pritam79

49 Posts

2066

July 9th, 2007 22:00

Pop Ups windows

I am having irritating pop ups all the time. Can any one help?

Thanks beforehand. Log is attached below.

-Pritam

Logfile of HijackThis v1.99.1
Scan saved at 6:39:53 PM, on 7/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\System32\lkcitdl.exe
C:\WINDOWS\System32\lkads.exe
C:\WINDOWS\System32\lktsrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\niSvcLoc.exe
C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
C:\Program Files\CIC\Sign-it Server\siservice.exe
C:\WINDOWS\System32\svchost.exe
C:\ABAQUS\Documentation\monitor.exe
C:\ABAQUS\Documentation\monitor.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SystemMechanic\SMSystemAnalyzer.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\PROGRA~1\DOBE~1\alg.exe
C:\Documents and Settings\SOLAB\Application Data\S?mantec\j?vaw.exe
C:\Program Files\WinPop\winpop.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: (no name) - {323B4FDB-816B-F1BA-1A67-828DCD26879C} - C:\WINDOWS\system32\fpxz.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [ioloDelayModule] C:\Program Files\SystemMechanic\delay.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [SMSystemAnalyzer] "C:\Program Files\SystemMechanic\SMSystemAnalyzer.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Aida] "C:\PROGRA~1\DOBE~1\alg.exe" -vt yazb
O4 - HKCU\..\Run: [Jgohgkqw] "C:\Documents and Settings\SOLAB\Application Data\S?mantec\j?vaw.exe"
O4 - HKCU\..\Run: [WinPop] C:\Program Files\WinPop\winpop.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {14D78FEB-AB3D-45CE-BE5E-73DAB5436DBC} (RdAsmIocCtrl Class) - http://immail.rediff.com/MLing/ActiveX/rdasmioc.cab
O16 - DPF: {32C11E38-E587-4BE9-9ABB-D69158C21CE5} (Moonlight MPEG-4 Video Decoder) - http://66.193.180.23/activex/decoder/mpeg4_dec.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {427273CC-764E-11D3-823D-006097F90453} (Pixami Image Editor Control) - http://www.photoworks.com/pixami/BPImageEditor.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,16/mcgdmgr.cab
O16 - DPF: {C915801D-6F00-49CD-8A9A-8DE5C11ADDC1} (Pixami Drag/Drop Upload UI Control) - http://www.photoworks.com/pixami/DragDropUploader.cab
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - http://66.193.180.23/activex/AMC.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1674CD67-BC3D-4BD9-9E99-7F3C9458A77F}: NameServer = 66.193.180.2,66.193.180.3
O17 - HKLM\System\CS1\Services\Tcpip\..\{1674CD67-BC3D-4BD9-9E99-7F3C9458A77F}: NameServer = 66.193.180.2,66.193.180.3
O17 - HKLM\System\CS2\Services\Tcpip\..\{1674CD67-BC3D-4BD9-9E99-7F3C9458A77F}: NameServer = 66.193.180.2,66.193.180.3
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - C:\WINDOWS\System32\lkcitdl.exe
O23 - Service: Lookout Classified Ads (LkClassAds) - National Instruments, Inc. - C:\WINDOWS\System32\lkads.exe
O23 - Service: Lookout Time Synchronization (LkTimeSync) - National Instruments, Inc. - C:\WINDOWS\System32\lktsrv.exe
O23 - Service: NILM License manager - Macrovision Corporation - C:\Program Files\National Instruments\Shared\License Manager\Bin\lmgrd.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments - C:\WINDOWS\System32\niSvcLoc.exe
O23 - Service: MaxSyncService (NTService1) - - C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
O23 - Service: Sign-it Server (SignIt) - Communication Intelligence Corp. - C:\Program Files\CIC\Sign-it Server\siservice.exe
O23 - Service: Texis Monitor - Expansion Programs International, Inc. - C:\ABAQUS\Documentation\monitor.exe

Responses(32)

Bugbatter

20.5K Posts

July 10th, 2007 02:00

It looks like you have a couple of issues there.

What type of anti-virus protection are you using?

Please download Combofix from here: http://download.bleepingcomputer.com/sUBs/combofix.exe
Or
http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
** Take note that the links are case sensitive

Save ComboFix to the desktop.

1. Double click on combo.exe & follow the prompts.
2. When finished, it will produce a logfile located at C:\ComboFix.txt.
3. Post the contents of that log in your next reply with a new HijackThis log.

Note:
Do not mouseclick Combofix's window while it is running. That may cause your system to stall/hang.
Do not proceed with the rest of the fix if you fail to run combofix.

pritam79

49 Posts

July 13th, 2007 02:00

Hijackthis log:

Hijack this log:

Logfile of HijackThis v1.99.1
Scan saved at 10:48:43 PM, on 7/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\System32\lkcitdl.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\lkads.exe
C:\WINDOWS\System32\lktsrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\niSvcLoc.exe
C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
C:\Program Files\CIC\Sign-it Server\siservice.exe
C:\WINDOWS\System32\svchost.exe
C:\ABAQUS\Documentation\monitor.exe
C:\ABAQUS\Documentation\monitor.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\WINDOWS\system32\LVComsX.exe
C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\poolsv.exe
C:\WINDOWS\svhost.exe
C:\WINDOWS\retadpu77.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\WinAntiSpyware 2007\was7.exe
C:\Program Files\Common Files\WinAntiSpyware 2007\uwas7cw.exe
C:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SystemMechanic\SMSystemAnalyzer.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\SSTEM~1\lsass.exe
C:\WINDOWS\?ppPatch\n?lookup.exe
C:\Documents and Settings\SOLAB\Application Data\WinTouch\WinTouch.exe
C:\Documents and Settings\SOLAB\Application Data\Microsoft\Windows\rayiou.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\retadpu77.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [ioloDelayModule] C:\Program Files\SystemMechanic\delay.exe
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [poolsv] "C:\WINDOWS\poolsv.exe"
O4 - HKLM\..\Run: [svhost] "C:\WINDOWS\svhost.exe"
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu77.exe 61A847B5BBF72815358B2B27128065E9C084320161C4661227A755E9C2933154389A
O4 - HKLM\..\Run: [WinAntiSpyware 2007 Free] "C:\Program Files\WinAntiSpyware 2007\was7.exe" /min
O4 - HKLM\..\Run: [uwas7cw] "C:\Program Files\Common Files\WinAntiSpyware 2007\uwas7cw.exe" -c
O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [SMSystemAnalyzer] "C:\Program Files\SystemMechanic\SMSystemAnalyzer.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Jgohgkqw] "C:\Documents and Settings\SOLAB\Application Data\S?mantec\j?vaw.exe"
O4 - HKCU\..\Run: [Aida] "C:\WINDOWS\SSTEM~1\lsass.exe" -vt yazb
O4 - HKCU\..\Run: [Lbrqu] C:\WINDOWS\?ppPatch\n?lookup.exe
O4 - HKCU\..\Run: [WinTouch] C:\Documents and Settings\SOLAB\Application Data\WinTouch\WinTouch.exe
O4 - HKCU\..\Run: [SfKg6w] C:\Documents and Settings\SOLAB\Application Data\Microsoft\Windows\rayiou.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {14D78FEB-AB3D-45CE-BE5E-73DAB5436DBC} (RdAsmIocCtrl Class) - http://immail.rediff.com/MLing/ActiveX/rdasmioc.cab
O16 - DPF: {32C11E38-E587-4BE9-9ABB-D69158C21CE5} (Moonlight MPEG-4 Video Decoder) - http://66.193.180.23/activex/decoder/mpeg4_dec.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {427273CC-764E-11D3-823D-006097F90453} (Pixami Image Editor Control) - http://www.photoworks.com/pixami/BPImageEditor.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,16/mcgdmgr.cab
O16 - DPF: {C915801D-6F00-49CD-8A9A-8DE5C11ADDC1} (Pixami Drag/Drop Upload UI Control) - http://www.photoworks.com/pixami/DragDropUploader.cab
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - http://66.193.180.23/activex/AMC.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1674CD67-BC3D-4BD9-9E99-7F3C9458A77F}: NameServer = 66.193.180.2,66.193.180.3
O17 - HKLM\System\CS1\Services\Tcpip\..\{1674CD67-BC3D-4BD9-9E99-7F3C9458A77F}: NameServer = 66.193.180.2,66.193.180.3
O17 - HKLM\System\CS2\Services\Tcpip\..\{1674CD67-BC3D-4BD9-9E99-7F3C9458A77F}: NameServer = 66.193.180.2,66.193.180.3
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - C:\WINDOWS\System32\lkcitdl.exe
O23 - Service: Lookout Classified Ads (LkClassAds) - National Instruments, Inc. - C:\WINDOWS\System32\lkads.exe
O23 - Service: Lookout Time Synchronization (LkTimeSync) - National Instruments, Inc. - C:\WINDOWS\System32\lktsrv.exe
O23 - Service: NILM License manager - Macrovision Corporation - C:\Program Files\National Instruments\Shared\License Manager\Bin\lmgrd.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments - C:\WINDOWS\System32\niSvcLoc.exe
O23 - Service: MaxSyncService (NTService1) - - C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
O23 - Service: Sign-it Server (SignIt) - Communication Intelligence Corp. - C:\Program Files\CIC\Sign-it Server\siservice.exe
O23 - Service: Texis Monitor - Expansion Programs International, Inc. - C:\ABAQUS\Documentation\monitor.exe

pritam79

49 Posts

July 13th, 2007 02:00

Hi bugbatter,

I am having the problem of continuous WinAntiSpyware Alert Popup window popping up with a orange icon on the bottom right tool bar. I am attaching the combofix log as you had suggested. I am also seperately attaching you the hijackthis log. Please note that there is one day differnece between when the logs were created.

