Author Topic: Slow and filled with Spyware  (Read 1822 times)

tzielinski
Slow and filled with Spyware
« on: April 22, 2005, 07:19:59 PM »
Hey guys. Recently my computer has been running slower than usual, and I have had to start it in safe mode in order to get anything working properly, because otherwise it works so slowly. I ran HijackThis in safe mode, so I don't know if that's going to be a problem.

Logfile of HijackThis v1.99.1
Scan saved at 8:15:57 PM, on 4/22/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Desktop\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Optimum Online] C:\Program Files\Optimum Online\Netsurf.exe -tray
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [imjpmig] C:\IME\IMJP\imjpmig.exe /RemAdvDef /AIMEREG /Migration /SetPreload
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{10FFEA75-5728-4D8E-8BB4-2C66BABC7191}\SVCHOST.EXE
O4 - HKLM\..\Run: [Disk Keeper] C:\WINDOWS\System32\Services\{10FFEA75-5728-4D8E-8BB4-2C66BABC7191}\SECURITY.EXE
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\RunOnce: [Local runole service] C:\WINDOWS\System32\srvc32.exe
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200207...meInstaller.exe
O16 - DPF: {72ED8878-6E16-4EA1-BDD6-3B21EF676E45} (CVTrace Control) - http://www.seevideo.co.kr/pub/cvideox/trace/cvtrace.cab
O16 - DPF: {BF22698D-3BED-4CB0-BA3A-64534FBC32B1} (SVWebPlayer Control) - http://www.seevideo.co.kr/pub/seevideo2002/SVWebPlayer.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

techny (Guest)
Slow and filled with Spyware
« Reply #1 on: April 22, 2005, 08:23:40 PM »
Did you push a Windows update down 0519? It has been interacting with virus protection software to push the CPU rate up to 100%.

Try turning off your virus service and Windows Update service.

guestolo (Administrator)
Slow and filled with Spyware
« Reply #2 on: April 23, 2005, 05:55:14 PM »
Set Windows To Show Hidden Files and Folders
    * Click Start.
    * Open My Computer.
    * Select the Tools menu and click Folder Options.
    * Select the View Tab.
    * Under the Hidden files and folders heading select Show hidden files and folders.
    * Uncheck the Hide protected operating system files (recommended) option.
    * Uncheck the Hide Extensions for known file types
    * Click Yes to confirm.
    * Click OK.

Find these files or folders and delete them if found; don't delete something because it looks similar:
C:\WINDOWS\System32\spoolsrv32.exe <-this file
C:\WINDOWS\System32\srvc32.exe <-file
C:\WINDOWS\System32\Services <-this folder

Do another scan with Hijackthis and put a check next to these entries:

R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{10FFEA75-5728-4D8E-8BB4-2C66BABC7191}\SVCHOST.EXE
O4 - HKLM\..\Run: [Disk Keeper] C:\WINDOWS\System32\Services\{10FFEA75-5728-4D8E-8BB4-2C66BABC7191}\SECURITY.EXE
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe

O4 - HKCU\..\RunOnce: [Local runole service] C:\WINDOWS\System32\srvc32.exe
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe


After you have ticked the above entries, close all other open windows, including this one.
Leave HijackThis open and click FIX CHECKED.
OK the prompt and exit HijackThis.

Restart the computer
Download and Install the free version of Ad-Aware SE Personal 1.05
Ensure you have this version or the paid version
Open Ad-Aware, be sure to click the Check for updates now link, and Connect to download the latest updates.
Perform a Full system scan
When it's finished scanning
At this point you should either right click on the screen and choose the "Select All Objects" option or individually put a checkmark in each object's checkbox.
Click on the Next button. Ad-Aware SE will now present you with a confirmation box as to whether or not you would like to remove the objects you have just selected. Press the "OK" button.

RESTART your computer to finish the cleaning process

Restart the computer back into Normal mode and post back a fresh Hijackthis log
« Last Edit: April 23, 2005, 05:56:13 PM by guestolo »

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/
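The entries guestolo singled out above share a few tells that can be checked mechanically: an autostart whose file lives in a GUID-named folder under System32, a file named like a core Windows binary (SVCHOST.EXE) that is not in System32 itself, a RunOnce hook launching an unfamiliar executable, and a hook whose file is already gone ("(no file)"). The following Python script is an added example, not code from the thread or from HijackThis; it parses O4/R3 lines in the HijackThis v1.99 format and applies those rules. The sample lines are copied from the first log in this thread; the rule wording, the SYSTEM_BINARIES set and the verdict levels are this example's own assumptions, not anything HijackThis itself reports.

```python
import re
from typing import List, NamedTuple

# Sample input: O4/R3 lines copied from the first HijackThis log in this thread.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{10FFEA75-5728-4D8E-8BB4-2C66BABC7191}\SVCHOST.EXE
O4 - HKLM\..\Run: [Disk Keeper] C:\WINDOWS\System32\Services\{10FFEA75-5728-4D8E-8BB4-2C66BABC7191}\SECURITY.EXE
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\RunOnce: [Local runole service] C:\WINDOWS\System32\srvc32.exe
"""

# Assumption of this example: core Windows binaries that only run from System32,
# so a same-named file anywhere else is a lookalike worth a closer look.
SYSTEM_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                   "lsass.exe", "svchost.exe", "spoolsv.exe"}
SYSTEM32_DIR = r"c:\windows\system32"

# "O4 - HKLM\..\Run: [value name] command line"
O4_REG_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# First drive-letter path ending in a loadable extension, quoted or not.
PATH_RE = re.compile(r'"?(?P<path>[A-Za-z]:\\[^"]+?\.(?:exe|dll|scr|ocm))\b', re.IGNORECASE)
# A path component that is a bare {GUID}.
GUID_DIR_RE = re.compile(r"\\\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}\\", re.IGNORECASE)


class Finding(NamedTuple):
    name: str          # value name in [brackets], or the line type (R3, ...)
    verdict: str       # "suspicious", "review" or "ok"
    reasons: List[str]
    line: str


def triage_entry(line: str) -> Finding:
    """Apply the thread's rules of thumb to one HijackThis line."""
    prefix = line.split(" - ", 1)[0]
    if "(no file)" in line:
        return Finding(prefix, "review",
                       ["entry points at a file that no longer exists (orphan hook)"], line)
    m = O4_REG_RE.match(line)
    if not m:
        # Startup-folder and non-O4 lines are outside this example's rules.
        return Finding(prefix, "ok", [], line)
    key, cmd = m.group("key"), m.group("cmd")
    pm = PATH_RE.search(cmd)
    path = pm.group("path") if pm else cmd.split()[0]
    folder, _, base = path.lower().rpartition("\\")

    reasons = []
    if GUID_DIR_RE.search(path):
        reasons.append(("suspicious",
                        "runs from a GUID-named folder; the thread's cleanup targets exactly this folder"))
    if base in SYSTEM_BINARIES and folder != SYSTEM32_DIR:
        reasons.append(("suspicious", f"{base} belongs in {SYSTEM32_DIR}, not in {folder}"))
    if key.lower() == "runonce":
        reasons.append(("review",
                        "RunOnce is a one-shot hook normally left by installers; "
                        "an unfamiliar file here deserves a look"))

    if any(level == "suspicious" for level, _ in reasons):
        verdict = "suspicious"
    elif reasons:
        verdict = "review"
    else:
        verdict = "ok"
    return Finding(m.group("name"), verdict, [text for _, text in reasons], line)


def triage_log(text: str) -> List[Finding]:
    """Triage every non-blank line of a HijackThis log."""
    return [triage_entry(l) for l in text.splitlines() if l.strip()]


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.verdict:10} [{f.name}]")
        for r in f.reasons:
            print(f"           - {r}")
```

The rules are deliberately conservative: only the GUID-folder and misplaced-system-binary checks produce "suspicious", while RunOnce hooks and orphans are queued for a human to confirm, which mirrors how guestolo lists entries to fix rather than auto-deleting.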


tzielinski
Slow and filled with Spyware
« Reply #3 on: April 23, 2005, 09:58:29 PM »
OK, the only problem I encountered is that I couldn't find the file C:\WINDOWS\System32\srvc32.exe; it looked like C:\WINDOWS\System32\srvc32.dll, so I didn't delete it. Thanks a lot for the help.

Logfile of HijackThis v1.99.1
Scan saved at 10:55:31 PM, on 4/23/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\ltmsg.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Optimum Online\Netsurf.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\AIM\aim.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\iO\web\bin\server.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\DOCUME~1\Tobiasz\LOCALS~1\Temp\Rar$EX00.641\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.optonline.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ipassist.biz/index.php?id=11258
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Optimum Online] C:\Program Files\Optimum Online\Netsurf.exe -tray
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [imjpmig] C:\IME\IMJP\imjpmig.exe /RemAdvDef /AIMEREG /Migration /SetPreload
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Steam] C:\Program Files\Steam\Steam.exe -silent
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: iOWebServer.lnk = C:\Program Files\iO\web\bin\server.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download All by FlashGet - F:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - F:\PROGRA~1\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200207...meInstaller.exe
O16 - DPF: {72ED8878-6E16-4EA1-BDD6-3B21EF676E45} (CVTrace Control) - http://www.seevideo.co.kr/pub/cvideox/trace/cvtrace.cab
O16 - DPF: {BF22698D-3BED-4CB0-BA3A-64534FBC32B1} (SVWebPlayer Control) - http://www.seevideo.co.kr/pub/seevideo2002/SVWebPlayer.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

guestolo (Administrator)
Slow and filled with Spyware
« Reply #4 on: April 24, 2005, 12:39:38 AM »
Hmm, can you do the following for me please

Follow the instructions closely
Download the trial version of tds-3 anti trojan from here:
http://www.diamondcs.com.au/tds/downloads/...s/tds3setup.exe
Install it and Restart your computer when prompted
Don't run a scan yet

When you're back in Windows it's important to update to the latest RADIUS database.

IMPORTANT>>>

Follow this link on how to update it>> follow the instructions carefully
http://tds.diamondcs.com.au/index.php?page=update
Use the Manual update procedure
Again, don't run a scan yet

After TDS3 is updated

Please Print this out or save these instructions to a Notepad file and save it to your Desktop
RESTART your Computer in SAFE MODE
You can do this by tapping the F8 key as the system is restarting, after the single POST beep, or use the link I supplied for a more detailed explanation.

Launch TDS-3. In the top bar of the TDS window click System Testing > Full System Scan.
Let it completely finish scanning, even if it appears to hesitate at times.
Give this time to finish.
Detections will appear in the lower pane of the TDS window after the scan is finished. Right click the list > select Save as txt >> save this to a convenient location; I'll need to see it later.

After saving the scandump.txt go ahead and right click the list of alarms again, this time select delete...only delete those with POSITIVE IDENTIFICATION

After you have removed the ones with positive identification

Restart back to Normal mode

After you have done the above
Post back the scandump.txt file and a new Hijackthis log
Can you please redownload HijackThis and save it to a permanent folder?
You can redownload from my signature below



tzielinski
Slow and filled with Spyware
« Reply #5 on: April 24, 2005, 07:25:11 PM »
OK... I did all of the following.
Here is the Hijack log.


Logfile of HijackThis v1.99.1
Scan saved at 8:19:16 PM, on 4/24/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\ltmsg.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Optimum Online\Netsurf.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\AIM\aim.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\iO\web\bin\server.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Tobiasz\Desktop\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.optonline.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ipassist.biz/index.php?id=11258
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Optimum Online] C:\Program Files\Optimum Online\Netsurf.exe -tray
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [imjpmig] C:\IME\IMJP\imjpmig.exe /RemAdvDef /AIMEREG /Migration /SetPreload
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Steam] C:\Program Files\Steam\Steam.exe -silent
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: iOWebServer.lnk = C:\Program Files\iO\web\bin\server.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download All by FlashGet - F:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - F:\PROGRA~1\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200207...meInstaller.exe
O16 - DPF: {72ED8878-6E16-4EA1-BDD6-3B21EF676E45} (CVTrace Control) - http://www.seevideo.co.kr/pub/cvideox/trace/cvtrace.cab
O16 - DPF: {BF22698D-3BED-4CB0-BA3A-64534FBC32B1} (SVWebPlayer Control) - http://www.seevideo.co.kr/pub/seevideo2002/SVWebPlayer.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
« Last Edit: April 24, 2005, 07:26:43 PM by tzielinski »

tzielinski
Slow and filled with Spyware
« Reply #6 on: April 24, 2005, 07:27:50 PM »
Sorry, but the other post cut off the scandump.txt

Scan Control Dumped @ 20:14:23 24-04-05
(DELETED) Positive identification: TrojanDownloader.Win32.CWS.k
  File: c:\6ecb2699.exe

Suspicious Filename: HTA file in suspicious location
  File: c:\d25c119d.hta

Suspicious Filename: Dual extensions
  File: c:\cygwin\bin\dumpgdbm-1.5.2.exe

Suspicious Filename: Dual extensions
  File: c:\cygwin\bin\gawk-3.1.4.exe

Suspicious Filename: Dual extensions
  File: c:\cygwin\bin\loadgdbm-1.5.2.exe

Suspicious Filename: Dual extensions
  File: c:\cygwin\bin\perl5.8.6.exe

Suspicious Filename: Dual extensions
  File: c:\cygwin\bin\pgawk-3.1.4.exe

(DELETED) Positive identification: Adware.Wintol.g
  File: c:\documents and settings\mariola\local settings\temp\~321395.tmp

(DELETED) Positive identification: Adware.Wintol.g
  File: c:\documents and settings\mariola\local settings\temp\~333702.tmp

(DELETED) Positive identification: Adware.Wintol.g
  File: c:\documents and settings\mariola\local settings\temp\~412637.tmp

(DELETED) Positive identification: Adware.Wintol.g
  File: c:\documents and settings\mariola\local settings\temp\~58147.tmp

(DELETED) Positive identification: Adware.Wintol.g
  File: c:\documents and settings\mariola\local settings\temp\~714730.tmp

(DELETED) Positive identification: Adware.Wintol.g
  File: c:\documents and settings\mariola\local settings\temp\~790027.tmp

(DELETED) Positive identification: TrojanDownloader.Win32.WinTool
  File: c:\documents and settings\mariola\local settings\temp\~795270.tmp

(DELETED) Positive identification: TrojanDownloader.Win32.WinTool
  File: c:\documents and settings\mariola\local settings\temp\~796211.tmp

(DELETED) Positive identification: Adware.Wintol.g
  File: c:\documents and settings\mariola\local settings\temp\~826084.tmp

(DELETED) Positive identification: TrojanDownloader.Win32.WinTool
  File: c:\documents and settings\mariola\local settings\temp\~830398.tmp

(DELETED) Positive identification: Adware.Wintol.g
  File: c:\documents and settings\mariola\local settings\temp\~854651.tmp

(DELETED) Positive identification: TrojanDownloader.Win32.WinTool
  File: c:\documents and settings\mariola\local settings\temp\~911469.tmp

(DELETED) Positive identification: Adware.Wintol.g
  File: c:\documents and settings\mariola\local settings\temp\~950458.tmp

(DELETED) Positive identification: Adware.Wintol.g
  File: c:\documents and settings\mariola\local settings\temp\~950561.tmp

(DELETED) Positive identification: Adware.Wintol.g
  File: c:\documents and settings\mariola\local settings\temp\~964628.tmp

(DELETED) Positive identification: TrojanDropper.Win32.Small.vn
  File: c:\documents and settings\mariola\local settings\temporary internet files\content.ie5\k5mbcdmz\$file[1]

(DELETED) Positive identification: TrojanDropper.Win32.Small.vn
  File: c:\documents and settings\mariola\local settings\temporary internet files\content.ie5\xjj5vtzc\$file[1]

(DELETED) Positive identification: TrojanDownloader.Win32.VB.df
  File: c:\documents and settings\tobiasz\application data\phoenix\profiles\default\7aif9o9v.slt\cache\484dddcad01

(DELETED) Positive identification: Joke.Win32.Life
  File: c:\documents and settings\tobiasz\desktop\life.exe

Suspicious Filename: Dual extensions
  File: c:\documents and settings\tobiasz\desktop\mingw-3.1.0-1.exe

Suspicious Filename: Dual extensions
  File: c:\documents and settings\tobiasz\desktop\the transcendentalists.doc.doc

Suspicious Filename: Dual extensions
  File: c:\documents and settings\tobiasz\desktop\comp sci\python-2.3.4c1.exe

Suspicious Filename: Excessive space characters
  File: c:\documents and settings\tobiasz\favorites\????                                                                                            .url

Suspicious Filename: Dual extensions
  File: c:\documents and settings\tobiasz\local settings\temp\key-generator 5.5.8.0.exe

(DELETED) Positive identification (DLL): TrojanDownloader.Win32.Agent.kf1 (dll)
  File: c:\documents and settings\tobiasz\local settings\temp\wldr.dll

(DELETED) Positive identification: TrojanDownloader.Win32.WinTool
  File: c:\documents and settings\tobiasz\local settings\temp\~1184.tmp

(DELETED) Positive identification: Adware.Wintol.p
  File: c:\documents and settings\tobiasz\local settings\temp\~16807.tmp

(DELETED) Positive identification: Adware.Wintol.p
  File: c:\documents and settings\tobiasz\local settings\temp\~298658.tmp

(DELETED) Positive identification: TrojanDownloader.Win32.WinTool
  File: c:\documents and settings\tobiasz\local settings\temp\~3302.tmp

(DELETED) Positive identification: Adware.Wintol.p
  File: c:\documents and settings\tobiasz\local settings\temp\~36350.tmp

(DELETED) Positive identification: Adware.Wintol.c
  File: c:\documents and settings\tobiasz\local settings\temp\~397943.tmp

(DELETED) Positive identification: TrojanDownloader.Win32.WinTool
  File: c:\documents and settings\tobiasz\local settings\temp\~589354.tmp

(DELETED) Positive identification: TrojanDownloader.Win32.WinTool
  File: c:\documents and settings\tobiasz\local settings\temp\~677700.tmp

(DELETED) Positive identification: Adware.Wintol.p
  File: c:\documents and settings\tobiasz\local settings\temp\~835041.tmp

(DELETED) Positive identification: Adware.Wintol.p
  File: c:\documents and settings\tobiasz\local settings\temp\~842966.tmp

(DELETED) Positive identification: Adware.Wintol.p
  File: c:\documents and settings\tobiasz\local settings\temp\~870121.tmp

(DELETED) Positive identification: Adware.Wintol.p
  File: c:\documents and settings\tobiasz\local settings\temp\~876315.tmp

(DELETED) Positive identification: Adware.Wintol.p
  File: c:\documents and settings\tobiasz\local settings\temp\~936581.tmp

(DELETED) Positive identification: Adware.Wintol.c
  File: c:\documents and settings\tobiasz\local settings\temp\~952156.tmp

Suspicious Filename: Dual extensions
  File: c:\program files\hewlett-packard\digital imaging\hpisinst\install.wse.exe

Suspicious Filename: Dual extensions
  File: c:\program files\hewlett-packard\hp instant support di\temp\install.wse.exe

(DELETED) Positive identification: Riskware.Proxy.Hltv
  File: c:\sierra\counter-strike\hltv.exe

(DELETED) Positive identification: TrojanDropper.Win32.Small.ty1
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp807\a0094994.exe

(DELETED) Positive identification: TrojanDropper.Win32.Small.vn
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp809\a0095074.exe

(DELETED) Positive identification: TrojanDropper.Win32.Small.vn
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp809\a0096075.exe

(DELETED) Positive identification: TrojanDropper.Win32.Small.vn
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp809\a0096110.exe

(DELETED) Positive identification: TrojanDropper.Win32.Small.vn
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp810\a0096116.exe

(DELETED) Positive identification: TrojanDropper.Win32.Small.vn
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp810\a0096132.exe

(DELETED) Positive identification: TrojanDropper.Win32.Small.vn
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp810\a0096149.exe

(DELETED) Positive identification (DLL): Trojan.Win32.WebSearch.i (dll)
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp811\a0097158.dll

(DELETED) Positive identification: Trojan.Win32.WebSearch.i
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp811\a0097159.exe

(DELETED) Positive identification (DLL): Trojan.Win32.WebSearch.i1 (dll)
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp811\a0097160.dll

(DELETED) Positive identification (DLL): Trojan.Win32.WebSearch.i (dll)
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp811\a0097161.dll

(DELETED) Positive identification: Trojan.Win32.WebSearch.i
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp811\a0097162.exe

(DELETED) Positive identification (DLL): Trojan.Win32.WebSearch.i1 (dll)
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp811\a0097163.dll

(DELETED) Positive identification (DLL): Trojan.Win32.WebSearch.i (dll)
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp811\a0097164.dll

(DELETED) Positive identification: Trojan.Win32.WebSearch.i
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp811\a0097165.exe

(DELETED) Positive identification (DLL): Trojan.Win32.WebSearch.i1 (dll)
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp811\a0097166.dll

(DELETED) Positive identification (DLL): Trojan.Win32.WebSearch.i (dll)
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp811\a0097167.dll

(DELETED) Positive identification: Trojan.Win32.WebSearch.i
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp811\a0097168.exe

(DELETED) Positive identification (DLL): Trojan.Win32.WebSearch.i1 (dll)
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp811\a0097169.dll

(DELETED) Positive identification (DLL): Trojan.Win32.WebSearch.i (dll)
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp811\a0097170.dll

(DELETED) Positive identification: Trojan.Win32.WebSearch.i
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp811\a0097171.exe

(DELETED) Positive identification (DLL): Trojan.Win32.WebSearch.i1 (dll)
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp811\a0097172.dll

(DELETED) Positive identification (DLL): Trojan.Win32.WebSearch.i (dll)
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp811\a0097173.dll

(DELETED) Positive identification: Trojan.Win32.WebSearch.i
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp811\a0097174.exe

(DELETED) Positive identification (DLL): Trojan.Win32.WebSearch.i1 (dll)
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp811\a0097175.dll

(DELETED) Positive identification (DLL): Trojan.Win32.WebSearch.i (dll)
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp811\a0097176.dll

(DELETED) Positive identification: Trojan.Win32.WebSearch.i
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp811\a0097177.exe

(DELETED) Positive identification (DLL): Trojan.Win32.WebSearch.i1 (dll)
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp811\a0097178.dll

(DELETED) Positive identification (DLL): Trojan.Win32.WebSearch.i (dll)
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp811\a0097179.dll

(DELETED) Positive identification: Trojan.Win32.WebSearch.i
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp811\a0097180.exe

(DELETED) Positive identification (DLL): Trojan.Win32.WebSearch.i1 (dll)
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp811\a0097181.dll

(DELETED) Positive identification (DLL): Trojan.Win32.WebSearch.i (dll)
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp811\a0097182.dll

(DELETED) Positive identification: Trojan.Win32.WebSearch.i
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp811\a0097183.exe

(DELETED) Positive identification (DLL): Trojan.Win32.WebSearch.i1 (dll)
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp811\a0097184.dll

(DELETED) Positive identification (DLL): Trojan.Win32.WebSearch.i (dll)
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp811\a0097185.dll

(DELETED) Positive identification: Trojan.Win32.WebSearch.i
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp811\a0097186.exe

(DELETED) Positive identification (DLL): Trojan.Win32.WebSearch.i1 (dll)
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp811\a0097187.dll

(DELETED) Positive identification (DLL): Trojan.Win32.WebSearch.i (dll)
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp811\a0097188.dll

(DELETED) Positive identification: Trojan.Win32.WebSearch.i
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp811\a0097189.exe

(DELETED) Positive identification (DLL): Trojan.Win32.WebSearch.i1 (dll)
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp811\a0097190.dll

(DELETED) Positive identification (DLL): Trojan.Win32.WebSearch.i (dll)
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp811\a0097191.dll

(DELETED) Positive identification: Trojan.Win32.WebSearch.i
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp811\a0097192.exe

(DELETED) Positive identification (DLL): Trojan.Win32.WebSearch.i1 (dll)
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp811\a0097193.dll

(DELETED) Positive identification (DLL): Trojan.Win32.WebSearch.i (dll)
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp811\a0097194.dll

(DELETED) Positive identification: Trojan.Win32.WebSearch.i
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp811\a0097195.exe

(DELETED) Positive identification (DLL): Trojan.Win32.WebSearch.i1 (dll)
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp811\a0097196.dll

(DELETED) Positive identification (DLL): Trojan.Win32.WebSearch.i (dll)
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp811\a0097197.dll

(DELETED) Positive identification: Trojan.Win32.WebSearch.i
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp811\a0097198.exe

(DELETED) Positive identification (DLL): Trojan.Win32.WebSearch.i1 (dll)
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp811\a0097199.dll

(DELETED) Positive identification (DLL): Trojan.Win32.WebSearch.i (dll)
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp811\a0097200.dll

(DELETED) Positive identification: Trojan.Win32.WebSearch.i
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp811\a0097201.exe

(DELETED) Positive identification (DLL): Trojan.Win32.WebSearch.i1 (dll)
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp811\a0097202.dll

(DELETED) Positive identification (DLL): Trojan.Win32.WebSearch.i (dll)
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp811\a0097203.dll

(DELETED) Positive identification: Trojan.Win32.WebSearch.i
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp811\a0097204.exe

(DELETED) Positive identification (DLL): Trojan.Win32.WebSearch.i1 (dll)
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp811\a0097205.dll

(DELETED) Positive identification (DLL): Trojan.Win32.WebSearch.i (dll)
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp811\a0097206.dll

(DELETED) Positive identification: Trojan.Win32.WebSearch.i
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp811\a0097207.exe

(DELETED) Positive identification (DLL): Trojan.Win32.WebSearch.i1 (dll)
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp811\a0097208.dll

(DELETED) Positive identification (DLL): Trojan.Win32.WebSearch.i (dll)
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp811\a0097209.dll

(DELETED) Positive identification: Trojan.Win32.WebSearch.i
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp811\a0097210.exe

(DELETED) Positive identification (DLL): Trojan.Win32.WebSearch.i1 (dll)
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp811\a0097211.dll

(DELETED) Positive identification (DLL): Trojan.Win32.WebSearch.i (dll)
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp811\a0097212.dll

(DELETED) Positive identification: Trojan.Win32.WebSearch.i
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp811\a0097213.exe

(DELETED) Positive identification (DLL): Trojan.Win32.WebSearch.i1 (dll)
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp811\a0097214.dll

(DELETED) Positive identification (DLL): Trojan.Win32.WebSearch.i (dll)
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp811\a0097215.dll

(DELETED) Positive identification: Trojan.Win32.WebSearch.i
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp811\a0097216.exe

(DELETED) Positive identification (DLL): Trojan.Win32.WebSearch.i1 (dll)
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp811\a0097217.dll

(DELETED) Positive identification (DLL): Trojan.Win32.WebSearch.i (dll)
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp811\a0097218.dll

(DELETED) Positive identification: Trojan.Win32.WebSearch.i
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp811\a0097219.exe

(DELETED) Positive identification (DLL): Trojan.Win32.WebSearch.i1 (dll)
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp811\a0097220.dll

(DELETED) Positive identification (DLL): Trojan.Win32.WebSearch.i (dll)
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp811\a0097221.dll

(DELETED) Positive identification: Trojan.Win32.WebSearch.i
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp811\a0097222.exe

(DELETED) Positive identification (DLL): Trojan.Win32.WebSearch.i1 (dll)
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp811\a0097223.dll

(DELETED) Positive identification (DLL): Trojan.Win32.WebSearch.i (dll)
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp811\a0097224.dll

(DELETED) Positive identification: Trojan.Win32.WebSearch.i
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp811\a0097225.exe

(DELETED) Positive identification (DLL): Trojan.Win32.WebSearch.i1 (dll)
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp811\a0097226.dll

(DELETED) Positive identification (DLL): Trojan.Win32.WebSearch.i (dll)
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp811\a0097227.dll

(DELETED) Positive identification: Trojan.Win32.WebSearch.i
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp811\a0097228.exe

(DELETED) Positive identification (DLL): Trojan.Win32.WebSearch.i1 (dll)
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp811\a0097229.dll

(DELETED) Positive identification (DLL): Trojan.Win32.WebSearch.i (dll)
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp811\a0097230.dll

(DELETED) Positive identification: Trojan.Win32.WebSearch.i
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp811\a0097231.exe

(DELETED) Positive identification (DLL): Trojan.Win32.WebSearch.i1 (dll)
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp811\a0097232.dll

(DELETED) Positive identification (DLL): Trojan.Win32.WebSearch.i (dll)
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp811\a0097233.dll

(DELETED) Positive identification: Trojan.Win32.WebSearch.i
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp811\a0097234.exe

(DELETED) Positive identification (DLL): Trojan.Win32.WebSearch.i1 (dll)
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp811\a0097235.dll

(DELETED) Positive identification (DLL): Trojan.Win32.WebSearch.i (dll)
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp811\a0097236.dll

(DELETED) Positive identification: Trojan.Win32.WebSearch.i
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp811\a0097237.exe

(DELETED) Positive identification (DLL): Trojan.Win32.WebSearch.i1 (dll)
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp811\a0097238.dll

(DELETED) Positive identification (DLL): Trojan.Win32.WebSearch.i (dll)
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp811\a0097239.dll

(DELETED) Positive identification: Trojan.Win32.WebSearch.i
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp811\a0097240.exe

(DELETED) Positive identification (DLL): Trojan.Win32.WebSearch.i1 (dll)
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp811\a0097241.dll

(DELETED) Positive identification (DLL): Trojan.Win32.WebSearch.i (dll)
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp811\a0097242.dll

(DELETED) Positive identification: Trojan.Win32.WebSearch.i
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp811\a0097243.exe

(DELETED) Positive identification (DLL): Trojan.Win32.WebSearch.i1 (dll)
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp811\a0097244.dll

(DELETED) Positive identification (DLL): Trojan.Win32.WebSearch.i (dll)
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp811\a0097245.dll

(DELETED) Positive identification: Trojan.Win32.WebSearch.i
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp811\a0097246.exe

(DELETED) Positive identification (DLL): Trojan.Win32.WebSearch.i1 (dll)
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp811\a0097247.dll

(DELETED) Positive identification (DLL): Trojan.Win32.WebSearch.i (dll)
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp811\a0097248.dll

(DELETED) Positive identification: Trojan.Win32.WebSearch.i
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp811\a0097249.exe

(DELETED) Positive identification (DLL): Trojan.Win32.WebSearch.i1 (dll)
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp811\a0097250.dll

(DELETED) Positive identification: TrojanDropper.Win32.Small.vn
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp811\a0097266.exe

(DELETED) Positive identification (DLL): TrojanDownloader.Win32.Small.aoa (dll)
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp811\a0098295.dll

(DELETED) Positive identification: TrojanDownloader.Win32.Small.aoa
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp811\a0098296.exe

(DELETED) Positive identification (DLL): Trojan.Win32.TopAntiSpyware.i (dll)
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp812\a0098426.dll

(DELETED) Positive identification: Trojan.Win32.TopAntiSpyware.i
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp812\a0098427.exe

(DELETED) Positive identification: TrojanDropper.Win32.Small.vn
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp812\a0098428.exe

(DELETED) Suspicious Filename: HTA file in suspicious location
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp812\a0098431.hta

(DELETED) Positive identification (DLL): TrojanDownloader.Win32.Agent.ga (dll)
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp812\a0098432.dll

(DELETED) Positive identification: TrojanDownloader.Win32.Small.aoa
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp812\a0098435.exe

(DELETED) Positive identification (DLL): Trojan.Win32.WebSearch.i (dll)
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp812\a0098439.dll

(DELETED) Positive identification: Trojan.Win32.WebSearch.i
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp812\a0098440.exe

(DELETED) Positive identification (DLL): Trojan.Win32.WebSearch.i1 (dll)
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp812\a0098441.dll

(DELETED) Positive identification (DLL): Trojan.Win32.WebSearch.i (dll)
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp813\a0098485.dll

(DELETED) Positive identification: Trojan.Win32.WebSearch.i
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp813\a0098486.exe

(DELETED) Positive identification (DLL): Trojan.Win32.WebSearch.i1 (dll)
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp813\a0098487.dll

(DELETED) Positive identification (DLL): Trojan.Win32.WebSearch.i (dll)
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp813\a0098488.dll

(DELETED) Positive identification: Trojan.Win32.WebSearch.i
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp813\a0098489.exe

(DELETED) Positive identification (DLL): Trojan.Win32.WebSearch.i1 (dll)
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp813\a0098490.dll

(DELETED) Positive identification (DLL): Trojan.Win32.WebSearch.i (dll)
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp813\a0098491.dll

(DELETED) Positive identification: Trojan.Win32.WebSearch.i
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp813\a0098492.exe

(DELETED) Positive identification (DLL): Trojan.Win32.WebSearch.i1 (dll)
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp813\a0098493.dll

(DELETED) Positive identification (DLL): Trojan.Win32.WebSearch.i (dll)
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp813\a0098494.dll

(DELETED) Positive identification: Trojan.Win32.WebSearch.i
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp813\a0098495.exe

(DELETED) Positive identification (DLL): Trojan.Win32.WebSearch.i1 (dll)
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp813\a0098496.dll

(DELETED) Positive identification (DLL): Trojan.Win32.WebSearch.i (dll)
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp813\a0098497.dll

(DELETED) Positive identification: Trojan.Win32.WebSearch.i
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp813\a0098498.exe

(DELETED) Positive identification (DLL): Trojan.Win32.WebSearch.i1 (dll)
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp813\a0098499.dll

(DELETED) Positive identification (DLL): Trojan.Win32.WebSearch.i (dll)
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp813\a0098500.dll

(DELETED) Positive identification: Trojan.Win32.WebSearch.i
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp813\a0098501.exe

(DELETED) Positive identification (DLL): Trojan.Win32.WebSearch.i1 (dll)
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp813\a0098502.dll

(DELETED) Positive identification (DLL): Trojan.Win32.WebSearch.i (dll)
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp813\a0098503.dll

(DELETED) Positive identification: Trojan.Win32.WebSearch.i
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp813\a0098504.exe

(DELETED) Positive identification (DLL): Trojan.Win32.WebSearch.i1 (dll)
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp813\a0098505.dll

(DELETED) Positive identification (DLL): Trojan.Win32.WebSearch.i (dll)
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp813\a0098506.dll

(DELETED) Positive identification: Trojan.Win32.WebSearch.i
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp813\a0098507.exe

(DELETED) Positive identification (DLL): Trojan.Win32.WebSearch.i1 (dll)
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp813\a0098508.dll

(DELETED) Positive identification (DLL): Trojan.Win32.WebSearch.i (dll)
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp813\a0098509.dll

(DELETED) Positive identification: Trojan.Win32.WebSearch.i
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp813\a0098510.exe

(DELETED) Positive identification (DLL): Trojan.Win32.WebSearch.i1 (dll)
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp813\a0098511.dll

(DELETED) Positive identification (DLL): Trojan.Win32.WebSearch.i (dll)
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp813\a0098512.dll

(DELETED) Positive identification: Trojan.Win32.WebSearch.i
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp813\a0098513.exe

(DELETED) Positive identification (DLL): Trojan.Win32.WebSearch.i1 (dll)
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp813\a0098514.dll

(DELETED) Positive identification (DLL): Trojan.Win32.WebSearch.i (dll)
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp813\a0098515.dll

(DELETED) Positive identification: Trojan.Win32.WebSearch.i
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp813\a0098516.exe

(DELETED) Positive identification (DLL): Trojan.Win32.WebSearch.i1 (dll)
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp813\a0098517.dll

(DELETED) Positive identification (DLL): Trojan.Win32.WebSearch.i (dll)
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp813\a0098518.dll

(DELETED) Positive identification: Trojan.Win32.WebSearch.i
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp813\a0098519.exe

(DELETED) Positive identification (DLL): Trojan.Win32.WebSearch.i1 (dll)
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp813\a0098520.dll

(DELETED) Positive identification (DLL): Trojan.Win32.WebSearch.i (dll)
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp813\a0098521.dll

(DELETED) Positive identification: Trojan.Win32.WebSearch.i
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp813\a0098522.exe

(DELETED) Positive identification (DLL): Trojan.Win32.WebSearch.i1 (dll)
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp813\a0098523.dll

(DELETED) Positive identification (DLL): Trojan.Win32.WebSearch.i (dll)
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp813\a0098524.dll

(DELETED) Positive identification: Trojan.Win32.WebSearch.i
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp813\a0098525.exe

(DELETED) Positive identification (DLL): Trojan.Win32.WebSearch.i1 (dll)
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp813\a0098526.dll

(DELETED) Positive identification (DLL): Trojan.Win32.WebSearch.i (dll)
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp813\a0098527.dll

(DELETED) Positive identification: Trojan.Win32.WebSearch.i
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp813\a0098528.exe

(DELETED) Positive identification (DLL): Trojan.Win32.WebSearch.i1 (dll)
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp813\a0098529.dll

(DELETED) Positive identification (DLL): Trojan.Win32.WebSearch.i (dll)
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp813\a0098530.dll

(DELETED) Positive identification: Trojan.Win32.WebSearch.i
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp813\a0098531.exe

(DELETED) Positive identification (DLL): Trojan.Win32.WebSearch.i1 (dll)
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp813\a0098532.dll

(DELETED) Positive identification (DLL): Trojan.Win32.WebSearch.i2 (dll)
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp825\a0101123.dll

(DELETED) Positive identification (DLL): Trojan.Win32.WebSearch.i2 (dll)
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp825\a0101243.dll

(DELETED) Positive identification (DLL): Trojan.Win32.WebSearch.i2 (dll)
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp825\a0103244.dll

(DELETED) Positive identification (DLL): Trojan.Win32.WebSearch.i2 (dll)
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp825\a0103276.dll

(DELETED) Positive identification (DLL): Trojan.Win32.WebSearch.i2 (dll)
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp826\a0104325.dll

(DELETED) Positive identification (DLL): Trojan.Win32.WebSearch.i2 (dll)
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp827\a0105387.dll

(DELETED) Positive identification (DLL): Trojan.Win32.WebSearch.i2 (dll)
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp827\a0105405.dll

(DELETED) Positive identification (DLL): Trojan.Win32.WebSearch.i2 (dll)
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp827\a0106445.dll

(DELETED) Positive identification (embedded in file): Trojan.Win32.WebSearch.i2 (dll)
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp827\a0106446.exe

(DELETED) Positive identification: Trojan.Win32.WebSearch.i2
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp827\a0106446.exe

(DELETED) Positive identification: Trojan.Win32.WebSearch.i3
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp827\a0106448.exe

(DELETED) Positive identification (DLL): Trojan.Win32.WebSearch.i2 (dll)
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp827\a0106450.dll

(DELETED) Positive identification (embedded in file): Trojan.Win32.WebSearch.i2 (dll)
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp827\a0106451.exe

(DELETED) Positive identification: Trojan.Win32.WebSearch.i2
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp827\a0106451.exe

(DELETED) Positive identification: Trojan.Win32.WebSearch.i3
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp827\a0106453.exe

(DELETED) Positive identification (DLL): Trojan.Win32.WebSearch.i2 (dll)
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp827\a0106455.dll

(DELETED) Positive identification (embedded in file): Trojan.Win32.WebSearch.i2 (dll)
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp827\a0106456.exe

(DELETED) Positive identification: Trojan.Win32.WebSearch.i2
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp827\a0106456.exe

(DELETED) Positive identification: Trojan.Win32.WebSearch.i3
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp827\a0106458.exe

(DELETED) Positive identification (DLL): Trojan.Win32.WebSearch.i2 (dll)
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp827\a0106460.dll

(DELETED) Positive identification (embedded in file): Trojan.Win32.WebSearch.i2 (dll)
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp827\a0106461.exe

(DELETED) Positive identification: Trojan.Win32.WebSearch.i2
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp827\a0106461.exe

(DELETED) Positive identification: Trojan.Win32.WebSearch.i3
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp827\a0106463.exe

(DELETED) Positive identification (DLL): Trojan.Win32.WebSearch.i2 (dll)
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp827\a0106465.dll

(DELETED) Positive identification (embedded in file): Trojan.Win32.WebSearch.i2 (dll)
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp827\a0106466.exe

(DELETED) Positive identification: Trojan.Win32.WebSearch.i2
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp827\a0106466.exe

(DELETED) Positive identification: Trojan.Win32.WebSearch.i3
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp827\a0106468.exe

(DELETED) Positive identification (DLL): Trojan.Win32.WebSearch.i2 (dll)
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp827\a0106470.dll

(DELETED) Positive identification (embedded in file): Trojan.Win32.WebSearch.i2 (dll)
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp827\a0106471.exe

(DELETED) Positive identification: Trojan.Win32.WebSearch.i2
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp827\a0106471.exe

(DELETED) Positive identification: Trojan.Win32.WebSearch.i3
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp827\a0106473.exe

(DELETED) Positive identification (embedded in file): Trojan.Win32.WebSearch.i2 (dll)
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp827\a0106475.exe

(DELETED) Positive identification: Trojan.Win32.WebSearch.i2
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp827\a0106475.exe

(DELETED) Positive identification: Trojan.Win32.WebSearch.i3
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp827\a0106477.exe

(DELETED) Positive identification (DLL): Trojan.Win32.WebSearch.i2 (dll)
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp827\a0106479.dll

(DELETED) Positive identification (embedded in file): Trojan.Win32.WebSearch.i2 (dll)
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp827\a0106480.exe

(DELETED) Positive identification: Trojan.Win32.WebSearch.i2
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp827\a0106480.exe

(DELETED) Positive identification: Trojan.Win32.WebSearch.i3
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp827\a0106482.exe

(DELETED) Positive identification (DLL): Trojan.Win32.WebSearch.i2 (dll)
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp827\a0106484.dll

(DELETED) Positive identification (embedded in file): Trojan.Win32.WebSearch.i2 (dll)
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp827\a0106485.exe

(DELETED) Positive identification: Trojan.Win32.WebSearch.i2
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp827\a0106485.exe

(DELETED) Positive identification: Trojan.Win32.WebSearch.i3
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp827\a0106487.exe

(DELETED) Positive identification (embedded in file): Trojan.Win32.WebSearch.i2 (dll)
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp827\a0106489.exe

(DELETED) Positive identification: Trojan.Win32.WebSearch.i2
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp827\a0106489.exe

(DELETED) Positive identification: Trojan.Win32.WebSearch.i3
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp827\a0106491.exe

(DELETED) Positive identification (DLL): Trojan.Win32.WebSearch.i2 (dll)
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp827\a0106493.dll

(DELETED) Positive identification (embedded in file): Trojan.Win32.WebSearch.i2 (dll)
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp827\a0106494.exe

(DELETED) Positive identification: Trojan.Win32.WebSearch.i2
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp827\a0106494.exe

(DELETED) Positive identification: Trojan.Win32.WebSearch.i3
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp827\a0106496.exe

(DELETED) Positive identification (embedded in file): Trojan.Win32.WebSearch.i2 (dll)
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp827\a0106498.exe

(DELETED) Positive identification: Trojan.Win32.WebSearch.i2
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp827\a0106498.exe

(DELETED) Positive identification: Trojan.Win32.WebSearch.i3
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp827\a0106500.exe

(DELETED) Positive identification (DLL): Trojan.Win32.WebSearch.i2 (dll)
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp827\a0106503.dll

(DELETED) Positive identification (embedded in file): Trojan.Win32.WebSearch.i2 (dll)
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp827\a0106504.exe

(DELETED) Positive identification: Trojan.Win32.WebSearch.i2
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp827\a0106504.exe

(DELETED) Positive identification: Trojan.Win32.WebSearch.i3
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp827\a0106506.exe

(DELETED) Positive identification (DLL): Trojan.Win32.WebSearch.i2 (dll)
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp827\a0106508.dll

(DELETED) Positive identification (embedded in file): Trojan.Win32.WebSearch.i2 (dll)
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp827\a0106509.exe

(DELETED) Positive identification: Trojan.Win32.WebSearch.i2
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp827\a0106509.exe

(DELETED) Positive identification: Trojan.Win32.WebSearch.i3
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp827\a0106511.exe

(DELETED) Positive identification (DLL): Trojan.Win32.WebSearch.i2 (dll)
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp827\a0106513.dll

(DELETED) Positive identification (embedded in file): Trojan.Win32.WebSearch.i2 (dll)
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp827\a0106514.exe

(DELETED) Positive identification: Trojan.Win32.WebSearch.i2
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp827\a0106514.exe

(DELETED) Positive identification: Trojan.Win32.WebSearch.i3
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp827\a0106516.exe

(DELETED) Positive identification: Trojan.Win32.TopAntiSpyware.i
  File: c:\system volume information\_restore{31414675-6cbe-4639-8f67-8c2e395d7683}\rp827\a0106518.exe

(DELETED) Positive identification (DLL): TrojanDownloader.Win32.Agent.kf1 (dll)
  File: c:\windows\wldr.dll

(DELETED) Positive identification (DLL): TrojanDownloader.Win32.Small.aoa (dll)
  File: c:\windows\system32\srdrv32.dll

(DELETED) Positive identification (DLL): Trojan.Win32.TopAntiSpyware.i (dll)
  File: c:\windows\system32\srpcsrv32.dll

(DELETED) Positive identification (DLL): TrojanDownloader.Win32.Small.aoa (dll)
  File: c:\windows\system32\srvc32.dll

(DELETED) Positive identification (DLL): Trojan.Win32.TopAntiSpyware.i (dll)
  File: c:\windows\system32\txfdb32.dll

(DELETED) Positive identification (DLL): TrojanDownloader.Win32.Agent.kf1 (dll)
  File: c:\windows\system32\wldr.dll

(DELETED) Positive identification: TrojanDropper.Win32.Small.uy
  File: c:\windows\system32\x.exe

(DELETED) Positive identification (DLL): Adware.WildTangent.b (dll)
  File: c:\windows\wt\wtvh.dll

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
Slow and filled with Spyware
« Reply #7 on: April 24, 2005, 10:00:40 PM »
Can you try this please

Go to this file
c:\d25c119d.hta
Right click on it and rename it to
c:\d25c119d.old

Afterwards

==Download and Install this small program
to help clean your temp folders, cookies, recycle bin
Windows Cleanup
Install for now, don't run a scan yet

==Do another scan with Hijackthis and put a check next to these entries:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ipassist.biz/index.php?id=11258
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =


After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Open Windows CleanUp!>>START>>programs>>Cleanup!
Click on the CleanUp button, let it finish scanning for files, when it's done
Don't let it log you off, instead

Restart your computer and post back a fresh Hijackthis log
Could you also
Download SilentRunners from here:
http://www.silentrunners.org/Silent%20Runners.vbs
If using the Firefox browser, right click on that link and SAVE LINK AS
Save it to the desktop and double-click to run it. If prompted by your Anti-Virus, allow this to run, we are just collecting information
When the scan is finished, it will create a logfile on the desktop. Please post the entire contents of this logfile back here
You will be prompted when the complete scan is done, give it time
« Last Edit: April 24, 2005, 10:23:20 PM by guestolo »

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline tzielinski

  • Newbie
  • *
  • Posts: 6
  • Karma: +0/-0
Slow and filled with Spyware
« Reply #8 on: April 24, 2005, 11:41:20 PM »
Hmmm... I couldn't find the file c:\d25c119d.hta. Everything else went flawlessly.

Logfile of HijackThis v1.99.1
Scan saved at 12:38:16 AM, on 4/25/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\ltmsg.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Optimum Online\Netsurf.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\AIM\aim.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\iO\web\bin\server.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Tobiasz\Desktop\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.optonline.net
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Optimum Online] C:\Program Files\Optimum Online\Netsurf.exe -tray
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [imjpmig] C:\IME\IMJP\imjpmig.exe /RemAdvDef /AIMEREG /Migration /SetPreload
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Steam] C:\Program Files\Steam\Steam.exe -silent
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: iOWebServer.lnk = C:\Program Files\iO\web\bin\server.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download All by FlashGet - F:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - F:\PROGRA~1\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200207...meInstaller.exe
O16 - DPF: {72ED8878-6E16-4EA1-BDD6-3B21EF676E45} (CVTrace Control) - http://www.seevideo.co.kr/pub/cvideox/trace/cvtrace.cab
O16 - DPF: {BF22698D-3BED-4CB0-BA3A-64534FBC32B1} (SVWebPlayer Control) - http://www.seevideo.co.kr/pub/seevideo2002/SVWebPlayer.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


"Silent Runners.vbs", revision 35, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
"ctfmon.exe" = "C:\WINDOWS\System32\ctfmon.exe" [MS]
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit" [MS]
"Steam" = "C:\Program Files\Steam\Steam.exe -silent" ["Valve Corporation"]
"AIM" = "C:\Program Files\AIM\aim.exe -cnetwait.odl" ["America Online, Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup" [MS]
"LTWinModem1" = "ltmsg.exe 9" ["LUCENT TECHNOLOGIES"]
"AHQInit" = "C:\Program Files\Creative\SBLive\Program\AHQInit.exe" ["Creative Technology Ltd"]
"MoneyStartUp10.0" = ""C:\Program Files\Microsoft Money\System\Activation.exe"" [MS]
"NAV Agent" = "C:\PROGRA~1\NORTON~1\navapw32.exe" ["Symantec Corporation"]
"AdaptecDirectCD" = ""C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"" ["Roxio"]
"Dell|Alert" = "C:\Program Files\Dell\Support\Alert\bin\DAMon.exe" [empty string]
"IMJPMIG8.1" = "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32" [MS]
"IMEKRMIG6.1" = "C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [MS]
"MSPY2002" = "C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC" [null data]
"PHIME2002ASync" = "C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC" [MS]
"PHIME2002A" = "C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName" [MS]
"Share-to-Web Namespace Daemon" = "C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" ["Hewlett-Packard"]
"POINTER" = "point32.exe" [MS]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"Optimum Online" = "C:\Program Files\Optimum Online\Netsurf.exe -tray" ["Netsurfer, Inc."]
"NeroCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"imjpmig" = "C:\IME\IMJP\imjpmig.exe /RemAdvDef /AIMEREG /Migration /SetPreload" [MS]
"mmtask" = "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe" ["TODO: <Company name>"]
"DeadAIM" = "rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs" [MS]
"iTunesHelper" = "C:\Program Files\iTunes\iTunesHelper.exe" ["
Apple Computer, Inc."]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]

HKLM\Software\Microsoft\Active Setup\Installed Components\
{306D6C21-C1B6-4629-986C-E59E1875B8AF}\(Default) = (no title provided)
                                       \StubPath   = ""C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Messenger\msgsc.dll",ShowIconsUser" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{BDF3E430-B101-42AD-A544-FADC6B084872}\(Default) = "NAV Helper"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
{FDD3B846-8D59-4ffb-8758-209B6AD74ACC}\(Default) = (no title provided)
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Money\System\mnyviewer.dll" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
  -> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{955B7B84-5308-419c-8ED8-0B9CA3C56985}" = "America Online"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\aolshare\shell\us\shellext.dll" ["America Online, Inc."]
"{5E44E225-A408-11CF-B581-008029601108}" = "Adaptec DirectCD Shell Extension"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Roxio\EASYCD~1\DirectCD\Shellex.dll" ["Roxio"]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{A4DF5659-0801-4A60-9607-1C48695EFDA9}" = "Share-to-Web Upload Folder"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Hewlett-Packard\HP Share-to-Web\HPGS2WNS.DLL" ["Hewlett-Packard"]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshellext.dll" ["RealNetworks"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{516EC4D3-4AD9-11D5-AA6A-00E0189008B3}" = "The Core Media Player Shell Extension"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\CORECO~1\THECOR~1\System\CORESH~1.CLL" [null data]
"{C14F7681-33D8-11D3-A09B-00500402F30B}" = "iO"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\iO\iomenu.dll" [empty string]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]


Enabled Wallpaper and Active Desktop:
-------------------------------------

Active Desktop is enabled.

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\Web\Wallpaper\Bliss.bmp"

Active Desktop web content:

HKCU\Software\Microsoft\Internet Explorer\Desktop\Components\0\
"FriendlyName" = "Security"
"Source" = "C:\WINDOWS\Web\desktop.html"
"SubscribedURL" = "C:\WINDOWS\Web\desktop.html"


Startup items in "Tobiasz" & "All Users" startup folders:
---------------------------------------------------------

C:\Documents and Settings\Tobiasz\Start Menu\Programs\Startup
"iOWebServer" -> shortcut to: "C:\Program Files\iO\web\bin\server.exe" ["Sambar Technologies"]
"Webshots" -> shortcut to: "C:\Program Files\Webshots\Launcher.exe  /t" [null data]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Adobe Gamma Loader" -> shortcut to: "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]
"America Online 8.0 Tray Icon" -> shortcut to: "C:\Program Files\America Online 8.0\aoltray.exe -check" [file not found]
"AOL Companion" -> shortcut to: "C:\Program Files\AOL Companion\companion.exe /s" [null data]
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l" [MS]
"WinZip Quick Pick" -> shortcut to: "C:\Program Files\WinZip\WZQKPICK.EXE" ["WinZip Computing, Inc."]


Enabled Scheduled Tasks:
------------------------

"ISP signup reminder 3" -> launches: "C:\WINDOWS\System32\OOBE\OOBEBALN.EXE /sys /i /n:3" [MS]
"Norton AntiVirus - Scan my computer" -> launches: "C:\PROGRA~1\NORTON~1\NAVW32.exe /task:C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec\NORTON~1\Tasks\mycomp.sca" ["Symantec Corporation"]
"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "%SystemRoot%\System32\nwprovau.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 26
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}"
  -> {CLSID}\(Default) = "Norton AntiVirus"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\
  -> {CLSID}\(Default) = "Real.com"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Shdocvw.dll" [MS]

Dormant Explorer Bars in "View, Explorer Bar" menu

HKLM\Software\Classes\CLSID\{9404901D-06DA-4B23-A0EE-3EA4F64EC9B3}\
(Default) = "MoneySide"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\Program Files\Microsoft Money\System\mnyviewer.dll" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{AC9E2541-2814-11D5-BC6D-00B0D0A1DE45}\
"ButtonText" = "AIM"
"Exec" = "C:\Program Files\AIM\aim.exe" ["America Online, Inc."]

{CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\
"ButtonText" = "Real.com"

{E023F504-0C5A-4750-A1E7-A9046DEA8A21}\
"ButtonText" = "MoneySide"
"CLSIDExtension" = "{301DA1EE-F65C-4188-A417-9E915CC8FBFA}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Money\System\mnyviewer.dll" [MS]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\MSMSGS.EXE" [MS]


HOSTS file
----------

C:\WINDOWS\SYSTEM32\Drivers\Etc\HOSTS

maps: 2 domain names to IP addresses,
      1 of the IP addresses is *not* localhost!
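The check the report is making here (count the HOSTS mappings, flag any whose address is not loopback) as a small added script; this is illustrative code, not part of Silent Runners or HijackThis, and the sample HOSTS text is constructed from the stock XP default plus the non-localhost entry this thread's later log shows.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample: the stock Windows XP HOSTS file plus the redirect
# that the HijackThis "O1" line in this thread reports.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
64.91.255.87    www.dcsresearch.com   # not loopback: should be reviewed
"""

@dataclass
class HostsEntry:
    ip: str
    names: tuple
    is_loopback: bool

def parse_hosts(text):
    """Parse HOSTS-file text into entries, ignoring comments and blank lines.
    A mapping line is '<ip> <name> [<name>...]'; '#' starts a comment."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line, not a mapping
        entries.append(HostsEntry(str(addr), tuple(fields[1:]), addr.is_loopback))
    return entries

def summarize(entries):
    """Return (domain names mapped, distinct non-loopback IPs, flagged pairs),
    i.e. the same two counts the report prints plus the entries to review."""
    names = sum(len(e.names) for e in entries)
    non_loopback = {e.ip for e in entries if not e.is_loopback}
    flagged = [(e.ip, n) for e in entries if not e.is_loopback for n in e.names]
    return names, len(non_loopback), flagged

if __name__ == "__main__":
    n, bad, flagged = summarize(parse_hosts(SAMPLE_HOSTS))
    print(f"maps: {n} domain names to IP addresses, {bad} IP(s) not localhost")
    for ip, name in flagged:
        print(f"  review: {name} -> {ip}")
```

On a real machine, read `%SystemRoot%\System32\drivers\etc\hosts` instead of `SAMPLE_HOSTS`; any flagged name is a redirect you did not add yourself until proven otherwise.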


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Creative Service for CDROM Access, Creative Service for CDROM Access, "C:\WINDOWS\System32\CTsvcCDA.EXE" ["Creative Technology Ltd"]
iPod Service, iPodService, "C:\Program Files\iPod\bin\iPodService.exe" ["Apple Computer, Inc."]
Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"" [MS]
Norton AntiVirus Auto Protect Service, navapsvc, "C:\Program Files\Norton AntiVirus\navapsvc.exe" ["Symantec Corporation"]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\System32\nvsvc32.exe" ["NVIDIA Corporation"]
SAP Agent, NwSapAgent, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\ipxsap.dll" [MS]}
WAN Miniport (ATW) Service, WANMiniportService, ""C:\WINDOWS\wanmpsvc.exe"" ["America Online, Inc."]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]
WMDM PMSP Service, WMDM PMSP Service, "C:\WINDOWS\System32\MsPMSPSv.exe" [MS]


----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
Slow and filled with Spyware
« Reply #9 on: April 24, 2005, 11:55:13 PM »
Can you do the following, please?

Use Windows Explorer to find and delete this file:
C:\WINDOWS\Web\desktop.html <-file

Do the following:
1. Open the Control Panel.
2. Open Display Properties.
3. Click the Desktop tab.
4. Click the Customize Desktop button.
5. Click the Web tab in the Desktop Items window.
6. Uncheck "Security", or make sure all checkboxes in this window are unchecked.
OK your way out.
Log off your user account and log back on again if anything was unchecked.

Post back a fresh HijackThis log afterwards and let me know how everything's running.

That one file I asked you to rename: can you
Set Windows To Show Hidden Files and Folders
    * Click Start.
    * Open My Computer.
    * Select the Tools menu and click Folder Options.
    * Select the View tab.
    * Under the Hidden files and folders heading, select Show hidden files and folders.
    * Uncheck the Hide protected operating system files (recommended) option.
    * Uncheck Hide extensions for known file types.
    * Click Yes to confirm.
    * Click OK.

And then take another look and make sure it doesn't exist.

EDIT>> Whoops, I forgot to say "Hmmm" :P
« Last Edit: April 25, 2005, 12:06:00 AM by guestolo »

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline tzielinski

  • Newbie
  • *
  • Posts: 6
  • Karma: +0/-0
Slow and filled with Spyware
« Reply #10 on: April 25, 2005, 12:44:10 AM »
Hmmmm... I did everything you told me, and it doesn't seem to exist. :P
But everything else seems to be working properly, and with that I am hopefully posting my last HijackThis log... YAY! :)

I would also like to thank you for your time and trouble. I really appreciate it! Thanks again!

Logfile of HijackThis v1.99.1
Scan saved at 1:40:24 AM, on 4/25/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ltmsg.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Optimum Online\Netsurf.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\AIM\aim.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\iO\web\bin\server.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Tobiasz\Desktop\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.optonline.net
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Optimum Online] C:\Program Files\Optimum Online\Netsurf.exe -tray
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [imjpmig] C:\IME\IMJP\imjpmig.exe /RemAdvDef /AIMEREG /Migration /SetPreload
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Steam] C:\Program Files\Steam\Steam.exe -silent
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: iOWebServer.lnk = C:\Program Files\iO\web\bin\server.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download All by FlashGet - F:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - F:\PROGRA~1\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200207...meInstaller.exe
O16 - DPF: {72ED8878-6E16-4EA1-BDD6-3B21EF676E45} (CVTrace Control) - http://www.seevideo.co.kr/pub/cvideox/trace/cvtrace.cab
O16 - DPF: {BF22698D-3BED-4CB0-BA3A-64534FBC32B1} (SVWebPlayer Control) - http://www.seevideo.co.kr/pub/seevideo2002/SVWebPlayer.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
« Last Edit: April 25, 2005, 12:46:41 AM by tzielinski »

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
Slow and filled with Spyware
« Reply #11 on: April 25, 2005, 12:59:20 AM »
Looks good.
You can go back and hide hidden files and folders.

If everything is running better:

You should disable System Restore, restart your computer, then enable System Restore.
This will clear all your restore points and ensure you don't restore any nasties.
Once re-enabled it will create a fresh restore point.
How to Disable and Re-enable System Restore feature

Once back in Windows and System Restore is re-enabled,

you should set up protection against future attacks:

SpywareBlaster 3.3 by JavaCool
* Will block bad ActiveX controls
* Blocks malevolent cookies in Internet Explorer and Firefox
* Restricts actions of potentially dangerous sites in Internet Explorer


IE-SPYAD puts over 5000 sites in your Restricted zone, so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link:
TUTORIAL==Link to Tutorial
Download link

With both, check for updates every couple of weeks.
Keep the link to IE-SPYAD bookmarked so you can check for updates.
With SpywareBlaster, after every update just enable all protection.

Stay safe :D
« Last Edit: April 25, 2005, 12:59:36 AM by guestolo »
