Problems with Spyware, Malware and Viruses on Dell Laptop

John Lane · #1 (**permalink**) 28-03-2009, 09:12 PM

I am trying to get my mother in laws laptop up and running good again. They were not running anti-virus or spywar edetection problems and the machine is very slow now. The laptop is a Dell Insprion 1100. I can get it one the internet and go to regular websites but the minite a try to go to any page that trys to let you enter a passwaord and user name Internet Explorer puts up the white screen telling me I have a connection problem with the internet.

I have run a full scan using AVG anti vrus and Spybot. They pick up Drive Cleaner and EGDAccess as well as a several other issues. Also each time I start the machine I get a warning that EGDAccess_1058.dll can't be loaded,

Here are the log files I have so far from the scans from AVG, Spybot and Hijackthis:

For AVG Anti-virus:

Scan "Scan whole computer" was finished.
Infections;"3";"3";"0"
Spyware;"13";"13";"0"
Folders selected for scanning:;"Scan whole computer"
Scan started:;"Thursday, March 26, 2009, 11:41:40 PM"
Scan finished:;"Friday, March 27, 2009, 1:17:13 AM (1 hour(s) 35 minute(s) 32 second(s))"
Total object scanned:;"222082"
User who launched the scan:;"Yolanda"

Infections
File;"Infection";"Result"
C:\Program Files\DriveCleaner Freeware\InstHelp.exe;"Trojan horse Downloader.Generic_r.Q";"Moved to Virus Vault"
C:\WINDOWS\SYSTEM32\msclock32.dll;"Trojan horse Adload_r.GP";"Moved to Virus Vault"
C:\WINDOWS\SYSTEM32\msplock32.dll;"Trojan horse Adload_r.GP";"Moved to Virus Vault"

Spyware
File;"Infection";"Result"
C:\Program Files\Common Files\DriveCleaner Freeware\dcsm.exe;"Potentially harmful program WinFixer.SC";"Moved to Virus Vault"
C:\Program Files\Common Files\DriveCleaner Freeware\dcsm.exe;"Potentially harmful program WinFixer.SC";"Moved to Virus Vault"
C:\Program Files\Common Files\DriveCleaner Freeware\dcsm.exe (1484);"Potentially harmful program WinFixer.SC";"Reboot is required to finish the action"
C:\Program Files\DriveCleaner Freeware\UDC6_cw.exe;"Potentially harmful program WinFixer.AKN";"Moved to Virus Vault"
C:\Program Files\DriveCleaner Freeware\UDC6_cw.exe;"Potentially harmful program WinFixer.AKN";"Moved to Virus Vault"
C:\Program Files\DriveCleaner Freeware\UDC6_cw.exe (1356);"Potentially harmful program WinFixer.AKN";"Reboot is required to finish the action"
C:\WINDOWS\eg_auth_1047.dll;"Potentially harmful program Dialer.LO";"Moved to Virus Vault"
C:\WINDOWS\p2esocks_1047.dll;"Potentially harmful program Dialer.LO";"Moved to Virus Vault"
C:\WINDOWS\SYSTEM32\eg_auth_srv_1047.dll;"Potentia lly harmful program Dialer.LO";"Moved to Virus Vault"
C:\WINDOWS\SYSTEM32\EGACCESS.dll;"Potentially harmful program Dialer.BSL";"Moved to Virus Vault"
C:\WINDOWS\SYSTEM32\egaccess4_1061.dll;"Potentiall y harmful program Dialer.BSL";"Moved to Virus Vault"
C:\WINDOWS\SYSTEM32\EGDACCESS.dll;"Potentially harmful program Dialer.AUW";"Moved to Virus Vault"
C:\WINDOWS\SYSTEM32\sysinetsvc32.dll;"Potentially harmful program Dialer.DX";"Moved to Virus Vault"