Thanks for all your help,

"SOLAB" - 2007-07-10 23:04:19 - ComboFix 07-07-10.1 - Service Pack 2

(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINDOWS\system32\efccbbx.dll
C:\WINDOWS\system32\hgged.dll
C:\WINDOWS\system32\upqmmvnd.dll
C:\WINDOWS\system32\eoeicyxa.exe
C:\WINDOWS\system32\lipcnfcd.exe
C:\WINDOWS\system32\wvutttu.dll
C:\WINDOWS\SYSTEM32\qpsru.bak1
C:\WINDOWS\SYSTEM32\qpsru.bak2
C:\WINDOWS\SYSTEM32\qpsru.ini
C:\WINDOWS\SYSTEM32\deggh.ini
C:\WINDOWS\SYSTEM32\dnvmmqpu.ini
C:\WINDOWS\system32\urspq.dll
C:\WINDOWS\system32\hggdaaa.dll

* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\DOCUME~1\SOLAB\APPLIC~1.\macromedia\Flash Player\#SharedObjects\J9L9CFBW\www.broadcaster.com
C:\DOCUME~1\SOLAB\APPLIC~1.\macromedia\Flash Player\#SharedObjects\J9L9CFBW\www.broadcaster.com\played_list.sol
C:\DOCUME~1\SOLAB\APPLIC~1.\macromedia\Flash Player\#SharedObjects\J9L9CFBW\www.broadcaster.com\video_queue.sol
C:\DOCUME~1\SOLAB\APPLIC~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\DOCUME~1\SOLAB\APPLIC~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\DOCUME~1\SOLAB\APPLIC~1.\smante~1
C:\DOCUME~1\SOLAB\APPLIC~1.\smante~1\j?vaw.exe
C:\DOCUME~1\SOLAB\MYDOCU~1.\sks~1
C:\Program Files\Common Files\Yazzle1281OinAdmin.exe
C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
C:\Program Files\Common Files\Yazzle1552OinAdmin.exe
C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe
C:\Program Files\dobe~1
C:\Program Files\dobe~1\alg.exe
C:\Program Files\inetget2
C:\Program Files\inetget2\install.exe
C:\Program Files\MSN Gaming Zone\mevo83122.dll
C:\Program Files\network monitor
C:\Program Files\network monitor\netmon.exe
C:\Program Files\outerinfo
C:\Program Files\outerinfo\OinUninstall.exe
C:\Program Files\outerinfo\OiUninstaller.exe
C:\Program Files\outerinfo\Outerinfo.dll
C:\Program Files\outerinfo\Outerinfo.exe
C:\Program Files\outerinfo\outerinfo.ico
C:\Program Files\outerinfo\OuterinfoUpdate.exe
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\Windows NT\quhabe.dll
C:\Program Files\winpop
C:\Program Files\winpop\UnInstall.exe
C:\Program Files\winpop\winpop.exe
C:\temp\0b9
C:\temp\0b9\tmpTF.log
C:\temp\iee
C:\temp\iee\tmpZTF.log
C:\temp\tn3
C:\WINDOWS\b122.exe
C:\WINDOWS\b136.exe
C:\WINDOWS\retadpu1000106.exe
C:\WINDOWS\retadpu2000219.exe
C:\WINDOWS\system32\_000008_.tmp.dll
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\core.sys
C:\WINDOWS\system32\drivers\fad.sys
C:\WINDOWS\system32\jnrxl.dll
C:\WINDOWS\system32\o02PrEz
C:\WINDOWS\system32\o02PrEz\o02PrEz1065.exe
C:\WINDOWS\system32\win
C:\WINDOWS\system32\wnstsitr.exe
C:\WINDOWS\U09MQUI\asappsrv.dll
C:\WINDOWS\U09MQUI\command.exe
C:\WINDOWS\wr.txt

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

-------\LEGACY_CMDSERVICE
-------\LEGACY_CORE
-------\LEGACY_NETWORK_MONITOR
-------\cmdService
-------\core
-------\Network Monitor
-------\nm

((((((((((((((((((((((((( Files Created from 2007-06-11 to 2007-07-11 )))))))))))))))))))))))))))))))

2007-07-10 23:25 d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Google
2007-07-10 23:18 32,177 ---hs---- C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe
2007-07-10 23:13 687,592 --a------ C:\WINDOWS\SYSTEM32\atmtd.dll
2007-07-10 23:13 1,989 --a------ C:\WINDOWS\uninstall_nmon.vbs
2007-07-10 23:13 d--hs---- C:\WINDOWS\U09MQUI
2007-07-10 23:13 d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\NetMon
2007-07-10 23:01 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-10 22:57 66,624 --a------ C:\WINDOWS\SYSTEM32\qpsfcnqn.dll
2007-07-10 22:55 135,168 --a------ C:\WINDOWS\tk58.exe
2007-07-09 22:35 d-------- C:\WINDOWS\SYSTEM32\X9
2007-07-09 22:35 d-------- C:\WINDOWS\SYSTEM32\X4
2007-07-09 22:35 d-------- C:\WINDOWS\SYSTEM32\X3
2007-07-09 22:35 d-------- C:\WINDOWS\SYSTEM32\X2
2007-07-08 20:00 d-------- C:\WINDOWS\E31C348B63A94CBF8D7FD932ABB63244.TMP
2007-07-08 19:58 d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-07-08 19:57 d-------- C:\Program Files\Common Files\Wise Installation Wizard

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-11 04:24:36 -------- d-----w C:\Program Files\MSN Gaming Zone
2007-07-11 04:24:34 -------- d-----w C:\Program Files\Windows NT
2007-07-09 00:58:44 -------- d-----w C:\Program Files\Lavasoft
2007-07-09 00:58:41 -------- d-----w C:\DOCUME~1\SOLAB\APPLIC~1\Lavasoft
2007-07-05 01:46:47 -------- d-----w C:\DOCUME~1\SOLAB\APPLIC~1\U3
2007-06-04 20:18:48 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2007-06-04 20:17:02 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-06-04 20:14:56 6,272 ----a-w C:\WINDOWS\system32\drivers\AWRTPD.sys
2007-05-22 03:20:02 -------- d-----w C:\DOCUME~1\SOLAB\APPLIC~1\Skype
2007-05-22 00:55:36 -------- d-----w C:\DOCUME~1\SOLAB\APPLIC~1\Ringjacker
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-15 22:32:11 -------- d-----w C:\Program Files\SystemMechanic
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 03:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 03:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 03:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 03:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 03:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 03:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 03:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 03:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-13 20:19:52 7,680 ----a-w C:\WINDOWS\system32\lsdelete.exe
2005-07-29 21:24:26 472 --sha-r C:\WINDOWS\U09MQUI\oX6gkoK.vbs

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2006-12-18 04:16 59032 --a------ C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{22BF413B-C6D2-4d91-82A9-A0F997BA588C}]
2007-03-30 13:31 722472 --a------ C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{938A8A03-A938-4019-B764-03FF8D167D79}]
2007-07-10 22:57 66624 --a------ C:\WINDOWS\system32\qpsfcnqn.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
2007-01-19 23:55 2403392 -ra------ c:\program files\google\googletoolbar4.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [2004-10-08 12:31]
"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [2004-10-08 12:24]
"RegistryMechanic"="" []
"ioloDelayModule"="C:\Program Files\SystemMechanic\delay.exe" [2005-06-08 13:31]
"DiskeeperSystray"="C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2005-11-22 16:38]
"MaxtorOneTouch"="C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe" [2006-03-01 11:58]
"@"="" []
"mxomssmenu"="C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe" [2005-10-17 16:24]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-01-27 18:38]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]
"LogitechSoftwareUpdate"="C:\Program Files\Logitech\Video\ManifestEngine.exe" [2004-10-08 12:06]
"SMSystemAnalyzer"="C:\Program Files\SystemMechanic\SMSystemAnalyzer.exe" [2006-12-20 17:47]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" [2003-04-22 04:43]
"Jgohgkqw"="C:\Documents and Settings\SOLAB\Application Data\S?mantec\j?vaw.exe" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktopChanges"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSaveSettings"=0 (0x0)
"NoThemesTab"=0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
backup=C:\WINDOWS\pss\Acrobat Assistant.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
backup=C:\WINDOWS\pss\Microsoft Works Calendar Reminders.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG]
BCMSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Reminder]
"C:\Program Files\Corel\Graphics10\Register\NAVBrowser.exe" /r /i "C:\Program Files\Corel\Graphics10\Register\NavLoad.ini"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DadApp]
C:\Program Files\Dell\AccessDirect\dadapp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
C:\Program Files\Dell\QuickSet\quickset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
"C:\Program Files\Dell Support\DSAgnt.exe" /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
C:\WINDOWS\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
"C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Portfolio]
C:\Program Files\Microsoft Works\WksSb.exe /AllUsers

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
"C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
"C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]
"C:\Program Files\Microsoft Money\System\mnyexpr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKAGENTEXE]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sonic RecordNow!]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StorageGuard]
"C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WG511WLU]
C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WorksFUD]
C:\Program Files\Microsoft Works\wkfud.exe

Contents of the 'Scheduled Tasks' folder
2004-01-09 03:29:17 C:\WINDOWS\tasks\ISP signup reminder 1.job
2007-07-04 21:00:00 C:\WINDOWS\tasks\{0D78C149-97DF-4201-A67A-A0E228DD33B3}_PRITAM_SOLAB.job
2006-11-24 21:00:05 C:\WINDOWS\tasks\{6C3A29DC-CEC0-4A7F-ADF5-1B80932C0DB0}_PRITAM_SOLAB.job
2006-12-19 14:00:09 C:\WINDOWS\tasks\{8B454BFC-EB75-4590-94F9-ACE76CBF05C5}_PRITAM_SOLAB.job
2007-07-04 21:00:00 C:\WINDOWS\tasks\{DDD455D0-EA9C-4C9F-93CD-61CFCE7B6BE7}_PRITAM_SOLAB.job
2006-11-24 21:00:05 C:\WINDOWS\tasks\{E5F01866-5A36-4851-A458-AE3AB5E6EB5D}_PRITAM_SOLAB.job
2006-12-19 14:00:01 C:\WINDOWS\tasks\{F2AC210A-891A-4AB2-B435-BE43535D5252}_PRITAM_SOLAB.job

**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-10 23:34:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-10 23:37:01 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-10 23:36

--- E O F ---

Bugbatter

20.5K Posts

July 13th, 2007 10:00

It looks as if you've cleaned some, but added others. Until we have completely cleaned this, it would be good to stay off the internet, other than posting here.

