C:\WINDOWS\SYSTEM32\access.cpl
Realtek Semiconductor Corp.    6/28/2003 12:40:32 AM  8606208    C:\WINDOWS\SYSTEM32\ALSNDMGR.CPL
Microsoft Corporation          8/29/2002 8:00:00 AM   578560     C:\WINDOWS\SYSTEM32\appwiz.cpl
                               5/11/2001 1:00:00 AM   183808     C:\WINDOWS\SYSTEM32\bdeadmin.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM   129024     C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM   150016     C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Hewlett-Packard                1/26/1999 1:06:28 AM   25524      C:\WINDOWS\SYSTEM32\hpsctrlc.cpl
Intel Corporation              4/7/2003 10:14:30 AM   94208      C:\WINDOWS\SYSTEM32\igfxcpl.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM   292352     C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM   121856     C:\WINDOWS\SYSTEM32\intl.cpl
InstallShield Software Corporation6/16/2004 7:03:30 AM   73728      C:\WINDOWS\SYSTEM32\ISUSPM.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM   65536      C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems               2/20/2003 5:42:34 PM   229487     C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM   187904     C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM   559616     C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM   35840      C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM   256000     C:\WINDOWS\SYSTEM32\nusrmgr.cpl
NVIDIA Corporation             5/3/2003 2:19:00 AM    143360     C:\WINDOWS\SYSTEM32\nvtuicpl.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM   36864      C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM   109056     C:\WINDOWS\SYSTEM32\powercfg.cpl
Apple Computer, Inc.           9/23/2004 6:57:40 PM   323072     C:\WINDOWS\SYSTEM32\QuickTime.cpl
                               8/21/2005 8:16:34 PM   28160      C:\WINDOWS\SYSTEM32\redit.cpl
Softex, Inc                    2/21/2003 7:06:04 AM   32768      C:\WINDOWS\SYSTEM32\scurecpl.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM   268288     C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM   28160      C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM   90112      C:\WINDOWS\SYSTEM32\timedate.cpl
The Weather Channel Interactive4/6/2005 4:21:18 PM    3006464    C:\WINDOWS\SYSTEM32\wxfw.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM   66048      C:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM   578560     C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM   129024     C:\WINDOWS\SYSTEM32\dllcache\desk.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM   150016     C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM   292352     C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM   121856     C:\WINDOWS\SYSTEM32\dllcache\intl.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM   65536      C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM   187904     C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM   559616     C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM   35840      C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM   256000     C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM   36864      C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM   109056     C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM   147456     C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM   268288     C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM   28160      C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM   90112      C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl
Intel Corporation              4/7/2003 10:14:30 AM   94208      C:\WINDOWS\SYSTEM32\ReinstallBackups\0002\DriverFiles\igfxcpl.cpl
Realtek Semiconductor Corp.    6/28/2003 12:40:32 AM  8606208    C:\WINDOWS\SYSTEM32\ReinstallBackups\0005\DriverFiles\ALSNDMGR.CPL

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
                     3/27/2004 2:54:38 PM   1903       C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Compaq Connections.lnk
                     11/27/2004 11:50:40 AM 729        C:\Documents and Settings\All Users\Start Menu\Programs\Startup\KODAK Picture Transfer Software.lnk
                     11/27/2004 11:56:28 AM 1031       C:\Documents and Settings\All Users\Start Menu\Programs\Startup\KODAK Software Updater.lnk
                     1/18/2005 10:51:12 PM  1738       C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
                     7/24/2003 5:47:38 AM   675        C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
aspack               8/21/2005 8:16:38 PM   61952      C:\Documents and Settings\All Users\Start Menu\Programs\Startup\raui.exe
                     8/21/2005 8:16:38 PM   61952      C:\Documents and Settings\All Users\Start Menu\Programs\Startup\raui.exe

Checking files in %ALLUSERSPROFILE%\Application Data folder...

Checking files in %USERPROFILE%\Startup folder...
                     7/24/2003 5:53:24 AM   1715       C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Compaq Organize.lnk
                     7/26/2003 4:57:50 AM   844        C:\Documents and Settings\Owner\Start Menu\Programs\Startup\spamsubtract.lnk

Checking files in %USERPROFILE%\Application Data folder...
                     3/14/2005 7:50:12 PM   110120     C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
                     3/10/2005 3:51:34 PM   12358      C:\Documents and Settings\Owner\Application Data\PFP110JCM.{PB
                     3/10/2005 3:51:34 PM   61678      C:\Documents and Settings\Owner\Application Data\PFP110JPR.{PB
                     8/21/2005 8:14:32 PM   445676     C:\Documents and Settings\Owner\Application Data\Sskknwrd.dll

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
         = 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
    {75740AC3-4BF8-4B46-B9FD-0888D046D7DE}   = C:\WINDOWS\system32\tnddd.dll

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\BriefcaseMenu
    {85BBD920-42A0-1069-A2E4-08002B30309D}   = syncui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
    {57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}   = C:\Program Files\ewido\security suite\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\mysxkqsf
    {2c55ffab-b398-4bb8-b712-796434db7c9d}   = 
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
    {750fdf0e-2a26-11d1-a3ea-080036587f03}   = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
    {09799AFB-AD67-11d1-ABCD-00C04FC30936}   = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
    {A470F8CF-A1E8-4f65-8335-227475AA5C46}   = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\OPShellE
    {CCFE56EE-C7DE-44EE-A160-4553A5A912C9}   = C:\Program Files\Softex\OmniPass\opshelle.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
    {5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}   = C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
    Start Menu Pin   = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\BriefcaseMenu
    {85BBD920-42A0-1069-A2E4-08002B30309D}   = syncui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
    {5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}   = C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
    {A470F8CF-A1E8-4f65-8335-227475AA5C46}   = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido
    {57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}   = C:\Program Files\ewido\security suite\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
    {750fdf0e-2a26-11d1-a3ea-080036587f03}   = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\OPShellE
    {CCFE56EE-C7DE-44EE-A160-4553A5A912C9}   = C:\Program Files\Softex\OmniPass\opshelle.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\QuickFinderMenu
    {C0E10002-0028-0004-C0E1-C0E1C0E1C0E1}   = c:\Program Files\WordPerfect Office 11\Programs\PFSE110.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
    {f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}   = ntshrui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
     = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
     = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
     = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
     = %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00F1D395-4744-40f0-A611-980F61AE2C59}
    Band Class = C:\WINDOWS\dsr.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2296428D-C133-4928-B76A-A200FF409572}
    XBTP07618 Class = C:\PROGRA~1\FREEPR~1\freeprod.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{71D1708F-973D-4600-AF01-AD86688403AE}
    LANBridge Class = C:\WINDOWS\System32\ylthpdta.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9ADE0443-2AB2-4B23-A3F8-AC520773DE12}
    ohb Class = C:\WINDOWS\System32\nsf5B.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
    &Tip of the Day = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
    {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F}   = Freeprod Toolbar : C:\Program Files\Freeprod Toolbar\freeprod.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
    MenuText     = Sun Java Console : C:\WINDOWS\System32\msjava.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{E023F504-0C5A-4750-A1E7-A9046DEA8A21}
    ButtonText   = MoneySide    : 

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
    File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
    Explorer Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser
    {01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address   : %SystemRoot%\System32\browseui.dll
    {EF99BD32-C1FB-11D2-892F-0090271D4F88} =    : 
    {CC8C8F4F-F2E8-404B-A43D-5CC57876A008} = sextension : C:\WINDOWS\Downloaded Program Files\sextension.dll
    {0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
    {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} = Freeprod Toolbar   : C:\Program Files\Freeprod Toolbar\freeprod.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    hpsysdrv    c:\windows\system\hpsysdrv.exe
    HotKeysCmds C:\WINDOWS\System32\hkcmd.exe
    KBD C:\HP\KBD\KBD.EXE
    StorageGuard    "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    TkBellExe   "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    Recguard    C:\WINDOWS\SMINST\RECGUARD.EXE
    NvCplDaemon RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    nwiz    nwiz.exe /installquiet /keeploaded /nodetect
    AlcxMonitor ALCXMNTR.EXE
    PS2 C:\WINDOWS\system32\ps2.exe
    QuickFinder Scheduler   "c:\Program Files\WordPerfect Office 11\Programs\QFSCHD110.EXE"
    hplampc C:\WINDOWS\system32\hplampc.exe
    mmtask  C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    Symantec NetDriver Monitor  C:\PROGRA~1\SYMNET~1\SNDMon.exe
    ISUSPM Startup  C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    AWMON   "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe"
    QuickTime Task  "C:\Program Files\QuickTime\qttask.exe" -atboottime
    ccApp   "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    SSC_UserPrompt  C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
    ccRegVfy    "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    qbet    C:\WINDOWS\qbet.exe
    WildTangent CDA RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
    WT GameChannel  C:\Program Files\WildTangent\Apps\GameChannel.exe
    wolzqqv C:\WINDOWS\System32\xmmdmwn.exe r

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
    IMAIL   Installed = 1
    MAPI    Installed = 1
    MSFS    Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    NVIEW   rundll32.exe nview.dll,nViewLoadHook
    MSMSGS  "C:\Program Files\Messenger\msmsgs.exe" /background
    Io02RRM3V   atrivs.exe
    kbdsp   C:\WINDOWS\System32\kbdsp.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
    {BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
    {6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} = 
    {0DF44EAA-FF21-4412-828E-260A8728E7F1} = 


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
    dontdisplaylastusername 0
    legalnoticecaption  
    legalnoticetext 
    shutdownwithoutlogon    1
    undockwithoutlogon  1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
    NoDriveTypeAutoRun  145

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
    bgtxdii.exe C:\WINDOWS\system\bgtxdii.exe
    eiicupd.exe C:\WINDOWS\system\eiicupd.exe


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    PostBootReminder                {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
    CDBurn                          {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
    WebCheck                        {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
    SysTray                         {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit    = C:\WINDOWS\system32\userinit.exe,
    Shell       = Explorer.exe C:\WINDOWS\Nail.exe
    System      = 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
    Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    AppInit_DLLs    


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.3.0 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 8/22/2005 11:47:56 PM


And, here's the Track qoo report:

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\\windows\\system\\hpsysdrv.exe"
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"KBD"="C:\\HP\\KBD\\KBD.EXE"
"StorageGuard"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"Recguard"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /installquiet /keeploaded /nodetect"
"AlcxMonitor"="ALCXMNTR.EXE"
"PS2"="C:\\WINDOWS\\system32\\ps2.exe"
"QuickFinder Scheduler"="\"c:\\Program Files\\WordPerfect Office 11\\Programs\\QFSCHD110.EXE\""
"hplampc"="C:\\WINDOWS\\system32\\hplampc.exe"
"mmtask"="C:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mmtask.exe"
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe"
"ISUSPM Startup"="C:\\PROGRA~1\\COMMON~1\\INSTAL~1\\UPDATE~1\\ISUSPM.exe -startup"
"AWMON"="\"C:\\PROGRA~1\\Lavasoft\\AD-AWA~1\\Ad-Watch.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"ccApp"="\"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"SSC_UserPrompt"="C:\\Program Files\\Common Files\\Symantec Shared\\Security Center\\UsrPrmpt.exe"
"ccRegVfy"="\"c:\\Program Files\\Common Files\\Symantec Shared\\ccRegVfy.exe\""
"qbet"="C:\\WINDOWS\\qbet.exe"
"WildTangent CDA"="RUNDLL32.exe \"C:\\Program Files\\WildTangent\\Apps\\CDA\\cdaEngine0400.dll\",cdaEngineMain"
"WT GameChannel"="C:\\Program Files\\WildTangent\\Apps\\GameChannel.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

-----------------
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers


Subkey --- BriefcaseMenu
{85BBD920-42A0-1069-A2E4-08002B30309D}
syncui.dll

Subkey --- ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}
C:\Program Files\ewido\security suite\context.dll

Subkey --- mysxkqsf
{2c55ffab-b398-4bb8-b712-796434db7c9d}


Subkey --- Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03}
C:\WINDOWS\System32\cscui.dll

Subkey --- Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- OPShellE
{CCFE56EE-C7DE-44EE-A160-4553A5A912C9}
C:\Program Files\Softex\OmniPass\opshelle.dll

Subkey --- Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}
C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

Subkey --- {a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin
C:\WINDOWS\system32\SHELL32.dll

=====================

HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers


Subkey --- {0D2E74C4-3C34-11d2-A27E-00C04FC30871}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {24F14F01-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {24F14F02-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {66742402-F9B9-11D1-A202-0000F81FEDEE}
C:\WINDOWS\system32\SHELL32.dll

==============================
C:\Documents and Settings\All Users\Start Menu\Programs\Startup

Compaq Connections.lnk
desktop.ini
KODAK Picture Transfer Software.lnk
KODAK Software Updater.lnk
Microsoft Office.lnk
Quicken Scheduled Updates.lnk
raui.exe
==============================
C:\Documents and Settings\Owner\Start Menu\Programs\Startup

Compaq Connections.lnk
desktop.ini
KODAK Picture Transfer Software.lnk
KODAK Software Updater.lnk
Microsoft Office.lnk
Quicken Scheduled Updates.lnk
raui.exe
Compaq Organize.lnk
desktop.ini
spamsubtract.lnk
==============================
C:\WINDOWS\system32 cpl files


access.cpl                    Microsoft Corporation
ALSNDMGR.CPL                  Realtek Semiconductor Corp.
appwiz.cpl                    Microsoft Corporation
bdeadmin.cpl                  Borland Software Corporation
desk.cpl                      Microsoft Corporation
hdwwiz.cpl                    Microsoft Corporation
hpsctrlc.cpl                  Hewlett-Packard
igfxcpl.cpl                   Intel Corporation
inetcpl.cpl                   Microsoft Corporation
intl.cpl                      Microsoft Corporation
ISUSPM.cpl                    InstallShield Software Corporation
joy.cpl                       Microsoft Corporation
jpicpl32.cpl                  Sun Microsystems
main.cpl                      Microsoft Corporation
mmsys.cpl                     Microsoft Corporation
ncpa.cpl                      Microsoft Corporation
nusrmgr.cpl                   Microsoft Corporation
nvtuicpl.cpl                  NVIDIA Corporation
odbccp32.cpl                  Microsoft Corporation
powercfg.cpl                  Microsoft Corporation
QuickTime.cpl                 Apple Computer, Inc.
redit.cpl                     
scurecpl.cpl                  Softex, Inc
sysdm.cpl                     Microsoft Corporation
telephon.cpl                  Microsoft Corporation
timedate.cpl                  Microsoft Corporation
wxfw.cpl                      The Weather Channel Interactive

thanks for help.....

Edited by mike_2000_17: Fixed formatting

0

It does not look like you ran option #2 in VX2 fix.

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread.

IMPORTANT: Do NOT run any other files in the l2mfix folder until you are asked to do so!

==

Then please do the WinPFind and Track qoo scans again and post those logs back too.

0

I actually did run option 2....to be sure, I deleted the folder, downloaded a clean copy, and ran option 2 again......upon reboot I did notice the icons "blink" but it did not seem to keep scaning and Notepad did not open with a log...I found a log.txt file in the folder and that's what is pasted below along with the WinPFind and Track qoo logs......should there be another log file for l2mfix? thanks

L2MFIX

L2Mfix 1.04

Running From:
C:\Documents and Settings\Owner\Desktop\l2mfix



RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software ([url]http://www.heysoft.de[/url])
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI)    DENY   --C-------       BUILTIN\Administrators
(NI)    ALLOW  Full access  NT AUTHORITY\SYSTEM
(IO)    ALLOW  Full access  NT AUTHORITY\SYSTEM
(ID-NI) ALLOW  Read         BUILTIN\Users
(ID-IO) ALLOW  Read         BUILTIN\Users
(ID-NI) ALLOW  Full access  BUILTIN\Administrators
(ID-IO) ALLOW  Full access  BUILTIN\Administrators
(ID-NI) ALLOW  Full access  NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access  NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access  CREATOR OWNER



Setting registry permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software ([url]http://www.heysoft.de[/url])
This program is Freeware, use it on your own risk!


Denying C(CI) access for predefined group "Administrators"
 - adding new ACCESS DENY entry
 - removing existing ACCESS DENY entry


Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software ([url]http://www.heysoft.de[/url])
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI)    DENY   --C-------       BUILTIN\Administrators
(NI)    ALLOW  Full access  NT AUTHORITY\SYSTEM
(IO)    ALLOW  Full access  NT AUTHORITY\SYSTEM
(ID-NI) ALLOW  Read         BUILTIN\Users
(ID-IO) ALLOW  Read         BUILTIN\Users
(ID-NI) ALLOW  Full access  BUILTIN\Administrators
(ID-IO) ALLOW  Full access  BUILTIN\Administrators
(ID-NI) ALLOW  Full access  NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access  NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access  CREATOR OWNER



Setting up for Reboot


Starting Reboot!


WinPFind


WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP    Current Build: Service Pack 1    Current Build Number: 2600
Internet Explorer Version: 6.0.2800.1106

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
abetterinternet.com  12/31/2004 6:29:52 AM  3278       C:\WINDOWS\abiuninst.htm
aspack               11/28/2004 9:10:44 PM  1343999    C:\WINDOWS\Aurexkb.ehu
PTech                11/28/2004 9:10:44 PM  1343999    C:\WINDOWS\Aurexkb.ehu
UPX!                 11/28/2004 9:00:40 PM  255700     C:\WINDOWS\del.tmp
UPX!                 8/21/2005 10:03:30 PM  189859     C:\WINDOWS\dsr.exe
PTech                11/28/2004 9:10:52 PM  1073501    C:\WINDOWS\Flgczsswjyh.lzw
PEC2                 11/28/2004 9:10:40 PM  184535     C:\WINDOWS\Iingbqeu.aaw
PTech                11/28/2004 9:10:46 PM  483851     C:\WINDOWS\Iwwcitsg.dua
PECompact2           7/7/2005 7:44:40 AM    15329059   C:\WINDOWS\lpt$vpn.719
qoologic             7/7/2005 7:44:40 AM    15329059   C:\WINDOWS\lpt$vpn.719
SAHAgent             7/7/2005 7:44:40 AM    15329059   C:\WINDOWS\lpt$vpn.719
web-nex              8/23/2005 9:19:16 PM   4254       C:\WINDOWS\mnrzv.dll
PEC2                 11/28/2004 9:10:42 PM  193869     C:\WINDOWS\Mxacorse.trv
UPX!                 6/13/2000 2:53:30 PM   52736      C:\WINDOWS\Nail.exe
UPX!                 2/9/2003 6:26:52 AM    79360      C:\WINDOWS\nqhpozgaz.exe
UPX!                 5/3/2005 11:44:44 AM   25157      C:\WINDOWS\RMAgentOutput.dll
UPX!                 12/12/2003 2:53:36 AM  6656       C:\WINDOWS\svcproc.exe
UPX!                 1/10/2005 4:17:24 PM   170053     C:\WINDOWS\tsc.exe
PECompact2           7/7/2005 7:44:40 AM    15329059   C:\WINDOWS\VPTNFILE.719
qoologic             7/7/2005 7:44:40 AM    15329059   C:\WINDOWS\VPTNFILE.719
SAHAgent             7/7/2005 7:44:40 AM    15329059   C:\WINDOWS\VPTNFILE.719
UPX!                 2/18/2005 6:40:14 PM   1044560    C:\WINDOWS\vsapi32.dll
aspack               2/18/2005 6:40:14 PM   1044560    C:\WINDOWS\vsapi32.dll
PTech                11/28/2004 9:10:50 PM  1626626    C:\WINDOWS\Wpkrkcqrrjf.uwm