Warnings
File;"Infection";"Result"
C:\Documents and Settings\Yolanda\Cookies\yolanda@ad.yieldmanager[2].txt;"Found Tracking cookie.Yieldmanager";"Moved to Virus Vault"
C:\Documents and Settings\Yolanda\Cookies\yolanda@ad.yieldmanager[2].txt:\ad.yieldmanager.com.539b0606;"Found Tracking cookie.Yieldmanager";"Moved to Virus Vault"
C:\Documents and Settings\Yolanda\Cookies\yolanda@ad.yieldmanager[2].txt:\ad.yieldmanager.com.557bf2b0;"Found Tracking cookie.Yieldmanager";"Moved to Virus Vault"
C:\Documents and Settings\Yolanda\Cookies\yolanda@adopt.euroclick[1].txt;"Found Tracking cookie.Euroclick";"Moved to Virus Vault"
C:\Documents and Settings\Yolanda\Cookies\yolanda@adopt.euroclick[1].txt:\adopt.euroclick.com.891542da;"Found Tracking cookie.Euroclick";"Moved to Virus Vault"
C:\Documents and Settings\Yolanda\Cookies\yolanda@adopt.euroclick[1].txt:\adopt.euroclick.com.fb764ef7;"Found Tracking cookie.Euroclick";"Moved to Virus Vault"
C:\Documents and Settings\Yolanda\Cookies\yolanda@adopt.euroclick[1].txt:\adopt.euroclick.com.ffe11db7;"Found Tracking cookie.Euroclick";"Moved to Virus Vault"
C:\Documents and Settings\Yolanda\Cookies\yolanda@adrevolver[1].txt;"Found Tracking cookie.Adrevolver";"Moved to Virus Vault"
C:\Documents and Settings\Yolanda\Cookies\yolanda@adrevolver[1].txt:\adrevolver.com.61b5dd52;"Found Tracking cookie.Adrevolver";"Moved to Virus Vault"
C:\Documents and Settings\Yolanda\Cookies\yolanda@adrevolver[1].txt:\adrevolver.com.9b9d670a;"Found Tracking cookie.Adrevolver";"Moved to Virus Vault"
C:\Documents and Settings\Yolanda\Cookies\yolanda@adrevolver[1].txt:\adrevolver.com.f6cfcad4;"Found Tracking cookie.Adrevolver";"Moved to Virus Vault"
C:\Documents and Settings\Yolanda\Cookies\yolanda@atdmt[1].txt;"Found Tracking cookie.Atdmt";"Moved to Virus Vault"
C:\Documents and Settings\Yolanda\Cookies\yolanda@atdmt[1].txt:\atdmt.com.b3e33b5f;"Found Tracking cookie.Atdmt";"Moved to Virus Vault"
C:\Documents and Settings\Yolanda\Cookies\yolanda@burstnet[2].txt;"Found Tracking cookie.Burstnet";"Moved to Virus Vault"
C:\Documents and Settings\Yolanda\Cookies\yolanda@burstnet[2].txt:\burstnet.com.a3218a37;"Found Tracking cookie.Burstnet";"Moved to Virus Vault"
C:\Documents and Settings\Yolanda\Cookies\yolanda@burstnet[2].txt:\burstnet.com.c4fe2ebb;"Found Tracking cookie.Burstnet";"Moved to Virus Vault"
C:\Documents and Settings\Yolanda\Cookies\yolanda@hypertracker[1].txt;"Found Tracking cookie.Hypertracker";"Moved to Virus Vault"
C:\Documents and Settings\Yolanda\Cookies\yolanda@hypertracker[1].txt:\hypertracker.com.7c8fd7e2;"Found Tracking cookie.Hypertracker";"Moved to Virus Vault"
C:\Documents and Settings\Yolanda\Cookies\yolanda@overture[2].txt;"Found Tracking cookie.Overture";"Moved to Virus Vault"
C:\Documents and Settings\Yolanda\Cookies\yolanda@m.webtrends[1].txt;"Found Tracking cookie.Webtrends";"Moved to Virus Vault"
C:\Documents and Settings\Yolanda\Cookies\yolanda@m.webtrends[1].txt:\m.webtrends.com.b4ca7df0;"Found Tracking cookie.Webtrends";"Moved to Virus Vault"
C:\Documents and Settings\Yolanda\Cookies\yolanda@media.adrevolver[1].txt;"Found Tracking cookie.Adrevolver";"Moved to Virus Vault"
C:\Documents and Settings\Yolanda\Cookies\yolanda@media.adrevolver[1].txt:\media.adrevolver.com.5fed601d;"Found Tracking cookie.Adrevolver";"Moved to Virus Vault"
C:\Documents and Settings\Yolanda\Cookies\yolanda@msnportal.112.2o7[1].txt;"Found Tracking cookie.2o7";"Moved to Virus Vault"
C:\Documents and Settings\Yolanda\Cookies\yolanda@msnportal.112.2o7[1].txt:\msnportal.112.2o7.net.7225be6f;"Found Tracking cookie.2o7";"Moved to Virus Vault"
C:\Documents and Settings\Yolanda\Cookies\yolanda@overture[2].txt:\overture.com.52ca467a;"Found Tracking cookie.Overture";"Moved to Virus Vault"
C:\Documents and Settings\Yolanda\Cookies\yolanda@overture[2].txt:\overture.com.d727de6f;"Found Tracking cookie.Overture";"Moved to Virus Vault"
C:\Documents and Settings\Yolanda\Cookies\yolanda@questionmarket[2].txt;"Found Tracking cookie.Questionmarket";"Moved to Virus Vault"
C:\Documents and Settings\Yolanda\Cookies\yolanda@questionmarket[2].txt:\questionmarket.com.3eb5a9f1;"Found Tracking cookie.Questionmarket";"Moved to Virus Vault"
C:\Documents and Settings\Yolanda\Cookies\yolanda@questionmarket[2].txt:\questionmarket.com.4dd5e426;"Found Tracking cookie.Questionmarket";"Moved to Virus Vault"
C:\Documents and Settings\Yolanda\Cookies\yolanda@realmedia[1].txt;"Found Tracking cookie.Realmedia";"Moved to Virus Vault"
C:\Documents and Settings\Yolanda\Cookies\yolanda@realmedia[1].txt:\realmedia.com.68087763;"Found Tracking cookie.Realmedia";"Moved to Virus Vault"
C:\Documents and Settings\Yolanda\Cookies\yolanda@revsci[1].txt;"Found Tracking cookie.Revsci";"Moved to Virus Vault"
C:\Documents and Settings\Yolanda\Cookies\yolanda@revsci[1].txt:\revsci.net.2df99d79;"Found Tracking cookie.Revsci";"Moved to Virus Vault"
C:\Documents and Settings\Yolanda\Cookies\yolanda@revsci[1].txt:\revsci.net.44927ec;"Found Tracking cookie.Revsci";"Moved to Virus Vault"
C:\Documents and Settings\Yolanda\Cookies\yolanda@revsci[1].txt:\revsci.net.50e13b1b;"Found Tracking cookie.Revsci";"Moved to Virus Vault"
C:\Documents and Settings\Yolanda\Cookies\yolanda@revsci[1].txt:\revsci.net.55564293;"Found Tracking cookie.Revsci";"Moved to Virus Vault"
C:\Documents and Settings\Yolanda\Cookies\yolanda@revsci[1].txt:\revsci.net.e9dbeb91;"Found Tracking cookie.Revsci";"Moved to Virus Vault"
C:\Documents and Settings\Yolanda\Cookies\yolanda@smartadserver[1].txt;"Found Tracking cookie.Smartadserver";"Moved to Virus Vault"
C:\Documents and Settings\Yolanda\Cookies\yolanda@smartadserver[1].txt:\smartadserver.com.321a5cf8;"Found Tracking cookie.Smartadserver";"Moved to Virus Vault"
C:\Documents and Settings\Yolanda\Cookies\yolanda@smartadserver[1].txt:\smartadserver.com.c5827141;"Found Tracking cookie.Smartadserver";"Moved to Virus Vault"
C:\Documents and Settings\Yolanda\Cookies\yolanda@smartadserver[1].txt:\smartadserver.com.5550c4ed;"Found Tracking cookie.Smartadserver";"Moved to Virus Vault"
C:\Documents and Settings\Yolanda\Cookies\yolanda@tacoda[1].txt;"Found Tracking cookie.Tacoda";"Moved to Virus Vault"
C:\Documents and Settings\Yolanda\Cookies\yolanda@tacoda[1].txt:\tacoda.net.27341d57;"Found Tracking cookie.Tacoda";"Moved to Virus Vault"
C:\Documents and Settings\Yolanda\Cookies\yolanda@tacoda[1].txt:\tacoda.net.4366831a;"Found Tracking cookie.Tacoda";"Moved to Virus Vault"
C:\Documents and Settings\Yolanda\Cookies\yolanda@tacoda[1].txt:\tacoda.net.5935e89;"Found Tracking cookie.Tacoda";"Moved to Virus Vault"
C:\Documents and Settings\Yolanda\Cookies\yolanda@tacoda[1].txt:\tacoda.net.c4fe2ebb;"Found Tracking cookie.Tacoda";"Moved to Virus Vault"
C:\Documents and Settings\Yolanda\Cookies\yolanda@tacoda[1].txt:\tacoda.net.ed9c50d1;"Found Tracking cookie.Tacoda";"Moved to Virus Vault"
C:\Documents and Settings\Yolanda\Cookies\yolanda@tribalfusion[1].txt;"Found Tracking cookie.Tribalfusion";"Moved to Virus Vault"
C:\Documents and Settings\Yolanda\Cookies\yolanda@tribalfusion[1].txt:\tribalfusion.com.5eef93d0;"Found Tracking cookie.Tribalfusion";"Moved to Virus Vault"
C:\Documents and Settings\Yolanda\Cookies\yolanda@tribalfusion[1].txt:\tribalfusion.com.7610f0e0;"Found Tracking cookie.Tribalfusion";"Moved to Virus Vault"
C:\Documents and Settings\Yolanda\Cookies\yolanda@tribalfusion[1].txt:\tribalfusion.com.8b22ad8c;"Found Tracking cookie.Tribalfusion";"Moved to Virus Vault"
C:\Documents and Settings\Yolanda\Cookies\yolanda@tribalfusion[1].txt:\tribalfusion.com.9bc3e98f;"Found Tracking cookie.Tribalfusion";"Moved to Virus Vault"
C:\Documents and Settings\Yolanda\Cookies\yolanda@tribalfusion[1].txt:\tribalfusion.com.dcc03271;"Found Tracking cookie.Tribalfusion";"Moved to Virus Vault"
HKLM\Software\Microsoft\Windows\CurrentVersion\Run \\Salestart;"Found registry key with reference to infected file C:\Program Files\Common Files\DriveCleaner Freeware\dcsm.exe";"Moved to Virus Vault"
HKLM\Software\Microsoft\Windows\CurrentVersion\Run \\UDC6_cw;"Found registry key with reference to infected file C:\Program Files\DriveCleaner Freeware\UDC6_cw.exe";"Moved to Virus Vault"

For Sypbot:

--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---

2009-01-26 blindman.exe (1.0.0.8)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 SDShred.exe (1.0.2.5)
2009-01-26 SDUpdate.exe (1.6.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-03-05 TeaTimer.exe (1.6.6.32)
2009-03-27 unins000.exe (51.49.0.0)
2009-01-26 Update.exe (1.6.0.7)
2009-01-26 advcheck.dll (1.6.2.15)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2009-01-26 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2009-01-26 Tools.dll (2.1.6.10)
2009-01-16 UninsSrv.dll (1.0.0.0)
2009-01-22 Includes\Adware.sbi
2009-03-25 Includes\AdwareC.sbi
2009-01-22 Includes\Cookies.sbi
2009-03-25 Includes\Dialer.sbi
2009-03-25 Includes\DialerC.sbi
2009-01-22 Includes\HeavyDuty.sbi
2009-02-10 Includes\Hijackers.sbi
2009-03-03 Includes\HijackersC.sbi
2009-03-17 Includes\Keyloggers.sbi
2009-03-17 Includes\KeyloggersC.sbi
2004-11-29 Includes\LSP.sbi
2009-03-25 Includes\Malware.sbi
2009-03-25 Includes\MalwareC.sbi
2009-03-25 Includes\PUPS.sbi
2009-03-25 Includes\PUPSC.sbi
2009-01-22 Includes\Revision.sbi
2009-01-13 Includes\Security.sbi
2009-03-23 Includes\SecurityC.sbi
2008-06-03 Includes\Spybots.sbi
2008-06-03 Includes\SpybotsC.sbi
2009-01-28 Includes\Spyware.sbi
2009-01-28 Includes\SpywareC.sbi
2009-03-25 Includes\Tracks.uti
2009-03-25 Includes\Trojans.sbi
2009-03-25 Includes\TrojansC.sbi
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll

--- System information ---
Windows XP (Build: 2600) Service Pack 2 (5.1.2600)
/ .NETFramework / 1.1: Microsoft .NET Framework 1.1 Hotfix (KB928366)
/ .NETFramework / 1.1: Microsoft .NET Framework 1.1 Service Pack 1 (KB867460)
/ DataAccess: Security Update for Microsoft Data Access Components
/ Internet Explorer 6 / SP1: Windows XP Hotfix - KB867282
/ Step By Step Interactive Training / SP2: Security Update for Step By Step Interactive Training (KB898458)
/ Step By Step Interactive Training / SP2: Security Update for Step By Step Interactive Training (KB923723)
/ Windows / SP1: Microsoft Internationalized Domain Names Mitigation APIs
/ Windows / SP1: Microsoft National Language Support Downlevel APIs
/ Windows Media Player: Windows Media Player Hotfix [See Q828026 for more information]
/ Windows Media Player / SP0: Windows Media Player Hotfix [See Q828026 for more information]
/ Windows Media Player: Windows Media Update 817787
/ Windows Media Player 6.4: Security Update for Windows Media Player 6.4 (KB925398)
/ Windows Media Player 9: Security Update for Windows Media Player 9 (KB917734)
/ Windows Media Player 9: Security Update for Windows Media Player 9 (KB936782)
/ Windows Media Player 9 / SP0: Windows Media Player 9 Hotfix [See KB885492 for more information]
/ Windows XP: Security Update for Windows XP (KB923689)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB933566)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB938127-v2)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB956390)
/ Windows XP / SP2: Windows XP Service Pack 2
/ Windows XP / SP3: Windows XP Hotfix - KB867282
/ Windows XP / SP3: Windows XP Hotfix - KB873333
/ Windows XP / SP3: Windows XP Hotfix - KB873339
/ Windows XP / SP3: Windows XP Hotfix - KB885250
/ Windows XP / SP3: Windows XP Hotfix - KB885835
/ Windows XP / SP3: Windows XP Hotfix - KB885836
/ Windows XP / SP3: Windows XP Hotfix - KB885884
/ Windows XP / SP3: Windows XP Hotfix - KB886185
/ Windows XP / SP3: Windows XP Hotfix - KB887472
/ Windows XP / SP3: Windows XP Hotfix - KB887742
/ Windows XP / SP3: Windows XP Hotfix - KB888113
/ Windows XP / SP3: Windows XP Hotfix - KB888302
/ Windows XP / SP3: Security Update for Windows XP (KB890046)
/ Windows XP / SP3: Windows XP Hotfix - KB890047
/ Windows XP / SP3: Windows XP Hotfix - KB890175
/ Windows XP / SP3: Windows XP Hotfix - KB890859
/ Windows XP / SP3: Windows XP Hotfix - KB890923
/ Windows XP / SP3: Windows XP Hotfix - KB891781
/ Windows XP / SP3: Security Update for Windows XP (KB893066)
/ Windows XP / SP3: Windows XP Hotfix - KB893086
/ Windows XP / SP3: Security Update for Windows XP (KB893756)
/ Windows XP / SP3: Windows Installer 3.1 (KB893803)
/ Windows XP / SP3: Windows Installer 3.1 (KB893803)
/ Windows XP / SP3: Update for Windows XP (KB894391)
/ Windows XP / SP3: Security Update for Windows XP (KB896358)
/ Windows XP / SP3: Security Update for Windows XP (KB896422)
/ Windows XP / SP3: Security Update for Windows XP (KB896423)
/ Windows XP / SP3: Security Update for Windows XP (KB896424)
/ Windows XP / SP3: Security Update for Windows XP (KB896428)
/ Windows XP / SP3: Security Update for Windows XP (KB896688)
/ Windows XP / SP3: Update for Windows XP (KB898461)
/ Windows XP / SP3: Security Update for Windows XP (KB899587)
/ Windows XP / SP3: Security Update for Windows XP (KB899591)
/ Windows XP / SP3: Update for Windows XP (KB900485)
/ Windows XP / SP3: Security Update for Windows XP (KB900725)
/ Windows XP / SP3: Security Update for Windows XP (KB901017)
/ Windows XP / SP3: Security Update for Windows XP (KB901214)
/ Windows XP / SP3: Security Update for Windows XP (KB902400)
/ Windows XP / SP3: Security Update for Windows XP (KB904706)
/ Windows XP / SP3: Update for Windows XP (KB904942)
/ Windows XP / SP3: Security Update for Windows XP (KB905414)
/ Windows XP / SP3: Security Update for Windows XP (KB905749)
/ Windows XP / SP3: Security Update for Windows XP (KB905915)
/ Windows XP / SP3: Security Update for Windows XP (KB908519)
/ Windows XP / SP3: Security Update for Windows XP (KB908531)
/ Windows XP / SP3: Update for Windows XP (KB910437)
/ Windows XP / SP3: Update for Windows XP (KB911280)
/ Windows XP / SP3: Security Update for Windows XP (KB911562)
/ Windows XP / SP3: Security Update for Windows XP (KB911567)
/ Windows XP / SP3: Security Update for Windows XP (KB911927)
/ Windows XP / SP3: Security Update for Windows XP (KB912812)
/ Windows XP / SP3: Security Update for Windows XP (KB912919)
/ Windows XP / SP3: Security Update for Windows XP (KB913446)
/ Windows XP / SP3: Security Update for Windows XP (KB913580)
/ Windows XP / SP3: Security Update for Windows XP (KB914388)
/ Windows XP / SP3: Security Update for Windows XP (KB914389)
/ Windows XP / SP3: Hotfix for Windows XP (KB914440)
/ Windows XP / SP3: Hotfix for Windows XP (KB915865)
/ Windows XP / SP3: Update for Windows XP (KB916595)
/ Windows XP / SP3: Security Update for Windows XP (KB917344)
/ Windows XP / SP3: Security Update for Windows XP (KB917422)
/ Windows XP / SP3: Security Update for Windows XP (KB917953)
/ Windows XP / SP3: Security Update for Windows XP (KB918118)
/ Windows XP / SP3: Security Update for Windows XP (KB918439)
/ Windows XP / SP3: Security Update for Windows XP (KB919007)
/ Windows XP / SP3: Security Update for Windows XP (KB920213)
/ Windows XP / SP3: Security Update for Windows XP (KB920670)
/ Windows XP / SP3: Security Update for Windows XP (KB920683)
/ Windows XP / SP3: Security Update for Windows XP (KB920685)
/ Windows XP / SP3: Update for Windows XP (KB920872)
/ Windows XP / SP3: Security Update for Windows XP (KB921398)
/ Windows XP / SP3: Update for Windows XP (KB922582)
/ Windows XP / SP3: Security Update for Windows XP (KB922616)
/ Windows XP / SP3: Security Update for Windows XP (KB922819)
/ Windows XP / SP3: Security Update for Windows XP (KB923191)
/ Windows XP / SP3: Security Update for Windows XP (KB923414)
/ Windows XP / SP3: Security Update for Windows XP (KB923694)
/ Windows XP / SP3: Security Update for Windows XP (KB923980)
/ Windows XP / SP3: Security Update for Windows XP (KB924191)
/ Windows XP / SP3: Security Update for Windows XP (KB924270)
/ Windows XP / SP3: Security Update for Windows XP (KB924496)
/ Windows XP / SP3: Security Update for Windows XP (KB924667)
/ Windows XP / SP3: Security Update for Windows XP (KB925454)
/ Windows XP / SP3: Security Update for Windows XP (KB925902)
/ Windows XP / SP3: Security Update for Windows XP (KB926255)
/ Windows XP / SP3: Security Update for Windows XP (KB926436)
/ Windows XP / SP3: Security Update for Windows XP (KB927779)
/ Windows XP / SP3: Security Update for Windows XP (KB927802)
/ Windows XP / SP3: Update for Windows XP (KB927891)
/ Windows XP / SP3: Security Update for Windows XP (KB928255)
/ Windows XP / SP3: Security Update for Windows XP (KB928843)
/ Windows XP / SP3: Security Update for Windows XP (KB929123)
/ Windows XP / SP3: Security Update for Windows XP (KB929969)
/ Windows XP / SP3: Security Update for Windows XP (KB930178)
/ Windows XP / SP3: Update for Windows XP (KB930916)
/ Windows XP / SP3: Security Update for Windows XP (KB931261)
/ Windows XP / SP3: Security Update for Windows XP (KB931784)
/ Windows XP / SP3: Update for Windows XP (KB931836)
/ Windows XP / SP3: Security Update for Windows XP (KB932168)
/ Windows XP / SP3: Security Update for Windows XP (KB933729)
/ Windows XP / SP3: Security Update for Windows XP (KB935839)
/ Windows XP / SP3: Security Update for Windows XP (KB935840)
/ Windows XP / SP3: Update for Windows XP (KB936357)
/ Windows XP / SP3: Update for Windows XP (KB938828)
/ Windows XP / SP3: Security Update for Windows XP (KB941644)
/ Windows XP / SP3: Security Update for Windows XP (KB941693)
/ Windows XP / SP3: Security Update for Windows XP (KB943055)
/ Windows XP / SP3: Security Update for Windows XP (KB943460)
/ Windows XP / SP3: Security Update for Windows XP (KB944653)
/ Windows XP / SP3: Security Update for Windows XP (KB945553)
/ Windows XP / SP3: Security Update for Windows XP (KB946026)
/ Windows XP / SP3: Security Update for Windows XP (KB948590)
/ Windows XP / SP3: Security Update for Windows XP (KB948881)
/ Windows XP / SP3: Security Update for Windows XP (KB950749)
/ Windows XP / SP4: Security Update for Windows XP (KB938464)
/ Windows XP / SP4: Security Update for Windows XP (KB946648)
/ Windows XP / SP4: Security Update for Windows XP (KB950762)
/ Windows XP / SP4: Security Update for Windows XP (KB950974)
/ Windows XP / SP4: Security Update for Windows XP (KB951066)
/ Windows XP / SP4: Update for Windows XP (KB951072-v2)
/ Windows XP / SP4: Security Update for Windows XP (KB951376-v2)
/ Windows XP / SP4: Security Update for Windows XP (KB951698)
/ Windows XP / SP4: Hotfix for Windows XP (KB952287)
/ Windows XP / SP4: Security Update for Windows XP (KB952954)
/ Windows XP / SP4: Security Update for Windows XP (KB954211)
/ Windows XP / SP4: Security Update for Windows XP (KB955069)
/ Windows XP / SP4: Security Update for Windows XP (KB956391)
/ Windows XP / SP4: Security Update for Windows XP (KB956803)
/ Windows XP / SP4: Security Update for Windows XP (KB956841)
/ Windows XP / SP4: Security Update for Windows XP (KB957095)
/ Windows XP / SP4: Security Update for Windows XP (KB957097)
/ Windows XP / SP4: Security Update for Windows XP (KB958644)