Please delete the outdated copy of HijackThis that you are using. The new version will show us more.
Please download HJT Installer from Here to your desktop.
If not available use this alternate link: Here

Click the Download button. When the Trend Micro HJT install box appears, double click on the HJTInstall.exe. Click on Install.
It will be installed by default here: C:\Program Files\Trend Micro\HijackThis.
A shortcut to the application will also be placed on your Desktop.
The program will open automatically after installation.
You can double-click the icon that was placed on the Desktop to run subsequent HijackThis scans or you can use the icon inside the folder. The folder HijackThis is where you will find the HJT logs that you save. When you use the application to remove anything, you will also find the backup copies made by HJT inside this folder.
The first time you open HijackThis, check the Main Menu button at the bottom center. When the main menu appears check the box "Show this window when I start HijackThis".
Close Hijackthis for now.

Just to be sure it's completely gone, look in your Control Panel's Add/Remove Programs for any of these and uninstall them:

Oin
Yazzle by Oin
Purityscan by Oin
Snowballwars by Oin
or anything similar with Oin or Outerinfo in it.
Zolero
Tizzletalk
MediaTickets

Reboot and download and run this uninstaller:
http://www.outerinfo.com/OiUninstaller.exe

Tutorial for the uninstaller if needed

Reboot

Download and scan with SUPERAntiSpyware Free for Home Users
- Double-click SUPERAntiSpyware.exe and use the default settings for installation.
- An icon will be created on your desktop. Double-click that icon to launch the program.
- If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
- Under "Configuration and Preferences", click the Preferences button.
- Click the Scanning Control tab.
- Under Scanner Options make sure the following are checked (leave all others unchecked):
  - Close browsers before scanning.
  - Scan for tracking cookies.
  - Terminate memory threats before quarantining.
- Click the "Close" button to leave the control center screen.
- Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
- On the left, make sure you check C:\Fixed Drive.
- On the right, under "Complete Scan", choose Perform Complete Scan.
- Click "Next" to start the scan. Please be patient while it scans your computer.
- After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
- Make sure everything has a checkmark next to it and click "Next".
- A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
- If asked if you want to reboot, click "Yes".
- Click Close to exit the program.
Launch your new Hijackthis.
Click on " Do a system scan and save logfile." When the log pops up in Notepad, copy and paste that file back here. Before closing HJT, please click on the AnalyzeThis button. "Analyze This" DOES NOT mean "Analyze My Log". You will need to post your log on the forum.
Close the web page that appears and then close the program

Also include your log from Super AmtiSpyware.

To retrieve the removal information launch SUPERAntispyware again.
- Click Preferences, then click the Statistics/Logs tab.
- Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
- If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
- Please copy and paste the Scan Log results along with your fresh Hijackthis log in your next reply.

pritam79

49 Posts

July 14th, 2007 00:00

The WinAntiSpyware Alert Window on the bottom right corner of the sceen is always there no matter what I do and it never goes away.

The new HJTfile with the updated HJT.exe is attached below.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:27:21 PM, on 7/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\System32\lkcitdl.exe
C:\WINDOWS\System32\lkads.exe
C:\WINDOWS\System32\lktsrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\niSvcLoc.exe
C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
C:\Program Files\CIC\Sign-it Server\siservice.exe
C:\WINDOWS\System32\svchost.exe
C:\ABAQUS\Documentation\monitor.exe
C:\ABAQUS\Documentation\monitor.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\WINDOWS\system32\LVComsX.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\svhost.exe
C:\WINDOWS\retadpu77.exe
C:\Program Files\WinAntiSpyware 2007\was7.exe
C:\Program Files\Common Files\WinAntiSpyware 2007\uwas7cw.exe
C:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SystemMechanic\SMSystemAnalyzer.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Documents and Settings\SOLAB\Application Data\WinTouch\WinTouch.exe
C:\Documents and Settings\SOLAB\Application Data\Microsoft\Windows\rayiou.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [ioloDelayModule] C:\Program Files\SystemMechanic\delay.exe
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [poolsv] "C:\WINDOWS\poolsv.exe"
O4 - HKLM\..\Run: [svhost] "C:\WINDOWS\svhost.exe"
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu77.exe 61A847B5BBF72815358B2B27128065E9C084320161C4661227A755E9C2933154389A
O4 - HKLM\..\Run: [WinAntiSpyware 2007 Free] "C:\Program Files\WinAntiSpyware 2007\was7.exe" /min
O4 - HKLM\..\Run: [uwas7cw] "C:\Program Files\Common Files\WinAntiSpyware 2007\uwas7cw.exe" -c
O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe"
O4 - HKLM\..\Run: [icq.com] rundll32.exe "C:\WINDOWS\system32\rywnhkeq.dll",forkonce
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [SMSystemAnalyzer] "C:\Program Files\SystemMechanic\SMSystemAnalyzer.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Jgohgkqw] "C:\Documents and Settings\SOLAB\Application Data\S?mantec\j?vaw.exe"
O4 - HKCU\..\Run: [WinTouch] C:\Documents and Settings\SOLAB\Application Data\WinTouch\WinTouch.exe
O4 - HKCU\..\Run: [SfKg6w] C:\Documents and Settings\SOLAB\Application Data\Microsoft\Windows\rayiou.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {14D78FEB-AB3D-45CE-BE5E-73DAB5436DBC} (RdAsmIocCtrl Class) - http://immail.rediff.com/MLing/ActiveX/rdasmioc.cab
O16 - DPF: {32C11E38-E587-4BE9-9ABB-D69158C21CE5} (Moonlight MPEG-4 Video Decoder) - http://66.193.180.23/activex/decoder/mpeg4_dec.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {427273CC-764E-11D3-823D-006097F90453} (Pixami Image Editor Control) - http://www.photoworks.com/pixami/BPImageEditor.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,16/mcgdmgr.cab
O16 - DPF: {C915801D-6F00-49CD-8A9A-8DE5C11ADDC1} (Pixami Drag/Drop Upload UI Control) - http://www.photoworks.com/pixami/DragDropUploader.cab
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - http://66.193.180.23/activex/AMC.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1674CD67-BC3D-4BD9-9E99-7F3C9458A77F}: NameServer = 66.193.180.2,66.193.180.3
O17 - HKLM\System\CS1\Services\Tcpip\..\{1674CD67-BC3D-4BD9-9E99-7F3C9458A77F}: NameServer = 66.193.180.2,66.193.180.3
O17 - HKLM\System\CS2\Services\Tcpip\..\{1674CD67-BC3D-4BD9-9E99-7F3C9458A77F}: NameServer = 66.193.180.2,66.193.180.3
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - C:\WINDOWS\System32\lkcitdl.exe
O23 - Service: Lookout Classified Ads (LkClassAds) - National Instruments, Inc. - C:\WINDOWS\System32\lkads.exe
O23 - Service: Lookout Time Synchronization (LkTimeSync) - National Instruments, Inc. - C:\WINDOWS\System32\lktsrv.exe
O23 - Service: NILM License manager - Macrovision Corporation - C:\Program Files\National Instruments\Shared\License Manager\Bin\lmgrd.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments - C:\WINDOWS\System32\niSvcLoc.exe
O23 - Service: MaxSyncService (NTService1) - - C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
O23 - Service: Sign-it Server (SignIt) - Communication Intelligence Corp. - C:\Program Files\CIC\Sign-it Server\siservice.exe
O23 - Service: Texis Monitor - Expansion Programs International, Inc. - C:\ABAQUS\Documentation\monitor.exe
O24 - Desktop Component 0: Desktop Uninstall - (no file)

--
End of file - 9023 bytes

Bugbatter

20.5K Posts

July 14th, 2007 01:00

Please print these instructions so you can refer to them easily. You will be working in Safemode without networking for part of this fix, so you will not have this page available. In addition, these instructions must be followed in the sequence I have given you. Running steps out of sequence may prevent our fix from working.

Please download the latest version of VundoFix.exe to your desktop. (If you have an earlier version, delete it and its old log here: C:\ vundofix.txt.)

Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files,
click YES
Once you click yes, your desktop will go blank as it starts removing
Vundo.
When completed, it will prompt that it will shutdown your computer,
click OK.
Turn your computer back on.

Note: It is possible that VundoFix encountered a file it could not
remove.
In this case, VundoFix will run on reboot, simply follow the above
instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot. ** If you get a warning about updating Java, do not do so until I can give you further instructions.

Please run another scan with ComboFix using the same instructions as you did the other day. Just follow the prompts.
Do not mouseclick Combofix's window while it is running. That may cause your system to stall/hang.
Do not proceed with the rest of the fix if you fail to run combofix.

Reboot into Safemode:
Turn on the computer.
Immediately begin tapping the F8 key.
Use the arrow keys to highlight Safe Mode and press the Enter key.