Checking %System% folder...
SAHAgent             6/30/2005 2:00:58 PM   35         C:\WINDOWS\SYSTEM32\9hk5g7bj.ini
UPX!                 8/21/2005 10:00:22 PM  94208      C:\WINDOWS\SYSTEM32\adlinstallwin32.exe
SAHAgent             8/8/2005 2:05:46 PM    796        C:\WINDOWS\SYSTEM32\atrc8parb.ini
aspack               8/22/2005 10:48:04 PM  7168       C:\WINDOWS\SYSTEM32\daxmqox.exe
PEC2                 8/29/2002 8:00:00 AM   41397      C:\WINDOWS\SYSTEM32\dfrg.msc
UPX!                 10/8/2004 11:44:14 AM  28160      C:\WINDOWS\SYSTEM32\DrPMon.dll
Umonitor             8/21/2005 6:51:08 PM   417792     C:\WINDOWS\SYSTEM32\guard.tmp
WinShutDown          8/21/2005 6:51:08 PM   417792     C:\WINDOWS\SYSTEM32\guard.tmp
aspack               8/22/2005 10:48:04 PM  61952      C:\WINDOWS\SYSTEM32\halpum.exe
SAHAgent             6/30/2005 2:00:58 PM   35         C:\WINDOWS\SYSTEM32\havijo1d.ini
Umonitor             8/21/2005 8:27:32 PM   417792     C:\WINDOWS\SYSTEM32\iemui.dll
WinShutDown          8/21/2005 8:27:32 PM   417792     C:\WINDOWS\SYSTEM32\iemui.dll
aspack               8/22/2005 10:48:04 PM  9728       C:\WINDOWS\SYSTEM32\ikgsv.dll
KavSvc               8/22/2005 10:48:04 PM  9728       C:\WINDOWS\SYSTEM32\ikgsv.dll
69.59.186.63         8/22/2005 10:48:04 PM  9728       C:\WINDOWS\SYSTEM32\ikgsv.dll
209.66.67.134        8/22/2005 10:48:04 PM  9728       C:\WINDOWS\SYSTEM32\ikgsv.dll
web-nex              8/22/2005 10:48:04 PM  9728       C:\WINDOWS\SYSTEM32\ikgsv.dll
yourkey              8/22/2005 10:48:04 PM  9728       C:\WINDOWS\SYSTEM32\ikgsv.dll
Umonitor             11/3/1998 2:01:02 AM   324096     C:\WINDOWS\SYSTEM32\ipebase11.dll
SAHAgent             6/30/2005 9:25:36 PM   3132       C:\WINDOWS\SYSTEM32\l2r348ov.ini
UPX!                 1/13/2005 9:41:48 PM   11254      C:\WINDOWS\SYSTEM32\locate.com
UPX!                 8/21/2005 8:22:12 PM   121433     C:\WINDOWS\SYSTEM32\mc-110-12-0000079.exe
UPX!                 8/21/2005 8:21:06 PM   25105      C:\WINDOWS\SYSTEM32\MTE2ODM6ODoxNg.exe
Umonitor             8/21/2005 10:00:32 PM  417792     C:\WINDOWS\SYSTEM32\nbdenb32.dll
WinShutDown          8/21/2005 10:00:32 PM  417792     C:\WINDOWS\SYSTEM32\nbdenb32.dll
Umonitor             8/21/2005 8:58:16 PM   417792     C:\WINDOWS\SYSTEM32\nbwdev.dll
WinShutDown          8/21/2005 8:58:16 PM   417792     C:\WINDOWS\SYSTEM32\nbwdev.dll
Umonitor             8/21/2005 10:00:50 PM  417792     C:\WINDOWS\SYSTEM32\nkrsda.dll
WinShutDown          8/21/2005 10:00:50 PM  417792     C:\WINDOWS\SYSTEM32\nkrsda.dll
aspack               8/22/2005 10:48:04 PM  27648      C:\WINDOWS\SYSTEM32\nkyicuy.dll
KavSvc               8/22/2005 10:48:04 PM  27648      C:\WINDOWS\SYSTEM32\nkyicuy.dll
69.59.186.63         8/22/2005 10:48:04 PM  27648      C:\WINDOWS\SYSTEM32\nkyicuy.dll
209.66.67.134        8/22/2005 10:48:04 PM  27648      C:\WINDOWS\SYSTEM32\nkyicuy.dll
testpopup            8/22/2005 10:48:04 PM  27648      C:\WINDOWS\SYSTEM32\nkyicuy.dll
web-nex              8/22/2005 10:48:04 PM  27648      C:\WINDOWS\SYSTEM32\nkyicuy.dll
yourkey              8/22/2005 10:48:04 PM  27648      C:\WINDOWS\SYSTEM32\nkyicuy.dll
Umonitor             8/21/2005 9:35:54 AM   417792     C:\WINDOWS\SYSTEM32\onpdx32.dll
WinShutDown          8/21/2005 9:35:54 AM   417792     C:\WINDOWS\SYSTEM32\onpdx32.dll
UPX!                 8/21/2005 8:26:50 PM   116381     C:\WINDOWS\SYSTEM32\Pop1A.exe
UPX!                 8/21/2005 8:09:48 PM   29696      C:\WINDOWS\SYSTEM32\PSof1.exe
Umonitor             8/21/2005 8:23:44 PM   417792     C:\WINDOWS\SYSTEM32\pzlstore.dll
WinShutDown          8/21/2005 8:23:44 PM   417792     C:\WINDOWS\SYSTEM32\pzlstore.dll
Umonitor             8/29/2002 8:00:00 AM   631808     C:\WINDOWS\SYSTEM32\rasdlg.dll
aspack               8/21/2005 8:16:34 PM   28160      C:\WINDOWS\SYSTEM32\redit.cpl
Umonitor             8/21/2005 10:01:36 PM  417792     C:\WINDOWS\SYSTEM32\rPsapi32.dll
WinShutDown          8/21/2005 10:01:36 PM  417792     C:\WINDOWS\SYSTEM32\rPsapi32.dll
Umonitor             8/21/2005 10:08:54 PM  417792     C:\WINDOWS\SYSTEM32\sNfrcdlg.dll
WinShutDown          8/21/2005 10:08:54 PM  417792     C:\WINDOWS\SYSTEM32\sNfrcdlg.dll
aspack               8/21/2005 8:16:32 PM   29184      C:\WINDOWS\SYSTEM32\supdate.dll
KavSvc               8/21/2005 8:16:32 PM   29184      C:\WINDOWS\SYSTEM32\supdate.dll
69.59.186.63         8/21/2005 8:16:32 PM   29184      C:\WINDOWS\SYSTEM32\supdate.dll
209.66.67.134        8/21/2005 8:16:32 PM   29184      C:\WINDOWS\SYSTEM32\supdate.dll
66.63.167.97         8/21/2005 8:16:32 PM   29184      C:\WINDOWS\SYSTEM32\supdate.dll
66.63.167.77         8/21/2005 8:16:32 PM   29184      C:\WINDOWS\SYSTEM32\supdate.dll
web-nex              8/21/2005 8:16:32 PM   29184      C:\WINDOWS\SYSTEM32\supdate.dll
yourkey              8/21/2005 8:16:32 PM   29184      C:\WINDOWS\SYSTEM32\supdate.dll
rec2_run             8/21/2005 8:16:32 PM   29184      C:\WINDOWS\SYSTEM32\supdate.dll
UPX!                 8/21/2005 8:25:36 PM   223232     C:\WINDOWS\SYSTEM32\uci.exe
Umonitor             8/23/2005 9:19:00 PM   417792     C:\WINDOWS\SYSTEM32\uoiplat.dll
WinShutDown          8/23/2005 9:19:00 PM   417792     C:\WINDOWS\SYSTEM32\uoiplat.dll
winsync              8/29/2002 8:00:00 AM   1309184    C:\WINDOWS\SYSTEM32\wbdbase.deu
aspack               8/22/2005 10:48:04 PM  61952      C:\WINDOWS\SYSTEM32\wugky.dat

Checking %System%\Drivers folder and sub-folders...

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
S                    8/23/2005 9:18:52 PM   2048       C:\WINDOWS\bootstat.dat
H                    8/23/2005 9:31:22 PM   24         C:\WINDOWS\p1g0Y
SH                   8/21/2005 8:45:44 AM   637564     C:\WINDOWS\system32\8zj.dll
S                    8/21/2005 6:51:08 PM   417792     C:\WINDOWS\system32\guard.tmp
S                    8/21/2005 8:27:32 PM   417792     C:\WINDOWS\system32\iemui.dll
S                    8/21/2005 10:00:32 PM  417792     C:\WINDOWS\system32\nbdenb32.dll
S                    8/21/2005 8:58:16 PM   417792     C:\WINDOWS\system32\nbwdev.dll
S                    8/21/2005 10:00:50 PM  417792     C:\WINDOWS\system32\nkrsda.dll
S                    8/21/2005 9:35:54 AM   417792     C:\WINDOWS\system32\onpdx32.dll
S                    8/21/2005 8:23:44 PM   417792     C:\WINDOWS\system32\pzlstore.dll
S                    8/21/2005 10:01:36 PM  417792     C:\WINDOWS\system32\rPsapi32.dll
S                    8/21/2005 10:08:54 PM  417792     C:\WINDOWS\system32\sNfrcdlg.dll
S                    8/22/2005 10:46:58 PM  417792     C:\WINDOWS\system32\tnddd.dll
S                    8/23/2005 9:19:00 PM   417792     C:\WINDOWS\system32\uoiplat.dll
H                    8/23/2005 9:23:04 PM   1024       C:\WINDOWS\system32\config\default.LOG
H                    8/23/2005 9:18:54 PM   1024       C:\WINDOWS\system32\config\SAM.LOG
H                    8/23/2005 9:20:04 PM   1024       C:\WINDOWS\system32\config\SECURITY.LOG
H                    8/23/2005 9:29:30 PM   1024       C:\WINDOWS\system32\config\software.LOG
H                    8/23/2005 9:24:56 PM   1024       C:\WINDOWS\system32\config\system.LOG
H                    8/8/2005 11:05:22 AM   1024       C:\WINDOWS\system32\config\userdiff.LOG
SH                   8/11/2005 10:18:20 PM  388        C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\a65c4887-7a56-462f-a379-47f4c17c5e26
SH                   8/11/2005 10:18:20 PM  24         C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
H                    8/15/2005 8:00:42 PM   39578      C:\WINDOWS\system32\spool\drivers\w32x86\3\lxblma.GID
SH                   8/23/2005 9:19:14 PM   190        C:\WINDOWS\Tasks\RUTASK.job
H                    8/23/2005 9:19:12 PM   6          C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation          8/29/2002 8:00:00 AM   66048      C:\WINDOWS\SYSTEM32\access.cpl
Realtek Semiconductor Corp.    6/28/2003 12:40:32 AM  8606208    C:\WINDOWS\SYSTEM32\ALSNDMGR.CPL
Microsoft Corporation          8/29/2002 8:00:00 AM   578560     C:\WINDOWS\SYSTEM32\appwiz.cpl
                               5/11/2001 1:00:00 AM   183808     C:\WINDOWS\SYSTEM32\bdeadmin.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM   129024     C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM   150016     C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Hewlett-Packard                1/26/1999 1:06:28 AM   25524      C:\WINDOWS\SYSTEM32\hpsctrlc.cpl
Intel Corporation              4/7/2003 10:14:30 AM   94208      C:\WINDOWS\SYSTEM32\igfxcpl.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM   292352     C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM   121856     C:\WINDOWS\SYSTEM32\intl.cpl
InstallShield Software Corporation6/16/2004 7:03:30 AM   73728      C:\WINDOWS\SYSTEM32\ISUSPM.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM   65536      C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems               2/20/2003 5:42:34 PM   229487     C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM   187904     C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM   559616     C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM   35840      C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM   256000     C:\WINDOWS\SYSTEM32\nusrmgr.cpl
NVIDIA Corporation             5/3/2003 2:19:00 AM    143360     C:\WINDOWS\SYSTEM32\nvtuicpl.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM   36864      C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM   109056     C:\WINDOWS\SYSTEM32\powercfg.cpl
Apple Computer, Inc.           9/23/2004 6:57:40 PM   323072     C:\WINDOWS\SYSTEM32\QuickTime.cpl
                               8/21/2005 8:16:34 PM   28160      C:\WINDOWS\SYSTEM32\redit.cpl
Softex, Inc                    2/21/2003 7:06:04 AM   32768      C:\WINDOWS\SYSTEM32\scurecpl.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM   268288     C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM   28160      C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM   90112      C:\WINDOWS\SYSTEM32\timedate.cpl
The Weather Channel Interactive4/6/2005 4:21:18 PM    3006464    C:\WINDOWS\SYSTEM32\wxfw.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM   66048      C:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM   578560     C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM   129024     C:\WINDOWS\SYSTEM32\dllcache\desk.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM   150016     C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM   292352     C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM   121856     C:\WINDOWS\SYSTEM32\dllcache\intl.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM   65536      C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM   187904     C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM   559616     C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM   35840      C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM   256000     C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM   36864      C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM   109056     C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM   147456     C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM   268288     C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM   28160      C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM   90112      C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl
Intel Corporation              4/7/2003 10:14:30 AM   94208      C:\WINDOWS\SYSTEM32\ReinstallBackups\0002\DriverFiles\igfxcpl.cpl
Realtek Semiconductor Corp.    6/28/2003 12:40:32 AM  8606208    C:\WINDOWS\SYSTEM32\ReinstallBackups\0005\DriverFiles\ALSNDMGR.CPL

