WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. Join 93083 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!

Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

My Log

Started by b21bballer , Nov 05 2005 04:40 PM

Please log in to reply

10 replies to this topic

#1 b21bballer

Authentic Member

Authentic Member
57 posts

Posted 05 November 2005 - 04:40 PM

Logfile of HijackThis v1.99.1
Scan saved at 5:36:52 PM, on 11/5/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\progra~1\scansoft\paperp~1\pptd40nt.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\ScanSoft\PaperPort\PopUp\SmartUI.exe
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\ScanSoft\PaperPort\Pplinks.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\AMERIC~1.0\waol.exe
C:\PROGRA~1\AMERIC~1.0\shellmon.exe
C:\Program Files\Common Files\Aol\aoltpspd.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus10.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://broadband.zoo...n.com/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus10.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus10.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\system32\ddccy.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [PaperPort PTD] c:\progra~1\scansoft\paperp~1\pptd40nt.exe
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [sf] C:\Program Files\sf\sf.exe
O4 - HKCU\..\Run: [eso] C:\WINDOWS\eso.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Brother SmartUI PopUp.lnk = C:\Program Files\ScanSoft\PaperPort\PopUp\SmartUI.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} (AOL Content Update) - http://esupport.aol....oach_core_1.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} - http://hoylegames.si...cherControl.cab
O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - http://www.disney.go...GameManager.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O20 - Winlogon Notify: ddccy - C:\WINDOWS\system32\ddccy.dll
O20 - Winlogon Notify: Telephony - C:\WINDOWS\system32\o4nsle571h.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: BrSplService (Brother XP spl Service) - Unknown owner - C:\WINDOWS\system32\brsvc01a.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Advertisements

Register to Remove

#2 Micah_6:8

Evilware Emancipator

Authentic Member
10,060 posts

Interests:Web (Perl, PHP, JavaScript, HTML) programming, CNC programming, Squashing spyware!

Posted 06 November 2005 - 09:20 AM

Download L2mfix from one of these two locations:

l2mfix.exe (© Shadowwar)

l2mfix.exe (© Shadowwar)

Save the file to your desktop and <double-click> l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop.

<double-click> l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing <enter>.

This will scan your computer and it may appear nothing is happening, then, after a minute or 2, Notepad will open with a log.

Copy/paste the contents of that log into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

Micah 6:8 He hath shewed thee, O man, what is good; and what doth the LORD require of thee, but to do justly, and to love mercy, and to walk humbly with thy God?

The help you receive here is free.
If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Join the ClassRoom and learn how.

Download Hijack This! My Website: UnSpyMe!

#3 b21bballer

Authentic Member

Authentic Member
57 posts

Posted 06 November 2005 - 08:09 PM

L2MFIX find log 1.04a These are the registry keys present ********************************************************************************** Winlogon/notify: Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify] [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ddccy] "Asynchronous"=dword:00000001 "DllName"="C:\\WINDOWS\\system32\\ddccy.dll" "Impersonate"=dword:00000000 "Startup"="SysLogon" "Logoff"="SysLogoff" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Syncmgr] "Asynchronous"=dword:00000000 "DllName"="C:\\WINDOWS\\system32\\e4020edoeh0c0.dll" "Impersonate"=dword:00000000 "Logon"="WinLogon" "Logoff"="WinLogoff" "Shutdown"="WinShutdown" RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de) This program is Freeware, use it on your own risk! Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify: (NI) ALLOW Full access NT AUTHORITY\SYSTEM (IO) ALLOW Full access NT AUTHORITY\SYSTEM (NI) ALLOW Full access NT AUTHORITY\SYSTEM (IO) ALLOW Full access NT AUTHORITY\SYSTEM (ID-NI) ALLOW Read BUILTIN\Users (ID-IO) ALLOW Read BUILTIN\Users (ID-NI) ALLOW Full access BUILTIN\Administrators (ID-IO) ALLOW Full access BUILTIN\Administrators (ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM (ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM (ID-IO) ALLOW Full access CREATOR OWNER ********************************************************************************** useragent: Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform] "{F84A3361-6212-E58A-2E5D-C38F9B8F8FE5}"="" ********************************************************************************** Shell Extension key: Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved] "{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet" "{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management" "{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page" "{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page" "{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing" "{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension" "{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension" "{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension" "{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension" "{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page" "{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page" "{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler" "{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension" "{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects" "{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management" "{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management" "{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression" "{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension" "{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI" "{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu" "{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase" "{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext" "{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts" "{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile" "{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page" "{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing" "{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension" "{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension" "{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension" "{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections" "{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections" "{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras" "{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras" "{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras" "{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras" "{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras" "{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension" "{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension" "{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host" "{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link" "{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler" "{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension" "{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks" "{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu" "{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search" "{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support" "{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support" "{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..." "{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet" "{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail" "{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts" "{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools" "{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler" "{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler" "{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler" "{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler" "{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler" "{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor" "{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar" "{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status" "{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder" "{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2" "{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy" "{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand" "{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band" "{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band" "{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search" "{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search" "{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility" "{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address" "{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox" "{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete" "{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor" "{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List" "{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List" "{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible" "{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar" "{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser" "{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List" "{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List" "{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container" "{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu" "{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp" "{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar" "{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite" "{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist" "{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings" "{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band" "{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service" "{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer" "{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture" "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut" "{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service" "{FF393560-C2A7-11CF-BFF4-444553540000}"="History" "{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files" "{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files" "{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook" "{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen" "{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook" "{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC" "{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC" "{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet" "{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space" "{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band" "{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service" "{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service" "{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder" "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck" "{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr" "{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder" "{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler" "{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent" "{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent" "{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent" "{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent" "{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent" "{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler" "{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager" "{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator" "{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher" "{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs" "{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory" "{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor" "{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)" "{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor" "{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler" "{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard" "{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web" "{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object" "{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard" "{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts" "{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler" "{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target" "{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File" "{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut" "{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object" "{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu" "{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties" "{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview" "{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext" "{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control" "{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control" "{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control" "{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control" "{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control" "{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI" "{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object" "{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find" "{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find" "{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI" "{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs" "{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook" "{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target" "{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties" "{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu" "{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options" "{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder" "{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler" "{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell" "{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%" "{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler" "{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer" "{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..." "{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler" "{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler" "{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler" "{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache" "{DEE12703-6333-4D4E-8F34-738C4DCC2E04}"="RecordNow! SendToExt" "{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player" "{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders" "{7F67036B-66F1-411A-AD85-759FB9C5B0DB}"="SampleView" "{1CDB2949-8F65-4355-8456-263E7C208A5D}"="Desktop Explorer" "{1E9B04FB-F9E5-4718-997B-B8DA88302A47}"="Desktop Explorer Menu" "{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults" "{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page" "{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions" "{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder" "{61382B02-F89D-459A-8CA0-047D47C9FDAA}"="" "{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler" ********************************************************************************** HKEY ROOT CLASSIDS: Windows Registry Editor Version 5.00 [HKEY_CLASSES_ROOT\CLSID\{61382B02-F89D-459A-8CA0-047D47C9FDAA}] @="" [HKEY_CLASSES_ROOT\CLSID\{61382B02-F89D-459A-8CA0-047D47C9FDAA}\Implemented Categories] @="" [HKEY_CLASSES_ROOT\CLSID\{61382B02-F89D-459A-8CA0-047D47C9FDAA}\Implemented Categories\{00021492-0000-0000-C000-000000000046}] @="" [HKEY_CLASSES_ROOT\CLSID\{61382B02-F89D-459A-8CA0-047D47C9FDAA}\InprocServer32] @="C:\\WINDOWS\\system32\\iuetpp.dll" "ThreadingModel"="Apartment" ********************************************************************************** Files Found are not all bad files: C:\WINDOWS\SYSTEM32\ browseui.dll Fri Sep 2 2005 6:52:04p A.... 1,019,904 996.00 K ca2.dll Mon Oct 3 2005 12:20:50p A.... 77,824 76.00 K cdfview.dll Fri Sep 2 2005 6:52:04p A.... 151,040 147.50 K cdosys.dll Fri Sep 9 2005 8:53:42p A.... 2,067,968 1.97 M danim.dll Fri Sep 2 2005 6:52:04p A.... 1,053,696 1.00 M ddccy.dll Sat Sep 17 2005 10:40:28a ..SH. 528,404 516.02 K doprpres.dll Wed Nov 2 2005 2:32:34p ..S.R 417,792 408.00 K dxtrans.dll Fri Sep 2 2005 6:52:04p A.... 205,312 200.50 K e4020e~1.dll Sat Nov 5 2005 5:25:30p ..S.R 234,158 228.67 K extmgr.dll Fri Sep 2 2005 6:52:04p ..... 55,808 54.50 K hp0023~1.dll Sun Nov 6 2005 5:43:54p ..S.R 236,161 230.63 K iepeers.dll Fri Sep 2 2005 6:52:04p A.... 251,392 245.50 K inseng.dll Fri Sep 2 2005 6:52:04p A.... 96,256 94.00 K iuetpp.dll Sun Nov 6 2005 5:43:54p ..S.R 234,158 228.67 K jt2m07~1.dll Mon Oct 3 2005 4:04:24p ..S.R 417,792 408.00 K linkinfo.dll Wed Aug 31 2005 8:41:54p A.... 19,968 19.50 K m8poli~1.dll Wed Nov 2 2005 2:45:10p ..S.R 235,650 230.13 K mshtml.dll Tue Oct 4 2005 4:26:00p A.... 3,015,168 2.88 M mshtmled.dll Fri Sep 2 2005 6:52:06p A.... 448,512 438.00 K msrating.dll Fri Sep 2 2005 6:52:06p A.... 146,432 143.00 K mstime.dll Fri Sep 2 2005 6:52:06p A.... 530,432 518.00 K netman.dll Mon Aug 22 2005 1:29:46p A.... 197,632 193.00 K pngfilt.dll Fri Sep 2 2005 6:52:06p A.... 39,424 38.50 K quartz.dll Mon Aug 29 2005 10:54:26p A.... 1,287,168 1.23 M r0r60a~1.dll Sat Nov 5 2005 5:28:14p ..S.R 235,912 230.38 K sfi2.dll Mon Oct 3 2005 12:20:46p A.... 274,432 268.00 K shdocvw.dll Fri Sep 2 2005 6:52:06p A.... 1,483,776 1.41 M shell32.dll Thu Sep 22 2005 10:05:30p A.... 8,450,560 8.06 M shlwapi.dll Fri Sep 2 2005 6:52:06p A.... 473,600 462.50 K sjlsrv32.dll Sat Oct 29 2005 9:41:12a ..S.R 417,792 408.00 K tlext.dll Mon Oct 3 2005 12:19:46p ..S.R 417,792 408.00 K ugat.dll Mon Oct 3 2005 12:19:52p ..S.R 417,792 408.00 K umpnpmgr.dll Mon Aug 22 2005 10:35:42p A.... 123,392 120.50 K uqandlg.dll Mon Oct 3 2005 12:19:56p ..S.R 417,792 408.00 K urlmon.dll Fri Sep 2 2005 6:52:06p A.... 608,768 594.50 K vnpodbc.dll Tue Nov 1 2005 8:01:52p ..S.R 417,792 408.00 K wininet.dll Fri Sep 2 2005 6:52:06p A.... 658,432 643.00 K winsrv.dll Wed Aug 31 2005 8:41:54p A.... 291,840 285.00 K 38 items found: 38 files (13 H/S), 0 directories. Total of file sizes: 27,657,723 bytes 26.38 M Locate .tmp files: No matches found. ********************************************************************************** Directory Listing of system files: Volume in drive C is PRESARIO Volume Serial Number is 9059-30A0 Directory of C:\WINDOWS\System32 11/06/2005 09:09 PM 225,069 yccdd.ini 11/06/2005 05:43 PM 234,158 iuetpp.dll 11/06/2005 05:43 PM 236,161 hp0023dmg.dll 11/05/2005 10:59 PM 223,926 yccdd.bak1 11/05/2005 05:28 PM 235,912 r0r60a9sed.dll 11/05/2005 05:25 PM 234,158 e4020edoeh0c0.dll 11/02/2005 02:45 PM 235,650 m8poli7318.dll 11/02/2005 02:32 PM 417,792 doprpres.dll 11/01/2005 08:01 PM 417,792 vnpodbc.dll 10/29/2005 09:41 AM 417,792 sjlsrv32.dll 10/16/2005 10:09 PM <DIR> dllcache 10/03/2005 04:04 PM 417,792 jt2m07f1e.dll 10/03/2005 12:19 PM 417,792 uqandlg.dll 10/03/2005 12:19 PM 417,792 ugat.dll 10/03/2005 12:19 PM 417,792 tlext.dll 09/17/2005 10:40 AM 528,404 ddccy.dll 10/11/2003 05:45 AM <DIR> Microsoft 15 File(s) 5,077,982 bytes 2 Dir(s) 61,171,855,360 bytes free