--- Startup entries list ---
Located: HK_LM:Run, AdaptecDirectCD
command: "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
file: C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
size: 684032
MD5: BE3238A165AFB321F1696CC1FF9EF271

Located: HK_LM:Run, Adobe Photo Downloader
command: "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
file: C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
size: 63712
MD5: FC9E59FE8BC4FE05382CFF5C8FC59DE1

Located: HK_LM:Run, Adobe Reader Speed Launcher
command: "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
file: C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
size: 40048
MD5: 66D4456C920E21BD2188F8CC33680DF5

Located: HK_LM:Run, AVG8_TRAY
command: C:\PROGRA~1\AVG\AVG8\avgtray.exe
file: C:\PROGRA~1\AVG\AVG8\avgtray.exe
size: 1932568
MD5: CB0BC853D84A61457AA9DB16C46DA07E

Located: HK_LM:Run, DadApp
command: C:\Program Files\Dell\AccessDirect\dadapp.exe
file: C:\Program Files\Dell\AccessDirect\dadapp.exe
size: 208560
MD5: 8D986354AF1F003D1FF8AFFD3FA0118F

Located: HK_LM:Run, Dell QuickSet
command: C:\Program Files\Dell\QuickSet\quickset.exe
file: C:\Program Files\Dell\QuickSet\quickset.exe
size: 368640
MD5: 4E5E14F25545241B90D70B0035F18020

Located: HK_LM:Run, DriveCleaner Freeware
command: "C:\Program Files\DriveCleaner Freeware\UDC.exe" /min
file: C:\Program Files\DriveCleaner Freeware\UDC.exe
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_LM:Run, HotKeysCmds
command: C:\WINDOWS\system32\hkcmd.exe
file: C:\WINDOWS\system32\hkcmd.exe
size: 126976
MD5: E4CF942A4AEA9D27C87F190F65E7D0F6

Located: HK_LM:Run, IgfxTray
command: C:\WINDOWS\system32\igfxtray.exe
file: C:\WINDOWS\system32\igfxtray.exe
size: 155648
MD5: 093D3EE722542BA2E7AD929AA3CA6ABC

Located: HK_LM:Run, MMTray
command: C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
file: C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
size: 90112
MD5: CBBF60E054A7840C61513565377A8558

Located: HK_LM:Run, PCTVOICE
command: pctspk.exe
file: C:\WINDOWS\system32\pctspk.exe
size: 163840
MD5: 7BBED6A0BF998158E44CF9667C5D5860

Located: HK_LM:Run, RepliGo Assistant
command: "C:\Program Files\Cerience\RepliGo\RepliGoMon.exe"
file: C:\Program Files\Cerience\RepliGo\RepliGoMon.exe
size: 172032
MD5: B52553F69640B097F6D249B90E15FB79

Located: HK_LM:Run, SynTPEnh
command: C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
file: C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
size: 610304
MD5: 634DC62870B9E0C6C6AE25A75AC9895A

Located: HK_LM:Run, SynTPLpr
command: C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
file: C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
size: 110592
MD5: B437E814DC6AA842C482F64D9D2AFA1C

Located: HK_LM:Run, TkBellExe
command: "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
file: C:\Program Files\Common Files\Real\Update_OB\realsched.exe
size: 151597
MD5: A05DA809AC0D86D916D09E3A908D3A06

Located: HK_LM:Run, ycouweo
command: "c:\windows\system32\ycouweo.exe" ycouweo
file: c:\windows\system32\ycouweo.exe
size: 270336
MD5: 428AF2087BF7453FCF5650B32CC830BD

Located: HK_CU:Run, CTFMON.EXE
where: .DEFAULT...
command: C:\WINDOWS\System32\CTFMON.EXE
file: C:\WINDOWS\System32\CTFMON.EXE
size: 15360
MD5: 24232996A38C0B0CF151C2140AE29FC8

Located: HK_CU:Run, AROReminder
where: S-1-5-21-1104692837-1536990777-633625141-1007...
command: C:\Program Files\Advanced Registry Optimizer\aro.exe -rem
file: C:\Program Files\Advanced Registry Optimizer\aro.exe
size: 2084480
MD5: DB42EF9D743F7872C5BDA4A192F00B3F

Located: HK_CU:Run, ctfmon.exe
where: S-1-5-21-1104692837-1536990777-633625141-1007...
command: C:\WINDOWS\system32\ctfmon.exe
file: C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: 24232996A38C0B0CF151C2140AE29FC8

Located: HK_CU:Run, DellSupport
where: S-1-5-21-1104692837-1536990777-633625141-1007...
command: "C:\Program Files\DellSupport\DSAgnt.exe" /startup
file: C:\Program Files\DellSupport\DSAgnt.exe
size: 460784
MD5: B75FDBF14073D72C50624CC8338DD534