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
                     3/27/2004 2:54:38 PM   1903       C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Compaq Connections.lnk
                     11/27/2004 11:50:40 AM 729        C:\Documents and Settings\All Users\Start Menu\Programs\Startup\KODAK Picture Transfer Software.lnk
                     11/27/2004 11:56:28 AM 1031       C:\Documents and Settings\All Users\Start Menu\Programs\Startup\KODAK Software Updater.lnk
                     1/18/2005 10:51:12 PM  1738       C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
                     7/24/2003 5:47:38 AM   675        C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
aspack               8/21/2005 8:16:38 PM   61952      C:\Documents and Settings\All Users\Start Menu\Programs\Startup\raui.exe
                     8/21/2005 8:16:38 PM   61952      C:\Documents and Settings\All Users\Start Menu\Programs\Startup\raui.exe

Checking files in %ALLUSERSPROFILE%\Application Data folder...

Checking files in %USERPROFILE%\Startup folder...
                     7/24/2003 5:53:24 AM   1715       C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Compaq Organize.lnk
                     7/26/2003 4:57:50 AM   844        C:\Documents and Settings\Owner\Start Menu\Programs\Startup\spamsubtract.lnk

Checking files in %USERPROFILE%\Application Data folder...
                     3/14/2005 7:50:12 PM   110120     C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
                     3/10/2005 3:51:34 PM   12358      C:\Documents and Settings\Owner\Application Data\PFP110JCM.{PB
                     3/10/2005 3:51:34 PM   61678      C:\Documents and Settings\Owner\Application Data\PFP110JPR.{PB
                     8/21/2005 8:14:32 PM   445676     C:\Documents and Settings\Owner\Application Data\Sskknwrd.dll

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
         = 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
    {75740AC3-4BF8-4B46-B9FD-0888D046D7DE}   = C:\WINDOWS\system32\tnddd.dll

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\BriefcaseMenu
    {85BBD920-42A0-1069-A2E4-08002B30309D}   = syncui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
    {57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}   = C:\Program Files\ewido\security suite\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\mysxkqsf
    {2c55ffab-b398-4bb8-b712-796434db7c9d}   = 
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
    {750fdf0e-2a26-11d1-a3ea-080036587f03}   = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
    {09799AFB-AD67-11d1-ABCD-00C04FC30936}   = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
    {A470F8CF-A1E8-4f65-8335-227475AA5C46}   = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\OPShellE
    {CCFE56EE-C7DE-44EE-A160-4553A5A912C9}   = C:\Program Files\Softex\OmniPass\opshelle.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
    {5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}   = C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
    Start Menu Pin   = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\BriefcaseMenu
    {85BBD920-42A0-1069-A2E4-08002B30309D}   = syncui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
    {5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}   = C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
    {A470F8CF-A1E8-4f65-8335-227475AA5C46}   = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido
    {57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}   = C:\Program Files\ewido\security suite\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
    {750fdf0e-2a26-11d1-a3ea-080036587f03}   = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\OPShellE
    {CCFE56EE-C7DE-44EE-A160-4553A5A912C9}   = C:\Program Files\Softex\OmniPass\opshelle.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\QuickFinderMenu
    {C0E10002-0028-0004-C0E1-C0E1C0E1C0E1}   = c:\Program Files\WordPerfect Office 11\Programs\PFSE110.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
    {f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}   = ntshrui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
     = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
     = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
     = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
     = %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00F1D395-4744-40f0-A611-980F61AE2C59}
    Band Class = C:\WINDOWS\dsr.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2296428D-C133-4928-B76A-A200FF409572}
    XBTP07618 Class = C:\PROGRA~1\FREEPR~1\freeprod.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{71D1708F-973D-4600-AF01-AD86688403AE}
    LANBridge Class = C:\WINDOWS\System32\ylthpdta.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9ADE0443-2AB2-4B23-A3F8-AC520773DE12}
    ohb Class = C:\WINDOWS\System32\nsf5B.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
    &Tip of the Day = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
    {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F}   = Freeprod Toolbar : C:\Program Files\Freeprod Toolbar\freeprod.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
    MenuText     = Sun Java Console : C:\WINDOWS\System32\msjava.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{E023F504-0C5A-4750-A1E7-A9046DEA8A21}
    ButtonText   = MoneySide    : 

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
    File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
    Explorer Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser
    {01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address   : %SystemRoot%\System32\browseui.dll
    {EF99BD32-C1FB-11D2-892F-0090271D4F88} =    : 
    {CC8C8F4F-F2E8-404B-A43D-5CC57876A008} = sextension : C:\WINDOWS\Downloaded Program Files\sextension.dll
    {0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
    {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} = Freeprod Toolbar   : C:\Program Files\Freeprod Toolbar\freeprod.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    hpsysdrv    c:\windows\system\hpsysdrv.exe
    HotKeysCmds C:\WINDOWS\System32\hkcmd.exe
    KBD C:\HP\KBD\KBD.EXE
    StorageGuard    "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    TkBellExe   "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    Recguard    C:\WINDOWS\SMINST\RECGUARD.EXE
    NvCplDaemon RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    nwiz    nwiz.exe /installquiet /keeploaded /nodetect
    AlcxMonitor ALCXMNTR.EXE
    PS2 C:\WINDOWS\system32\ps2.exe
    QuickFinder Scheduler   "c:\Program Files\WordPerfect Office 11\Programs\QFSCHD110.EXE"
    hplampc C:\WINDOWS\system32\hplampc.exe
    mmtask  C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    Symantec NetDriver Monitor  C:\PROGRA~1\SYMNET~1\SNDMon.exe
    ISUSPM Startup  C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    AWMON   "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe"
    QuickTime Task  "C:\Program Files\QuickTime\qttask.exe" -atboottime
    ccApp   "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    SSC_UserPrompt  C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
    ccRegVfy    "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    qbet    C:\WINDOWS\qbet.exe
    WildTangent CDA RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
    WT GameChannel  C:\Program Files\WildTangent\Apps\GameChannel.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
    IMAIL   Installed = 1
    MAPI    Installed = 1
    MSFS    Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    NVIEW   rundll32.exe nview.dll,nViewLoadHook
    MSMSGS  "C:\Program Files\Messenger\msmsgs.exe" /background
    Io02RRM3V   atrivs.exe
    kbdsp   C:\WINDOWS\System32\kbdsp.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
    {BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
    {6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} = 
    {0DF44EAA-FF21-4412-828E-260A8728E7F1} = 


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
    dontdisplaylastusername 0
    legalnoticecaption  
    legalnoticetext 
    shutdownwithoutlogon    1
    undockwithoutlogon  1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
    NoDriveTypeAutoRun  145

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
    bgtxdii.exe C:\WINDOWS\system\bgtxdii.exe
    eiicupd.exe C:\WINDOWS\system\eiicupd.exe


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    PostBootReminder                {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
    CDBurn                          {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
    WebCheck                        {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
    SysTray                         {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit    = C:\WINDOWS\system32\userinit.exe,
    Shell       = Explorer.exe C:\WINDOWS\Nail.exe
    System      = 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
    Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    AppInit_DLLs    


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.3.0 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 8/23/2005 9:32:02 PM


Track qoo



REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\\windows\\system\\hpsysdrv.exe"
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"KBD"="C:\\HP\\KBD\\KBD.EXE"
"StorageGuard"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"Recguard"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /installquiet /keeploaded /nodetect"
"AlcxMonitor"="ALCXMNTR.EXE"
"PS2"="C:\\WINDOWS\\system32\\ps2.exe"
"QuickFinder Scheduler"="\"c:\\Program Files\\WordPerfect Office 11\\Programs\\QFSCHD110.EXE\""
"hplampc"="C:\\WINDOWS\\system32\\hplampc.exe"
"mmtask"="C:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mmtask.exe"
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe"
"ISUSPM Startup"="C:\\PROGRA~1\\COMMON~1\\INSTAL~1\\UPDATE~1\\ISUSPM.exe -startup"
"AWMON"="\"C:\\PROGRA~1\\Lavasoft\\AD-AWA~1\\Ad-Watch.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"ccApp"="\"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"SSC_UserPrompt"="C:\\Program Files\\Common Files\\Symantec Shared\\Security Center\\UsrPrmpt.exe"
"ccRegVfy"="\"c:\\Program Files\\Common Files\\Symantec Shared\\ccRegVfy.exe\""
"qbet"="C:\\WINDOWS\\qbet.exe"
"WildTangent CDA"="RUNDLL32.exe \"C:\\Program Files\\WildTangent\\Apps\\CDA\\cdaEngine0400.dll\",cdaEngineMain"
"WT GameChannel"="C:\\Program Files\\WildTangent\\Apps\\GameChannel.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

-----------------
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers


Subkey --- BriefcaseMenu
{85BBD920-42A0-1069-A2E4-08002B30309D}
syncui.dll

Subkey --- ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}
C:\Program Files\ewido\security suite\context.dll

Subkey --- mysxkqsf
{2c55ffab-b398-4bb8-b712-796434db7c9d}


Subkey --- Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03}
C:\WINDOWS\System32\cscui.dll

Subkey --- Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- OPShellE
{CCFE56EE-C7DE-44EE-A160-4553A5A912C9}
C:\Program Files\Softex\OmniPass\opshelle.dll

Subkey --- Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}
C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

Subkey --- {a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin
C:\WINDOWS\system32\SHELL32.dll

=====================

HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers


Subkey --- {0D2E74C4-3C34-11d2-A27E-00C04FC30871}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {24F14F01-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {24F14F02-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {66742402-F9B9-11D1-A202-0000F81FEDEE}
C:\WINDOWS\system32\SHELL32.dll

==============================
C:\Documents and Settings\All Users\Start Menu\Programs\Startup

Compaq Connections.lnk
desktop.ini
KODAK Picture Transfer Software.lnk
KODAK Software Updater.lnk
Microsoft Office.lnk
Quicken Scheduled Updates.lnk
raui.exe
==============================
C:\Documents and Settings\Owner\Start Menu\Programs\Startup