#4 Micah_6:8

Evilware Emancipator

Authentic Member
10,060 posts

Interests:Web (Perl, PHP, JavaScript, HTML) programming, CNC programming, Squashing spyware!

Posted 07 November 2005 - 04:14 PM

Please print these instructions out for use in Safe Mode.

Please download VundoFix.exe to your desktop.

Double-click VundoFix.exe to extract the files
This will create a VundoFix folder on your desktop.
After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
Once in safe mode open the VundoFix folder and doubleclick on KillVundo.bat
You will first be presented with a warning that should look like this

VundoFix V2.15 by Atri
By using VundoFix you agree that you are doing so at your own risk
Press enter to continue....
At this point press enter one time.
Next you will see:

Type in the filepath as instructed by the forum staff
Then Press Enter:
At this point please type the following file path (make sure to enter it exactly as below!):
- C:\WINDOWS\system32\ddccy.dll
Press Enter to continue with the fix.
Next you will see:

Please type in the second filepath as instructed by the forum staff
Then Press Enter to continue with the fix.
At this point please type the following file path (make sure to enter it exactly as below!):C:\WINDOWS\system32\yccdd.*
Press Enter to continue with the fix.
The fix will run then HijackThis will open, if it does not open automatically please open it manually.
In HijackThis, please place a check next to the following items and click FIX CHECKED:
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R3 - Default URLSearchHook is missing

O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\system32\ddccy.dll

O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE

O4 - HKCU\..\Run: [sf] C:\Program Files\sf\sf.exe

O4 - HKCU\..\Run: [eso] C:\WINDOWS\eso.exe

O4 - Startup: PowerReg Scheduler V3.exe

O20 - Winlogon Notify: ddccy - C:\WINDOWS\system32\ddccy.dll

O20 - Winlogon Notify: Telephony - C:\WINDOWS\system32\o4nsle571h.dll
After you have fixed these items, close Hijackthis.
Press enter to exit the program then manually reboot your computer.
Once your machine reboots please continue with the instructions below.

Copy a new HijackThis log and the vundofix.txt file from the vundofix folder into this topic.

#5 b21bballer

Authentic Member

Authentic Member
57 posts

Posted 07 November 2005 - 08:22 PM

Logfile of HijackThis v1.99.1
Scan saved at 9:21:41 PM, on 11/7/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\LTMSG.exe
C:\progra~1\scansoft\paperp~1\pptd40nt.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Owner\Desktop\Fixs\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus10.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://broadband.zoo...n.com/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus10.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus10.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\system32\ddccy.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [PaperPort PTD] c:\progra~1\scansoft\paperp~1\pptd40nt.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} (AOL Content Update) - http://esupport.aol....oach_core_1.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} - http://hoylegames.si...cherControl.cab
O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - http://www.disney.go...GameManager.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O20 - Winlogon Notify: App Paths - C:\WINDOWS\system32\jt4o07h3e.dll
O20 - Winlogon Notify: ddccy - C:\WINDOWS\system32\ddccy.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: BrSplService (Brother XP spl Service) - Unknown owner - C:\WINDOWS\system32\brsvc01a.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Symantec Trojan.Vundo Removal Tool 1.4.0
The process "iexplore.exe" might be affected by the threat. It has been suspended.
The process "explorer.exe" contained a viral thread (00000694). The thread was terminated.
The process "explorer.exe" contained a viral thread (000006A4). The thread was terminated.
The process "explorer.exe" contained a viral thread (00000784). The thread was terminated.
The process "explorer.exe" contained a viral thread (00000788). The thread was terminated.
The process "iexplore.exe" might be affected by the threat. It has been terminated.