Configure to show all files/folders:
Go to Start>Search and at the top select Tools>Folder Options
Select the View tab
Display the contents of system folders
Show hidden files and folders
Uncheck: Hide protected operating system files
Click on Apply.
Next go to the side of the Search box and select All files and folders. Go down to More advanced options.
Be sure the first three boxes are selected:
Search System folders
Search Hidden Files and folders
Search SubFolders

Launch Hijackthis and place a checkmark next to these if they still exist:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKLM\..\Run: [poolsv] "C:\WINDOWS\poolsv.exe"
O4 - HKLM\..\Run: [svhost] "C:\WINDOWS\svhost.exe"
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu77.exe 61A847B5BBF72815358B2B27128065E9C084320161C4661227A755E9C2933154389A
O4 - HKLM\..\Run: [WinAntiSpyware 2007 Free] "C:\Program Files\WinAntiSpyware 2007\was7.exe" /min
O4 - HKLM\..\Run: [uwas7cw] "C:\Program Files\Common Files\WinAntiSpyware 2007\uwas7cw.exe" -c
O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe"
O4 - HKLM\..\Run: [icq.com] rundll32.exe "C:\WINDOWS\system32\rywnhkeq.dll",forkonce
O4 - HKCU\..\Run: [Jgohgkqw] "C:\Documents and Settings\SOLAB\Application Data\S?mantec\j?vaw.exe"
O4 - HKCU\..\Run: [WinTouch] C:\Documents and Settings\SOLAB\Application Data\WinTouch\WinTouch.exe
O4 - HKCU\..\Run: [SfKg6w] C:\Documents and Settings\SOLAB\Application Data\Microsoft\Windows\rayiou.exe

Delete the following specified files if they still exist:
C:\WINDOWS\ poolsv.exe
C:\WINDOWS\ svhost.exe
C:\WINDOWS\ retadpu77.exe
C:\WINDOWS\system32\ rywnhkeq.dll
C:\Documents and Settings\SOLAB\Application Data\Microsoft\Windows\ rayiou.exe

Please delete these folders:
C:\Program Files\ WinAntiSpyware 2007
C:\Documents and Settings\SOLAB\Application Data\ WinTouch

This folder: S?mantec shown here: C:\Documents and Settings\SOLAB\Application Data\ S?mantec is missing some text, so you will have to look for the one containing this file (also missing some text): j?vaw.exe Delete the S?mantec folder.

Reboot normally.

Go back and rehide files.
Start>Search and at the top select Tools>Folder Options
Select the View tab
Display the contents of system folders
Show hidden files and folders
Check: Hide protected operating system files
Click on Apply.

Unless I missed it, I do not see a resident anti-virus running. If you are without anti-virus protection, please install AVG Free Version.
http://free.grisoft.com/freeweb.php/doc/2/

Before installing it, however, be sure that the remnants of all prior anti-virus software have been removed. If you need support for the installation of AVG, their forum is located here: http://forum.grisoft.cz/freeforum/

In your next reply please post:
1. The log from Super AntiSpyware that you forgot to include in your last reply.
2. The contents of C:\ vundofix.txt
3. The NEW log from ComboFix
4. A fresh HijackThis log.

If the forum software will not take all the text in your four logs, just use several posts and keep replying to yourself until all the logs are posted.
Please let me know how many users are on that computer.

pritam79

49 Posts

July 14th, 2007 17:00

Dear Bugbatter,

I completed the following just now. The bottom right screen seems to be gone so far. Please let me know what you think. Logs are also attached.

Followed instructions for VundoFix.exe. After rebooting, VundoFix didn't run of its own. Also, the WinAntiSpyware Alert on the right bottom screen was still there.
Followed instructions for Combofix. Upon self reboot, I got a Windows Security Alert asking me "Do you want to keep blocking this program? Name: Connection Manager". I selected the "Keep Blocking" button.
Ran Hijackthis in safe mode and checkmarked and deleted if there were any files as you had suggested in the hijackthis log file.
You had mentioned: "This folder:S?mantec shown here: C:\Documents and Settings\SOLAB\ Application Data\S?mantec is missing some text, so you will have to look for the one containing this file (also missing some text): j?vaw.exe Delete the S?mantec folder".

I did not see the S?mantec file in the defined path.

5. Upon rebooting I again got the Windows Security Alert asking me "Do you want to keep blocking this program? Name: Connection Manager". I selected the "Keep Blocking" button.

6. I installed SUPERAntiSpyware and run it. It found several files that needed to be quarantined.

Superantispyware log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/14/2007 at 01:37 PM

Application Version : 3.9.1008

Core Rules Database Version : 3269
Trace Rules Database Version: 1280

Scan type : Complete Scan
Total Scan Time : 00:54:57

Memory items scanned      : 377
Memory threats detected   : 1
Registry items scanned    : 7800
Registry threats detected : 77
File items scanned        : 51910
File threats detected     : 203

Trojan.Downloader-NewJuan/VM
C:\WINDOWS\SYSTEM32\PXPRFHMT.DLL
C:\WINDOWS\SYSTEM32\PXPRFHMT.DLL

Adware.Vundo Variant
HKLM\Software\Classes\CLSID\{2C6CB837-4F83-4888-8594-25F7B18D508B}
HKCR\CLSID\{2C6CB837-4F83-4888-8594-25F7B18D508B}
HKCR\CLSID\{2C6CB837-4F83-4888-8594-25F7B18D508B}\InprocServer32
HKCR\CLSID\{2C6CB837-4F83-4888-8594-25F7B18D508B}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\URQPP.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2C6CB837-4F83-4888-8594-25F7B18D508B}

Trojan.WinFixer
HKLM\Software\Classes\CLSID\{4567AB12-B980-44A5-B259-9B09EBEA6331}
HKCR\CLSID\{4567AB12-B980-44A5-B259-9B09EBEA6331}
HKCR\CLSID\{4567AB12-B980-44A5-B259-9B09EBEA6331}
HKCR\CLSID\{4567AB12-B980-44A5-B259-9B09EBEA6331}#AppID
HKCR\CLSID\{4567AB12-B980-44A5-B259-9B09EBEA6331}\InprocServer32
HKCR\CLSID\{4567AB12-B980-44A5-B259-9B09EBEA6331}\InprocServer32#ThreadingModel
HKCR\CLSID\{4567AB12-B980-44A5-B259-9B09EBEA6331}\ProgID
HKCR\CLSID\{4567AB12-B980-44A5-B259-9B09EBEA6331}\Programmable
HKCR\CLSID\{4567AB12-B980-44A5-B259-9B09EBEA6331}\TypeLib
HKCR\CLSID\{4567AB12-B980-44A5-B259-9B09EBEA6331}\VersionIndependentProgID
C:\PROGRAM FILES\WINANTISPYWARE 2007\SHELLEXT.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{4567AB12-B980-44A5-B259-9B09EBEA6331}
HKCR\washellext.ShellHook.1
HKCR\washellext.ShellHook.1\CLSID
HKCR\washellext.ShellHook
HKCR\washellext.ShellHook\CLSID
HKCR\washellext.ShellHook\CurVer
HKCR\TypeLib\{4567AB12-7DFC-4C46-BD8F-41259D169A0D}
HKCR\TypeLib\{4567AB12-7DFC-4C46-BD8F-41259D169A0D}\1.0
HKCR\TypeLib\{4567AB12-7DFC-4C46-BD8F-41259D169A0D}\1.0\0
HKCR\TypeLib\{4567AB12-7DFC-4C46-BD8F-41259D169A0D}\1.0\0\win32
HKCR\TypeLib\{4567AB12-7DFC-4C46-BD8F-41259D169A0D}\1.0\FLAGS
HKCR\TypeLib\{4567AB12-7DFC-4C46-BD8F-41259D169A0D}\1.0\HELPDIR

Unclassified.Unknown Origin
HKLM\Software\Classes\CLSID\{938A8A03-A938-4019-B764-03FF8D167D79}
HKCR\CLSID\{938A8A03-A938-4019-B764-03FF8D167D79}
HKCR\CLSID\{938A8A03-A938-4019-B764-03FF8D167D79}\InprocServer32
HKCR\CLSID\{938A8A03-A938-4019-B764-03FF8D167D79}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{938A8A03-A938-4019-B764-03FF8D167D79}
HKCR\CLSID\{938A8A03-A938-4019-B764-03FF8D167D79}
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\MSN GAMING ZONE\MEVO83122.DLL.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\U09MQUI\COMMAND.EXE.VIR

Adware.Viewpoint Toolbar
HKLM\Software\Classes\CLSID\{F8AD5AA5-D966-4667-9DAF-2561D68B2012}
HKCR\CLSID\{F8AD5AA5-D966-4667-9DAF-2561D68B2012}
HKCR\CLSID\{F8AD5AA5-D966-4667-9DAF-2561D68B2012}
HKCR\CLSID\{F8AD5AA5-D966-4667-9DAF-2561D68B2012}\InProcServer32
HKCR\CLSID\{F8AD5AA5-D966-4667-9DAF-2561D68B2012}\InProcServer32#ThreadingModel
HKCR\CLSID\{F8AD5AA5-D966-4667-9DAF-2561D68B2012}\ProgID
HKCR\CLSID\{F8AD5AA5-D966-4667-9DAF-2561D68B2012}\Programmable
HKCR\CLSID\{F8AD5AA5-D966-4667-9DAF-2561D68B2012}\TypeLib
HKCR\CLSID\{F8AD5AA5-D966-4667-9DAF-2561D68B2012}\VersionIndependentProgID
C:\PROGRAM FILES\VIEWPOINT\VIEWPOINT TOOLBAR\VIEWBAR.DLL