Compaq Connections.lnk
desktop.ini
KODAK Picture Transfer Software.lnk
KODAK Software Updater.lnk
Microsoft Office.lnk
Quicken Scheduled Updates.lnk
raui.exe
Compaq Organize.lnk
desktop.ini
spamsubtract.lnk
==============================
C:\WINDOWS\system32 cpl files


access.cpl                    Microsoft Corporation
ALSNDMGR.CPL                  Realtek Semiconductor Corp.
appwiz.cpl                    Microsoft Corporation
bdeadmin.cpl                  Borland Software Corporation
desk.cpl                      Microsoft Corporation
hdwwiz.cpl                    Microsoft Corporation
hpsctrlc.cpl                  Hewlett-Packard
igfxcpl.cpl                   Intel Corporation
inetcpl.cpl                   Microsoft Corporation
intl.cpl                      Microsoft Corporation
ISUSPM.cpl                    InstallShield Software Corporation
joy.cpl                       Microsoft Corporation
jpicpl32.cpl                  Sun Microsystems
main.cpl                      Microsoft Corporation
mmsys.cpl                     Microsoft Corporation
ncpa.cpl                      Microsoft Corporation
nusrmgr.cpl                   Microsoft Corporation
nvtuicpl.cpl                  NVIDIA Corporation
odbccp32.cpl                  Microsoft Corporation
powercfg.cpl                  Microsoft Corporation
QuickTime.cpl                 Apple Computer, Inc.
redit.cpl                     
scurecpl.cpl                  Softex, Inc
sysdm.cpl                     Microsoft Corporation
telephon.cpl                  Microsoft Corporation
timedate.cpl                  Microsoft Corporation
wxfw.cpl                      The Weather Channel Interactive

Edited by mike_2000_17: Fixed formatting

0

Looks like something is not working correctly :(. L2MFIX should have cleaned up most of the files I am seeing above.
The log you posted from L2MFIX is nowhere near a complete log. It should show all of the files it has removed, registry entries changed etc.
Please check again for the complete log and post it back here.

==

Download these two tools:

http://www.downloads.subratam.org/DllCompare.exe
&
http://www.downloads.subratam.org/KillBox.exe

Run Dllcompare by clicking the "Run Locate.com" then click Compare button... when done post that log here.

0

Found out the problem with the L2MFIX log! I have Lavasoft's Ad-Watch running on start-up and it blocked the pop-up screen. :o I stopped it and ran the L2MFIX (option 2) - see the log below. I also ran the DLL compare tool and that log is below as well. I had already downloaded the KillBox.exe from a previous thread; I did not run it at all since there was no suggestion....correct? thanks for the help

L2MFIX Log

L2Mfix 1.04

Running From:
C:\Documents and Settings\Owner\Desktop\l2mfix



RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software ([url]http://www.heysoft.de[/url])
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI)    DENY   --C-------       BUILTIN\Administrators
(NI)    ALLOW  Full access  NT AUTHORITY\SYSTEM
(IO)    ALLOW  Full access  NT AUTHORITY\SYSTEM
(ID-NI) ALLOW  Read         BUILTIN\Users
(ID-IO) ALLOW  Read         BUILTIN\Users
(ID-NI) ALLOW  Full access  BUILTIN\Administrators
(ID-IO) ALLOW  Full access  BUILTIN\Administrators
(ID-NI) ALLOW  Full access  NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access  NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access  CREATOR OWNER



Setting registry permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software ([url]http://www.heysoft.de[/url])
This program is Freeware, use it on your own risk!


Denying C(CI) access for predefined group "Administrators"
 - adding new ACCESS DENY entry
 - removing existing ACCESS DENY entry


Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software ([url]http://www.heysoft.de[/url])
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI)    DENY   --C-------       BUILTIN\Administrators
(NI)    ALLOW  Full access  NT AUTHORITY\SYSTEM
(IO)    ALLOW  Full access  NT AUTHORITY\SYSTEM
(ID-NI) ALLOW  Read         BUILTIN\Users
(ID-IO) ALLOW  Read         BUILTIN\Users
(ID-NI) ALLOW  Full access  BUILTIN\Administrators
(ID-IO) ALLOW  Full access  BUILTIN\Administrators
(ID-NI) ALLOW  Full access  NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access  NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access  CREATOR OWNER



Setting up for Reboot


Starting Reboot!

C:\Documents and Settings\Owner\Desktop\l2mfix 
System Rebooted! 

Running From:
C:\Documents and Settings\Owner\Desktop\l2mfix

killing explorer and rundll32.exe 

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 [email]Craig.Peacock@beyondlogic.org[/email]
Killing PID 1068 'explorer.exe'
Killing PID 1068 'explorer.exe'
Killing PID 1068 'explorer.exe'
Killing PID 1068 'explorer.exe'
Killing PID 1068 'explorer.exe'
Killing PID 1068 'explorer.exe'
Killing PID 1068 'explorer.exe'
Killing PID 1068 'explorer.exe'
Killing PID 1068 'explorer.exe'
Killing PID 1068 'explorer.exe'
Killing PID 1068 'explorer.exe'
Killing PID 1068 'explorer.exe'
Killing PID 1068 'explorer.exe'
Killing PID 1068 'explorer.exe'
Killing PID 1068 'explorer.exe'
Killing PID 1068 'explorer.exe'
Killing PID 1068 'explorer.exe'
Killing PID 1068 'explorer.exe'
Killing PID 1068 'explorer.exe'
Killing PID 1068 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 [email]Craig.Peacock@beyondlogic.org[/email]
Killing PID 1248 'rundll32.exe'
Killing PID 1844 'rundll32.exe'

Scanning First Pass. Please Wait!

First Pass Completed 

Second Pass Scanning 

Second pass Completed!
Backing Up: C:\WINDOWS\system32\iemui.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\iemui.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\nbdenb32.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\nbdenb32.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\nbwdev.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\nbwdev.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\nkrsda.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\nkrsda.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\onpdx32.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\onpdx32.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\pzlstore.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\pzlstore.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\rPsapi32.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\rPsapi32.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\sNfrcdlg.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\sNfrcdlg.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ufiime.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ufiime.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\uoiplat.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\uoiplat.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\guard.tmp
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\guard.tmp
        1 file(s) copied.
deleting: C:\WINDOWS\system32\iemui.dll  
Successfully Deleted: C:\WINDOWS\system32\iemui.dll
deleting: C:\WINDOWS\system32\iemui.dll  
Successfully Deleted: C:\WINDOWS\system32\iemui.dll
deleting: C:\WINDOWS\system32\nbdenb32.dll  
Successfully Deleted: C:\WINDOWS\system32\nbdenb32.dll
deleting: C:\WINDOWS\system32\nbdenb32.dll  
Successfully Deleted: C:\WINDOWS\system32\nbdenb32.dll
deleting: C:\WINDOWS\system32\nbwdev.dll  
Successfully Deleted: C:\WINDOWS\system32\nbwdev.dll
deleting: C:\WINDOWS\system32\nbwdev.dll  
Successfully Deleted: C:\WINDOWS\system32\nbwdev.dll
deleting: C:\WINDOWS\system32\nkrsda.dll  
Successfully Deleted: C:\WINDOWS\system32\nkrsda.dll
deleting: C:\WINDOWS\system32\nkrsda.dll  
Successfully Deleted: C:\WINDOWS\system32\nkrsda.dll
deleting: C:\WINDOWS\system32\onpdx32.dll  
Successfully Deleted: C:\WINDOWS\system32\onpdx32.dll
deleting: C:\WINDOWS\system32\onpdx32.dll  
Successfully Deleted: C:\WINDOWS\system32\onpdx32.dll
deleting: C:\WINDOWS\system32\pzlstore.dll  
Successfully Deleted: C:\WINDOWS\system32\pzlstore.dll
deleting: C:\WINDOWS\system32\pzlstore.dll  
Successfully Deleted: C:\WINDOWS\system32\pzlstore.dll
deleting: C:\WINDOWS\system32\rPsapi32.dll  
Successfully Deleted: C:\WINDOWS\system32\rPsapi32.dll
deleting: C:\WINDOWS\system32\rPsapi32.dll  
Successfully Deleted: C:\WINDOWS\system32\rPsapi32.dll
deleting: C:\WINDOWS\system32\sNfrcdlg.dll  
Successfully Deleted: C:\WINDOWS\system32\sNfrcdlg.dll
deleting: C:\WINDOWS\system32\sNfrcdlg.dll  
Successfully Deleted: C:\WINDOWS\system32\sNfrcdlg.dll
deleting: C:\WINDOWS\system32\ufiime.dll  
Successfully Deleted: C:\WINDOWS\system32\ufiime.dll
deleting: C:\WINDOWS\system32\ufiime.dll  
Successfully Deleted: C:\WINDOWS\system32\ufiime.dll
deleting: C:\WINDOWS\system32\uoiplat.dll  
Successfully Deleted: C:\WINDOWS\system32\uoiplat.dll
deleting: C:\WINDOWS\system32\uoiplat.dll  
Successfully Deleted: C:\WINDOWS\system32\uoiplat.dll
deleting: C:\WINDOWS\system32\guard.tmp  
Successfully Deleted: C:\WINDOWS\system32\guard.tmp
deleting: C:\WINDOWS\system32\guard.tmp  
Successfully Deleted: C:\WINDOWS\system32\guard.tmp


Zipping up files for submission:
  adding: iemui.dll (140 bytes security) (deflated 48%)
  adding: nbdenb32.dll (140 bytes security) (deflated 48%)
  adding: nbwdev.dll (140 bytes security) (deflated 48%)
  adding: nkrsda.dll (140 bytes security) (deflated 48%)
  adding: onpdx32.dll (140 bytes security) (deflated 48%)
  adding: pzlstore.dll (140 bytes security) (deflated 48%)
  adding: rPsapi32.dll (140 bytes security) (deflated 48%)
  adding: sNfrcdlg.dll (140 bytes security) (deflated 48%)
  adding: ufiime.dll (140 bytes security) (deflated 48%)
  adding: uoiplat.dll (140 bytes security) (deflated 48%)
  adding: guard.tmp (140 bytes security) (deflated 48%)
  adding: clear.reg (140 bytes security) (deflated 22%)
  adding: echo.reg (140 bytes security) (deflated 9%)
  adding: direct.txt (140 bytes security) (stored 0%)
  adding: lo2.txt (140 bytes security) (deflated 85%)
  adding: readme.txt (140 bytes security) (deflated 52%)
  adding: test.txt (140 bytes security) (deflated 86%)
  adding: test2.txt (140 bytes security) (stored 0%)
  adding: test3.txt (140 bytes security) (stored 0%)
  adding: test5.txt (140 bytes security) (stored 0%)
  adding: xfind.txt (140 bytes security) (deflated 82%)
  adding: backregs/75740AC3-4BF8-4B46-B9FD-0888D046D7DE.reg (140 bytes security) (deflated 70%)
  adding: backregs/notibac.reg (140 bytes security) (deflated 87%)
  adding: backregs/shell.reg (140 bytes security) (deflated 73%)

Restoring Registry Permissions: 


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software ([url]http://www.heysoft.de[/url])
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!


Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software ([url]http://www.heysoft.de[/url])
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI)    ALLOW  Full access  NT AUTHORITY\SYSTEM
(IO)    ALLOW  Full access  NT AUTHORITY\SYSTEM
(ID-NI) ALLOW  Read         BUILTIN\Users
(ID-IO) ALLOW  Read         BUILTIN\Users
(ID-NI) ALLOW  Full access  BUILTIN\Administrators
(ID-IO) ALLOW  Full access  BUILTIN\Administrators
(ID-NI) ALLOW  Full access  NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access  NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access  CREATOR OWNER


Restoring Sedebugprivilege:

 Granting SeDebugPrivilege to Administrators   ... successful

Restoring Windows Update Certificates.:

deleting local copy: iemui.dll   
deleting local copy: iemui.dll   
deleting local copy: nbdenb32.dll   
deleting local copy: nbdenb32.dll   
deleting local copy: nbwdev.dll   
deleting local copy: nbwdev.dll   
deleting local copy: nkrsda.dll   
deleting local copy: nkrsda.dll   
deleting local copy: onpdx32.dll   
deleting local copy: onpdx32.dll   
deleting local copy: pzlstore.dll   
deleting local copy: pzlstore.dll   
deleting local copy: rPsapi32.dll   
deleting local copy: rPsapi32.dll   
deleting local copy: sNfrcdlg.dll   
deleting local copy: sNfrcdlg.dll   
deleting local copy: ufiime.dll   
deleting local copy: ufiime.dll   
deleting local copy: uoiplat.dll   
deleting local copy: uoiplat.dll   
deleting local copy: guard.tmp   
deleting local copy: guard.tmp   

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000


The following are the files found: 
****************************************************************************
C:\WINDOWS\system32\iemui.dll 
C:\WINDOWS\system32\iemui.dll 
C:\WINDOWS\system32\nbdenb32.dll 
C:\WINDOWS\system32\nbdenb32.dll 
C:\WINDOWS\system32\nbwdev.dll 
C:\WINDOWS\system32\nbwdev.dll 
C:\WINDOWS\system32\nkrsda.dll 
C:\WINDOWS\system32\nkrsda.dll 
C:\WINDOWS\system32\onpdx32.dll 
C:\WINDOWS\system32\onpdx32.dll 
C:\WINDOWS\system32\pzlstore.dll 
C:\WINDOWS\system32\pzlstore.dll 
C:\WINDOWS\system32\rPsapi32.dll 
C:\WINDOWS\system32\rPsapi32.dll 
C:\WINDOWS\system32\sNfrcdlg.dll 
C:\WINDOWS\system32\sNfrcdlg.dll 
C:\WINDOWS\system32\ufiime.dll 
C:\WINDOWS\system32\ufiime.dll 
C:\WINDOWS\system32\uoiplat.dll 
C:\WINDOWS\system32\uoiplat.dll 
C:\WINDOWS\system32\guard.tmp 
C:\WINDOWS\system32\guard.tmp 

Registry Entries that were Deleted: 
Please verify that the listing looks ok.  
If there was something deleted wrongly there are backups in the backreg folder. 
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{75740AC3-4BF8-4B46-B9FD-0888D046D7DE}"=-
[-HKEY_CLASSES_ROOT\CLSID\{75740AC3-4BF8-4B46-B9FD-0888D046D7DE}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
****************************************************************************
Desktop.ini Contents: 
****************************************************************************
****************************************************************************



DLL Compare Log

*    DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINDOWS\SYSTEM32\8zj.dll        Sun Aug 21 2005   8:45:44a  ..SHR        637,564   622.62 K
C:\WINDOWS\SYSTEM32\msexcl35.dll   Thu Sep  9 1999  11:06:38p  A.S..        252,688   246.77 K
C:\WINDOWS\SYSTEM32\msjet35.dll    Tue Sep 28 1999  10:42:48p  A.S..      1,050,896     1.00 M
C:\WINDOWS\SYSTEM32\msltus35.dll   Thu Sep  9 1999  11:06:38p  A.S..        168,720   164.77 K
C:\WINDOWS\SYSTEM32\mspdox35.dll   Mon Jun  7 1999   7:59:34p  A.S..        250,128   244.27 K
C:\WINDOWS\SYSTEM32\msrd2x35.dll   Sun Apr 25 1999   6:00:00p  A.S..        252,176   246.27 K
C:\WINDOWS\SYSTEM32\msrepl35.dll   Wed Aug 25 1999   3:57:26p  A.S..        415,504   405.77 K
C:\WINDOWS\SYSTEM32\mstext35.dll   Thu Sep 30 1999   8:21:24p  A.S..        166,672   162.77 K
C:\WINDOWS\SYSTEM32\msxbse35.dll   Sun Apr 25 1999   6:00:00p  A.S..        287,504   280.77 K
C:\WINDOWS\SYSTEM32\tnddd.dll      Mon Aug 22 2005  10:46:58p  ..S.R        417,792   408.00 K
C:\WINDOWS\SYSTEM32\vbar332.dll    Sun Apr 25 1999   6:00:00p  A.S..        368,912   360.27 K
________________________________________________

1,356 items found:  1,356 files (11 H/S), 0 directories.
Total of file sizes:  300,878,464 bytes    286.94 M

Administrator Account =  True

--------------------End log---------------------


 :o

Edited by mike_2000_17: Fixed formatting

0

That's better :). Done well. You will likely have more to remove now, but I would say the bulk of the nasties have been removed.

==

Please go to Jotti's and have these files scanned. Post the results back here.

C:\WINDOWS\SYSTEM32\8zj.dll
C:\WINDOWS\SYSTEM32\tnddd.dll

==

Run WinPFind and Track qoo again and post the logs back please.

0

Progress! thanks....

Here's the Jotti logs:

Service load:  0%        100%  

File:  8zj.dll  
Status:  POSSIBLY INFECTED/MALWARE (Note: this file was only classified as malware by scanners known to generate more false positives than the average scanner. Do not consider these results definately accurate. Also, because of this, results of this scan will not be recorded in the database.)  
MD5  812750eb428fd2fa1b3a86b95e8d4562  
Packers detected:  - 
Scanner results  
AntiVir  Found TR/Delf.CF.1  
ArcaVir  Found nothing 
Avast  Found Win32:Trojano-1239  
AVG Antivirus  Found nothing 
BitDefender  Found nothing 
ClamAV  Found Trojan.W32.Kolweb  
Dr.Web  Found nothing 
F-Prot Antivirus  Found nothing 
Fortinet  Found nothing 
Kaspersky Anti-Virus  Found nothing 
NOD32  Found nothing 
Norman Virus Control  Found nothing 
UNA  Found nothing 
VBA32  Found nothing 


Service load:  0%        100%  

File:  tnddd.dll  
Status:  INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database) (Note: only non-destructive malware has been found. Considering the non-destructive nature of samples like these - although they can be a pain -, results will not be stored in the database.) 
MD5  abee697ce51cb28d3f83bf9c6e097a6a  
Packers detected:  - 
Scanner results  
AntiVir  Found nothing 
ArcaVir  Found nothing 
Avast  Found nothing 
AVG Antivirus  Found Generic.JV  
BitDefender  Found Application.Adware.Look2Me.AG  
ClamAV  Found Adware.Lookme-2  
Dr.Web  Found not a virus Adware.Ican  
F-Prot Antivirus  Found W32/Trojan.VP  
Fortinet  Found W32/VeryLince.A-tr  
Kaspersky Anti-Virus  Found not-a-virus:AdWare.Look2Me.ag  
NOD32  Found Win32/Adware.Look2Me application  
Norman Virus Control  Found nothing 
UNA  Found nothing 
VBA32  Found AdWare.Look2Me.ag  

Powered by  


Powered by  

here's the WinPFind:

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP    Current Build: Service Pack 1    Current Build Number: 2600
Internet Explorer Version: 6.0.2800.1106

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
abetterinternet.com  12/31/2004 6:29:52 AM  3278       C:\WINDOWS\abiuninst.htm
aspack               11/28/2004 9:10:44 PM  1343999    C:\WINDOWS\Aurexkb.ehu
PTech                11/28/2004 9:10:44 PM  1343999    C:\WINDOWS\Aurexkb.ehu
UPX!                 11/28/2004 9:00:40 PM  255700     C:\WINDOWS\del.tmp
UPX!                 8/21/2005 10:03:30 PM  189859     C:\WINDOWS\dsr.exe
PTech                11/28/2004 9:10:52 PM  1073501    C:\WINDOWS\Flgczsswjyh.lzw
PEC2                 11/28/2004 9:10:40 PM  184535     C:\WINDOWS\Iingbqeu.aaw
PTech                11/28/2004 9:10:46 PM  483851     C:\WINDOWS\Iwwcitsg.dua
PECompact2           7/7/2005 7:44:40 AM    15329059   C:\WINDOWS\lpt$vpn.719
qoologic             7/7/2005 7:44:40 AM    15329059   C:\WINDOWS\lpt$vpn.719
SAHAgent             7/7/2005 7:44:40 AM    15329059   C:\WINDOWS\lpt$vpn.719
PEC2                 11/28/2004 9:10:42 PM  193869     C:\WINDOWS\Mxacorse.trv
UPX!                 6/13/2000 2:53:30 PM   52736      C:\WINDOWS\Nail.exe
UPX!                 2/9/2003 6:26:52 AM    79360      C:\WINDOWS\nqhpozgaz.exe
UPX!                 5/3/2005 11:44:44 AM   25157      C:\WINDOWS\RMAgentOutput.dll
UPX!                 12/12/2003 2:53:36 AM  6656       C:\WINDOWS\svcproc.exe
UPX!                 1/10/2005 4:17:24 PM   170053     C:\WINDOWS\tsc.exe
PECompact2           7/7/2005 7:44:40 AM    15329059   C:\WINDOWS\VPTNFILE.719
qoologic             7/7/2005 7:44:40 AM    15329059   C:\WINDOWS\VPTNFILE.719
SAHAgent             7/7/2005 7:44:40 AM    15329059   C:\WINDOWS\VPTNFILE.719
UPX!                 2/18/2005 6:40:14 PM   1044560    C:\WINDOWS\vsapi32.dll
aspack               2/18/2005 6:40:14 PM   1044560    C:\WINDOWS\vsapi32.dll
PTech                11/28/2004 9:10:50 PM  1626626    C:\WINDOWS\Wpkrkcqrrjf.uwm