Process: 660 'winlogon.exe'. Module: 'C:\WINDOWS\system32\ddccy.dll' is malicious. Cannot open process!
Process: 1620 'explorer.exe'. Module: 'C:\WINDOWS\system32\ddccy.dll' is malicious. Module deactivated!
Winlogon plugin 'ddccy' -> dll file: 'C:\WINDOWS\system32\ddccy.dll' - is infected!
Deleted the registry key
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ddccy".
C:\System Volume Information: (not scanned)
C:\WINDOWS\system32\ddccy.dll: (will be deleted on next reboot)
registry: HKEY_CLASSES_ROOT\MSEvents.MSEvents (key deleted)
registry: HKEY_CLASSES_ROOT\MSEvents.MSEvents.1 (key deleted)
registry: HKEY_CLASSES_ROOT\CLSID\{52B1DFC7-AAFC-4362-B103-868B0683C697} (key deleted)
registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{52B1DFC7-AAFC-4362-B103-868B0683C697} (key deleted)

The Trojan.Vundo removal was successful.
The system will delete 1 Trojan.Vundo files from your PC on next reboot.

Here is the report:

1 file(s) could not be deleted.
They will be deleted on next reboot.

The total number of the scanned files: 118526
The number of deleted files: 0
The number of viral processes terminated: 1
The number of viral processes suspended: 1
The number of viral threads terminated: 4
The number of registry entries fixed: 4

The tool initiated a system reboot.

#6 Micah_6:8

Evilware Emancipator

Authentic Member
10,060 posts

Interests:Web (Perl, PHP, JavaScript, HTML) programming, CNC programming, Squashing spyware!

Posted 07 November 2005 - 09:16 PM

Please rerun my instructions.

You ran the wrong tool:

Symantec Trojan.Vundo Removal Tool 1.4.0

#7 b21bballer

Authentic Member

Authentic Member
57 posts

Posted 09 November 2005 - 06:21 PM

Sorry, posted the wrong one. VundoFix V2.15 by Atri -------------------------------------------------------------------------------------- Listing files contained in the vundofix folder. -------------------------------------------------------------------------------------- killvundo.bat process.exe ReadMe.txt vundo.reg vundofix.txt -------------------------------------------------------------------------------------- Filepaths entered -------------------------------------------------------------------------------------- The filepath entered was C:\WINDOWS\system32\ddccy.dll The second filepath entered was C:\WINDOWS\system32\yccdd.dll -------------------------------------------------------------------------------------- Log from Process -------------------------------------------------------------------------------------- Killing PID 136 'smss.exe' Error 0x6 : The handle is invalid. Killing PID 732 'explorer.exe' Killing PID 656 'rundll32.exe' Killing PID 656 'rundll32.exe' Killing PID 656 'rundll32.exe' Killing PID 656 'rundll32.exe' Killing PID 656 'rundll32.exe' Killing PID 212 'winlogon.exe' Error 0x6 : The handle is invalid. -------------------------------------------------------------------------------------- Could not delete C:\WINDOWS\system32\ddccy.dll. C:\WINDOWS\system32\yccdd.dll Deleted sucessfully. Fixing Registry --------------------------------------------------------------------------------------

#8 Micah_6:8

Evilware Emancipator

Authentic Member
10,060 posts

Interests:Web (Perl, PHP, JavaScript, HTML) programming, CNC programming, Squashing spyware!

Posted 09 November 2005 - 07:35 PM

Download the trial version of Spy Sweeper.

Install it using the Standard Install option. (You will be asked for your e-mail address, it is safe to give it. If you receive alerts from your firewall, allow all activities for Spy Sweeper)
You will be prompted to check for updated definitions, please do so. (This may take several minutes)
Click on Options > Sweep Options and check Sweep all Folders on Selected drives. Check Local Disc C. Under What to Sweep, check every box.
Click on Sweep and allow it to fully scan your system.
When the sweep has finished, click Remove to remove any items found.
Click Session Log in the upper right corner, copy everything in that window.
Click the Summary tab and click Finish.
Paste the contents of the session log you copied into your next reply.
Exit Spy Sweeper.

Reboot normally and scan with HijackThis. Post the new log as a reply to this thread. Include the Spy Sweeper session log.