Located: HK_CU:Run, Instant Access
where: S-1-5-21-1104692837-1536990777-633625141-1007...
command: rundll32.exe EGDACCESS_1058.dll,InstantAccess
file: EGDACCESS_1058.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:Run, MsnMsgr
where: S-1-5-21-1104692837-1536990777-633625141-1007...
command: "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
file: C:\Program Files\MSN Messenger\MsnMsgr.Exe
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:Run, SpybotSD TeaTimer
where: S-1-5-21-1104692837-1536990777-633625141-1007...
command: C:\Program Files\Spybot - Search & Destroy 1.62\TeaTimer.exe
file: C:\Program Files\Spybot - Search & Destroy 1.62\TeaTimer.exe
size: 2260480
MD5: 390679F7A217A5E73D756276C40AE887

Located: HK_CU:Run, CTFMON.EXE
where: S-1-5-18...
command: C:\WINDOWS\System32\CTFMON.EXE
file: C:\WINDOWS\System32\CTFMON.EXE
size: 15360
MD5: 24232996A38C0B0CF151C2140AE29FC8

Located: Startup (common), DataViz Inc Messenger.lnk
where: C:\Documents and Settings\All Users\Start Menu\Programs\Startup...
command: C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
file: C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
size: 24576
MD5: 9CC0EE9CC93CD89427092FBFFD1BFF46

Located: Startup (common), Microsoft Office.lnk
where: C:\Documents and Settings\All Users\Start Menu\Programs\Startup...
command: C:\Program Files\Microsoft Office\Office10\OSA.EXE
file: C:\Program Files\Microsoft Office\Office10\OSA.EXE
size: 83360
MD5: 5BC65464354A9FD3BEAA28E18839734A

Located: Startup (common), WinZip Quick Pick.lnk
where: C:\Documents and Settings\All Users\Start Menu\Programs\Startup...
command: C:\Program Files\WinZip\WZQKPICK.EXE
file: C:\Program Files\WinZip\WZQKPICK.EXE
size: 118784
MD5: 67B2E7B6AE3B400D832F0456068EA83D

Located: Startup (common), Wireless Configuration Utility.lnk
where: C:\Documents and Settings\All Users\Start Menu\Programs\Startup...
command: C:\Program Files\802.11 Wireless LAN\802.11b Wireless CardBus & PCI Adapter HW.11 V1.10\WlanCU.exe
file: C:\Program Files\802.11 Wireless LAN\802.11b Wireless CardBus & PCI Adapter HW.11 V1.10\WlanCU.exe
size: 425984
MD5: DE85112B26ABD7315E2F27569841A608

Located: WinLogon, avgrsstarter
command: avgrsstx.dll
file: avgrsstx.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, crypt32chain
command: crypt32.dll
file: crypt32.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, cryptnet
command: cryptnet.dll
file: cryptnet.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, cscdll
command: cscdll.dll
file: cscdll.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, igfxcui
command: igfxsrvc.dll
file: igfxsrvc.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, ScCertProp
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, Schedule
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, sclgntfy
command: sclgntfy.dll
file: sclgntfy.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, SensLogn
command: WlNotify.dll
file: WlNotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, termsrv
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, wlballoon
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

--- Browser helper object list ---
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Adobe PDF Reader Link Helper
description: Adobe Acrobat reader
classification: Legitimate
known filename: AcroIEhelper.ocx<br>AcroIEhelper.dll
info link: Adobe - Adobe Reader download - All versions
info source: TonyKlein
Path: C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\
Long name: AcroIEHelper.dll
Short name: ACROIE~1.DLL
Date (created): 10/23/2006 12:08:42 AM
Date (last access): 3/28/2009 3:36:40 PM
Date (last write): 10/23/2006 12:08:42 AM
Filesize: 62080
Attributes: archive
MD5: C11F6A1F61481E24BE3FDC06EA6F7D2A
CRC32: E388508F
Version: 8.0.0.456

{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} (WormRadar.com IESiteBlocker.NavFilter)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Explorer\Browser Helper Objects\
BHO name: WormRadar.com IESiteBlocker.NavFilter
CLSID name: AVG Safe Search
Path: C:\Program Files\AVG\AVG8\
Long name: avgssie.dll
Short name:
Date (created): 3/26/2009 11:23:30 PM
Date (last access): 3/28/2009 3

16 PM
Date (last write): 3/26/2009 11:23:32 PM
Filesize: 1078552
Attributes: archive
MD5: A99B481A7EA094E13B5B99AA52AE1D82
CRC32: 55E8C189
Version: 8.5.0.268

{53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Spybot-S&D IE Protection
description: Spybot-S&D IE Browser plugin
classification: Legitimate
known filename: SDhelper.dll
info link: http://spybot.eon.net.au/
info source: Patrick M. Kolla
Path: C:\PROGRA~1\SPYBOT~1.62\
Long name: SDHelper.dll
Short name:
Date (created): 3/27/2009 7:14:52 PM
Date (last access): 3/28/2009 3:35:18 PM
Date (last write): 1/26/2009 3:31:02 PM
Filesize: 1879896
Attributes: archive
MD5: 022C2F6DCCDFA0AD73024D254E62AFAC
CRC32: 5BA24007
Version: 1.6.2.14

{91DE4477-9CDC-4806-9BCB-28A963988E94} (RepliGoIEHelperCtl Class)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: RepliGoIEHelperCtl Class
description: RepliGo, RepliGo
classification: Legitimate
known filename: RepliGoIEHelper.dll
info link: Cerience Corporation - RepliGo Document Solutions for Mobile Devices
info source: TonyKlein
Path: C:\Program Files\Cerience\RepliGo\
Long name: RepliGoIEHelper.dll
Short name: REPLIG~4.DLL
Date (created): 6/17/2004 6:54:56 PM
Date (last access): 3/28/2009 3:19:22 PM
Date (last write): 6/17/2004 6:54:56 PM
Filesize: 90112
Attributes: archive
MD5: 391B0BF0EE6C9B8EFD0994A010EB2DA0
CRC32: 1E87962D
Version: 2.0.7.4

{A057A204-BACC-4D26-9990-79A187E2698E} (AVG Security Toolbar)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: AVG Security Toolbar
Path: C:\PROGRA~1\AVG\AVG8\
Long name: avgtoolbar.dll
Short name: AVGTOO~1.DLL
Date (created): 3/26/2009 11:23:44 PM
Date (last access): 3/28/2009 3

34 PM
Date (last write): 3/26/2009 11:23:44 PM
Filesize: 1968920
Attributes: archive
MD5: BD1500BC147B2EFBD984B5AFFFB00C33
CRC32: 2711A7C5
Version: 5.0.2.486

{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} (Windows Live Toolbar Helper)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Windows Live Toolbar Helper
Path: C:\Program Files\Windows Live Toolbar\
Long name: msntb.dll
Short name:
Date (created): 10/11/2006 12:26:40 AM
Date (last access): 3/28/2009 3:36:42 PM
Date (last write): 10/11/2006 12:26:40 AM
Filesize: 544032
Attributes: archive
MD5: D638AFC241FCC42D15886CD26A3F1461
CRC32: EC0AD183
Version: 3.1.0.72

--- ActiveX list ---
DirectAnimation Java Classes (DirectAnimation Java Classes)
DPF name: DirectAnimation Java Classes
CLSID name:
Installer:
Codebase: file://C:\WINDOWS\Java\classes\dajava.cab
description:
classification: Legitimate
known filename: %WINDIR%\Java\classes\dajava.cab
info link:
info source: Patrick M. Kolla

Microsoft XML Parser for Java (Microsoft XML Parser for Java)
DPF name: Microsoft XML Parser for Java
CLSID name:
Installer:
Codebase: file://C:\WINDOWS\Java\classes\xmldso.cab
description:
classification: Legitimate
known filename: %WINDIR%\Java\classes\xmldso.cab
info link:
info source: Patrick M. Kolla

MultiVoice Web Client (MultiVoice Web Client)
DPF name: MultiVoice Web Client
CLSID name:
Installer:
Codebase: http://www.bancolombia.com/atencione.../mvwc_IEDU.cab

{26D73573-F1B3-48C9-A989-E6CE071957A1} ()
DPF name:
CLSID name:
Installer: C:\WINDOWS\Downloaded Program Files\EGDACCESS.inf
Codebase: http://akamai.downloadv3.com/binarie...SS_1057_XP.cab
description:
classification: Confirmed as malware
known filename:
info link:
info source: Safer Networking Ltd.