Checking %System% folder...
SAHAgent             6/30/2005 2:00:58 PM   35         C:\WINDOWS\SYSTEM32\9hk5g7bj.ini
UPX!                 8/21/2005 10:00:22 PM  94208      C:\WINDOWS\SYSTEM32\adlinstallwin32.exe
SAHAgent             8/8/2005 2:05:46 PM    796        C:\WINDOWS\SYSTEM32\atrc8parb.ini
PEC2                 8/29/2002 8:00:00 AM   41397      C:\WINDOWS\SYSTEM32\dfrg.msc
UPX!                 10/8/2004 11:44:14 AM  28160      C:\WINDOWS\SYSTEM32\DrPMon.dll
SAHAgent             6/30/2005 2:00:58 PM   35         C:\WINDOWS\SYSTEM32\havijo1d.ini
Umonitor             11/3/1998 2:01:02 AM   324096     C:\WINDOWS\SYSTEM32\ipebase11.dll
SAHAgent             6/30/2005 9:25:36 PM   3132       C:\WINDOWS\SYSTEM32\l2r348ov.ini
UPX!                 8/21/2005 8:22:12 PM   121433     C:\WINDOWS\SYSTEM32\mc-110-12-0000079.exe
UPX!                 8/21/2005 8:21:06 PM   25105      C:\WINDOWS\SYSTEM32\MTE2ODM6ODoxNg.exe
UPX!                 8/21/2005 8:26:50 PM   116381     C:\WINDOWS\SYSTEM32\Pop1A.exe
UPX!                 8/21/2005 8:09:48 PM   29696      C:\WINDOWS\SYSTEM32\PSof1.exe
Umonitor             8/29/2002 8:00:00 AM   631808     C:\WINDOWS\SYSTEM32\rasdlg.dll
aspack               8/21/2005 8:16:34 PM   28160      C:\WINDOWS\SYSTEM32\redit.cpl
aspack               8/21/2005 8:16:32 PM   29184      C:\WINDOWS\SYSTEM32\supdate.dll
KavSvc               8/21/2005 8:16:32 PM   29184      C:\WINDOWS\SYSTEM32\supdate.dll
69.59.186.63         8/21/2005 8:16:32 PM   29184      C:\WINDOWS\SYSTEM32\supdate.dll
209.66.67.134        8/21/2005 8:16:32 PM   29184      C:\WINDOWS\SYSTEM32\supdate.dll
66.63.167.97         8/21/2005 8:16:32 PM   29184      C:\WINDOWS\SYSTEM32\supdate.dll
66.63.167.77         8/21/2005 8:16:32 PM   29184      C:\WINDOWS\SYSTEM32\supdate.dll
web-nex              8/21/2005 8:16:32 PM   29184      C:\WINDOWS\SYSTEM32\supdate.dll
yourkey              8/21/2005 8:16:32 PM   29184      C:\WINDOWS\SYSTEM32\supdate.dll
rec2_run             8/21/2005 8:16:32 PM   29184      C:\WINDOWS\SYSTEM32\supdate.dll
Umonitor             8/22/2005 10:46:58 PM  417792     C:\WINDOWS\SYSTEM32\tnddd.dll
WinShutDown          8/22/2005 10:46:58 PM  417792     C:\WINDOWS\SYSTEM32\tnddd.dll
UPX!                 8/21/2005 8:25:36 PM   223232     C:\WINDOWS\SYSTEM32\uci.exe
winsync              8/29/2002 8:00:00 AM   1309184    C:\WINDOWS\SYSTEM32\wbdbase.deu
aspack               8/22/2005 10:48:04 PM  61952      C:\WINDOWS\SYSTEM32\wugky.dat

Checking %System%\Drivers folder and sub-folders...

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
S                    8/25/2005 10:01:44 PM  2048       C:\WINDOWS\bootstat.dat
H                    8/25/2005 10:23:26 PM  24         C:\WINDOWS\p1g0Y
SH                   8/21/2005 8:45:44 AM   637564     C:\WINDOWS\system32\8zj.dll
S                    8/22/2005 10:46:58 PM  417792     C:\WINDOWS\system32\tnddd.dll
H                    8/25/2005 10:05:38 PM  1024       C:\WINDOWS\system32\config\default.LOG
H                    8/25/2005 10:01:46 PM  1024       C:\WINDOWS\system32\config\SAM.LOG
H                    8/25/2005 10:02:46 PM  1024       C:\WINDOWS\system32\config\SECURITY.LOG
H                    8/25/2005 10:23:12 PM  1024       C:\WINDOWS\system32\config\software.LOG
H                    8/25/2005 10:10:12 PM  1024       C:\WINDOWS\system32\config\system.LOG
H                    8/8/2005 11:05:22 AM   1024       C:\WINDOWS\system32\config\userdiff.LOG
SH                   8/11/2005 10:18:20 PM  388        C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\a65c4887-7a56-462f-a379-47f4c17c5e26
SH                   8/11/2005 10:18:20 PM  24         C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
H                    8/15/2005 8:00:42 PM   39578      C:\WINDOWS\system32\spool\drivers\w32x86\3\lxblma.GID
SH                   8/25/2005 10:02:10 PM  190        C:\WINDOWS\Tasks\RUTASK.job
H                    8/25/2005 10:02:06 PM  6          C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation          8/29/2002 8:00:00 AM   66048      C:\WINDOWS\SYSTEM32\access.cpl
Realtek Semiconductor Corp.    6/28/2003 12:40:32 AM  8606208    C:\WINDOWS\SYSTEM32\ALSNDMGR.CPL
Microsoft Corporation          8/29/2002 8:00:00 AM   578560     C:\WINDOWS\SYSTEM32\appwiz.cpl
                               5/11/2001 1:00:00 AM   183808     C:\WINDOWS\SYSTEM32\bdeadmin.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM   129024     C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM   150016     C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Hewlett-Packard                1/26/1999 1:06:28 AM   25524      C:\WINDOWS\SYSTEM32\hpsctrlc.cpl
Intel Corporation              4/7/2003 10:14:30 AM   94208      C:\WINDOWS\SYSTEM32\igfxcpl.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM   292352     C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM   121856     C:\WINDOWS\SYSTEM32\intl.cpl
InstallShield Software Corporation6/16/2004 7:03:30 AM   73728      C:\WINDOWS\SYSTEM32\ISUSPM.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM   65536      C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems               2/20/2003 5:42:34 PM   229487     C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM   187904     C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM   559616     C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM   35840      C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM   256000     C:\WINDOWS\SYSTEM32\nusrmgr.cpl
NVIDIA Corporation             5/3/2003 2:19:00 AM    143360     C:\WINDOWS\SYSTEM32\nvtuicpl.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM   36864      C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM   109056     C:\WINDOWS\SYSTEM32\powercfg.cpl
Apple Computer, Inc.           9/23/2004 6:57:40 PM   323072     C:\WINDOWS\SYSTEM32\QuickTime.cpl
                               8/21/2005 8:16:34 PM   28160      C:\WINDOWS\SYSTEM32\redit.cpl
Softex, Inc                    2/21/2003 7:06:04 AM   32768      C:\WINDOWS\SYSTEM32\scurecpl.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM   268288     C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM   28160      C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM   90112      C:\WINDOWS\SYSTEM32\timedate.cpl
The Weather Channel Interactive4/6/2005 4:21:18 PM    3006464    C:\WINDOWS\SYSTEM32\wxfw.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM   66048      C:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM   578560     C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM   129024     C:\WINDOWS\SYSTEM32\dllcache\desk.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM   150016     C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM   292352     C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM   121856     C:\WINDOWS\SYSTEM32\dllcache\intl.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM   65536      C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM   187904     C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM   559616     C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM   35840      C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM   256000     C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM   36864      C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM   109056     C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM   147456     C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM   268288     C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM   28160      C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation          8/29/2002 8:00:00 AM   90112      C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl
Intel Corporation              4/7/2003 10:14:30 AM   94208      C:\WINDOWS\SYSTEM32\ReinstallBackups\0002\DriverFiles\igfxcpl.cpl
Realtek Semiconductor Corp.    6/28/2003 12:40:32 AM  8606208    C:\WINDOWS\SYSTEM32\ReinstallBackups\0005\DriverFiles\ALSNDMGR.CPL

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
                     3/27/2004 2:54:38 PM   1903       C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Compaq Connections.lnk
                     11/27/2004 11:50:40 AM 729        C:\Documents and Settings\All Users\Start Menu\Programs\Startup\KODAK Picture Transfer Software.lnk
                     11/27/2004 11:56:28 AM 1031       C:\Documents and Settings\All Users\Start Menu\Programs\Startup\KODAK Software Updater.lnk
                     1/18/2005 10:51:12 PM  1738       C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
                     7/24/2003 5:47:38 AM   675        C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...

Checking files in %USERPROFILE%\Startup folder...
                     7/24/2003 5:53:24 AM   1715       C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Compaq Organize.lnk
                     7/26/2003 4:57:50 AM   844        C:\Documents and Settings\Owner\Start Menu\Programs\Startup\spamsubtract.lnk

Checking files in %USERPROFILE%\Application Data folder...
                     3/14/2005 7:50:12 PM   110120     C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
                     3/10/2005 3:51:34 PM   12358      C:\Documents and Settings\Owner\Application Data\PFP110JCM.{PB
                     3/10/2005 3:51:34 PM   61678      C:\Documents and Settings\Owner\Application Data\PFP110JPR.{PB
                     8/21/2005 8:14:32 PM   445676     C:\Documents and Settings\Owner\Application Data\Sskknwrd.dll

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\BriefcaseMenu
    {85BBD920-42A0-1069-A2E4-08002B30309D}   = syncui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
    {57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}   = C:\Program Files\ewido\security suite\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\mysxkqsf
    {2c55ffab-b398-4bb8-b712-796434db7c9d}   = 
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
    {750fdf0e-2a26-11d1-a3ea-080036587f03}   = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
    {09799AFB-AD67-11d1-ABCD-00C04FC30936}   = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
    {A470F8CF-A1E8-4f65-8335-227475AA5C46}   = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\OPShellE
    {CCFE56EE-C7DE-44EE-A160-4553A5A912C9}   = C:\Program Files\Softex\OmniPass\opshelle.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
    {5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}   = C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
    Start Menu Pin   = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\BriefcaseMenu
    {85BBD920-42A0-1069-A2E4-08002B30309D}   = syncui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
    {5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}   = C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
    {A470F8CF-A1E8-4f65-8335-227475AA5C46}   = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido
    {57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}   = C:\Program Files\ewido\security suite\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
    {750fdf0e-2a26-11d1-a3ea-080036587f03}   = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\OPShellE
    {CCFE56EE-C7DE-44EE-A160-4553A5A912C9}   = C:\Program Files\Softex\OmniPass\opshelle.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\QuickFinderMenu
    {C0E10002-0028-0004-C0E1-C0E1C0E1C0E1}   = c:\Program Files\WordPerfect Office 11\Programs\PFSE110.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
    {f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}   = ntshrui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
     = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
     = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
     = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
     = %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00F1D395-4744-40f0-A611-980F61AE2C59}
    Band Class = C:\WINDOWS\dsr.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2296428D-C133-4928-B76A-A200FF409572}
    XBTP07618 Class = C:\PROGRA~1\FREEPR~1\freeprod.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{71D1708F-973D-4600-AF01-AD86688403AE}
    LANBridge Class = C:\WINDOWS\System32\ylthpdta.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9ADE0443-2AB2-4B23-A3F8-AC520773DE12}
    ohb Class = C:\WINDOWS\System32\nsf5B.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
    &Tip of the Day = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
    {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F}   = Freeprod Toolbar : C:\Program Files\Freeprod Toolbar\freeprod.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
    MenuText     = Sun Java Console : C:\WINDOWS\System32\msjava.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{E023F504-0C5A-4750-A1E7-A9046DEA8A21}
    ButtonText   = MoneySide    : 