#9 b21bballer

Authentic Member

Authentic Member
57 posts

Posted 10 November 2005 - 06:34 PM

********
7:13 PM: | Start of Session, Thursday, November 10, 2005 |
7:13 PM: Spy Sweeper started
7:13 PM: Sweep initiated using definitions version 571
7:13 PM: Starting Memory Sweep
7:14 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:14 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:14 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:14 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:14 PM: Found Adware: icannnews
7:14 PM: Detected running threat: C:\WINDOWS\system32\guard.tmp (ID = 83)
7:14 PM: Found Adware: virtumonde
7:14 PM: Detected running threat: C:\WINDOWS\system32\ddccy.dll (ID = 77)
7:14 PM: Detected running threat: C:\WINDOWS\system32\kt48l7hu1.dll (ID = 83)
7:15 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:15 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:15 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:15 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:15 PM: Detected running threat: C:\WINDOWS\system32\cxyptui.dll (ID = 83)
7:16 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:16 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:16 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:16 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:17 PM: Memory Sweep Complete, Elapsed Time: 00:03:46
7:17 PM: Starting Registry Sweep
7:18 PM: Found Adware: look2me
7:18 PM: HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\h323tsp\ (6 subtraces) (ID = 129939)
7:18 PM: HKCR\msevents.msevents\ (5 subtraces) (ID = 749130)
7:18 PM: HKCR\msevents.msevents.1\ (3 subtraces) (ID = 749136)
7:18 PM: HKLM\software\classes\msevents.msevents\ (5 subtraces) (ID = 749153)
7:18 PM: HKLM\software\classes\msevents.msevents.1\ (3 subtraces) (ID = 749157)
7:18 PM: Found Adware: ist yoursitebar
7:18 PM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\conflict.1\ysbactivex.dll (ID = 762453)
7:18 PM: HKCR\clsid\{52b1dfc7-aafc-4362-b103-868b0683c697}\ (12 subtraces) (ID = 812324)
7:18 PM: HKLM\software\classes\clsid\{52b1dfc7-aafc-4362-b103-868b0683c697}\ (12 subtraces) (ID = 812338)
7:18 PM: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{52b1dfc7-aafc-4362-b103-868b0683c697}\ (ID = 812351)
7:18 PM: Found Trojan Horse: 2nd-thought
7:18 PM: HKU\S-1-5-21-579048704-2228840358-292467358-1003\software\winupdt\ (2 subtraces) (ID = 102022)
7:18 PM: Registry Sweep Complete, Elapsed Time:00:00:27
7:18 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:18 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:18 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:18 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:18 PM: Starting Cookie Sweep
7:18 PM: Found Spy Cookie: primaryads cookie
7:18 PM: owner@1.primaryads[2].txt (ID = 3190)
7:18 PM: Found Spy Cookie: 10101 cookie
7:18 PM: owner@10101[1].txt (ID = 1917)
7:18 PM: Found Spy Cookie: 10102 cookie
7:18 PM: owner@10102[2].txt (ID = 1919)
7:18 PM: Found Spy Cookie: 10105 cookie
7:18 PM: owner@10105[2].txt (ID = 1923)
7:18 PM: Found Spy Cookie: 2o7.net cookie
7:18 PM: owner@2o7[2].txt (ID = 1957)
7:18 PM: Found Spy Cookie: 365 cookie
7:18 PM: owner@365[1].txt (ID = 1963)
7:18 PM: Found Spy Cookie: 382 cookie
7:18 PM: owner@382[1].txt (ID = 1965)
7:18 PM: Found Spy Cookie: 3 cookie
7:18 PM: owner@3[2].txt (ID = 1959)
7:18 PM: Found Spy Cookie: 412 cookie
7:18 PM: owner@412[1].txt (ID = 1969)
7:18 PM: Found Spy Cookie: 5 cookie
7:18 PM: owner@5[2].txt (ID = 1979)
7:18 PM: Found Spy Cookie: 64.62.232 cookie
7:18 PM: owner@64.62.232[1].txt (ID = 1987)
7:18 PM: owner@64.62.232[2].txt (ID = 1987)
7:18 PM: owner@64.62.232[3].txt (ID = 1987)
7:18 PM: owner@64.62.232[4].txt (ID = 1987)
7:18 PM: owner@64.62.232[6].txt (ID = 1987)
7:18 PM: Found Spy Cookie: 69.28.210 cookie
7:18 PM: owner@69.28.210[1].txt (ID = 2003)
7:18 PM: Found Spy Cookie: 735 cookie
7:18 PM: owner@735[1].txt (ID = 2009)
7:18 PM: Found Spy Cookie: 80503492 cookie
7:18 PM: owner@80503492[1].txt (ID = 2013)
7:18 PM: Found Spy Cookie: 888 cookie
7:18 PM: owner@888[1].txt (ID = 2019)
7:18 PM: owner@888[2].txt (ID = 2019)
7:18 PM: Found Spy Cookie: websponsors cookie
7:18 PM: owner@a.websponsors[2].txt (ID = 3665)
7:18 PM: Found Spy Cookie: abetterinternet cookie
7:18 PM: owner@abetterinternet[2].txt (ID = 2035)
7:18 PM: owner@abetterinternet[3].txt (ID = 2035)
7:18 PM: Found Spy Cookie: about cookie
7:18 PM: owner@about[2].txt (ID = 2037)
7:18 PM: Found Spy Cookie: yieldmanager cookie
7:18 PM: owner@ad.yieldmanager[2].txt (ID = 3751)
7:18 PM: owner@ad.yieldmanager[3].txt (ID = 3751)
7:18 PM: owner@adam.about[1].txt (ID = 2038)
7:18 PM: Found Spy Cookie: adecn cookie
7:18 PM: owner@adecn[1].txt (ID = 2063)
7:18 PM: Found Spy Cookie: adknowledge cookie
7:18 PM: owner@adknowledge[2].txt (ID = 2072)
7:18 PM: owner@adknowledge[3].txt (ID = 2072)
7:18 PM: Found Spy Cookie: adlegend cookie
7:18 PM: owner@adlegend[1].txt (ID = 2074)
7:18 PM: owner@adlegend[2].txt (ID = 2074)
7:18 PM: Found Spy Cookie: hbmediapro cookie
7:18 PM: owner@adopt.hbmediapro[1].txt (ID = 2768)
7:18 PM: owner@adopt.hbmediapro[3].txt (ID = 2768)
7:18 PM: Found Spy Cookie: hotbar cookie
7:18 PM: owner@adopt.hotbar[2].txt (ID = 4207)
7:18 PM: Found Spy Cookie: precisead cookie
7:18 PM: owner@adopt.precisead[2].txt (ID = 3182)
7:18 PM: Found Spy Cookie: specificclick.com cookie
7:18 PM: owner@adopt.specificclick[1].txt (ID = 3400)
7:18 PM: owner@adopt.specificclick[2].txt (ID = 3400)
7:18 PM: Found Spy Cookie: adprofile cookie
7:18 PM: owner@adprofile[2].txt (ID = 2084)
7:18 PM: Found Spy Cookie: cc214142 cookie
7:18 PM: owner@ads.cc214142[2].txt (ID = 2367)
7:18 PM: Found Spy Cookie: adultfriendfinder cookie
7:18 PM: owner@adultfriendfinder[1].txt (ID = 2165)
7:18 PM: Found Spy Cookie: advertising cookie
7:18 PM: owner@advertising[2].txt (ID = 2175)
7:18 PM: Found Spy Cookie: affiliate cookie
7:18 PM: owner@affiliate[2].txt (ID = 2199)
7:18 PM: Found Spy Cookie: atwola cookie
7:18 PM: owner@ar.atwola[1].txt (ID = 2256)
7:18 PM: Found Spy Cookie: falkag cookie
7:18 PM: owner@as-eu.falkag[1].txt (ID = 2650)
7:18 PM: Found Spy Cookie: ask cookie
7:18 PM: owner@ask[1].txt (ID = 2245)
7:18 PM: owner@ask[2].txt (ID = 2245)
7:18 PM: Found Spy Cookie: atlas dmt cookie
7:18 PM: owner@atdmt[2].txt (ID = 2253)
7:18 PM: Found Spy Cookie: belnk cookie
7:18 PM: owner@ath.belnk[2].txt (ID = 2293)
7:18 PM: owner@atwola[1].txt (ID = 2255)
7:18 PM: owner@atwola[2].txt (ID = 2255)
7:18 PM: owner@atwola[3].txt (ID = 2255)
7:18 PM: owner@atwola[4].txt (ID = 2255)
7:18 PM: Found Spy Cookie: azjmp cookie
7:18 PM: owner@azjmp[1].txt (ID = 2270)
7:18 PM: owner@azjmp[2].txt (ID = 2270)
7:18 PM: Found Spy Cookie: a cookie
7:18 PM: owner@a[1].txt (ID = 2027)
7:18 PM: owner@a[2].txt (ID = 2027)
7:18 PM: Found Spy Cookie: searchingbooth cookie
7:18 PM: owner@banners.searchingbooth[1].txt (ID = 3322)
7:18 PM: Found Spy Cookie: banners cookie
7:18 PM: owner@banners[1].txt (ID = 2282)
7:18 PM: Found Spy Cookie: banner cookie
7:18 PM: owner@banner[1].txt (ID = 2276)
7:18 PM: owner@banner[2].txt (ID = 2276)
7:18 PM: owner@belnk[1].txt (ID = 2292)
7:18 PM: owner@belnk[3].txt (ID = 2292)
7:18 PM: Found Spy Cookie: btgrab cookie
7:18 PM: owner@btg.btgrab[1].txt (ID = 2333)
7:18 PM: Found Spy Cookie: burstnet cookie
7:18 PM: owner@burstnet[2].txt (ID = 2336)
7:18 PM: Found Spy Cookie: top-banners cookie
7:18 PM: owner@campaigns.top-banners[1].txt (ID = 3548)
7:18 PM: Found Spy Cookie: casalemedia cookie
7:18 PM: owner@casalemedia[1].txt (ID = 2354)
7:18 PM: Found Spy Cookie: cassava cookie
7:18 PM: owner@cassava[1].txt (ID = 2362)
7:18 PM: Found Spy Cookie: centrport net cookie
7:18 PM: owner@centrport[2].txt (ID = 2374)
7:18 PM: Found Spy Cookie: cliks cookie
7:18 PM: owner@cliks[2].txt (ID = 2414)
7:18 PM: owner@cliks[3].txt (ID = 2414)
7:18 PM: Found Spy Cookie: columbiahouse cookie
7:18 PM: owner@columbiahouse[2].txt (ID = 2443)