Adware.Tracking Cookie
C:\Documents and Settings\SOLAB\Cookies\solab@tacoda[2].txt
C:\Documents and Settings\SOLAB\Cookies\solab@cpvfeed[3].txt
C:\Documents and Settings\SOLAB\Cookies\solab@adultadworld[3].txt
C:\Documents and Settings\SOLAB\Cookies\solab@media.fastclick[1].txt
C:\Documents and Settings\SOLAB\Cookies\solab@ads.realtechnetwork[1].txt
C:\Documents and Settings\SOLAB\Cookies\solab@thunderbolt.adjuggler[1].txt
C:\Documents and Settings\SOLAB\Cookies\solab@questionmarket[2].txt
C:\Documents and Settings\SOLAB\Cookies\solab@ads.adgoto[3].txt
C:\Documents and Settings\SOLAB\Cookies\solab@goclick[2].txt
C:\Documents and Settings\SOLAB\Cookies\solab@banners.searchingbooth[1].txt
C:\Documents and Settings\SOLAB\Cookies\solab@winantivirus[2].txt
C:\Documents and Settings\SOLAB\Cookies\solab@entrepreneur.122.2o7[1].txt
C:\Documents and Settings\SOLAB\Cookies\solab@ads.traderonline[1].txt
C:\Documents and Settings\SOLAB\Cookies\solab@entrepreneur[1].txt
C:\Documents and Settings\SOLAB\Cookies\solab@precisionclick[2].txt
C:\Documents and Settings\SOLAB\Cookies\solab@adopt.euroclick[2].txt
C:\Documents and Settings\SOLAB\Cookies\solab@adbrite[2].txt
C:\Documents and Settings\SOLAB\Cookies\solab@stats.drivecleaner[2].txt
C:\Documents and Settings\SOLAB\Cookies\solab@hitbox[2].txt
C:\Documents and Settings\SOLAB\Cookies\solab@imrworldwide[2].txt
C:\Documents and Settings\SOLAB\Cookies\solab@adopt.specificclick[1].txt
C:\Documents and Settings\SOLAB\Cookies\solab@linksynergy[1].txt
C:\Documents and Settings\SOLAB\Cookies\solab@pro-market[1].txt
C:\Documents and Settings\SOLAB\Cookies\solab@exitexchange[2].txt
C:\Documents and Settings\SOLAB\Cookies\solab@adrevolver[1].txt
C:\Documents and Settings\SOLAB\Cookies\solab@drivecleaner[1].txt
C:\Documents and Settings\SOLAB\Cookies\solab@clicksor[2].txt
C:\Documents and Settings\SOLAB\Cookies\solab@www.drivecleaner[3].txt
C:\Documents and Settings\SOLAB\Cookies\solab@findwhat[1].txt
C:\Documents and Settings\SOLAB\Cookies\solab@qksrv[2].txt
C:\Documents and Settings\SOLAB\Cookies\solab@ads.cnn[1].txt
C:\Documents and Settings\SOLAB\Cookies\solab@revsci[2].txt
C:\Documents and Settings\SOLAB\Cookies\solab@winantispyware[2].txt
C:\Documents and Settings\SOLAB\Cookies\solab@drivecleaner[3].txt
C:\Documents and Settings\SOLAB\Cookies\solab@apmebf[2].txt
C:\Documents and Settings\SOLAB\Cookies\solab@interclick[1].txt
C:\Documents and Settings\SOLAB\Cookies\solab@www.burstnet[2].txt
C:\Documents and Settings\SOLAB\Cookies\solab@azjmp[1].txt
C:\Documents and Settings\SOLAB\Cookies\solab@www.adtrak[2].txt
C:\Documents and Settings\SOLAB\Cookies\solab@rotator.dex.adjuggler[2].txt
C:\Documents and Settings\SOLAB\Cookies\solab@buycom.122.2o7[1].txt
C:\Documents and Settings\SOLAB\Cookies\solab@burstnet[2].txt
C:\Documents and Settings\SOLAB\Cookies\solab@partner2profit[1].txt
C:\Documents and Settings\SOLAB\Cookies\solab@reduxads.valuead[2].txt
C:\Documents and Settings\SOLAB\Cookies\solab@ad2.adnetinteractive[2].txt
C:\Documents and Settings\SOLAB\Cookies\solab@go.winantispyware[3].txt
C:\Documents and Settings\SOLAB\Cookies\solab@adecn[1].txt
C:\Documents and Settings\SOLAB\Cookies\solab@casalemedia[2].txt
C:\Documents and Settings\SOLAB\Cookies\solab@mediaplex[1].txt
C:\Documents and Settings\SOLAB\Cookies\solab@publishers.clickbooth[1].txt
C:\Documents and Settings\SOLAB\Cookies\solab@www.winantiviruspro[2].txt
C:\Documents and Settings\SOLAB\Cookies\solab@doubleclick[2].txt
C:\Documents and Settings\SOLAB\Cookies\solab@fastclick[2].txt
C:\Documents and Settings\SOLAB\Cookies\solab@go.winantispyware[2].txt
C:\Documents and Settings\SOLAB\Cookies\solab@advertising[2].txt
C:\Documents and Settings\SOLAB\Cookies\solab@go.winantivirus[3].txt
C:\Documents and Settings\SOLAB\Cookies\solab@ads.kaktuz[1].txt
C:\Documents and Settings\SOLAB\Cookies\solab@www.xctrk[1].txt
C:\Documents and Settings\SOLAB\Cookies\solab@lynxtrack[1].txt
C:\Documents and Settings\SOLAB\Cookies\solab@counter12.sextracker[2].txt
C:\Documents and Settings\SOLAB\Cookies\solab@4.adbrite[2].txt
C:\Documents and Settings\SOLAB\Cookies\solab@ads.revsci[1].txt
C:\Documents and Settings\SOLAB\Cookies\solab@rockcoastmedia.112.2o7[1].txt
C:\Documents and Settings\SOLAB\Cookies\solab@ad.outerinfo[1].txt
C:\Documents and Settings\SOLAB\Cookies\solab@ad.iconadserver[2].txt
C:\Documents and Settings\SOLAB\Cookies\solab@perf.overture[1].txt
C:\Documents and Settings\SOLAB\Cookies\solab@sextracker[1].txt
C:\Documents and Settings\SOLAB\Cookies\solab@adsrevenue[1].txt
C:\Documents and Settings\SOLAB\Cookies\solab@atdmt[2].txt
C:\Documents and Settings\SOLAB\Cookies\solab@ad.yieldmanager[3].txt
C:\Documents and Settings\SOLAB\Cookies\solab@stats1.reliablestats[2].txt
C:\Documents and Settings\SOLAB\Cookies\solab@enhance[2].txt
C:\Documents and Settings\SOLAB\Cookies\solab@ads.pointroll[2].txt
C:\Documents and Settings\SOLAB\Cookies\solab@humornsex[1].txt
C:\Documents and Settings\SOLAB\Cookies\solab@www.burstbeacon[1].txt
C:\Documents and Settings\SOLAB\Cookies\solab@bluestreak[1].txt
C:\Documents and Settings\SOLAB\Cookies\solab@mediatraffic[1].txt
C:\Documents and Settings\SOLAB\Cookies\solab@ads.k8l[1].txt
C:\Documents and Settings\SOLAB\Cookies\solab@www.drivecleaner[2].txt
C:\Documents and Settings\SOLAB\Cookies\solab@count2.exitexchange[2].txt
C:\Documents and Settings\SOLAB\Cookies\solab@dailynewmedia[1].txt
C:\Documents and Settings\SOLAB\Cookies\solab@pch.122.2o7[1].txt
C:\Documents and Settings\SOLAB\Cookies\solab@adbrite[3].txt
C:\Documents and Settings\SOLAB\Cookies\solab@media.adrevolver[3].txt
C:\Documents and Settings\SOLAB\Cookies\solab@zedo[2].txt
C:\Documents and Settings\SOLAB\Cookies\solab@ads.adbrite[2].txt
C:\Documents and Settings\SOLAB\Cookies\solab@ehg-moneymanagement.hitbox[2].txt
C:\Documents and Settings\SOLAB\Cookies\solab@tribalfusion[1].txt
C:\Documents and Settings\SOLAB\Cookies\solab@go.winantivirus[1].txt
C:\Documents and Settings\SOLAB\Cookies\solab@humornsex[2].txt
C:\Documents and Settings\SOLAB\Cookies\solab@anad.tacoda[2].txt
C:\Documents and Settings\SOLAB\Cookies\solab@specificclick[1].txt
C:\Documents and Settings\SOLAB\Cookies\solab@www.amaena[1].txt
C:\Documents and Settings\SOLAB\Cookies\solab@trafficmp[2].txt
C:\Documents and Settings\SOLAB\Cookies\solab@audit.median[1].txt
C:\Documents and Settings\SOLAB\Cookies\solab@ehg-zoom.hitbox[1].txt
C:\Documents and Settings\SOLAB\Cookies\solab@statcounter[1].txt
C:\Documents and Settings\SOLAB\Cookies\solab@toseeka[2].txt
C:\Documents and Settings\SOLAB\Cookies\solab@tradedoubler[1].txt
C:\Documents and Settings\SOLAB\Cookies\solab@ehg-traderelectronicmedia.hitbox[2].txt
C:\Documents and Settings\SOLAB\Cookies\solab@realmedia[2].txt
C:\Documents and Settings\SOLAB\Cookies\solab@redorbit[1].txt
C:\Documents and Settings\SOLAB\Cookies\solab@ads.addynamix[1].txt
C:\Documents and Settings\LocalService\Cookies\system@enhance[1].txt
C:\Documents and Settings\SOLAB\Cookies\solab@ad.outerinfo[2].txt
C:\Documents and Settings\SOLAB\Cookies\solab@ad.yieldmanager[2].txt
C:\Documents and Settings\SOLAB\Cookies\solab@ad1.clickhype[1].txt
C:\Documents and Settings\SOLAB\Cookies\solab@adbrite[1].txt
C:\Documents and Settings\SOLAB\Cookies\solab@ads.adbrite[1].txt
C:\Documents and Settings\SOLAB\Cookies\solab@ads.adgoto[1].txt
C:\Documents and Settings\SOLAB\Cookies\solab@ads.cnn[2].txt
C:\Documents and Settings\SOLAB\Cookies\solab@adultadworld[2].txt
C:\Documents and Settings\SOLAB\Cookies\solab@adultfriendfinder[2].txt
C:\Documents and Settings\SOLAB\Cookies\solab@azjmp[2].txt
C:\Documents and Settings\SOLAB\Cookies\solab@cpvfeed[2].txt
C:\Documents and Settings\SOLAB\Cookies\solab@doubleclick[1].txt
C:\Documents and Settings\SOLAB\Cookies\solab@media.adrevolver[1].txt
C:\Documents and Settings\SOLAB\Cookies\solab@toseeka[1].txt
C:\Documents and Settings\SOLAB\Cookies\solab@www.dailynewmedia[1].txt
C:\Documents and Settings\SOLAB\Cookies\solab@www.dailynewmedia[2].txt
C:\Documents and Settings\SOLAB\Cookies\solab@www.googleadservices[1].txt
C:\Documents and Settings\SOLAB\Cookies\solab@www.googleadservices[2].txt
C:\Documents and Settings\SOLAB\Cookies\solab@www.xctrk[2].txt