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
    File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
    Explorer Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser
    {01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address   : %SystemRoot%\System32\browseui.dll
    {EF99BD32-C1FB-11D2-892F-0090271D4F88} =    : 
    {CC8C8F4F-F2E8-404B-A43D-5CC57876A008} = sextension : C:\WINDOWS\Downloaded Program Files\sextension.dll
    {0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
    {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} = Freeprod Toolbar   : C:\Program Files\Freeprod Toolbar\freeprod.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    hpsysdrv    c:\windows\system\hpsysdrv.exe
    HotKeysCmds C:\WINDOWS\System32\hkcmd.exe
    KBD C:\HP\KBD\KBD.EXE
    StorageGuard    "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    TkBellExe   "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    Recguard    C:\WINDOWS\SMINST\RECGUARD.EXE
    NvCplDaemon RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    nwiz    nwiz.exe /installquiet /keeploaded /nodetect
    AlcxMonitor ALCXMNTR.EXE
    PS2 C:\WINDOWS\system32\ps2.exe
    QuickFinder Scheduler   "c:\Program Files\WordPerfect Office 11\Programs\QFSCHD110.EXE"
    hplampc C:\WINDOWS\system32\hplampc.exe
    mmtask  C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    Symantec NetDriver Monitor  C:\PROGRA~1\SYMNET~1\SNDMon.exe
    ISUSPM Startup  C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    QuickTime Task  "C:\Program Files\QuickTime\qttask.exe" -atboottime
    ccApp   "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    SSC_UserPrompt  C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
    ccRegVfy    "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    qbet    C:\WINDOWS\qbet.exe
    WildTangent CDA RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
    WT GameChannel  C:\Program Files\WildTangent\Apps\GameChannel.exe
    pxkcols C:\WINDOWS\System32\nvtoxi.exe r

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
    IMAIL   Installed = 1
    MAPI    Installed = 1
    MSFS    Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    NVIEW   rundll32.exe nview.dll,nViewLoadHook
    MSMSGS  "C:\Program Files\Messenger\msmsgs.exe" /background
    Io02RRM3V   atrivs.exe
    kbdsp   C:\WINDOWS\System32\kbdsp.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
    {BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
    {6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} = 
    {0DF44EAA-FF21-4412-828E-260A8728E7F1} = 


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
    dontdisplaylastusername 0
    legalnoticecaption  
    legalnoticetext 
    shutdownwithoutlogon    1
    undockwithoutlogon  1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
    NoDriveTypeAutoRun  145

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
    bgtxdii.exe C:\WINDOWS\system\bgtxdii.exe
    eiicupd.exe C:\WINDOWS\system\eiicupd.exe


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    PostBootReminder                {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
    CDBurn                          {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
    WebCheck                        {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
    SysTray                         {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit    = C:\WINDOWS\system32\userinit.exe,
    Shell       = Explorer.exe C:\WINDOWS\Nail.exe
    System      = 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
     = crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
     = cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
     = cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
     = wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
     = wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
     = sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
     = WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
     = wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
     = wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif
     = wzcdlg.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
    Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    AppInit_DLLs    


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.3.0 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 8/25/2005 10:23:59 PM

here's the Track qoo:

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\\windows\\system\\hpsysdrv.exe"
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"KBD"="C:\\HP\\KBD\\KBD.EXE"
"StorageGuard"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"Recguard"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /installquiet /keeploaded /nodetect"
"AlcxMonitor"="ALCXMNTR.EXE"
"PS2"="C:\\WINDOWS\\system32\\ps2.exe"
"QuickFinder Scheduler"="\"c:\\Program Files\\WordPerfect Office 11\\Programs\\QFSCHD110.EXE\""
"hplampc"="C:\\WINDOWS\\system32\\hplampc.exe"
"mmtask"="C:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mmtask.exe"
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe"
"ISUSPM Startup"="C:\\PROGRA~1\\COMMON~1\\INSTAL~1\\UPDATE~1\\ISUSPM.exe -startup"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"ccApp"="\"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"SSC_UserPrompt"="C:\\Program Files\\Common Files\\Symantec Shared\\Security Center\\UsrPrmpt.exe"
"ccRegVfy"="\"c:\\Program Files\\Common Files\\Symantec Shared\\ccRegVfy.exe\""
"qbet"="C:\\WINDOWS\\qbet.exe"
"WildTangent CDA"="RUNDLL32.exe \"C:\\Program Files\\WildTangent\\Apps\\CDA\\cdaEngine0400.dll\",cdaEngineMain"
"WT GameChannel"="C:\\Program Files\\WildTangent\\Apps\\GameChannel.exe"
"KavSvc"="C:\\WINDOWS\\System32\\halpum.exe reg_run"
"pxkcols"="C:\\WINDOWS\\System32\\nvtoxi.exe r"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

-----------------
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers


Subkey --- BriefcaseMenu
{85BBD920-42A0-1069-A2E4-08002B30309D}
syncui.dll

Subkey --- ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}
C:\Program Files\ewido\security suite\context.dll

Subkey --- mysxkqsf
{2c55ffab-b398-4bb8-b712-796434db7c9d}


Subkey --- Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03}
C:\WINDOWS\System32\cscui.dll

Subkey --- Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- OPShellE
{CCFE56EE-C7DE-44EE-A160-4553A5A912C9}
C:\Program Files\Softex\OmniPass\opshelle.dll

Subkey --- Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}
C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

Subkey --- {a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin
C:\WINDOWS\system32\SHELL32.dll

=====================

HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers


Subkey --- {0D2E74C4-3C34-11d2-A27E-00C04FC30871}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {24F14F01-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {24F14F02-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {66742402-F9B9-11D1-A202-0000F81FEDEE}
C:\WINDOWS\system32\SHELL32.dll

==============================
C:\Documents and Settings\All Users\Start Menu\Programs\Startup

Compaq Connections.lnk
desktop.ini
KODAK Picture Transfer Software.lnk
KODAK Software Updater.lnk
Microsoft Office.lnk
Quicken Scheduled Updates.lnk
==============================
C:\Documents and Settings\Owner\Start Menu\Programs\Startup

Compaq Connections.lnk
desktop.ini
KODAK Picture Transfer Software.lnk
KODAK Software Updater.lnk
Microsoft Office.lnk
Quicken Scheduled Updates.lnk
Compaq Organize.lnk
desktop.ini
spamsubtract.lnk
==============================
C:\WINDOWS\system32 cpl files


access.cpl                    Microsoft Corporation
ALSNDMGR.CPL                  Realtek Semiconductor Corp.
appwiz.cpl                    Microsoft Corporation
bdeadmin.cpl                  Borland Software Corporation
desk.cpl                      Microsoft Corporation
hdwwiz.cpl                    Microsoft Corporation
hpsctrlc.cpl                  Hewlett-Packard
igfxcpl.cpl                   Intel Corporation
inetcpl.cpl                   Microsoft Corporation
intl.cpl                      Microsoft Corporation
ISUSPM.cpl                    InstallShield Software Corporation
joy.cpl                       Microsoft Corporation
jpicpl32.cpl                  Sun Microsystems
main.cpl                      Microsoft Corporation
mmsys.cpl                     Microsoft Corporation
ncpa.cpl                      Microsoft Corporation
nusrmgr.cpl                   Microsoft Corporation
nvtuicpl.cpl                  NVIDIA Corporation
odbccp32.cpl                  Microsoft Corporation
powercfg.cpl                  Microsoft Corporation
QuickTime.cpl                 Apple Computer, Inc.
redit.cpl                     
scurecpl.cpl                  Softex, Inc
sysdm.cpl                     Microsoft Corporation
telephon.cpl                  Microsoft Corporation
timedate.cpl                  Microsoft Corporation
wxfw.cpl                      The Weather Channel Interactive

Edited by mike_2000_17: Fixed formatting

0

Sorry to muck you around, but it looks like you have nail/aurora back on your PC. I will post the entire canned speech, so ignore what you already have :).

==

You may want to print or save these instructions locally before starting.

Please download, install, and update the free version of Ewido trojan scanner:

  1. When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  2. Run Ewido --- When you run it for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  3. From the main ewido screen, click on update in the left menu, then click the Start update button.
  4. After the update finishes (the status bar at the bottom will display "Update successful")
  5. Exit Ewido. DO NOT scan yet.

Download CCleaner and install, but do not run it yet.

Please download the Nailfix utility.
DO NOT run it yet.

Reboot into Safe Mode. To do this with Windows XP, you can follow these steps from Microsoft:

  1. Restart your computer and start pressing the F8 key on your keyboard. On a computer that is configured for booting to multiple operating systems, you can press the F8 key when you the Boot Menu appears.
  2. Select an option when the Windows Advanced Options menu appears, and then press ENTER.
  3. When the Boot menu appears again, and the words "Safe Mode" appear in blue at the bottom, select the installation that you want to start, and then press ENTER.

Once in Safe Mode, please double-click on nailfix.exe. Click "Next" in the setup, then make sure "Run Nailfix" is checked and click "Finish". Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Next, run Ewido again.

  1. Click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run.
  2. If ewido finds anything, it will pop up a notification. We have been finding some cases of false positives with the new version of Ewido, so we need to step through the fixes one-by-one. If Ewido finds something that you KNOW is legitimate (for example, parts of AVG Antivirus, pcAnywhere and the game "Risk" have been flagged), select "none" as the action. DO NOT check "Perform action with all infections". If you are unsure of an entry, select "none" for the time being. I'll see that in the log you will post later and let you know if ewido needs to be run again.
  3. When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.

Then run HijackThis, click Scan, and place a checkmark by the following item:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

Close all open windows except for HijackThis and click Fix Checked.

Now, run CCleaner.

  1. Uncheck "Cookies" under "Internet Explorer".
  2. Click on Run Cleaner in the lower right-hand corner. This can take quite a while to run.

Finally, restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.

==

Please go here and download Find_qoologic.zip by baskar1234. Unzip the folder and go to the new qoologic folder and doubleclick on qoologic.bat to run it. It will take a few minutes to scan your drive so be patient. When it has finished, open My Computer, doubleclick on C: and copy and paste the contents of the below logs in this thread.

C:\log.txt
C:\win.txt
C:\start.txt

This question has already been answered. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.