7:18 PM: Found Spy Cookie: controlsearch cookie
7:18 PM: owner@controlsearch[1].txt (ID = 2463)
7:18 PM: Found Spy Cookie: tickle cookie
7:18 PM: owner@cookie.tickle[1].txt (ID = 3530)
7:18 PM: Found Spy Cookie: webtrendslive cookie
7:18 PM: owner@dcskj8813erp17fjun7lek17w_1p6b[1].txt (ID = 3675)
7:18 PM: Found Spy Cookie: dianesdes cookie
7:18 PM: owner@dianesdes[1].txt (ID = 2521)
7:18 PM: Found Spy Cookie: directtrack cookie
7:18 PM: owner@directtrack[1].txt (ID = 2527)
7:18 PM: owner@dist.belnk[1].txt (ID = 2293)
7:18 PM: owner@dist.belnk[2].txt (ID = 2293)
7:18 PM: Found Spy Cookie: dlmax cookie
7:18 PM: owner@dlm.dlmax[2].txt (ID = 2532)
7:18 PM: Found Spy Cookie: dutchmen cookie
7:18 PM: owner@Dutchmen[2].txt (ID = 2545)
7:18 PM: owner@eforcemedia.directtrack[2].txt (ID = 2528)
7:18 PM: Found Spy Cookie: exitexchange cookie
7:18 PM: owner@exitexchange[2].txt (ID = 2633)
7:18 PM: Found Spy Cookie: experclick cookie
7:18 PM: owner@experclick[2].txt (ID = 2639)
7:18 PM: Found Spy Cookie: go.com cookie
7:18 PM: owner@familyfun.go[2].txt (ID = 2729)
7:18 PM: Found Spy Cookie: fastclick cookie
7:18 PM: owner@fastclick[2].txt (ID = 2651)
7:18 PM: owner@go[1].txt (ID = 2728)
7:18 PM: Found Spy Cookie: starware.com cookie
7:18 PM: owner@h.starware[2].txt (ID = 3442)
7:18 PM: Found Spy Cookie: clickandtrack cookie
7:18 PM: owner@hits.clickandtrack[1].txt (ID = 2397)
7:18 PM: owner@hits.clickandtrack[2].txt (ID = 2397)
7:18 PM: Found Spy Cookie: homestore cookie
7:18 PM: owner@homestore[2].txt (ID = 2793)
7:18 PM: Found Spy Cookie: hypertracker.com cookie
7:18 PM: owner@hypertracker[2].txt (ID = 2817)
7:18 PM: Found Spy Cookie: screensavers.com cookie
7:18 PM: owner@i.screensavers[1].txt (ID = 3298)
7:18 PM: owner@i.screensavers[2].txt (ID = 3298)
7:18 PM: Found Spy Cookie: ic-live cookie
7:18 PM: owner@ic-live[1].txt (ID = 2821)
7:18 PM: owner@jas.familyfun.go[1].txt (ID = 2729)
7:18 PM: Found Spy Cookie: sb01 cookie
7:18 PM: owner@jp1.sb01[1].txt (ID = 3288)
7:18 PM: Found Spy Cookie: mcverry cookie
7:18 PM: owner@mcverry[1].txt (ID = 2970)
7:18 PM: owner@media.top-banners[1].txt (ID = 3548)
7:18 PM: Found Spy Cookie: metareward.com cookie
7:18 PM: owner@metareward[1].txt (ID = 2990)
7:18 PM: owner@msnportal.112.2o7[1].txt (ID = 1958)
7:18 PM: Found Spy Cookie: nextag cookie
7:18 PM: owner@nextag[1].txt (ID = 5014)
7:18 PM: Found Spy Cookie: offeroptimizer cookie
7:18 PM: owner@offeroptimizer[1].txt (ID = 3087)
7:18 PM: owner@offeroptimizer[2].txt (ID = 3087)
7:18 PM: owner@offeroptimizer[4].txt (ID = 3087)
7:18 PM: Found Spy Cookie: touchclarity cookie
7:18 PM: owner@partypoker.touchclarity[1].txt (ID = 3567)
7:18 PM: Found Spy Cookie: partypoker cookie
7:18 PM: owner@partypoker[1].txt (ID = 3111)
7:18 PM: Found Spy Cookie: paypopup cookie
7:18 PM: owner@paypopup[1].txt (ID = 3119)
7:18 PM: owner@popunder.paypopup[1].txt (ID = 3120)
7:18 PM: Found Spy Cookie: questionmarket cookie
7:18 PM: owner@questionmarket[1].txt (ID = 3217)
7:18 PM: Found Spy Cookie: realmedia cookie
7:18 PM: owner@realmedia[2].txt (ID = 3235)
7:18 PM: Found Spy Cookie: rednova cookie
7:18 PM: owner@rednova[1].txt (ID = 3245)
7:18 PM: owner@register.go[1].txt (ID = 2729)
7:18 PM: Found Spy Cookie: rightmedia cookie
7:18 PM: owner@rightmedia[2].txt (ID = 3259)
7:18 PM: Found Spy Cookie: rn11 cookie
7:18 PM: owner@rn11[2].txt (ID = 3261)
7:18 PM: owner@rn11[3].txt (ID = 3261)
7:18 PM: Found Spy Cookie: urllogic cookie
7:18 PM: owner@s.urllogic[2].txt (ID = 3617)
7:18 PM: Found Spy Cookie: search123 cookie
7:18 PM: owner@search123[2].txt (ID = 3305)
7:18 PM: Found Spy Cookie: servedby advertising cookie
7:18 PM: owner@servedby.advertising[1].txt (ID = 3335)
7:18 PM: Found Spy Cookie: snakeman cookie
7:18 PM: owner@Snakeman[1].txt (ID = 3391)
7:18 PM: owner@spanish.about[1].txt (ID = 2038)
7:18 PM: Found Spy Cookie: spywarestormer cookie
7:18 PM: owner@spywarestormer[1].txt (ID = 3417)
7:18 PM: owner@starware[2].txt (ID = 3441)
7:18 PM: owner@starware[3].txt (ID = 3441)
7:18 PM: Found Spy Cookie: dealtime cookie
7:18 PM: owner@stat.dealtime[2].txt (ID = 2506)
7:18 PM: Found Spy Cookie: statstracking cookie
7:18 PM: owner@stats-tracking[2].txt (ID = 3453)
7:18 PM: Found Spy Cookie: reliablestats cookie
7:18 PM: owner@stats1.reliablestats[1].txt (ID = 3254)
7:18 PM: owner@stats1.reliablestats[3].txt (ID = 3254)
7:18 PM: Found Spy Cookie: stlyrics cookie
7:18 PM: owner@stlyrics[2].txt (ID = 3461)
7:18 PM: Found Spy Cookie: tradedoubler cookie
7:18 PM: owner@tradedoubler[1].txt (ID = 3575)
7:18 PM: Found Spy Cookie: trafficmp cookie
7:18 PM: owner@trafficmp[2].txt (ID = 3581)
7:18 PM: owner@video.movies.go[1].txt (ID = 2729)
7:18 PM: Found Spy Cookie: videodome cookie
7:18 PM: owner@videodome[1].txt (ID = 3638)
7:18 PM: Found Spy Cookie: wizzle cookie
7:18 PM: owner@wizzle[1].txt (ID = 3695)
7:18 PM: Found Spy Cookie: brazilwelcomesyou cookie
7:18 PM: owner@www.brazilwelcomesyou[1].txt (ID = 2325)
7:18 PM: Found Spy Cookie: burstbeacon cookie
7:18 PM: owner@www.burstbeacon[2].txt (ID = 2335)
7:18 PM: Found Spy Cookie: checknfind cookie
7:18 PM: owner@www.checknfind[2].txt (ID = 2379)
7:18 PM: Found Spy Cookie: eadexchange cookie
7:18 PM: owner@www.eadexchange[2].txt (ID = 2556)
7:18 PM: Found Spy Cookie: find-direct cookie
7:18 PM: owner@www.find-direct[2].txt (ID = 2667)
7:18 PM: Found Spy Cookie: letitfind cookie
7:18 PM: owner@www.letitfind[2].txt (ID = 2919)
7:18 PM: Found Spy Cookie: myaffiliateprogram.com cookie
7:18 PM: owner@www.myaffiliateprogram[2].txt (ID = 3032)
7:18 PM: owner@www.screensavers[1].txt (ID = 3298)
7:18 PM: owner@www.starware[1].txt (ID = 3442)
7:18 PM: Found Spy Cookie: thecoolbar cookie
7:18 PM: owner@www.thecoolbar[2].txt (ID = 3522)
7:18 PM: Found Spy Cookie: toprebates.com cookie
7:18 PM: owner@www.toprebates[2].txt (ID = 3562)
7:18 PM: Found Spy Cookie: topseeker cookie
7:18 PM: owner@www.topseeker[1].txt (ID = 3564)
7:18 PM: Found Spy Cookie: winantiviruspro cookie
7:18 PM: owner@www.winantiviruspro[2].txt (ID = 3690)
7:18 PM: owner@www.winantiviruspro[3].txt (ID = 3690)
7:18 PM: Found Spy Cookie: xzoomy cookie
7:18 PM: owner@www.xzoomy[1].txt (ID = 3742)
7:18 PM: Found Spy Cookie: franklinsurveys cookie
7:18 PM: owner@www2.franklinsurveys[1].txt (ID = 2691)
7:18 PM: owner@yieldmanager[2].txt (ID = 3749)
7:18 PM: Cookie Sweep Complete, Elapsed Time: 00:00:05
7:18 PM: Starting File Sweep
7:18 PM: Found Adware: fizzlebar
7:18 PM: c:\program files\fwbartemp (2 subtraces) (ID = -2147468666)
7:18 PM: c:\windows\bundles (8 subtraces) (ID = -2147481535)
7:18 PM: Found Adware: ietoolbar
7:18 PM: c:\program files\mbkwbar (2 subtraces) (ID = -2147480848)
7:18 PM: Found Adware: search3 toolbar
7:18 PM: c:\program files\search3 toolbar (1 subtraces) (ID = -2147480360)
7:18 PM: Found Adware: abcsearch
7:18 PM: c:\documents and settings\all users\application data\msw (7 subtraces) (ID = -2147481510)
7:18 PM: Found Adware: shopathomeselect
7:18 PM: temp.frc10c (ID = 164522)
7:18 PM: appwrap[1].exe (ID = 65722)
7:18 PM: toc_0032.exe (ID = 48357)
7:18 PM: bw2.com (ID = 65722)
7:18 PM: Found Adware: directrevenue-abetterinternet
7:18 PM: aurareco.exe (ID = 83135)
7:18 PM: toc_0035[1].exe (ID = 48357)
7:18 PM: toc_0035.exe (ID = 48357)
7:18 PM: 8cm6uf0h.dat (ID = 159521)
7:18 PM: Found Trojan Horse: alwaysupdatednews
7:18 PM: aun_0001[1].exe (ID = 49884)
7:19 PM: mbkwnst.cab (ID = 63429)
7:19 PM: ysbactivex.dll (ID = 91027)
7:19 PM: vnpodbc.dll (ID = 154598)
7:19 PM: Found Trojan Horse: trojan-downloader-pacisoft
7:19 PM: pcs_0006[1].exe (ID = 71760)
7:19 PM: aun_0018[1].exe (ID = 49884)
7:19 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:19 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:19 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:19 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:19 PM: Found Adware: ieplugin
7:19 PM: enhupdt.exe (ID = 63349)
7:19 PM: toc_0032.exe (ID = 48357)