2nd part is continued in the following post

pritam79

49 Posts

July 14th, 2007 17:00

Trojan.WinAntiSpyware/WinAntiVirus 2006/2007
HKCR\CLSID\{_CLSID_WAShellExecuteCheck}
HKCR\CLSID\{_CLSID_WAShellExecuteCheck}#AppID
HKCR\CLSID\{_CLSID_WAShellExecuteCheck}\LocalServer32
HKCR\CLSID\{_CLSID_WAShellExecuteCheck}\Programmable
HKCR\TypeLib\{4567AB12-AE24-4FD6-B479-E2B464F32DA6}
HKCR\TypeLib\{4567AB12-AE24-4FD6-B479-E2B464F32DA6}\1.0
HKCR\TypeLib\{4567AB12-AE24-4FD6-B479-E2B464F32DA6}\1.0\0
HKCR\TypeLib\{4567AB12-AE24-4FD6-B479-E2B464F32DA6}\1.0\0\win32
HKCR\TypeLib\{4567AB12-AE24-4FD6-B479-E2B464F32DA6}\1.0\FLAGS
HKCR\TypeLib\{4567AB12-AE24-4FD6-B479-E2B464F32DA6}\1.0\HELPDIR
HKCR\Interface\{4567AB12-A884-4CA6-B739-CEDB12FEF096}
HKCR\Interface\{4567AB12-A884-4CA6-B739-CEDB12FEF096}\ProxyStubClsid
HKCR\Interface\{4567AB12-A884-4CA6-B739-CEDB12FEF096}\ProxyStubClsid32
HKCR\Interface\{4567AB12-A884-4CA6-B739-CEDB12FEF096}\TypeLib
HKCR\Interface\{4567AB12-A884-4CA6-B739-CEDB12FEF096}\TypeLib#Version
HKLM\SYSTEM\CurrentControlSet\Services\FOPN
HKLM\SYSTEM\CurrentControlSet\Services\FOPN#Type
HKLM\SYSTEM\CurrentControlSet\Services\FOPN#Start
HKLM\SYSTEM\CurrentControlSet\Services\FOPN#ErrorControl
HKLM\SYSTEM\CurrentControlSet\Services\FOPN#Tag
HKLM\SYSTEM\CurrentControlSet\Services\FOPN#ImagePath
HKLM\SYSTEM\CurrentControlSet\Services\FOPN#DisplayName
HKLM\SYSTEM\CurrentControlSet\Services\FOPN#Group
HKLM\SYSTEM\CurrentControlSet\Services\FOPN#Overflow
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\blocked
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME2\QOOBOX\QUARANTINE
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME2\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\DRIVERS
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME2\QOOBOX\QUARANTINE\C\DOCUMENTS AND SETTINGS\SOLAB
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\Security
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\Security#Security
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\Enum
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\Enum#0
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\Enum#Count
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\Enum#NextInstance

Adware.ClickSpring/Outer Info Network
C:\DOCUMENTS AND SETTINGS\SOLAB\DESKTOP\OIUNINSTALLER.EXE
C:\WINDOWS\Prefetch\OIUNINSTALLER.EXE-22DF5EEB.pf

Adware.ClickSpring
C:\QooBox\Quarantine\C\DOCUME~1\SOLAB\APPLIC~1\SMANTE~1\JVAWEX~1.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP825\A0095317.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP825\A0095338.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP827\A0095537.EXE

Adware.ClickSpring/Yazzle
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\COMMON FILES\YAZZLE1281OINADMIN.EXE.VIR
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\COMMON FILES\YAZZLE1281OINUNINSTALLER.EXE.VIR
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\COMMON FILES\YAZZLE1549OINADMIN.EXE.VIR
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\COMMON FILES\YAZZLE1549OINUNINSTALLER.EXE.VIR
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\COMMON FILES\YAZZLE1552OINADMIN.EXE.VIR
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\COMMON FILES\YAZZLE1552OINUNINSTALLER.EXE.VIR
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\POOLSV\YAZZLEBUNDLE-1549.EXE.VIR
C:\WINDOWS\PREFETCH\YAZZLE1122OINADMIN.EXE-0F198A06.PF
C:\WINDOWS\PREFETCH\YAZZLE1122OINUNINSTALLER.EXE-349B5FA4.PF
C:\WINDOWS\PREFETCH\YAZZLE1549OINADMIN.EXE-0C086C08.PF
C:\WINDOWS\PREFETCH\YAZZLEBUNDLE-1549.EXE-07517F69.PF

Adware.ClickSpring-Variant
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\DOBE~1\ALG.EXE.VIR
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\OUTERINFO\OUTERINFOUPDATE.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP825\A0095339.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP825\A0095345.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP827\A0095536.EXE

Trojan.NetMon/DNSChange
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\NETWORK MONITOR\NETMON.EXE.VIR

Trojan.Downloader-ClickSpring/NDrv
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\OUTERINFO\OUTERINFO.DLL.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP825\A0095342.DLL

Trojan.WinAntiSpyware/WinAntiVirus 2006
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\POOLSV\WINANTISPYWARE2007FREEINSTALL.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP828\A0095575.EXE

Trojan.ZQuest
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\WINDOWS NT\QUHABE.DLL.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP825\A0095336.DLL

Trojan.Downloader-Gen/WinPop
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\WINPOP\WINPOP.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP825\A0095347.EXE

Trojan.Downloader-Gen/Installer
C:\QOOBOX\QUARANTINE\C\WINDOWS\B122.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP825\A0095350.EXE
C:\WINDOWS\B104.EXE

Trojan.Downloader-Gen/RetAd
C:\QOOBOX\QUARANTINE\C\WINDOWS\RETADPU1000106.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\RETADPU2000219.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\RETADPU77.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP824\A0095299.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP825\A0095326.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP825\A0095332.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP825\A0095333.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP828\A0095570.EXE

Adware.Vundo/Traff-2
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\BQUYHIPN.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\EOEICYXA.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP828\A0095597.EXE

Trojan.Downloader-Gen/Blah
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\EFCCBBX.DLL.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP825\A0095351.DLL

Trojan.Downloader-Gen/HitItQuitIt
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\HGGDAAA.DLL.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\WVUTTTU.DLL.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP825\A0095353.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP825\A0095358.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP828\A0095599.DLL

Trojan.Downloader-Gen/TStamp
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\IEPIFGIM.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\LIPCNFCD.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP828\A0095598.EXE

Adware.ClickSpring/Resident
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\JNRXL.DLL.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP825\A0095320.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP825\A0095337.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP827\A0095542.DLL

Trojan.Downloader-Gen/BundleBase
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\O02PREZ\O02PREZ1065.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP825\A0095348.EXE

Trojan.Downloader-Stera/WinSoftware
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\STERA.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP828\A0095596.EXE

Trojan.Unknown Origin
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\WNSTSITR.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\UNINSTALL_NMON.VBS.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP825\A0095318.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP825\A0095335.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP827\A0095538.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP828\A0095569.VBS
C:\WINDOWS\U09MQUI\OX6GKOK.VBS

Adware.Adservs
C:\QOOBOX\QUARANTINE\C\WINDOWS\U09MQUI\ASAPPSRV.DLL.VIR

Adware.SideStep Toolbar
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP827\A0095525.DLL

