
Any help would be gratefully appreciated. Tried running all sorts of spyware scanners, which always get interrupted by WinFixer.
Thanks in advance.
HijackThis Log:
Logfile of HijackThis v1.99.1
Scan saved at 10:04:40 AM, on 11/8/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
C:\Program Files\Internet Optimizer\optimize.exe
C:\Program Files\Yjyhi\Awqkxof.exe
C:\Program Files\Common Files\AOL\1124372039\ee\AOLHostManager.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Common Files\AOL\1124372039\ee\AOLServiceHost.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft Office\Office\EXCEL.EXE
C:\WINDOWS\System32\HPBPRO.EXE
C:\Program Files\Adobe\Acrobat 6.0\Acrobat\Acrobat.exe
F:\PROGRA~1\AIM\aim.exe
C:\Program Files\Common Files\AOL\1124372039\ee\AOLServiceHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\HPBPRO.EXE
C:\Documents and Settings\user2\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: BHObj Class - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\wsem303.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1124372039\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [Xwhwbwd] C:\Program Files\Yjyhi\Awqkxof.exe
O4 - HKLM\..\RunOnce: [removeQL] cmd /c IF NOT EXIST "C:\WINDOWS\system32\qlink32.dll" (IF EXIST "C:\WINDOWS\system32\PreUninstallQL.exe" del /s /q "C:\WINDOWS\system32\PreUninstallQL.exe")
O4 - HKLM\..\RunOnce: [MyWebSearch bar Uninstall] rundll32 C:\PROGRA~1\UNINST~1.DLL,O -2
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [AIM] F:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=zuzeb004YYUS_undefined
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - F:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/MyFunCardsFWBInitialSetup1.0.0.15.cab
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - http://66.29.7.159/toolbar/cabs/free_access.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://cpi.webex.com/client/v_mywebex-t20/webex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2CB1A62C-B737-4E80-8B96-2569D273E137}: NameServer = 141.155.0.68,4.2.2.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{2CB1A62C-B737-4E80-8B96-2569D273E137}: NameServer = 141.155.0.68,4.2.2.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{2CB1A62C-B737-4E80-8B96-2569D273E137}: NameServer = 141.155.0.68,4.2.2.1
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Last Post by swatkat

Hi,
Download CleanUp and install it.


If you have not updated Ewido, then update it. Run Ewido, click the "Update" button on left side of main window and click "Start Update" button.


Make Windows show all files:-
Go to Start > My Computer.
Go to Tools menu, click Folder Options (Folder Option will be in View Menu in Win98).
Uncheck Hide protected operating system files.
Then, click to select the option Show hidden files and folders.
Click Apply and then click OK to exit.


Reboot in Safe Mode:-
Restart (or switch ON) the PC.
Then, keep tapping the F8 Key.
From the menu that is displayed, choose Safe Mode and press Enter.


Uninstall this Software from Add/Remove Programs in Control Panel:-
MyWebSearch
Internet Optimizer


Run HijackThis and click Do only a System scan.
Then put a check mark in front of the entries listed below:-

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: BHObj Class - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\wsem303.dll
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [Xwhwbwd] C:\Program Files\Yjyhi\Awqkxof.exe
O4 - HKLM\..\RunOnce: [removeQL] cmd /c IF NOT EXIST "C:\WINDOWS\system32\qlink32.dll" (IF EXIST "C:\WINDOWS\system32\PreUninstallQL.exe" del /s /q "C:\WINDOWS\system32\PreUninstallQL.exe")
O4 - HKLM\..\RunOnce: [MyWebSearch bar Uninstall] rundll32 C:\PROGRA~1\UNINST~1.DLL,O -2
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=zuzeb004YYUS_undefined
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/MyFunCardsFWBInitialSetup1.0.0.15.cab
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - http://66.29.7.159/toolbar/cabs/free_access.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://cpi.webex.com/client/v_mywebex-t20/webex/ieatgpc.cab

Close all other open programs except HijackThis and click the button Fix Checked in HijackThis.


Exit from HijackThis. Delete these folders:-
C:\PROGRAM FILES\MYWEBSEARCH
C:\Program Files\Internet Optimizer
C:\Program Files\Yjyhi


Delete this file:-
C:\WINDOWS\wsem303.dll


Run CleanUp! and click the "Options.." button. Here move the "Quick Setup" slider to the "Thorough Cleanup" position. Uncheck the option "Delete Favorites Places/Bookmarks" if you have any bookmarks. Click "OK" to return to the main window, and click "CleanUp!" to start cleaning. After it completes, click "Close" and click "No" to avoid logging off.


Run Ewido, click on the "Scanner" button in the left menu, then click on the "Complete System Scan" button.
If ewido finds anything, it will pop up a notification. You can select "Clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.


Reboot to Normal Mode. Perform an online virus scan at Panda ActiveScan with the "Disinfection" option enabled. Save the log it gives after the scan.

Run HijackThis again, click Do a System scan and save log, and post the fresh log along with the Panda ActiveScan log.
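A triage script for the kind of HijackThis log posted above, added here as an example; it is not part of the original thread and not a HijackThis project tool. It encodes the signals swatkat acted on (an orphaned URLSearchHook, a BHO sitting in C:\WINDOWS, Run entries with random-looking or known-adware names, RunOnce entries launched through cmd/rundll32, and O16 DPF downloads from a bare IP) and marks everything else for review or leaves it alone. The sample lines are copied from the first log in this thread; the adware name list, the random-name heuristic and the two severity levels are assumptions constructed for the demo.

```python
"""Review aid for HijackThis v1.99.1 logs: flags entries, never fixes them."""
import re
from typing import Dict, List, Tuple

# Constructed sample: a few lines copied from the first HijackThis log in this
# thread, with benign Symantec, AOL and WebEx entries kept for contrast.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: BHObj Class - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\wsem303.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [Xwhwbwd] C:\Program Files\Yjyhi\Awqkxof.exe
O4 - HKLM\..\RunOnce: [MyWebSearch bar Uninstall] rundll32 C:\PROGRA~1\UNINST~1.DLL,O -2
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - http://66.29.7.159/toolbar/cabs/free_access.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://cpi.webex.com/client/v_mywebex-t20/webex/ieatgpc.cab
"""

HJT_ENTRY = re.compile(r"^(?P<section>[RO]\d{1,2}) - (?P<body>.+)$")
O4_ENTRY = re.compile(r"^HK\w+\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
URL_HOST = re.compile(r"https?://([^/\s:]+)", re.I)
BARE_IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
WINDOWS_ROOT_DLL = re.compile(r"^[a-z]:\\windows\\[^\\]+\.dll$", re.I)
LAUNCHER = re.compile(r"^(?:cmd|rundll32)(?:\.exe)?\b", re.I)
VOWELS = set("aeiouy")
# Constructed denylist: the two products swatkat told the poster to uninstall.
ADWARE_NAMES = ("internet optimizer", "mywebsearch")

Finding = Tuple[str, str]  # (severity, reason); severity is "fix" or "review"


def looks_random(name: str) -> bool:
    """Crude test for machine-generated names such as 'Xwhwbwd': letters only,
    five or more of them, not an all-caps acronym (MSMSGS), and no vowel at all."""
    return (name.isalpha() and len(name) >= 5 and not name.isupper()
            and not (VOWELS & set(name.lower())))


def parse_log(text: str) -> List[Tuple[str, str]]:
    """Return (section, body) for every 'Rn - ...' / 'On - ...' line."""
    entries = []
    for line in text.splitlines():
        m = HJT_ENTRY.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def flag_entry(section: str, body: str) -> List[Finding]:
    """Findings for one entry; an empty list means nothing stood out."""
    findings: List[Finding] = []
    if section == "R3" and body.endswith("(no file)"):
        findings.append(("fix", "URLSearchHook whose DLL is gone; an orphan left by removed adware"))
    elif section == "O2":
        path = body.rsplit(" - ", 1)[-1]
        if WINDOWS_ROOT_DLL.match(path):
            findings.append(("fix", "BHO loaded straight from the Windows directory, not a vendor folder"))
    elif section == "O4":
        m = O4_ENTRY.match(body)
        if m:  # Global Startup .lnk lines do not match and are skipped
            key, name, cmd = m.group("key"), m.group("name"), m.group("cmd")
            if any(bad in (name + " " + cmd).lower() for bad in ADWARE_NAMES):
                findings.append(("fix", "autorun for software the thread identified as adware"))
            if looks_random(name):
                findings.append(("fix", "autorun with a random-looking name"))
            if key.lower() == "runonce" and LAUNCHER.match(cmd):
                findings.append(("review", "RunOnce that goes through cmd/rundll32 instead of a program file"))
    elif section == "O16":
        host = URL_HOST.search(body)
        if host and BARE_IPV4.match(host.group(1)):
            findings.append(("fix", "ActiveX (DPF) installer fetched from a bare IP address"))
        else:
            findings.append(("review", "ActiveX (DPF) installer; fix it unless you recognise the site"))
    return findings


def triage(text: str) -> List[Dict[str, object]]:
    """Flagged entries only, each with its findings, in log order."""
    report = []
    for section, body in parse_log(text):
        findings = flag_entry(section, body)
        if findings:
            report.append({"section": section, "body": body, "findings": findings})
    return report


def severity_counts(report: List[Dict[str, object]]) -> Dict[str, int]:
    counts = {"fix": 0, "review": 0}
    for item in report:
        for severity, _ in item["findings"]:
            counts[severity] += 1
    return counts


if __name__ == "__main__":
    for item in triage(SAMPLE_LOG):
        print(f"{item['section']} - {item['body'][:70]}")
        for severity, reason in item["findings"]:
            print(f"    [{severity}] {reason}")
```

Entries the script does not flag (the Yahoo R0/R1 lines, the Sun Java Console entry with its missing msjava.dll) are the ones a helper judges by eye, which is why it reports rather than fixes.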


Thank you very much! Hope this works. Do you see anything remaining?

Here are the logs:

Panda:

Incident Status Location

Adware:adware/favoriteman No disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\ATPartners.inf
Adware:adware/aurora No disinfected C:\WINDOWS\abiuninst.htm
Adware:adware/ist.sidefind No disinfected C:\PROGRAM FILES\SideFind
Adware:adware/ist.yoursitebar No disinfected C:\PROGRAM FILES\YourSiteBar
Spyware:spyware/dyfuca No disinfected Windows Registry
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\user2\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive1213.jar-143b45c8-64be6cfb.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\user2\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive1213.jar-758bf4cc-2c0cfc18.zip[Dummy.class]
Spyware:Spyware/LinkReplacer No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP63\A0004072.exe
Adware:Adware/IST.SideFind No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP63\A0004172.dll
Adware:Adware/NetPals No disinfected C:\WINDOWS\Downloaded Program Files\ATPartners.inf

HijackThis:
Logfile of HijackThis v1.99.1
Scan saved at 9:53:11 AM, on 11/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Dell Support\DSAgnt.exe
F:\Program Files\AIM\aim.exe
C:\Program Files\Common Files\AOL\1124372039\ee\AOLHostManager.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Common Files\AOL\1124372039\ee\AOLServiceHost.exe
C:\Program Files\Common Files\AOL\1124372039\ee\AOLServiceHost.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Adobe\Acrobat 6.0\Acrobat\Acrobat.exe
C:\WINDOWS\System32\HPBPRO.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\user2\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1124372039\ee\AOLHostManager.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [AIM] F:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - F:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2CB1A62C-B737-4E80-8B96-2569D273E137}: NameServer = 141.155.0.68,4.2.2.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{2CB1A62C-B737-4E80-8B96-2569D273E137}: NameServer = 141.155.0.68,4.2.2.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{2CB1A62C-B737-4E80-8B96-2569D273E137}: NameServer = 141.155.0.68,4.2.2.1
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


Hi,
HijackThis log looks clean.
There are some files to be deleted. Delete these files:-
C:\WINDOWS\DOWNLOADED PROGRAM FILES\ATPartners.inf
C:\WINDOWS\abiuninst.htm

Delete these folders:-
C:\PROGRAM FILES\SideFind
C:\PROGRAM FILES\YourSiteBar


Do you receive any popups related to WinFixer or any other spyware/virus?


Hi,

Thanks, I deleted those files and folders. I stopped getting (I hope) the WinFixer pop-ups but still get others asking me to run scans. I always close out of those without even looking at the name on it but will look out for it next time around.

I also get other pop-ups from a variety of sites. Many of them were from cheapflights.com. Any ideas?

Thanks again for your help!

Here's another look at my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 4:49:56 PM, on 11/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Dell Support\DSAgnt.exe
F:\Program Files\AIM\aim.exe
C:\Program Files\Common Files\AOL\1124372039\ee\AOLHostManager.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Common Files\AOL\1124372039\ee\AOLServiceHost.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Adobe\Acrobat 6.0\Acrobat\Acrobat.exe
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office\MSACCESS.EXE
C:\Program Files\Microsoft Office\Office\MSACCESS.EXE
C:\Program Files\Common Files\AOL\1124372039\ee\AOLServiceHost.exe
C:\Program Files\Microsoft Office\Office\EXCEL.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\user2\Desktop\HijackThis.exe
C:\WINDOWS\System32\HPBPRO.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1124372039\ee\AOLHostManager.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [AIM] F:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - F:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2CB1A62C-B737-4E80-8B96-2569D273E137}: NameServer = 141.155.0.68,4.2.2.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{2CB1A62C-B737-4E80-8B96-2569D273E137}: NameServer = 141.155.0.68,4.2.2.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{2CB1A62C-B737-4E80-8B96-2569D273E137}: NameServer = 141.155.0.68,4.2.2.1
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


Hi,
Even though the log looks clean, there can be some other "hidden" baddies. Do you get any pop-ups related to Registry Errors/Repairs?

Perform a scan at Kaspersky Webscanner (click on the button "Kaspersky Online scanner") and save the log file.


Download WinPFind.ZIP and completely extract it to a folder. Then run WinPFind.exe and click "Start Scan". When the scan completes, click the "Copy to Clipboard" button to copy the log it gives, and please post it here along with the Kaspersky log.


Thanks swatkat - I have no clue how you people understand the stuff these scanners spit out. I appreciate you putting your time into helping out. I still get some annoying pop-ups but I don't notice them being anything specific now. It's definitely better than it was a week ago.

Below are the logs for the two scans you recommended I run.

Thanks again for the help!

Kaspersky:
-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Wednesday, November 16, 2005 17:05:29
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 16/11/2005
Kaspersky Anti-Virus database records: 150302
-------------------------------------------------------------------------------


Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true


Scan Target - My Computer:
C:\
D:\
F:\


Scan Statistics:
Total number of scanned objects: 94427
Number of viruses found: 17
Number of infected objects: 87
Number of suspicious objects: 24
Duration of the scan process: 9093 sec


Infected Object Name - Virus Name
C:\Documents and Settings\user2\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive1213.jar-65ce38b6-7974e225.zip/BlackBox.class Infected: Trojan.Java.ClassLoader.ak
C:\Documents and Settings\user2\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive1213.jar-65ce38b6-7974e225.zip/VB.class   Infected: Trojan.Java.ClassLoader.ak
C:\Documents and Settings\user2\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive1213.jar-65ce38b6-7974e225.zip/Beyond.class   Infected: Trojan-Downloader.Java.OpenConnection.ah
C:\Documents and Settings\user2\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive1213.jar-65ce38b6-7974e225.zip    Infected: Trojan-Downloader.Java.OpenConnection.ah
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\0DB6001F  Infected: Trojan-Downloader.Java.OpenConnection.ah
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\1C95634D  Infected: Trojan.Java.ClassLoader.ak
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\1C980D4A  Infected: Trojan.Java.ClassLoader.ak
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\24E403CD.htm  Infected: Exploit.HTML.Mht
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\2F85491D  Infected: Trojan-Downloader.Win32.Small.ayl
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\430F02F5  Infected: Trojan.Java.ClassLoader.ak
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\4C4D4236  Infected: Trojan.Java.ClassLoader.ak
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\55F42190  Infected: Trojan-Downloader.Win32.IstBar.gen
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\6DFD03BE  Infected: Trojan-Dropper.Win32.Small.ly
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\754D271C  Infected: Trojan.Win32.Small.cy
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\770209CA  Infected: Trojan.Win32.Crypt.t
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\77095DC3  Infected: Trojan-Downloader.Win32.Dyfuca.dp
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\7D5F1B7F  Infected: Trojan-Downloader.Java.OpenConnection.ah
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP61\A0004004.exe   Infected: Trojan.Win32.Crypt.t
C:\WINDOWS\SYSTEM32\ansvideo.dll    Infected: Trojan.Win32.Crypt.t
F:\Archive\back\backup.pst/Personal Folders/Inbox/17 Oct 2002 13:07 from soholit:Hi,gdavid,darling.html Suspicious: Exploit.HTML.Iframe.FileDownload
F:\Archive\back\backup.pst/Personal Folders/Sent Items/17 Oct 2002 13:31 to soholit:RE: Hi,gdavid,darling.html  Suspicious: Exploit.HTML.Iframe.FileDownload
F:\Archive\back\backup.pst  Suspicious: Exploit.HTML.Iframe.FileDownload
F:\Energy Spectrum\Dovid\archive.pst/Personal Folders/Inbox/09 Jan 2002 02:45 from Paula Dombrow:Formal Estimate Draft/Energy Spectrum/Estimate Draft/Energy Spectrum/Estimate Draft    Infected: Virus.MSWord.Marker.fq2
F:\Energy Spectrum\Dovid\archive.pst/Personal Folders/Inbox/09 Jan 2002 02:45 from Paula Dombrow:Formal Estimate Draft/Energy Spectrum/Estimate Draft   Infected: Virus.MSWord.Marker.fq2
F:\Energy Spectrum\Dovid\archive.pst/Personal Folders/Inbox/09 Jan 2002 20:23 from Stella500@aol.com:Final Estimate from Pau/Energy Spectrum/Final Estimate/Energy Spectrum/Final Estimate  Infected: Virus.MSWord.Marker.fq2
F:\Energy Spectrum\Dovid\archive.pst/Personal Folders/Inbox/09 Jan 2002 20:23 from Stella500@aol.com:Final Estimate from Pau/Energy Spectrum/Final Estimate Infected: Virus.MSWord.Marker.fq2
F:\Energy Spectrum\Dovid\archive.pst/Personal Folders/Inbox/10 Jan 2002 00:26 from Paula Dombrow:Final Estimate/Energy Spect/Energy SpectrumFinal Estimate.doc  Infected: Virus.MSWord.Marker.fq2
F:\Energy Spectrum\Dovid\archive.pst    Infected: Virus.MSWord.Marker.fq2
F:\Energy Spectrum\Dovid\resume rick nowak.zip/Dovid/archive.pst/Personal Folders/Inbox/09 Jan 2002 02:45 from Paula Dombrow:Formal Estimate Draft/Energy Spectrum/Estimate Draft/Energy Spectrum/Estimate Draft    Infected: Virus.MSWord.Marker.fq2
F:\Energy Spectrum\Dovid\resume rick nowak.zip/Dovid/archive.pst/Personal Folders/Inbox/09 Jan 2002 02:45 from Paula Dombrow:Formal Estimate Draft/Energy Spectrum/Estimate Draft   Infected: Virus.MSWord.Marker.fq2
F:\Energy Spectrum\Dovid\resume rick nowak.zip/Dovid/archive.pst/Personal Folders/Inbox/09 Jan 2002 20:23 from Stella500@aol.com:Final Estimate from Pau/Energy Spectrum/Final Estimate/Energy Spectrum/Final Estimate  Infected: Virus.MSWord.Marker.fq2
F:\Energy Spectrum\Dovid\resume rick nowak.zip/Dovid/archive.pst/Personal Folders/Inbox/09 Jan 2002 20:23 from Stella500@aol.com:Final Estimate from Pau/Energy Spectrum/Final Estimate Infected: Virus.MSWord.Marker.fq2
F:\Energy Spectrum\Dovid\resume rick nowak.zip/Dovid/archive.pst/Personal Folders/Inbox/10 Jan 2002 00:26 from Paula Dombrow:Final Estimate/Energy Spect/Energy SpectrumFinal Estimate.doc  Infected: Virus.MSWord.Marker.fq2
F:\Energy Spectrum\Dovid\resume rick nowak.zip/Dovid/archive.pst    Infected: Virus.MSWord.Marker.fq2
F:\Energy Spectrum\Dovid\resume rick nowak.zip  Infected: Virus.MSWord.Marker.fq2
F:\Energy Spectrum\Gary\OutlookBackup07012005.pst/Personal Folders/Inbox/17 Oct 2002 13:07 from soholit:Hi,gdavid,darling.html  Suspicious: Exploit.HTML.Iframe.FileDownload
F:\Energy Spectrum\Gary\OutlookBackup07012005.pst/Personal Folders/Sent Items/17 Oct 2002 13:31 to soholit:RE: Hi,gdavid,darling.html   Suspicious: Exploit.HTML.Iframe.FileDownload
F:\Energy Spectrum\Gary\OutlookBackup07012005.pst   Suspicious: Exploit.HTML.Iframe.FileDownload
F:\shia\Outlook\outlook.pst/Personal Folders/Inbox/09 Jan 2002 02:45 from Paula Dombrow:Formal Estimate Draft/Energy Spectrum/Estimate Draft/Energy Spectrum/Estimate Draft Infected: Virus.MSWord.Marker.fq2
F:\shia\Outlook\outlook.pst/Personal Folders/Inbox/09 Jan 2002 02:45 from Paula Dombrow:Formal Estimate Draft/Energy Spectrum/Estimate Draft    Infected: Virus.MSWord.Marker.fq2
F:\shia\Outlook\outlook.pst/Personal Folders/Inbox/09 Jan 2002 20:23 from Stella500@aol.com:Final Estimate from Pau/Energy Spectrum/Final Estimate/Energy Spectrum/Final Estimate   Infected: Virus.MSWord.Marker.fq2
F:\shia\Outlook\outlook.pst/Personal Folders/Inbox/09 Jan 2002 20:23 from Stella500@aol.com:Final Estimate from Pau/Energy Spectrum/Final Estimate  Infected: Virus.MSWord.Marker.fq2
F:\shia\Outlook\outlook.pst/Personal Folders/Inbox/10 Jan 2002 00:26 from Paula Dombrow:Final Estimate/Energy Spect/Energy SpectrumFinal Estimate.doc   Infected: Virus.MSWord.Marker.fq2
F:\shia\Outlook\outlook.pst/Personal Folders/Inbox/20 May 2002 05:37 from Russak:Let's be friends.html  Suspicious: Exploit.HTML.Iframe.FileDownload
F:\shia\Outlook\outlook.pst/Personal Folders/Inbox/31 Oct 2002 15:16 from ReuvenElson@aol.com:zooz/invitemm102401.doc/invitemm102401.doc Infected: Virus.MSWord.Marker.fq2
F:\shia\Outlook\outlook.pst/Personal Folders/Inbox/31 Oct 2002 15:16 from ReuvenElson@aol.com:zooz/invitemm102401.doc    Infected: Virus.MSWord.Marker.fq2
F:\shia\Outlook\outlook.pst/Personal Folders/Inbox/13 Nov 2002 19:19 from ReuvenElson@aol.com:Re: No Subject/blurbforinvitation111302.doc/blurbforinvitation111302.doc  Infected: Virus.MSWord.Marker.fq2
F:\shia\Outlook\outlook.pst/Personal Folders/Inbox/13 Nov 2002 19:19 from ReuvenElson@aol.com:Re: No Subject/blurbforinvitation111302.doc   Infected: Virus.MSWord.Marker.fq2
F:\shia\Outlook\outlook.pst/Personal Folders/Inbox/29 Nov 2002 22:13 from SarinaM:BLANK AD .html    Suspicious: Exploit.HTML.Iframe.FileDownload
F:\shia\Outlook\outlook.pst/Personal Folders/Inbox/03 Dec 2002 00:21 from silverfe:Popup0.newyork.bars.search recur.html    Suspicious: Exploit.HTML.Iframe.FileDownload
F:\shia\Outlook\outlook.pst Infected: Exploit.HTML.Iframe.FileDownload
F:\shia\outlook backups\ethel\outlook backup.pst/Personal Folders/Deleted Items/17 Jun 2005 16:59 from David Ahrens:FW: Your password has been s/updated-password.zip/updated-password.htm                                                                      .pif    Infected: Net-Worm.Win32.Mytob.bi
F:\shia\outlook backups\ethel\outlook backup.pst/Personal Folders/Deleted Items/17 Jun 2005 16:59 from David Ahrens:FW: Your password has been s/updated-password.zip   Infected: Net-Worm.Win32.Mytob.bi
F:\shia\outlook backups\ethel\outlook backup.pst    Infected: Net-Worm.Win32.Mytob.bi
F:\shia\outlook backups\gary\outlook backup.pst/Personal Folders/Inbox/17 Oct 2002 13:07 from soholit:Hi,gdavid,darling.html    Suspicious: Exploit.HTML.Iframe.FileDownload
F:\shia\outlook backups\gary\outlook backup.pst/Personal Folders/Sent Items/17 Oct 2002 13:31 to soholit:RE: Hi,gdavid,darling.html Suspicious: Exploit.HTML.Iframe.FileDownload
F:\shia\outlook backups\gary\outlook backup.pst Suspicious: Exploit.HTML.Iframe.FileDownload
F:\shia\outlook backups\user2\mailbox backup.pst/Personal Folders/Deleted Items/01 Sep 2005 00:12 from eBay Inc:0fficiaI Information For CIient .html   Infected: Trojan-Spy.HTML.Bayfraud.hn
F:\shia\outlook backups\user2\mailbox backup.pst/Personal Folders/Norton AntiSpam Folder/14 Sep 2005 12:57 from eBay:Important Banking Mail From eBay.html  Infected: Trojan-Spy.HTML.Bayfraud.hn
F:\shia\outlook backups\user2\mailbox backup.pst    Infected: Trojan-Spy.HTML.Bayfraud.hn
F:\shia\outlook backups\user3\archive backup.pst/Archive Folders/Sent Items/12 Mar 2004 13:21 to Earl Baim:FW: Your text Do you know this pe/your_text.pif  Infected: Email-Worm.Win32.NetSky.d
F:\shia\outlook backups\user3\archive backup.pst    Infected: Email-Worm.Win32.NetSky.d
F:\shia\outlook backups\user3\outlook backup.pst/Personal Folders/Inbox/07 Oct 2004 15:35 from Smith Barney:SERVICE MESSAGE FROM SMITH B.html   Infected: Trojan-Spy.HTML.Citifraud.an
F:\shia\outlook backups\user3\outlook backup.pst/Personal Folders/Inbox/01 Mar 2005 09:50 from Dahrens/new__price.zip/Doc_01.02.exe Infected: Email-Worm.Win32.Bagle.pac
F:\shia\outlook backups\user3\outlook backup.pst/Personal Folders/Inbox/01 Mar 2005 09:50 from Dahrens/new__price.zip   Infected: Email-Worm.Win32.Bagle.pac
F:\shia\outlook backups\user3\outlook backup.pst/Personal Folders/Inbox/14 Jun 2005 19:54 from info@energyspec.com:Members Support/account-report.zip/account-report.txt                                                                      .pif  Infected: Net-Worm.Win32.Mytob.bi
F:\shia\outlook backups\user3\outlook backup.pst/Personal Folders/Inbox/14 Jun 2005 19:54 from info@energyspec.com:Members Support/account-report.zip   Infected: Net-Worm.Win32.Mytob.bi
F:\shia\outlook backups\user3\outlook backup.pst/Personal Folders/Sent Items/12 Mar 2004 13:21 to Earl Baim:FW: Your text Do you know this pe/your_text.pif Infected: Email-Worm.Win32.NetSky.d
F:\shia\outlook backups\user3\outlook backup.pst/Personal Folders/Sent Items/17 Jun 2005 16:59 to jma@jasonasher.com:FW: Your password has be/updated-password.zip/updated-password.htm                                                                      .pif   Infected: Net-Worm.Win32.Mytob.bi
F:\shia\outlook backups\user3\outlook backup.pst/Personal Folders/Sent Items/17 Jun 2005 16:59 to jma@jasonasher.com:FW: Your password has be/updated-password.zip  Infected: Net-Worm.Win32.Mytob.bi
F:\shia\outlook backups\user3\outlook backup.pst    Infected: Net-Worm.Win32.Mytob.bi
F:\shia\outlook backups\user4\outlook backup.pst/Personal Folders/Deleted Items/08 Aug 2005 13:25 from .1392@tk2msftngp13.phx.gbl.com:Mail Deliv.html   Suspicious: Exploit.HTML.Iframe.FileDownload
F:\shia\outlook backups\user4\outlook backup.pst/Personal Folders/Deleted Items/08 Aug 2005 13:25 from .1392@tk2msftngp13.phx.gbl.com:Mail Deliv/message.scr    Infected: Email-Worm.Win32.NetSky.q
F:\shia\outlook backups\user4\outlook backup.pst/Personal Folders/Deleted Items/09 Aug 2005 13:44 from /alex@pro.ro:Re: Sex pictures/www.myx4free.zip/data.rtf                                                                           .scr   Infected: Email-Worm.Win32.NetSky.q
F:\shia\outlook backups\user4\outlook backup.pst/Personal Folders/Deleted Items/09 Aug 2005 13:44 from /alex@pro.ro:Re: Sex pictures/www.myx4free.zip   Infected: Email-Worm.Win32.NetSky.q
F:\shia\outlook backups\user4\outlook backup.pst/Personal Folders/Deleted Items/12 Aug 2005 12:59 from db0fefd9@news.zen.co.uk:Mail Delivery (fa.html   Suspicious: Exploit.HTML.Iframe.FileDownload
F:\shia\outlook backups\user4\outlook backup.pst/Personal Folders/Deleted Items/12 Aug 2005 12:59 from db0fefd9@news.zen.co.uk:Mail Delivery (fa/message.scr    Infected: Email-Worm.Win32.NetSky.q
F:\shia\outlook backups\user4\outlook backup.pst/Personal Folders/Deleted Items/30 Jul 2005 21:32 from fatjohn@pchome.com.tw:Re: Mail Server/data_ssofer.zip/document.txt                                                                   .exe    Infected: Email-Worm.Win32.NetSky.q
F:\shia\outlook backups\user4\outlook backup.pst/Personal Folders/Deleted Items/30 Jul 2005 21:32 from fatjohn@pchome.com.tw:Re: Mail Server/data_ssofer.zip    Infected: Email-Worm.Win32.NetSky.q
F:\shia\outlook backups\user4\outlook backup.pst/Personal Folders/Deleted Items/01 Aug 2005 13:26 from hr@adoreinfotech.com:hi/letter.zip/document.txt                                                                   .exe    Infected: Email-Worm.Win32.NetSky.q
F:\shia\outlook backups\user4\outlook backup.pst/Personal Folders/Deleted Items/01 Aug 2005 13:26 from hr@adoreinfotech.com:hi/letter.zip    Infected: Email-Worm.Win32.NetSky.q
F:\shia\outlook backups\user4\outlook backup.pst/Personal Folders/Deleted Items/02 Aug 2005 13:31 from hun9bal@yahoo.dk:o0ßi4grjj40j09gjijgpüdé/id09509.zip/data.rtf                                                                           .scr  Infected: Email-Worm.Win32.NetSky.q
F:\shia\outlook backups\user4\outlook backup.pst/Personal Folders/Deleted Items/02 Aug 2005 13:31 from hun9bal@yahoo.dk:o0ßi4grjj40j09gjijgpüdé/id09509.zip  Infected: Email-Worm.Win32.NetSky.q
F:\shia\outlook backups\user4\outlook backup.pst/Personal Folders/Deleted Items/11 Aug 2005 13:33 from info@helpink.co.nz.com:Re: Hi/my_details.txt.scr Infected: Email-Worm.Win32.NetSky.q
F:\shia\outlook backups\user4\outlook backup.pst/Personal Folders/Deleted Items/08 Aug 2005 13:25 from jontraudt@healthandenergy.com:Re: Secure /readme.pif Infected: Email-Worm.Win32.NetSky.q
F:\shia\outlook backups\user4\outlook backup.pst/Personal Folders/Deleted Items/13 Aug 2005 13:58 from larry@galaxy3000.com:Stolen document/your_document_ssofer.zip/data.rtf                                                                           .scr    Infected: Email-Worm.Win32.NetSky.q
F:\shia\outlook backups\user4\outlook backup.pst/Personal Folders/Deleted Items/13 Aug 2005 13:58 from larry@galaxy3000.com:Stolen document/your_document_ssofer.zip    Infected: Email-Worm.Win32.NetSky.q
F:\shia\outlook backups\user4\outlook backup.pst/Personal Folders/Deleted Items/05 Aug 2005 13:01 from Mail Administrator:Mail System Error - Re/05 Aug 2005 13:00 from ssofer@energyspec.com:Mail Delivery (fail.html  Suspicious: Exploit.HTML.Iframe.FileDownload
F:\shia\outlook backups\user4\outlook backup.pst/Personal Folders/Deleted Items/05 Aug 2005 13:01 from Mail Administrator:Mail System Error - Re/05 Aug 2005 13:00 from ssofer@energyspec.com:Mail Delivery (fail/message.scr   Infected: Email-Worm.Win32.NetSky.q
F:\shia\outlook backups\user4\outlook backup.pst/Personal Folders/Deleted Items/06 Aug 2005 16:23 from nazkel@hotmail.com:Re: Notify/readme.pif Infected: Email-Worm.Win32.NetSky.q
F:\shia\outlook backups\user4\outlook backup.pst/Personal Folders/Deleted Items/10 Aug 2005 13:32 from nmoinian@laffey.net:Re: Is that your docu/document.doc                                                       Infected: Email-Worm.Win32.NetSky.q
F:\shia\outlook backups\user4\outlook backup.pst/Personal Folders/Deleted Items/11 Aug 2005 13:33 from oliver.gu@qast.com:Mail Delivery (failure.html   Suspicious: Exploit.HTML.Iframe.FileDownload
F:\shia\outlook backups\user4\outlook backup.pst/Personal Folders/Deleted Items/11 Aug 2005 13:33 from oliver.gu@qast.com:Mail Delivery (failure/message.scr    Infected: Email-Worm.Win32.NetSky.q
F:\shia\outlook backups\user4\outlook backup.pst/Personal Folders/Deleted Items/10 Aug 2005 13:33 from paulluikk@yahoo.com.hk:Mail Delivery (fai.html   Suspicious: Exploit.HTML.Iframe.FileDownload
F:\shia\outlook backups\user4\outlook backup.pst/Personal Folders/Deleted Items/10 Aug 2005 13:33 from paulluikk@yahoo.com.hk:Mail Delivery (fai/message.scr    Infected: Email-Worm.Win32.NetSky.q
F:\shia\outlook backups\user4\outlook backup.pst/Personal Folders/Deleted Items/02 Aug 2005 13:16 from ppwyw@microvoip.com:Mail Delivery (failur.html   Suspicious: Exploit.HTML.Iframe.FileDownload
F:\shia\outlook backups\user4\outlook backup.pst/Personal Folders/Deleted Items/02 Aug 2005 13:16 from ppwyw@microvoip.com:Mail Delivery (failur/message.scr    Infected: Email-Worm.Win32.NetSky.q
F:\shia\outlook backups\user4\outlook backup.pst/Personal Folders/Deleted Items/13 Aug 2005 13:49 from support@pocketgear.com:Mail Delivery (fai.html   Suspicious: Exploit.HTML.Iframe.FileDownload
F:\shia\outlook backups\user4\outlook backup.pst/Personal Folders/Deleted Items/13 Aug 2005 13:49 from support@pocketgear.com:Mail Delivery (fai/message.scr    Infected: Email-Worm.Win32.NetSky.q
F:\shia\outlook backups\user4\outlook backup.pst/Personal Folders/Deleted Items/30 Jul 2005 21:47 from tjcraig@bellsouth.net:Mail Delivery (fail.html   Suspicious: Exploit.HTML.Iframe.FileDownload
F:\shia\outlook backups\user4\outlook backup.pst/Personal Folders/Deleted Items/30 Jul 2005 21:47 from tjcraig@bellsouth.net:Mail Delivery (fail/message.scr    Infected: Email-Worm.Win32.NetSky.q
F:\shia\outlook backups\user4\outlook backup.pst/Personal Folders/Deleted Items/09 Aug 2005 13:59 from ubidalerts.6clyhjh3y.f3@deals.ubid.com:Ma.html    Suspicious: Exploit.HTML.Iframe.FileDownload
F:\shia\outlook backups\user4\outlook backup.pst/Personal Folders/Deleted Items/09 Aug 2005 13:59 from ubidalerts.6clyhjh3y.f3@deals.ubid.com:Ma/message.scr Infected: Email-Worm.Win32.NetSky.q
F:\shia\outlook backups\user4\outlook backup.pst/Personal Folders/Deleted Items/06 Aug 2005 16:06 from voipbiz@globalkt.com:Mail Delivery (failu.html   Suspicious: Exploit.HTML.Iframe.FileDownload
F:\shia\outlook backups\user4\outlook backup.pst/Personal Folders/Deleted Items/06 Aug 2005 16:06 from voipbiz@globalkt.com:Mail Delivery (failu/message.scr    Infected: Email-Worm.Win32.NetSky.q
F:\shia\outlook backups\user4\outlook backup.pst/Personal Folders/Deleted Items/05 Aug 2005 13:04 from www.willdatz@aol.com:Mail Delivery (failu.html   Suspicious: Exploit.HTML.Iframe.FileDownload
F:\shia\outlook backups\user4\outlook backup.pst/Personal Folders/Deleted Items/05 Aug 2005 13:04 from www.willdatz@aol.com:Mail Delivery (failu/message.scr    Infected: Email-Worm.Win32.NetSky.q
F:\shia\outlook backups\user4\outlook backup.pst/Personal Folders/Inbox/01 Aug 2005 13:38 from steve.dear@na.teleatlas.com:Mail Delivery.html   Suspicious: Exploit.HTML.Iframe.FileDownload
F:\shia\outlook backups\user4\outlook backup.pst/Personal Folders/Inbox/01 Aug 2005 13:38 from steve.dear@na.teleatlas.com:Mail Delivery/message.scr    Infected: Email-Worm.Win32.NetSky.q
F:\shia\outlook backups\user4\outlook backup.pst/Personal Folders/Inbox/01 Sep 2005 21:52 from eBay:IDENTITY THEFT SOLUTIONS FROM EBAY [.html   Infected: Trojan-Spy.HTML.Bayfraud.hn
F:\shia\outlook backups\user4\outlook backup.pst    Infected: Trojan-Spy.HTML.Bayfraud.hn


Scan process completed.



WinPFind.ZIP:
Checking %SystemDrive% folder...


Checking %ProgramFilesDir% folder...


Checking %WinDir% folder...


Checking %System% folder...
PEC2                 8/23/2001 7:00:00 AM        41397      C:\WINDOWS\SYSTEM32\dfrg.msc
PTech                7/12/2005 5:04:22 PM        520456     C:\WINDOWS\SYSTEM32\LegitCheckControl.dll
PECompact2           11/2/2005 12:34:18 AM       2368864    C:\WINDOWS\SYSTEM32\MRT.exe
aspack               11/2/2005 12:34:18 AM       2368864    C:\WINDOWS\SYSTEM32\MRT.exe
aspack               8/4/2004 2:56:36 AM         708096     C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor             8/4/2004 2:56:44 AM         657920     C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync              8/23/2001 7:00:00 AM        1309184    C:\WINDOWS\SYSTEM32\wbdbase.deu


Checking %System%\Drivers folder and sub-folders...
PTech                8/4/2004 12:41:38 AM        1309184    C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys


Items found in C:\WINDOWS\SYSTEM32\drivers\ETC\hosts



Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
11/11/2005 8:57:14 AM     S 2048       C:\WINDOWS\BOOTSTAT.DAT
11/17/2005 4:25:46 PM    H  24         C:\WINDOWS\pyguK
11/11/2005 8:57:16 AM     S 64         C:\WINDOWS\CSC\00000001
11/11/2005 9:00:56 AM    H  0          C:\WINDOWS\LastGood\INF\oem31.inf
11/11/2005 9:00:56 AM    H  0          C:\WINDOWS\LastGood\INF\oem31.PNF
10/5/2005 8:33:38 PM      S 12849      C:\WINDOWS\SYSTEM32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB896424.cat
10/4/2005 8:17:40 PM      S 21737      C:\WINDOWS\SYSTEM32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB896688.cat
9/28/2005 10:53:30 AM     S 17402      C:\WINDOWS\SYSTEM32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB900725.cat
11/17/2005 4:05:44 PM    H  1024       C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG
11/15/2005 12:55:08 PM   H  1024       C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG
11/11/2005 8:58:10 AM    H  1024       C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG
11/17/2005 4:25:50 PM    H  1024       C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG
11/17/2005 4:21:46 PM    H  1024       C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG
11/10/2005 3:01:06 AM    H  1024       C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\NTUSER.DAT.LOG
11/2/2005 2:45:20 PM     HS 388        C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\User\d611d117-132f-49cf-81f3-0e60b4f56968
11/2/2005 2:45:20 PM     HS 24         C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\User\Preferred
11/11/2005 8:57:16 AM    H  6          C:\WINDOWS\Tasks\SA.DAT


Checking for CPL files...
Microsoft Corporation          8/4/2004 2:56:58 AM         68608      C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation          8/4/2004 2:56:58 AM         549888     C:\WINDOWS\SYSTEM32\appwiz.cpl
Borland Software Corporation   10/7/2003 1:39:00 PM        184320     C:\WINDOWS\SYSTEM32\bdeadmin.cpl
Microsoft Corporation          8/4/2004 2:56:58 AM         110592     C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation          8/4/2004 2:56:58 AM         135168     C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation          8/4/2004 2:56:58 AM         80384      C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation          8/4/2004 2:56:58 AM         155136     C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Intel Corporation              4/7/2003 12:14:30 AM        94208      C:\WINDOWS\SYSTEM32\igfxcpl.cpl
Microsoft Corporation          8/4/2004 2:56:58 AM         358400     C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation          8/4/2004 2:56:58 AM         129536     C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation          8/4/2004 2:56:58 AM         380416     C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation          8/4/2004 2:56:58 AM         68608      C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems               11/19/2003 5:48:12 PM       61555      C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation          8/23/2001 7:00:00 AM        187904     C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation          8/4/2004 2:56:58 AM         618496     C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation          8/23/2001 7:00:00 AM        35840      C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation          8/4/2004 2:56:58 AM         25600      C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation          8/4/2004 2:56:58 AM         257024     C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation          8/23/2001 7:00:00 AM        36864      C:\WINDOWS\SYSTEM32\nwc.cpl
Microsoft Corporation          8/4/2004 2:56:58 AM         32768      C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation          8/4/2004 2:56:58 AM         114688     C:\WINDOWS\SYSTEM32\powercfg.cpl
Intel(R) Corporation           3/11/2003 4:15:56 PM        77824      C:\WINDOWS\SYSTEM32\PRApplet.cpl
RealNetworks, Inc.             7/15/2004 3:14:38 AM        24576      C:\WINDOWS\SYSTEM32\prefscpl.cpl
Microsoft Corporation          8/4/2004 2:56:58 AM         298496     C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation          8/23/2001 7:00:00 AM        28160      C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation          8/4/2004 2:56:58 AM         94208      C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation          8/4/2004 2:56:58 AM         148480     C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation          5/26/2005 3:16:30 AM        174360     C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation          8/23/2001 7:00:00 AM        187904     C:\WINDOWS\SYSTEM32\DLLCACHE\main.cpl
Microsoft Corporation          8/23/2001 7:00:00 AM        35840      C:\WINDOWS\SYSTEM32\DLLCACHE\ncpa.cpl
Microsoft Corporation          8/23/2001 7:00:00 AM        36864      C:\WINDOWS\SYSTEM32\DLLCACHE\nwc.cpl
Microsoft Corporation          8/23/2001 7:00:00 AM        28160      C:\WINDOWS\SYSTEM32\DLLCACHE\telephon.cpl
Microsoft Corporation          5/26/2005 3:16:30 AM        174360     C:\WINDOWS\SYSTEM32\DLLCACHE\wuaucpl.cpl


»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»


Checking files in %ALLUSERSPROFILE%\Startup folder...
9/7/2005 9:05:58 AM         1824       C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
3/31/2005 5:27:50 PM        890        C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
8/10/2005 11:22:46 AM       1757       C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
7/29/2004 10:04:32 AM    HS 84         C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DESKTOP.INI
7/28/2005 6:51:16 PM        1725       C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk


Checking files in %ALLUSERSPROFILE%\Application Data folder...
7/29/2004 9:57:46 AM     HS 62         C:\Documents and Settings\All Users\Application Data\DESKTOP.INI


Checking files in %USERPROFILE%\Startup folder...
9/3/2002 9:00:00 AM      HS 84         C:\Documents and Settings\user2\Start Menu\Programs\Startup\DESKTOP.INI


Checking files in %USERPROFILE%\Application Data folder...
8/10/2005 11:21:26 AM       1747       C:\Documents and Settings\user2\Application Data\AdobeDLM.log
1/28/2005 12:02:00 PM       36290      C:\Documents and Settings\user2\Application Data\Comma Separated Values (Windows).ADR
9/3/2002 8:50:46 AM      HS 62         C:\Documents and Settings\user2\Application Data\DESKTOP.INI
8/10/2005 11:18:28 AM       0          C:\Documents and Settings\user2\Application Data\dm.ini


»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1  =


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]


[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Adobe.Acrobat.ContextMenu
{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}   = C:\Program Files\Adobe\Acrobat 6.0\Acrobat Elements\ContextMenu.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}   = C:\Program Files\ewido\security suite\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03}   = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936}   = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46}   = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}   = C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin   = %SystemRoot%\system32\SHELL32.dll


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}   = C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46}   = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}   = C:\Program Files\ewido\security suite\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03}   = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}   = ntshrui.dll


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
=


[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
= C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7C554162-8CB7-45A4-B8F4-8EA1C75885F9}
AOL Toolbar Launcher = C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9ECB9560-04F9-4bbc-943D-298DDF1699E1}
CNisExtBho Class = C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE7CD045-E861-484f-8273-0445EE161910}
AcroIEToolbarHelper Class = C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}
CNavExtBho Class = C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{182EC0BE-5110-49C8-A062-BEB1D02A220B}
Adobe PDF = C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{FE54FA40-D68C-11d2-98FA-00C0F0318AFE}
Real.com = C:\WINDOWS\System32\Shdocvw.dll


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7}   = Web assistant    : C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}   = Norton AntiVirus : C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
{47833539-D0C5-4125-9FA8-0819E2EAAC93}   = Adobe PDF    : C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
{DE9C389F-3316-41A7-809B-AA305ED9D922}   = AOL Toolbar  : C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText     = Sun Java Console : C:\WINDOWS\System32\msjava.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{3369AF0D-62E9-4bda-8103-B4C75499B578}
ButtonText   = AOL Toolbar  :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}
ButtonText   = AIM  : F:\Program Files\AIM\aim.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
ButtonText   = Real.com :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText   = Messenger    : C:\Program Files\Messenger\msmsgs.exe


[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
=
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\System32\shdocvw.dll


[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address   : %SystemRoot%\System32\browseui.dll
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = Norton AntiVirus   : C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address   : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} = Web assistant  : C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
{47833539-D0C5-4125-9FA8-0819E2EAAC93} = Adobe PDF  : C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
{DE9C389F-3316-41A7-809B-AA305ED9D922} = AOL Toolbar    : C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
IgfxTray    C:\WINDOWS\System32\igfxtray.exe
HotKeysCmds C:\WINDOWS\System32\hkcmd.exe
ccApp   "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
URLLSTCK.exe    C:\Program Files\Norton Internet Security\UrlLstCk.exe
Symantec NetDriver Monitor  C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
StatusClient 2.6    C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
TomcatStartup 2.5   C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
MMTray  C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
HostManager C:\Program Files\Common Files\AOL\1124372039\ee\AOLHostManager.exe


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL   Installed = 1
MAPI    Installed = 1
MSFS    Installed = 1


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
MSMSGS  "C:\Program Files\Messenger\msmsgs.exe" /background
DellSupport "C:\Program Files\Dell Support\DSAgnt.exe" /startup
AIM F:\Program Files\AIM\aim.exe -cnetwait.odl


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk
path    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup  C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup
location    Common Startup
command C:\PROGRA~1\COMMON~1\Adobe\CALIBR~1\ADOBEG~1.EXE
item    Adobe Gamma Loader


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk
path    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup  C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup
location    Common Startup
command C:\PROGRA~1\AMERIC~1.0\aoltray.exe -check
item    America Online 9.0 Tray Icon


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk
path    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup  C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
location    Common Startup
command C:\PROGRA~1\MICROS~4\Office\OSA9.EXE -b -l
item    Microsoft Office


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\cbax
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item    cbax
hkey    HKLM
command c:\windows\cbax.exe
inimapping  0


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\mmtask
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item    mmtask
hkey    HKLM
command c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
inimapping  0


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MMTray
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item    mm_tray
hkey    HKLM
command C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
inimapping  0


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\msbb
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item    msbb
hkey    HKLM
command c:\windows\system32\msbb.exe
inimapping  0


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\PCMService
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item    PCMService
hkey    HKLM
command "C:\Program Files\Dell\Media Experience\PCMService.exe"
inimapping  0


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\QuickTime Task
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item    qttask
hkey    HKLM
command "C:\Program Files\QuickTime\qttask.exe" -atboottime
inimapping  0


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\RealTray
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item    RealPlay
hkey    HKLM
command C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
inimapping  0


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SSC_UserPrompt
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item    UsrPrmpt
hkey    HKLM
command C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
inimapping  0


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SunJavaUpdateSched
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item    jusched
hkey    HKLM
command C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
inimapping  0


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Symantec NetDriver Monitor
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item    SNDMon
hkey    HKCU
command C:\PROGRA~1\SYMNET~1\SNDMon.exe
inimapping  0


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\TV Media
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item    Tvm
hkey    HKLM
command C:\Program Files\TV Media\Tvm.exe
inimapping  0


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\updmgr
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item    updmgr
hkey    HKLM
command C:\Program Files\Common files\updmgr\updmgr.exe
inimapping  0


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ViewMgr
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item    ViewMgr
hkey    HKLM
command C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
inimapping  0


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Weather
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item    Weather
hkey    HKCU
command C:\Program Files\AWS\WeatherBug\Weather.EXE 1
inimapping  0


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\WebRebates0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item    WebRebates0
hkey    HKLM
command "C:\Program Files\Web_Rebates\WebRebates0.exe"
inimapping  0


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\WildTangent CDA
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item    cdaEngine0400
hkey    HKLM
command RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
inimapping  0


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini  0
win.ini 0
bootini 0
services    0
startup 2



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =



HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon    1
undockwithoutlogon  1



[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]


HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun  145



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder                {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn                          {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck                        {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray                         {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit    = C:\WINDOWS\system32\userinit.exe,
Shell       = explorer.exe
System      =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui
= igfxsrvc.dll


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs



Hi,
There are some more things to remove now.


Boot the PC in Safe Mode.


Make Windows show all files:-
Go to Start > My Computer.
Go to Tools menu, click Folder Options.
Uncheck Hide protected operating system files.
Then, click to select the option Show hidden files and folders.
Click Apply and then click OK to exit.


Uninstall this software from Add/Remove Programs in Control Panel:-
WebRebates
Wild Tangent
TV Media
eUniverse
180 Search Assistant


Delete these folders:-
C:\Program Files\Web_Rebates
C:\Program Files\WildTangent
C:\Program Files\Common files\updmgr
C:\Program Files\TV Media


Delete these files:-
C:\WINDOWS\pyguK
c:\windows\cbax.exe
c:\windows\system32\msbb.exe


Reboot the PC to normal mode.


Perform an online spyware scan at TrendMicro and save its log.


After running the above scan, perform a virus scan at Panda ActiveScan with the "Disinfection" option enabled. Save the log it gives after the scan.


Post back the TrendMicro spyware scan log and the Panda ActiveScan log along with a new HijackThis log.