7:19 PM: dlmax.cab (ID = 83262)
7:19 PM: toc_0035.exe (ID = 48357)
7:19 PM: dlmax.dll (ID = 83265)
7:19 PM: toc_0035[1].exe (ID = 48357)
7:19 PM: toc_0032.exe (ID = 48357)
7:19 PM: aun_0001[1].exe (ID = 49884)
7:19 PM: aurareco.exe (ID = 83135)
7:19 PM: tlext.dll (ID = 93700)
7:19 PM: ugat.dll (ID = 93700)
7:19 PM: upgrade.exe (ID = 75963)
7:19 PM: enhupdt.exe (ID = 63349)
7:19 PM: aurareco.exe (ID = 83135)
7:19 PM: aurareco.exe (ID = 83135)
7:19 PM: aurareco.exe (ID = 83135)
7:19 PM: ysbactivex.dll (ID = 91017)
7:19 PM: Found Adware: dealhelper
7:19 PM: zibjtpu2.xml (ID = 57651)
7:19 PM: aun_0001[1].exe (ID = 49884)
7:20 PM: enhtb.exe (ID = 63347)
7:20 PM: aurareco.exe (ID = 83135)
7:20 PM: aun_0029[1].exe (ID = 49884)
7:20 PM: searchbar.exe (ID = 61060)
7:20 PM: mbkwnst.cab (ID = 63429)
7:20 PM: aurareco.exe (ID = 83135)
7:20 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:20 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:20 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:20 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:20 PM: Found Adware: apropos
7:20 PM: aproposclientinstaller[1].exe (ID = 50020)
7:20 PM: aurareco.exe (ID = 83135)
7:20 PM: aurareco.exe (ID = 83135)
7:20 PM: Found Adware: my daily horoscope
7:20 PM: setup_silent_26221.exe (ID = 70252)
7:20 PM: aurareco.exe (ID = 83135)
7:20 PM: aurareco.exe (ID = 83135)
7:20 PM: inst28[1].exe (ID = 49893)
7:20 PM: Found Adware: searchforit
7:20 PM: ven_d1.exe (ID = 75081)
7:21 PM: bsfi1001.exe (ID = 164522)
7:21 PM: wmplayer.exe.tmp (ID = 49893)
7:21 PM: msw.exe (ID = 48566)
7:21 PM: msw_uninstall.exe (ID = 48573)
7:21 PM: aun_0029[1].exe (ID = 49884)
7:21 PM: aproposclientinstaller[1].exe (ID = 50020)
7:21 PM: aurareco.exe (ID = 83135)
7:21 PM: enhupdt.exe (ID = 63349)
7:21 PM: pcs_0006[1].exe (ID = 71760)
7:21 PM: track6[1].chm (ID = 71766)
7:21 PM: aun_0018[1].exe (ID = 49884)
7:21 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:21 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:21 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:21 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:22 PM: zibjtpk2.xml (ID = 57648)
7:22 PM: appwrap[1].exe (ID = 65739)
7:22 PM: uqandlg.dll (ID = 154598)
7:22 PM: icont.exe (ID = 65739)
7:22 PM: kl68g2p1.dat (ID = 159521)
7:22 PM: Found Adware: bookedspace
7:22 PM: eijbhnzc.exe (ID = 51662)
7:22 PM: aun_0001.exe (ID = 49884)
7:22 PM: enhupdt.exe (ID = 63349)
7:22 PM: inst12[1].exe (ID = 49891)
7:22 PM: zibjtpk.xml (ID = 57646)
7:22 PM: zibjtpk1.xml (ID = 57647)
7:22 PM: i7c228of.dat (ID = 75949)
7:22 PM: ca2.dll (ID = 94667)
7:22 PM: sfi2.dll (ID = 112321)
7:22 PM: mbkwnst.cab (ID = 63429)
7:22 PM: Found Adware: isearch toolbar
7:22 PM: cmdinst.exe (ID = 154747)
7:22 PM: jt2m07f1e.dll (ID = 154598)
7:22 PM: installer.exe (ID = 93698)
7:22 PM: Found Adware: 180search assistant/zango
7:22 PM: res422.tmp (ID = 107353)
7:22 PM: upd209.exe (ID = 153729)
7:22 PM: zibjtpu1.xml (ID = 57650)
7:22 PM: BHO Shield: found: ddccy.dll-- BHO installation denied at user request
7:23 PM: BHO Shield: found: ddccy.dll-- BHO installation denied at user request
7:23 PM: t8uafh8t.dat (ID = 75949)
7:23 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:23 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:23 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:23 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:23 PM: BHO Shield: found: ddccy.dll-- BHO installation denied at user request
7:23 PM: BHO Shield: found: ddccy.dll-- BHO installation denied at user request
7:23 PM: BHO Shield: found: ddccy.dll-- BHO installation denied at user request
7:23 PM: BHO Shield: found: ddccy.dll-- BHO installation denied at user request
7:23 PM: BHO Shield: found: ddccy.dll-- BHO installation denied at user request
7:23 PM: BHO Shield: found: ddccy.dll-- BHO installation denied at user request
7:23 PM: inst28[1].exe (ID = 49893)
7:23 PM: BHO Shield: found: ddccy.dll-- BHO installation denied at user request
7:23 PM: BHO Shield: found: ddccy.dll-- BHO installation denied at user request
7:23 PM: BHO Shield: found: ddccy.dll-- BHO installation denied at user request
7:23 PM: enhtb.dll (ID = 63346)
7:23 PM: ietoolbar.dll (ID = 63423)
7:23 PM: search3.dll (ID = 74840)
7:23 PM: BHO Shield: found: ddccy.dll-- BHO installation denied at user request
7:23 PM: mbkwbar.exe (ID = 63427)
7:23 PM: bman.exe (ID = 48559)
7:23 PM: toc_0035.exe (ID = 48357)
7:23 PM: enhuninstall.exe (ID = 63348)
7:24 PM: BHO Shield: found: ddccy.dll-- BHO installation denied at user request
7:24 PM: BHO Shield: found: ddccy.dll-- BHO installation denied at user request
7:24 PM: cohelper.exe (ID = 61054)
7:24 PM: BHO Shield: found: ddccy.dll-- BHO installation denied at user request
7:24 PM: doprpres.dll (ID = 154598)
7:24 PM: BHO Shield: found: ddccy.dll-- BHO installation denied at user request
7:24 PM: BHO Shield: found: ddccy.dll-- BHO installation denied at user request
7:24 PM: BHO Shield: found: ddccy.dll-- BHO installation denied at user request
7:24 PM: BHO Shield: found: ddccy.dll-- BHO installation denied at user request
7:24 PM: BHO Shield: found: ddccy.dll-- BHO installation denied at user request
7:24 PM: track6[1].chm (ID = 71766)
7:24 PM: BHO Shield: found: ddccy.dll-- BHO installation denied at user request
7:24 PM: BHO Shield: found: ddccy.dll-- BHO installation denied at user request
7:24 PM: BHO Shield: found: ddccy.dll-- BHO installation denied at user request
7:24 PM: BHO Shield: found: ddccy.dll-- BHO installation denied at user request
7:24 PM: BHO Shield: found: ddccy.dll-- BHO installation denied at user request
7:24 PM: BHO Shield: found: ddccy.dll-- BHO installation denied at user request
7:24 PM: BHO Shield: found: ddccy.dll-- BHO installation denied at user request
7:24 PM: BHO Shield: found: ddccy.dll-- BHO installation denied at user request
7:24 PM: BHO Shield: found: ddccy.dll-- BHO installation allowed at user request
7:24 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:24 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:24 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:24 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:24 PM: zibjtpu.xml (ID = 57649)
7:24 PM: sjlsrv32.dll (ID = 154598)
7:25 PM: Found Adware: internetoptimizer
7:25 PM: cfin (ID = 64026)
7:25 PM: Found Adware: powerscan
7:25 PM: power scan.lnk (ID = 72676)
7:25 PM: inst12[1].exe (ID = 49891)
7:25 PM: cfout.txt (ID = 64027)
7:25 PM: track6[1].chm (ID = 71766)
7:25 PM: runsearch.exe (ID = 74842)
7:25 PM: aproposclientinstaller[1].exe (ID = 50020)
7:25 PM: Found Adware: ezula ilookup
7:25 PM: vl_ezstub.exe (ID = 60659)
7:26 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:26 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:26 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:26 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:26 PM: Found Adware: websearch toolbar
7:26 PM: tbuninst.exe (ID = 85854)
7:26 PM: lsp_setup.exe (ID = 75818)
7:26 PM: inst28[1].exe (ID = 49893)
7:26 PM: Found Adware: ipinsight
7:26 PM: conscorr.ini (ID = 64264)
7:26 PM: dlmax.inf (ID = 83267)
7:26 PM: fellymedia1002.sah (ID = 75733)
7:26 PM: conscorr.inf (ID = 64277)
7:26 PM: wininit.ini (ID = 63389)
7:26 PM: conscorr.inf (ID = 64277)
7:26 PM: zibjtpdk.xml (ID = 57645)
7:26 PM: conscorr.ini (ID = 64264)
7:26 PM: conscorr.ini (ID = 64264)
7:26 PM: h63v2629j_.ini (ID = 75785)
7:26 PM: conscorr.inf (ID = 64277)
7:26 PM: dlmax.inf (ID = 83267)
7:26 PM: uu1en13ec_.ini (ID = 75964)
7:26 PM: setup4003.ini (ID = 75708)
7:26 PM: fellymedia1002.sah (ID = 75733)
7:26 PM: dlmax.inf (ID = 83267)
7:26 PM: fellymedia1002.sah (ID = 75733)
7:26 PM: dlmax.inf (ID = 83267)
7:26 PM: conscorr.inf (ID = 64277)
7:27 PM: File Sweep Complete, Elapsed Time: 00:08:52
7:27 PM: Full Sweep has completed. Elapsed time 00:13:20
7:27 PM: Traces Found: 361
7:27 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:27 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