Trojan.Rootkit-TnCore/Installer
C:\WINDOWS\SYSTEM32\X4\WEN22.EXE

Trojan.ZQuest-Installer
C:\WINDOWS\TK58.EXE

pritam79

49 Posts

July 14th, 2007 18:00

C:\Program Files\winantispyware 2007\RTMonitor.dat\c7ef9207da1a4a426429b29f\23a0eb3f2ef34cb077593589\8a1bc3035b894ee89f48cea4\#internal
C:\Program Files\winantispyware 2007\RTMonitor.dat\c7ef9207da1a4a426429b29f\23a0eb3f2ef34cb077593589\8a1bc3035b894ee89f48cea4\#name
C:\Program Files\winantispyware 2007\RTMonitor.dat\c7ef9207da1a4a426429b29f\23a0eb3f2ef34cb077593589\8a44f6c27fda48bf198eb689\#data
C:\Program Files\winantispyware 2007\RTMonitor.dat\c7ef9207da1a4a426429b29f\23a0eb3f2ef34cb077593589\8a44f6c27fda48bf198eb689\#internal
C:\Program Files\winantispyware 2007\RTMonitor.dat\c7ef9207da1a4a426429b29f\23a0eb3f2ef34cb077593589\8a44f6c27fda48bf198eb689\#name
C:\Program Files\winantispyware 2007\RTMonitor.dat\c7ef9207da1a4a426429b29f\23a0eb3f2ef34cb077593589\8e34b6ceea444a4654a096af\#data
C:\Program Files\winantispyware 2007\RTMonitor.dat\c7ef9207da1a4a426429b29f\23a0eb3f2ef34cb077593589\8e34b6ceea444a4654a096af\#internal
C:\Program Files\winantispyware 2007\RTMonitor.dat\c7ef9207da1a4a426429b29f\23a0eb3f2ef34cb077593589\8e34b6ceea444a4654a096af\#name
C:\Program Files\winantispyware 2007\RTMonitor.dat\c7ef9207da1a4a426429b29f\23a0eb3f2ef34cb077593589\9183f5f239a54108dea0998b\#data
C:\Program Files\winantispyware 2007\RTMonitor.dat\c7ef9207da1a4a426429b29f\23a0eb3f2ef34cb077593589\9183f5f239a54108dea0998b\#internal
C:\Program Files\winantispyware 2007\RTMonitor.dat\c7ef9207da1a4a426429b29f\23a0eb3f2ef34cb077593589\9183f5f239a54108dea0998b\#name
C:\Program Files\winantispyware 2007\RTMonitor.dat\c7ef9207da1a4a426429b29f\23a0eb3f2ef34cb077593589\9ff4a5a3ef594488774441a0\#data
C:\Program Files\winantispyware 2007\RTMonitor.dat\c7ef9207da1a4a426429b29f\23a0eb3f2ef34cb077593589\9ff4a5a3ef594488774441a0\#internal
C:\Program Files\winantispyware 2007\RTMonitor.dat\c7ef9207da1a4a426429b29f\23a0eb3f2ef34cb077593589\9ff4a5a3ef594488774441a0\#name
C:\Program Files\winantispyware 2007\RTMonitor.dat\c7ef9207da1a4a426429b29f\23a0eb3f2ef34cb077593589\a6161af1808746816780b4ae\#data
C:\Program Files\winantispyware 2007\RTMonitor.dat\c7ef9207da1a4a426429b29f\23a0eb3f2ef34cb077593589\a6161af1808746816780b4ae\#internal
C:\Program Files\winantispyware 2007\RTMonitor.dat\c7ef9207da1a4a426429b29f\23a0eb3f2ef34cb077593589\a6161af1808746816780b4ae\#name
C:\Program Files\winantispyware 2007\RTMonitor.dat\c7ef9207da1a4a426429b29f\23a0eb3f2ef34cb077593589\a6161af1808746816780b4ae\SOLAB
C:\Program Files\winantispyware 2007\RTMonitor.dat\c7ef9207da1a4a426429b29f\23a0eb3f2ef34cb077593589\a7f2fbe62b604951f2b732ae\#data
C:\Program Files\winantispyware 2007\RTMonitor.dat\c7ef9207da1a4a426429b29f\23a0eb3f2ef34cb077593589\a7f2fbe62b604951f2b732ae\#internal
C:\Program Files\winantispyware 2007\RTMonitor.dat\c7ef9207da1a4a426429b29f\23a0eb3f2ef34cb077593589\a7f2fbe62b604951f2b732ae\#name
C:\Program Files\winantispyware 2007\RTMonitor.dat\c7ef9207da1a4a426429b29f\23a0eb3f2ef34cb077593589\a7f2fbe62b604951f2b732ae\SOLAB
C:\Program Files\winantispyware 2007\RTMonitor.dat\c7ef9207da1a4a426429b29f\23a0eb3f2ef34cb077593589\a93066a16b504a6eefc0cea5\#data
C:\Program Files\winantispyware 2007\RTMonitor.dat\c7ef9207da1a4a426429b29f\23a0eb3f2ef34cb077593589\a93066a16b504a6eefc0cea5\#internal
C:\Program Files\winantispyware 2007\RTMonitor.dat\c7ef9207da1a4a426429b29f\23a0eb3f2ef34cb077593589\a93066a16b504a6eefc0cea5\#name
C:\Program Files\winantispyware 2007\RTMonitor.dat\c7ef9207da1a4a426429b29f\23a0eb3f2ef34cb077593589\a9c0bbe345dd4af5a8197cb0\#data
C:\Program Files\winantispyware 2007\RTMonitor.dat\c7ef9207da1a4a426429b29f\23a0eb3f2ef34cb077593589\a9c0bbe345dd4af5a8197cb0\#internal
C:\Program Files\winantispyware 2007\RTMonitor.dat\c7ef9207da1a4a426429b29f\23a0eb3f2ef34cb077593589\a9c0bbe345dd4af5a8197cb0\#name
C:\Program Files\winantispyware 2007\RTMonitor.dat\c7ef9207da1a4a426429b29f\23a0eb3f2ef34cb077593589\b911f8633cf442884bb61dbb\#data
C:\Program Files\winantispyware 2007\RTMonitor.dat\c7ef9207da1a4a426429b29f\23a0eb3f2ef34cb077593589\b911f8633cf442884bb61dbb\#internal
C:\Program Files\winantispyware 2007\RTMonitor.dat\c7ef9207da1a4a426429b29f\23a0eb3f2ef34cb077593589\b911f8633cf442884bb61dbb\#name
C:\Program Files\winantispyware 2007\RTMonitor.dat\c7ef9207da1a4a426429b29f\23a0eb3f2ef34cb077593589\b96249b99af24ac1261a2e97\#data
C:\Program Files\winantispyware 2007\RTMonitor.dat\c7ef9207da1a4a426429b29f\23a0eb3f2ef34cb077593589\b96249b99af24ac1261a2e97\#internal
C:\Program Files\winantispyware 2007\RTMonitor.dat\c7ef9207da1a4a426429b29f\23a0eb3f2ef34cb077593589\b96249b99af24ac1261a2e97\#name
C:\Program Files\winantispyware 2007\RTMonitor.dat\c7ef9207da1a4a426429b29f\23a0eb3f2ef34cb077593589\b96249b99af24ac1261a2e97\SOLAB
C:\Program Files\winantispyware 2007\RTMonitor.dat\c7ef9207da1a4a426429b29f\23a0eb3f2ef34cb077593589\bb53bba6ccc5462a0d81ff9e\#data
C:\Program Files\winantispyware 2007\RTMonitor.dat\c7ef9207da1a4a426429b29f\23a0eb3f2ef34cb077593589\bb53bba6ccc5462a0d81ff9e\#internal
C:\Program Files\winantispyware 2007\RTMonitor.dat\c7ef9207da1a4a426429b29f\23a0eb3f2ef34cb077593589\bb53bba6ccc5462a0d81ff9e\#name
C:\Program Files\winantispyware 2007\RTMonitor.dat\c7ef9207da1a4a426429b29f\23a0eb3f2ef34cb077593589\bb53bba6ccc5462a0d81ff9e\SOLAB
C:\Program Files\winantispyware 2007\RTMonitor.dat\c7ef9207da1a4a426429b29f\23a0eb3f2ef34cb077593589\bc12d4b7843e4cf953b40aa4\#data
C:\Program Files\winantispyware 2007\RTMonitor.dat\c7ef9207da1a4a426429b29f\23a0eb3f2ef34cb077593589\bc12d4b7843e4cf953b40aa4\#internal
C:\Program Files\winantispyware 2007\RTMonitor.dat\c7ef9207da1a4a426429b29f\23a0eb3f2ef34cb077593589\bc12d4b7843e4cf953b40aa4\#name
C:\Program Files\winantispyware 2007\RTMonitor.dat\c7ef9207da1a4a426429b29f\23a0eb3f2ef34cb077593589\c6ba0666715d4e409004feba\#data
C:\Program Files\winantispyware 2007\RTMonitor.dat\c7ef9207da1a4a426429b29f\23a0eb3f2ef34cb077593589\c6ba0666715d4e409004feba\#internal
C:\Program Files\winantispyware 2007\RTMonitor.dat\c7ef9207da1a4a426429b29f\23a0eb3f2ef34cb077593589\c6ba0666715d4e409004feba\#name
C:\Program Files\winantispyware 2007\RTMonitor.dat\c7ef9207da1a4a426429b29f\23a0eb3f2ef34cb077593589\c9d0eeeb9f9c4cb5501fd2b3\#data
C:\Program Files\winantispyware 2007\RTMonitor.dat\c7ef9207da1a4a426429b29f\23a0eb3f2ef34cb077593589\c9d0eeeb9f9c4cb5501fd2b3\#internal
C:\Program Files\winantispyware 2007\RTMonitor.dat\c7ef9207da1a4a426429b29f\23a0eb3f2ef34cb077593589\c9d0eeeb9f9c4cb5501fd2b3\#name
C:\Program Files\winantispyware 2007\RTMonitor.dat\c7ef9207da1a4a426429b29f\23a0eb3f2ef34cb077593589\c9d0eeeb9f9c4cb5501fd2b3\SOLAB
C:\Program Files\winantispyware 2007\RTMonitor.dat\c7ef9207da1a4a426429b29f\23a0eb3f2ef34cb077593589\d1053d627a2c404ba2c74c82\#data