{33564D57-9980-0010-8000-00AA00389B71} ()
DPF name:
CLSID name:
Installer: C:\WINDOWS\Downloaded Program Files\wmv9dmo.inf
Codebase: http://codecs.microsoft.com/codecs/i386/wmv9dmo.cab
description: Microsoft WMV Video Codec
classification: Legitimate
known filename: WMV9DMO.CAB
info link:
info source: Patrick M. Kolla

{3DAD912E-D2B9-4323-B7C9-7F2C5CC0C57B} ()
DPF name:
CLSID name:
Installer: C:\WINDOWS\Downloaded Program Files\EGDACCESS.inf
Codebase: http://scripts.downloadv3.com/binari...SS_1070_XP.cab
Path: C:\WINDOWS\system32\
Long name: EGDACCESS_1070.dll

{4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class)
DPF name:
CLSID name: McAfee.com Operating System Class
Installer: C:\WINDOWS\Downloaded Program Files\mcinsctl.inf
Codebase: http://download.mcafee.com/molbin/sh...4/mcinsctl.cab
description:
classification: Legitimate
known filename: mcinsctl.dll
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\System32\
Long name: mcinsctl.dll
Short name:
Date (created): 7/26/2004 8:13:00 PM
Date (last access): 3/28/2009 3:36:42 PM
Date (last write): 7/26/2004 8:13:00 PM
Filesize: 341064
Attributes: archive
MD5: 0EFDE57E367B9A02943B4AF664FD7BD5
CRC32: 0BF8EDF9
Version: 4.0.0.84

{640B39C1-D713-464F-92C3-75BD972B95EE} ()
DPF name:
CLSID name:
Installer: C:\WINDOWS\Downloaded Program Files\SbCIe02a.inf
Codebase: http://www.sidestep.com/get/k00719/sb02a.cab
description:
classification: Open for discussion
known filename:
info link:
info source: Safer Networking Ltd.

{71CBDCD9-0830-4470-A890-35D364DA352C} ()
DPF name:
CLSID name:
Installer: C:\WINDOWS\Downloaded Program Files\EGAUTH.inf
Codebase: http://scripts.downloadv3.com/binari...1047_EN_XP.cab
Path: C:\WINDOWS\
Long name: eg_auth_1047.dll

{82FC4503-8459-4239-9B85-0617BEAA950A} ()
DPF name:
CLSID name:
Installer: C:\WINDOWS\Downloaded Program Files\egaccess4.inf
Codebase: http://scripts.dlv4.com/binaries/ega...s4_1061_XP.cab
Path: C:\WINDOWS\system32\
Long name: egaccess4_1061.dll

{8FFBE65D-2C9C-4669-84BD-5829DC0B603C} ()
DPF name:
CLSID name:
Installer: C:\WINDOWS\Downloaded Program Files\erma.inf
Codebase: http://fpdownload.macromedia.com/get.../ultrashim.cab
description:
classification: Open for discussion
known filename:
info link:
info source: Safer Networking Ltd.

{B2B0AEDF-7CDF-4792-BB67-7654AD1E1B13} ()
DPF name:
CLSID name:
Installer: C:\WINDOWS\Downloaded Program Files\sysinetsvc32.inf
Codebase: http://scripts.downloadv3.com/binari...vc32_EN_XP.cab
description:
classification: Confirmed as malware
known filename: sysinetsvc32.dll
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\system32\
Long name: sysinetsvc32.dll

{BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class)
DPF name:
CLSID name: DwnldGroupMgr Class
Installer: C:\WINDOWS\Downloaded Program Files\McGDMgr.inf
Codebase: http://download.mcafee.com/molbin/sh...21/mcgdmgr.cab
description:
classification: Legitimate
known filename: McGDMgr.dll
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\System32\
Long name: McGDMgr.dll
Short name:
Date (created): 7/22/2004 12:57:56 PM
Date (last access): 3/28/2009 3:36:42 PM
Date (last write): 7/22/2004 12:57:56 PM
Filesize: 279624
Attributes: archive
MD5: 0CCF6E82A3E90EAADCD9A89EAE5FF09F
CRC32: 23397BFE
Version: 1.0.0.21

{BFC9677B-8006-4336-9D49-2C797AEFCB9E} ()
DPF name:
CLSID name:
Installer: C:\WINDOWS\Downloaded Program Files\EGDACCESS.inf
Codebase: http://akamai.downloadv3.com/binarie...SS_1058_XP.cab
Path: C:\WINDOWS\system32\
Long name: EGDACCESS_1058.dll

{C2481ED1-9896-4D49-AE90-69858DFDE446} ()
DPF name:
CLSID name:
Installer: C:\WINDOWS\Downloaded Program Files\EGDACCESS.inf
Codebase: http://scripts.downloadv3.com/binari...SS_1073_XP.cab
Path: C:\WINDOWS\system32\
Long name: EGDACCESS_1073.dll

{D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object)
DPF name:
CLSID name: Shockwave Flash Object
Installer: C:\WINDOWS\Downloaded Program Files\swflash.inf
Codebase: http://download.macromedia.com/pub/s...sh/swflash.cab
description: Macromedia Shockwave Flash Player
classification: Legitimate
known filename:
info link:
info source: Patrick M. Kolla
Path: C:\WINDOWS\System32\macromed\flash\
Long name: Flash.ocx
Short name:
Date (created): 6/9/2004 4:59:26 PM
Date (last access): 3/28/2009 3:36:42 PM
Date (last write): 6/9/2004 4:59:26 PM
Filesize: 939224
Attributes: archive
MD5: FC3E17E12C2E31FAC34B416B3DAB829F
CRC32: D1CF3A57
Version: 7.0.19.0