7:27 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:27 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
7:27 PM: Removal process initiated
7:27 PM: Quarantining All Traces: 180search assistant/zango
7:27 PM: Quarantining All Traces: 2nd-thought
7:27 PM: Quarantining All Traces: directrevenue-abetterinternet
7:28 PM: Quarantining All Traces: icannnews
7:28 PM: icannnews is in use. It will be removed on reboot.
7:28 PM: C:\WINDOWS\system32\guard.tmp is in use. It will be removed on reboot.
7:28 PM: C:\WINDOWS\system32\kt48l7hu1.dll is in use. It will be removed on reboot.
7:28 PM: C:\WINDOWS\system32\cxyptui.dll is in use. It will be removed on reboot.
7:28 PM: Quarantining All Traces: look2me
7:28 PM: Quarantining All Traces: virtumonde
7:28 PM: virtumonde is in use. It will be removed on reboot.
7:28 PM: C:\WINDOWS\system32\ddccy.dll is in use. It will be removed on reboot.
7:28 PM: Quarantining All Traces: websearch toolbar
7:28 PM: Quarantining All Traces: alwaysupdatednews
7:28 PM: Quarantining All Traces: apropos
7:28 PM: Quarantining All Traces: internetoptimizer
7:28 PM: Quarantining All Traces: searchforit
7:28 PM: Quarantining All Traces: trojan-downloader-pacisoft
7:28 PM: Quarantining All Traces: abcsearch
7:28 PM: Quarantining All Traces: bookedspace
7:28 PM: Quarantining All Traces: dealhelper
7:28 PM: Quarantining All Traces: ezula ilookup
7:28 PM: ezula ilookup is in use. It will be removed on reboot.
7:28 PM: vl_ezstub.exe is in use. It will be removed on reboot.
7:28 PM: Quarantining All Traces: fizzlebar
7:28 PM: Quarantining All Traces: ieplugin
7:28 PM: Quarantining All Traces: ietoolbar
7:28 PM: Quarantining All Traces: ipinsight
7:28 PM: Quarantining All Traces: isearch toolbar
7:28 PM: Quarantining All Traces: ist yoursitebar
7:28 PM: Quarantining All Traces: my daily horoscope
7:28 PM: my daily horoscope is in use. It will be removed on reboot.
7:28 PM: setup_silent_26221.exe is in use. It will be removed on reboot.
7:28 PM: Quarantining All Traces: powerscan
7:28 PM: Quarantining All Traces: search3 toolbar
7:28 PM: search3 toolbar is in use. It will be removed on reboot.
7:28 PM: runsearch.exe is in use. It will be removed on reboot.
7:28 PM: Quarantining All Traces: shopathomeselect
7:28 PM: Quarantining All Traces: 10101 cookie
7:28 PM: Quarantining All Traces: 10102 cookie
7:28 PM: Quarantining All Traces: 10105 cookie
7:28 PM: Quarantining All Traces: 2o7.net cookie
7:28 PM: Quarantining All Traces: 3 cookie
7:28 PM: Quarantining All Traces: 365 cookie
7:28 PM: Quarantining All Traces: 382 cookie
7:28 PM: Quarantining All Traces: 412 cookie
7:28 PM: Quarantining All Traces: 5 cookie
7:28 PM: Quarantining All Traces: 64.62.232 cookie
7:28 PM: Quarantining All Traces: 69.28.210 cookie
7:28 PM: Quarantining All Traces: 735 cookie
7:28 PM: Quarantining All Traces: 80503492 cookie
7:28 PM: Quarantining All Traces: 888 cookie
7:28 PM: Quarantining All Traces: a cookie
7:28 PM: Quarantining All Traces: abetterinternet cookie
7:28 PM: Quarantining All Traces: about cookie
7:28 PM: Quarantining All Traces: adecn cookie
7:28 PM: Quarantining All Traces: adknowledge cookie
7:28 PM: Quarantining All Traces: adlegend cookie
7:28 PM: Quarantining All Traces: adprofile cookie
7:28 PM: Quarantining All Traces: adultfriendfinder cookie
7:28 PM: Quarantining All Traces: advertising cookie
7:28 PM: Quarantining All Traces: affiliate cookie
7:28 PM: Quarantining All Traces: ask cookie
7:28 PM: Quarantining All Traces: atlas dmt cookie
7:28 PM: Quarantining All Traces: atwola cookie
7:28 PM: Quarantining All Traces: azjmp cookie
7:28 PM: Quarantining All Traces: banner cookie
7:28 PM: Quarantining All Traces: banners cookie
7:28 PM: Quarantining All Traces: belnk cookie
7:28 PM: Quarantining All Traces: brazilwelcomesyou cookie
7:28 PM: Quarantining All Traces: btgrab cookie
7:28 PM: Quarantining All Traces: burstbeacon cookie
7:28 PM: Quarantining All Traces: burstnet cookie
7:28 PM: Quarantining All Traces: casalemedia cookie
7:28 PM: Quarantining All Traces: cassava cookie
7:28 PM: Quarantining All Traces: cc214142 cookie
7:28 PM: Quarantining All Traces: centrport net cookie
7:28 PM: Quarantining All Traces: checknfind cookie
7:28 PM: Quarantining All Traces: clickandtrack cookie
7:28 PM: Quarantining All Traces: cliks cookie
7:28 PM: Quarantining All Traces: columbiahouse cookie
7:28 PM: Quarantining All Traces: controlsearch cookie
7:28 PM: Quarantining All Traces: dealtime cookie
7:28 PM: Quarantining All Traces: dianesdes cookie
7:28 PM: Quarantining All Traces: directtrack cookie
7:28 PM: Quarantining All Traces: dlmax cookie
7:28 PM: Quarantining All Traces: dutchmen cookie
7:28 PM: Quarantining All Traces: eadexchange cookie
7:28 PM: Quarantining All Traces: exitexchange cookie
7:28 PM: Quarantining All Traces: experclick cookie
7:28 PM: Quarantining All Traces: falkag cookie
7:28 PM: Quarantining All Traces: fastclick cookie
7:28 PM: Quarantining All Traces: find-direct cookie
7:28 PM: Quarantining All Traces: franklinsurveys cookie
7:28 PM: Quarantining All Traces: go.com cookie
7:28 PM: Quarantining All Traces: hbmediapro cookie
7:28 PM: Quarantining All Traces: homestore cookie
7:28 PM: Quarantining All Traces: hotbar cookie
7:28 PM: Quarantining All Traces: hypertracker.com cookie
7:28 PM: Quarantining All Traces: ic-live cookie
7:28 PM: Quarantining All Traces: letitfind cookie
7:28 PM: Quarantining All Traces: mcverry cookie
7:28 PM: Quarantining All Traces: metareward.com cookie
7:28 PM: Quarantining All Traces: myaffiliateprogram.com cookie
7:28 PM: Quarantining All Traces: nextag cookie
7:28 PM: Quarantining All Traces: offeroptimizer cookie
7:28 PM: Quarantining All Traces: partypoker cookie
7:28 PM: Quarantining All Traces: paypopup cookie
7:28 PM: Quarantining All Traces: precisead cookie
7:28 PM: Quarantining All Traces: primaryads cookie
7:28 PM: Quarantining All Traces: questionmarket cookie
7:28 PM: Quarantining All Traces: realmedia cookie
7:28 PM: Quarantining All Traces: rednova cookie
7:28 PM: Quarantining All Traces: reliablestats cookie
7:28 PM: Quarantining All Traces: rightmedia cookie
7:28 PM: Quarantining All Traces: rn11 cookie
7:28 PM: Quarantining All Traces: sb01 cookie
7:28 PM: Quarantining All Traces: screensavers.com cookie
7:28 PM: Quarantining All Traces: search123 cookie
7:28 PM: Quarantining All Traces: searchingbooth cookie
7:28 PM: Quarantining All Traces: servedby advertising cookie
7:28 PM: Quarantining All Traces: snakeman cookie
7:28 PM: Quarantining All Traces: specificclick.com cookie
7:28 PM: Quarantining All Traces: spywarestormer cookie
7:28 PM: Quarantining All Traces: starware.com cookie
7:28 PM: Quarantining All Traces: statstracking cookie
7:28 PM: Quarantining All Traces: stlyrics cookie
7:28 PM: Quarantining All Traces: thecoolbar cookie
7:28 PM: Quarantining All Traces: tickle cookie
7:28 PM: Quarantining All Traces: top-banners cookie
7:28 PM: Quarantining All Traces: toprebates.com cookie
7:28 PM: Quarantining All Traces: topseeker cookie
7:28 PM: Quarantining All Traces: touchclarity cookie
7:28 PM: Quarantining All Traces: tradedoubler cookie
7:28 PM: Quarantining All Traces: trafficmp cookie
7:28 PM: Quarantining All Traces: urllogic cookie
7:28 PM: Quarantining All Traces: videodome cookie
7:28 PM: Quarantining All Traces: websponsors cookie
7:28 PM: Quarantining All Traces: webtrendslive cookie
7:28 PM: Quarantining All Traces: winantiviruspro cookie
7:28 PM: Quarantining All Traces: wizzle cookie
7:28 PM: Quarantining All Traces: xzoomy cookie
7:28 PM: Quarantining All Traces: yieldmanager cookie
7:29 PM: Removal process completed. Elapsed time 00:01:42
********
7:13 PM: | Start of Session, Thursday, November 10, 2005 |
7:13 PM: Spy Sweeper started
7:13 PM: Your spyware definitions have been updated.
7:13 PM: | End of Session, Thursday, November 10, 2005 |