C:\Program Files\winantispyware 2007\RTMonitor.dat\c7ef9207da1a4a426429b29f\23a0eb3f2ef34cb077593589\d1053d627a2c404ba2c74c82\#internal
C:\Program Files\winantispyware 2007\RTMonitor.dat\c7ef9207da1a4a426429b29f\23a0eb3f2ef34cb077593589\d1053d627a2c404ba2c74c82\#name
C:\Program Files\winantispyware 2007\RTMonitor.dat\c7ef9207da1a4a426429b29f\23a0eb3f2ef34cb077593589\d3d2e877b7be400284d020a9\#data
C:\Program Files\winantispyware 2007\RTMonitor.dat\c7ef9207da1a4a426429b29f\23a0eb3f2ef34cb077593589\d3d2e877b7be400284d020a9\#internal
C:\Program Files\winantispyware 2007\RTMonitor.dat\c7ef9207da1a4a426429b29f\23a0eb3f2ef34cb077593589\d3d2e877b7be400284d020a9\#name
C:\Program Files\winantispyware 2007\RTMonitor.dat\c7ef9207da1a4a426429b29f\23a0eb3f2ef34cb077593589\d49c00a4949048b9d743eb86\#data
C:\Program Files\winantispyware 2007\RTMonitor.dat\c7ef9207da1a4a426429b29f\23a0eb3f2ef34cb077593589\d49c00a4949048b9d743eb86\#internal
C:\Program Files\winantispyware 2007\RTMonitor.dat\c7ef9207da1a4a426429b29f\23a0eb3f2ef34cb077593589\d49c00a4949048b9d743eb86\#name
C:\Program Files\winantispyware 2007\RTMonitor.dat\c7ef9207da1a4a426429b29f\23a0eb3f2ef34cb077593589\d49c00a4949048b9d743eb86\SOLAB
C:\Program Files\winantispyware 2007\RTMonitor.dat\c7ef9207da1a4a426429b29f\23a0eb3f2ef34cb077593589\dbbd8f6027c64c77ada38581\#data
C:\Program Files\winantispyware 2007\RTMonitor.dat\c7ef9207da1a4a426429b29f\23a0eb3f2ef34cb077593589\dbbd8f6027c64c77ada38581\#internal
C:\Program Files\winantispyware 2007\RTMonitor.dat\c7ef9207da1a4a426429b29f\23a0eb3f2ef34cb077593589\dbbd8f6027c64c77ada38581\#name
C:\Program Files\winantispyware 2007\RTMonitor.dat\c7ef9207da1a4a426429b29f\23a0eb3f2ef34cb077593589\df2385514efc4ae491a5c2a2\#data
C:\Program Files\winantispyware 2007\RTMonitor.dat\c7ef9207da1a4a426429b29f\23a0eb3f2ef34cb077593589\df2385514efc4ae491a5c2a2\#internal
C:\Program Files\winantispyware 2007\RTMonitor.dat\c7ef9207da1a4a426429b29f\23a0eb3f2ef34cb077593589\df2385514efc4ae491a5c2a2\#name
C:\Program Files\winantispyware 2007\RTMonitor.dat\c7ef9207da1a4a426429b29f\23a0eb3f2ef34cb077593589\df2385514efc4ae491a5c2a2\SOLAB
C:\Program Files\winantispyware 2007\RTMonitor.dat\c7ef9207da1a4a426429b29f\23a0eb3f2ef34cb077593589\df29201123734020c102aab6\#data
C:\Program Files\winantispyware 2007\RTMonitor.dat\c7ef9207da1a4a426429b29f\23a0eb3f2ef34cb077593589\df29201123734020c102aab6\#internal
C:\Program Files\winantispyware 2007\RTMonitor.dat\c7ef9207da1a4a426429b29f\23a0eb3f2ef34cb077593589\df29201123734020c102aab6\#name
C:\Program Files\winantispyware 2007\RTMonitor.dat\c7ef9207da1a4a426429b29f\23a0eb3f2ef34cb077593589\df29201123734020c102aab6\SOLAB
C:\Program Files\winantispyware 2007\RTMonitor.dat\c7ef9207da1a4a426429b29f\23a0eb3f2ef34cb077593589\e38e1b12d5de4b179f6d2384\#data
C:\Program Files\winantispyware 2007\RTMonitor.dat\c7ef9207da1a4a426429b29f\23a0eb3f2ef34cb077593589\e38e1b12d5de4b179f6d2384\#internal
C:\Program Files\winantispyware 2007\RTMonitor.dat\c7ef9207da1a4a426429b29f\23a0eb3f2ef34cb077593589\e38e1b12d5de4b179f6d2384\#name
C:\Program Files\winantispyware 2007\RTMonitor.dat\c7ef9207da1a4a426429b29f\23a0eb3f2ef34cb077593589\e38e1b12d5de4b179f6d2384\SOLAB
C:\Program Files\winantispyware 2007\RTMonitor.dat\c7ef9207da1a4a426429b29f\23a0eb3f2ef34cb077593589\e651221c00724020038770a3\#data
C:\Program Files\winantispyware 2007\RTMonitor.dat\c7ef9207da1a4a426429b29f\23a0eb3f2ef34cb077593589\e651221c00724020038770a3\#internal
C:\Program Files\winantispyware 2007\RTMonitor.dat\c7ef9207da1a4a426429b29f\23a0eb3f2ef34cb077593589\e651221c00724020038770a3\#name
C:\Program Files\winantispyware 2007\RTMonitor.dat\c7ef9207da1a4a426429b29f\23a0eb3f2ef34cb077593589\e651221c00724020038770a3\SOLAB
C:\Program Files\winantispyware 2007\RTMonitor.dat\c7ef9207da1a4a426429b29f\23a0eb3f2ef34cb077593589\e65cf584dbb449a50cc48987\#data
C:\Program Files\winantispyware 2007\RTMonitor.dat\c7ef9207da1a4a426429b29f\23a0eb3f2ef34cb077593589\e65cf584dbb449a50cc48987\#internal
C:\Program Files\winantispyware 2007\RTMonitor.dat\c7ef9207da1a4a426429b29f\23a0eb3f2ef34cb077593589\e65cf584dbb449a50cc48987\#name
C:\Program Files\winantispyware 2007\RTMonitor.dat\c7ef9207da1a4a426429b29f\23a0eb3f2ef34cb077593589\e7102455b76a45e8cb10f8ab\#data
C:\Program Files\winantispyware 2007\RTMonitor.dat\c7ef9207da1a4a426429b29f\23a0eb3f2ef34cb077593589\e7102455b76a45e8cb10f8ab\#internal
C:\Program Files\winantispyware 2007\RTMonitor.dat\c7ef9207da1a4a426429b29f\23a0eb3f2ef34cb077593589\e7102455b76a45e8cb10f8ab\#name
C:\Program Files\winantispyware 2007\RTMonitor.dat\c7ef9207da1a4a426429b29f\23a0eb3f2ef34cb077593589\ec9b9ac7fece4238a9c10f9c\#data
C:\Program Files\winantispyware 2007\RTMonitor.dat\c7ef9207da1a4a426429b29f\23a0eb3f2ef34cb077593589\ec9b9ac7fece4238a9c10f9c\#internal
C:\Program Files\winantispyware 2007\RTMonitor.dat\c7ef9207da1a4a426429b29f\23a0eb3f2ef34cb077593589\ec9b9ac7fece4238a9c10f9c\#name
C:\Program Files\winantispyware 2007\RTMonitor.dat\c7ef9207da1a4a426429b29f\23a0eb3f2ef34cb077593589\f4832e3b35244bc2b5097592\#data
C:\Program Files\winantispyware 2007\RTMonitor.dat\c7ef9207da1a4a426429b29f\23a0eb3f2ef34cb077593589\f4832e3b35244bc2b5097592\#internal
C:\Program Files\winantispyware 2007\RTMonitor.dat\c7ef9207da1a4a426429b29f\23a0eb3f2ef34cb077593589\f4832e3b35244bc2b5097592\#name
C:\Program Files\winantispyware 2007\RTMonitor.dat\c7ef9207da1a4a426429b29f\23a0eb3f2ef34cb077593589\fa74c920c15e4e25709ebf8d\#data
C:\Program Files\winantispyware 2007\RTMonitor.dat\c7ef9207da1a4a426429b29f\23a0eb3f2ef34cb077593589\fa74c920c15e4e25709ebf8d\#internal
C:\Program Files\winantispyware 2007\RTMonitor.dat\c7ef9207da1a4a426429b29f\23a0eb3f2ef34cb077593589\fa74c920c15e4e25709ebf8d\#name
C:\Program Files\winantispyware 2007\RTMonitor.dat\c7ef9207da1a4a426429b29f\23a0eb3f2ef34cb077593589\fbe6dbe87bba4690f0112f9f\#data
C:\Program Files\winantispyware 2007\RTMonitor.dat\c7ef9207da1a4a426429b29f\23a0eb3f2ef34cb077593589\fbe6dbe87bba4690f0112f9f\#internal
C:\Program Files\winantispyware 2007\RTMonitor.dat\c7ef9207da1a4a426429b29f\23a0eb3f2ef34cb077593589\fbe6dbe87bba4690f0112f9f\#name
C:\Program Files\winantispyware 2007\RTMonitor.dat\c7ef9207da1a4a426429b29f\23a0eb3f2ef34cb077593589\fe4974440fb441269a2250a5\#data
C:\Program Files\winantispyware 2007\RTMonitor.dat\c7ef9207da1a4a426429b29f\23a0eb3f2ef34cb077593589\fe4974440fb441269a2250a5\#internal
C:\Program Files\winantispyware 2007\RTMonitor.dat\c7ef9207da1a4a426429b29f\23a0eb3f2ef34cb077593589\fe4974440fb441269a2250a5\#name

pritam79

49 Posts

July 14th, 2007 18:00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktopChanges"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSaveSettings"=0 (0x0)
"NoThemesTab"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{4567AB12-B980-44A5-B259-9B09EBEA6331}"="C:\Program Files\WinAntiSpyware 2007\shellext.dll" []