Logfile of HijackThis v1.99.1
Scan saved at 7:34:07 PM, on 11/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\LTMSG.exe
C:\progra~1\scansoft\paperp~1\pptd40nt.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Common Files\AOL\1131425274\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1131425274\ee\AOLServiceHost.exe
c:\program files\common files\aol\1131425274\ee\services\antiSpywareApp\ver2_0_7\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\1131425274\ee\AOLServiceHost.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\Common Files\Aol\aoltpspd.exe
C:\Documents and Settings\Owner\Desktop\Fixs\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus10.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://broadband.zoo...n.com/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus10.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus10.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [PaperPort PTD] c:\progra~1\scansoft\paperp~1\pptd40nt.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1131425274\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} (AOL Content Update) - http://esupport.aol....oach_core_1.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} - http://hoylegames.si...cherControl.cab
O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - http://www.disney.go...GameManager.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: BrSplService (Brother XP spl Service) - Unknown owner - C:\WINDOWS\system32\brsvc01a.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

#10 Micah_6:8

Evilware Emancipator

Authentic Member
10,060 posts

Interests:Web (Perl, PHP, JavaScript, HTML) programming, CNC programming, Squashing spyware!

Posted 10 November 2005 - 06:44 PM

Looks good!!! :thumbup:

GOD bless you!!!

M68

Items you may wish to consider to harden your defenses against future infections:

Read "How did I get infected in the first place?"

Download/install IE-Spyad

IE-Spyad puts over 4000 known malicious web sites into IE's "restricted zone" to help prevent you from getting infected.

Check your browser settings at Qualsys.com

A series of "tests" (and suggested fixes) to help tweak IE's settings to help prevent infections when surfing the web.

Follow safe Internet practices:

1. Keep your virus definitions up to date, and scan your system regularly.

2. Don't open email, or download attachments from unrecognized email addresses.

3. Be careful when downloading email attachments, EVEN FROM PEOPLE YOU KNOW! Many virii, worms, and trojans infect a persons system then immeadiately spread themselves to the people in the infected persons addressbook via email attachments.

4. Be careful downloading files from the Internet. Scan all downloaded files with a reliable UP-TO-DATE antivirus program. Scan "zip" files BEFORE unzipping, and scan all unzipped files BEFORE USING THEM.

5. Keep your Windows and IE current with all the latest patches and updates.

#11 Micah_6:8

Evilware Emancipator

Authentic Member
10,060 posts

Interests:Web (Perl, PHP, JavaScript, HTML) programming, CNC programming, Squashing spyware!

Posted 26 November 2005 - 09:33 AM

This topic is now closed.

If you need this topic reopened, please request this by sending an email to us at the following link
(Click for address)
Include your post user name and detail why you need it reopened with a valid link to your post.
Any bad links or emails that are not from the original poster will be deleted without response.
Any emails without the subject "Reopen" will be deleted without being looked at.

If this is not your thread please start a New Topic.

Body Background

skin color theme