--- Process list ---
PID: 0 ( 0) [System]
PID: 708 ( 4) \SystemRoot\System32\smss.exe
size: 50688
PID: 780 ( 708) \??\C:\WINDOWS\system32\csrss.exe
size: 6144
PID: 812 ( 708) \??\C:\WINDOWS\system32\winlogon.exe
size: 502272
PID: 856 ( 812) C:\WINDOWS\system32\services.exe
size: 108032
MD5: C6CE6EEC82F187615D1002BB3BB50ED4
PID: 868 ( 812) C:\WINDOWS\system32\lsass.exe
size: 13312
MD5: 84885F9B82F4D55C6146EBF6065D75D2
PID: 1020 ( 856) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 1096 ( 856) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 1256 ( 856) C:\WINDOWS\System32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 1336 ( 856) C:\WINDOWS\System32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 1592 ( 856) C:\WINDOWS\System32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 316 ( 856) C:\WINDOWS\system32\spoolsv.exe
size: 57856
MD5: DA81EC57ACD4CDC3D4C51CF3D409AF9F
PID: 332 (1916) C:\WINDOWS\Explorer.EXE
size: 1033216
MD5: 97BD6515465659FF8F3B7BE375B2EA87
PID: 752 ( 856) C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
size: 298264
MD5: 4688233E07402D0D85E723979804D93E
PID: 1176 ( 856) C:\WINDOWS\system32\cisvc.exe
size: 5632
MD5: 3192BD04D032A9C4A85A3278C268A13A
PID: 1408 ( 332) C:\WINDOWS\system32\hkcmd.exe
size: 126976
MD5: E4CF942A4AEA9D27C87F190F65E7D0F6
PID: 1424 ( 332) C:\WINDOWS\system32\pctspk.exe
size: 163840
MD5: 7BBED6A0BF998158E44CF9667C5D5860
PID: 1460 ( 332) C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
size: 110592
MD5: B437E814DC6AA842C482F64D9D2AFA1C
PID: 1516 ( 332) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
size: 610304
MD5: 634DC62870B9E0C6C6AE25A75AC9895A
PID: 1528 ( 332) C:\Program Files\Dell\AccessDirect\dadapp.exe
size: 208560
MD5: 8D986354AF1F003D1FF8AFFD3FA0118F
PID: 1576 ( 332) C:\Program Files\Dell\QuickSet\quickset.exe
size: 368640
MD5: 4E5E14F25545241B90D70B0035F18020
PID: 1704 (1528) C:\Program Files\Dell\AccessDirect\DadTray.exe
size: 188416
MD5: 1FF79F761FAC50B53210F441824306AD
PID: 1740 ( 332) C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
size: 90112
MD5: CBBF60E054A7840C61513565377A8558
PID: 1752 ( 332) C:\Program Files\Common Files\Real\Update_OB\realsched.exe
size: 151597
MD5: A05DA809AC0D86D916D09E3A908D3A06
PID: 1768 ( 332) C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
size: 684032
MD5: BE3238A165AFB321F1696CC1FF9EF271
PID: 1788 ( 332) C:\Program Files\Cerience\RepliGo\RepliGoMon.exe
size: 172032
MD5: B52553F69640B097F6D249B90E15FB79
PID: 1796 ( 332) C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
size: 63712
MD5: FC9E59FE8BC4FE05382CFF5C8FC59DE1
PID: 1648 ( 332) C:\Program Files\AVG\AVG8\avgtray.exe
size: 1932568
MD5: CB0BC853D84A61457AA9DB16C46DA07E
PID: 1908 ( 332) C:\windows\system32\ycouweo.exe
size: 270336
MD5: 428AF2087BF7453FCF5650B32CC830BD
PID: 1956 ( 752) C:\Program Files\AVG\AVG8\avgrsx.exe
size: 485144
MD5: 7ADFB0D513C0BBA494CA8022AB0A4805
PID: 1988 ( 752) C:\PROGRA~1\AVG\AVG8\avgnsx.exe
size: 594200
MD5: F0DEC9B60998D84CD9153428C5E3435F
PID: 132 ( 332) C:\Program Files\DellSupport\DSAgnt.exe
size: 460784
MD5: B75FDBF14073D72C50624CC8338DD534
PID: 312 ( 332) C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: 24232996A38C0B0CF151C2140AE29FC8
PID: 1156 ( 332) C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
size: 24576
MD5: 9CC0EE9CC93CD89427092FBFFD1BFF46
PID: 1548 ( 332) C:\Program Files\WinZip\WZQKPICK.EXE
size: 118784
MD5: 67B2E7B6AE3B400D832F0456068EA83D
PID: 912 ( 332) C:\Program Files\802.11 Wireless LAN\802.11b Wireless CardBus & PCI Adapter HW.11 V1.10\WlanCU.exe
size: 425984
MD5: DE85112B26ABD7315E2F27569841A608
PID: 2576 ( 856) C:\WINDOWS\System32\alg.exe
size: 44544
MD5: F1958FBF86D5C004CF19A5951A9514B7
PID: 3052 ( 856) C:\WINDOWS\System32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 3876 ( 332) C:\Program Files\Spybot - Search & Destroy 1.62\SpybotSD.exe
size: 5365592
MD5: 0477C2F9171599CA5BC3307FDFBA8D89
PID: 772 (1176) C:\WINDOWS\system32\cidaemon.exe
size: 8192
MD5: 582304F6F1946FA5068CF143D729D7ED
PID: 4 ( 0) System

--- Browser start & search pages list ---
Spybot - Search & Destroy browser pages report, 3/28/2009 3:38:14 PM

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
C:\WINDOWS\system32\blank.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
Live Search
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Bar
Live Search:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
Yahoo!
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl\@
MSN.com
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
%SystemRoot%\system32\blank.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
Live Search
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.dellnet.com
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
http://www.dellnet.com
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
Live Search
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
Internet Explorer ??
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
http://ie.search.msn.com/es/srchasst/srchcust.htm

--- Winsock Layered Service Provider list ---
Protocol 0: MSAFD Tcpip [TCP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip[*]

Protocol 1: MSAFD Tcpip [UDP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip[*]

Protocol 2: MSAFD Tcpip [RAW/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip[*]

Protocol 3: RSVP UDP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 4: RSVP TCP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 5: MSAFD nwlnkipx [IPX]
GUID: {11058240-BE47-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP Novell Netware UPX protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD nwlnkipx *

Protocol 6: MSAFD nwlnkspx [SPX]
GUID: {11058241-BE47-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP Novell Netware SPX protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD nwlnkspx *

Protocol 7: MSAFD nwlnkspx [SPX] [Pseudo Stream]
GUID: {11058241-BE47-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP Novell Netware SPX protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD nwlnkspx *

Protocol 8: MSAFD nwlnkspx [SPX II]
GUID: {11058241-BE47-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP Novell Netware SPX protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD nwlnkspx *

Protocol 9: MSAFD nwlnkspx [SPX II] [Pseudo Stream]
GUID: {11058241-BE47-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP Novell Netware SPX protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD nwlnkspx *

Protocol 10: MSAFD NetBIOS [\Device\NwlnkNb] SEQPACKET 6
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 11: MSAFD NetBIOS [\Device\NwlnkNb] DATAGRAM 6
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 12: MSAFD NetBIOS [\Device\NetBT_Tcpip_{0D9A25F8-396F-4323-B8D1-2B5F88A4F03B}] SEQPACKET 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 13: MSAFD NetBIOS [\Device\NetBT_Tcpip_{0D9A25F8-396F-4323-B8D1-2B5F88A4F03B}] DATAGRAM 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 14: MSAFD NetBIOS [\Device\NetBT_Tcpip_{99A2714D-12A1-42B4-A1D2-5FDA1B3345A3}] SEQPACKET 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 15: MSAFD NetBIOS [\Device\NetBT_Tcpip_{99A2714D-12A1-42B4-A1D2-5FDA1B3345A3}] DATAGRAM 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 16: MSAFD NetBIOS [\Device\NetBT_Tcpip_{61820C7F-1F2D-4EC6-AC52-4AA4C5CE956B}] SEQPACKET 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 17: MSAFD NetBIOS [\Device\NetBT_Tcpip_{61820C7F-1F2D-4EC6-AC52-4AA4C5CE956B}] DATAGRAM 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 18: MSAFD NetBIOS [\Device\NetBT_Tcpip_{E5EC0A67-7EEA-48D6-BF30-90F5C13ABCA3}] SEQPACKET 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 19: MSAFD NetBIOS [\Device\NetBT_Tcpip_{E5EC0A67-7EEA-48D6-BF30-90F5C13ABCA3}] DATAGRAM 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 20: MSAFD NetBIOS [\Device\NetBT_Tcpip_{44384D42-251A-451A-AC5E-6C0027C3A81A}] SEQPACKET 4
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 21: MSAFD NetBIOS [\Device\NetBT_Tcpip_{44384D42-251A-451A-AC5E-6C0027C3A81A}] DATAGRAM 4
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 22: MSAFD NetBIOS [\Device\NetBT_Tcpip_{9DF6823A-3113-4BC9-9711-68BD2329C7BE}] SEQPACKET 5
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 23: MSAFD NetBIOS [\Device\NetBT_Tcpip_{9DF6823A-3113-4BC9-9711-68BD2329C7BE}] DATAGRAM 5
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Namespace Provider 0: Tcpip
GUID: {22059D40-7E9E-11CF-AE5A-00AA00A7112B}
Filename: %SystemRoot%\System32\mswsock.dll
Description: Microsoft Windows NT/2k/XP TCP/IP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: TCP/IP

Namespace Provider 1: NTDS
GUID: {3B2637EE-E580-11CF-A555-00C04FD8D4AC}
Filename: %SystemRoot%\System32\winrnr.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\winrnr.dll
DB protocol: NTDS

Namespace Provider 2: Network Location Awareness (NLA) Namespace
GUID: {6642243A-3BA8-4AA6-BAA5-2E0BD71FDD83}
Filename: %SystemRoot%\System32\mswsock.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: NLA-Namespace

Namespace Provider 3: NWLink IPX/SPX/NetBIOS Compatible Transport Protocol
GUID: {E02DAAF0-7E9F-11CF-AE5A-00AA00A7112B}
Filename: %SystemRoot%\System32\nwprovau.dll
Description: Microsoft Windows NT/2k/XP Novell Netware name space provider
DB filename: %SystemRoot%\system32\nwprovau.dll
DB protocol: NWLink IPX/SPX/NetBIOS*

For Hijackthis:

Logfile of HijackThis v1.97.7
Scan saved at 11:00:55 PM, on 3/27/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Cerience\RepliGo\RepliGoMon.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\windows\system32\ycouweo.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\802.11 Wireless LAN\802.11b Wireless CardBus & PCI Adapter HW.11 V1.10\WlanCU.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Spybot - Search & Destroy 1.62\TeaTimer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\AVG\AVG8\aAvgApi.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Yolanda\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = Live Search:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Yahoo!
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.dellnet.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy 1.62\SDHelper.dll
O2 - BHO: (no name) - {91DE4477-9CDC-4806-9BCB-28A963988E94} - C:\Program Files\Cerience\RepliGo\RepliGoIEHelper.dll
O2 - BHO: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: (no name) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &RepliGo - {81F4066B-F330-4872-8094-3E9FBCCEC8C1} - C:\Program Files\Cerience\RepliGo\RepliGoIEBar.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [RepliGo Assistant] "C:\Program Files\Cerience\RepliGo\RepliGoMon.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [ycouweo] "c:\windows\system32\ycouweo.exe" ycouweo
O4 - HKLM\..\Run: [DriveCleaner Freeware] "C:\Program Files\DriveCleaner Freeware\UDC.exe" /min
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [AROReminder] C:\Program Files\Advanced Registry Optimizer\aro.exe -rem
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy 1.62\TeaTimer.exe
O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGDACCESS_1058.dll,InstantAccess
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Wireless Configuration Utility.lnk = C:\Program Files\802.11 Wireless LAN\802.11b Wireless CardBus & PCI Adapter HW.11 V1.10\WlanCU.exe
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration (HKLM)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: MultiVoice Web Client - http://www.bancolombia.com/atencione.../mvwc_IEDU.cab
O16 - DPF: {26D73573-F1B3-48C9-A989-E6CE071957A1} - http://akamai.downloadv3.com/binarie...SS_1057_XP.cab
O16 - DPF: {3DAD912E-D2B9-4323-B7C9-7F2C5CC0C57B} - http://scripts.downloadv3.com/binari...SS_1070_XP.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...4/mcinsctl.cab
O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://www.sidestep.com/get/k00719/sb02a.cab
O16 - DPF: {71CBDCD9-0830-4470-A890-35D364DA352C} - http://scripts.downloadv3.com/binari...1047_EN_XP.cab
O16 - DPF: {82FC4503-8459-4239-9B85-0617BEAA950A} - http://scripts.dlv4.com/binaries/ega...s4_1061_XP.cab
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - http://fpdownload.macromedia.com/get.../ultrashim.cab
O16 - DPF: {B2B0AEDF-7CDF-4792-BB67-7654AD1E1B13} - http://scripts.downloadv3.com/binari...vc32_EN_XP.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/sh...21/mcgdmgr.cab
O16 - DPF: {BFC9677B-8006-4336-9D49-2C797AEFCB9E} - http://akamai.downloadv3.com/binarie...SS_1058_XP.cab
O16 - DPF: {C2481ED1-9896-4D49-AE90-69858DFDE446} - http://scripts.downloadv3.com/binari...SS_1073_XP.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab

VopThis · #2 (**permalink**) 28-03-2009, 10:04 PM

* Please download Malwarebytes' Anti-Malware from HERE or HERE

Double Click mbam-setup.exe to install the application.

Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
Run the scan in SAFEMODE (tapping the F8 key on bootup), if necessary.
If an update is found, it will download and install the latest version.
If you encounter any problems while downloading the updates, manually download them from HERE and just double-click on mbam-rules.exe to install.
Once the program has loaded, select "Full Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked , and click Remove Selected.
When disinfection is completed , a log will open in Notepad and you may be prompted to Restart(See Extra Note).
A run log is automatically saved by MBAM and can be viewed by clicking the Logs TAB in MBAM.
Copy&Paste the entire report in your next reply .
Please post any current revised observations.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.

You are using an outdated version of HijackThis. Please uninstall the current version and install latest version as per instructions below:

Click here to download HJTInstall.exe (Trend Micro HijackThis v2.0.2).

Save HJTsetup.exe to your desktop.
Double click on the HJTsetup.exe icon on your desktop.
By default it will install to C:\Program Files\HijackThis.
Continue to click Next in the setup dialogue boxes until you get to the Select Addition Tasks dialogue.
Put a check by Create a desktop icon then click Next again.
Continue to follow the rest of the prompts from there.
At the final dialogue box click Finish and it will launch HijackThis.
Click on the Do a system scan and save a logfile button.
- It will scan and the log should open in notepad.
- Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
- Come back here to this thread and Paste the log in your next reply (when next requested) .
DO NOT use the AnalyseThis button, its findings are dangerous if misinterpreted.
DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required.

Post your latest HijackThis LOG, please.

John Lane · #3 (**permalink**) 29-03-2009, 01:02 AM

Ok. I have done the requested scans and I have cpied and pasted the log files below. The good news is that the Drive cleaner icon disappered from the desktop and I was able to logon to the D-A-L website from the laptop. Please let me know the next steps. Thanks for the help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:49:56 PM, on 3/28/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Cerience\RepliGo\RepliGoMon.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\802.11 Wireless LAN\802.11b Wireless CardBus & PCI Adapter HW.11 V1.10\WlanCU.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Yolanda\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = Live Search:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Yahoo!
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1.62\SDHelper.dll
O2 - BHO: RepliGoIEHelperCtl Class - {91DE4477-9CDC-4806-9BCB-28A963988E94} - C:\Program Files\Cerience\RepliGo\RepliGoIEHelper.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &RepliGo - {81F4066B-F330-4872-8094-3E9FBCCEC8C1} - C:\Program Files\Cerience\RepliGo\RepliGoIEBar.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [RepliGo Assistant] "C:\Program Files\Cerience\RepliGo\RepliGoMon.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [ycouweo] "c:\windows\system32\ycouweo.exe" ycouweo
O4 - HKLM\..\Run: [DriveCleaner Freeware] "C:\Program Files\DriveCleaner Freeware\UDC.exe" /min
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [AROReminder] C:\Program Files\Advanced Registry Optimizer\aro.exe -rem
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy 1.62\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Wireless Configuration Utility.lnk = C:\Program Files\802.11 Wireless LAN\802.11b Wireless CardBus & PCI Adapter HW.11 V1.10\WlanCU.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1.62\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1.62\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: MultiVoice Web Client - http://www.bancolombia.com/atencione.../mvwc_IEDU.cab
O16 - DPF: {26D73573-F1B3-48C9-A989-E6CE071957A1} - http://akamai.downloadv3.com/binarie...SS_1057_XP.cab
O16 - DPF: {3DAD912E-D2B9-4323-B7C9-7F2C5CC0C57B} - http://scripts.downloadv3.com/binari...SS_1070_XP.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...4/mcinsctl.cab
O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://www.sidestep.com/get/k00719/sb02a.cab
O16 - DPF: {71CBDCD9-0830-4470-A890-35D364DA352C} - http://scripts.downloadv3.com/binari...1047_EN_XP.cab
O16 - DPF: {B2B0AEDF-7CDF-4792-BB67-7654AD1E1B13} - http://scripts.downloadv3.com/binari...vc32_EN_XP.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/sh...21/mcgdmgr.cab
O16 - DPF: {BFC9677B-8006-4336-9D49-2C797AEFCB9E} - http://akamai.downloadv3.com/binarie...SS_1058_XP.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe

--
End of file - 8119 bytes

Malwarebytes' Anti-Malware 1.35
Database version: 1912
Windows 5.1.2600 Service Pack 2

3/28/2009 7:43:12 PM
mbam-log-2009-03-28 (19-43-12).txt

Scan type: Full Scan (C:\|)
Objects scanned: 103410
Time elapsed: 43 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 12
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 9
Files Infected: 136

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{82fc4503-8459-4239-9b85-0617beaa950a} (Dialer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{C2481ED1-9896-4D49-AE90-69858DFDE446} (Adware.Instant Access) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Ext\Stats\{d714a94f-123a-45cc-8f03-040bcaf82ad6} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{82fc4503-8459-4239-9b85-0617beaa950a} (Dialer) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{C2481ED1-9896-4D49-AE90-69858DFDE446} (Adware.Instant Access) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{932f0047-2e1c-48b0-882c-0989afbc0b76} (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2b9584c5-f3ec-4256-aa96-6202ba27fe99} (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{1ac15a0c-4e70-419f-8bfa-266624b490ed} (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Uninstall\Instant Access (Adware.InstantAccess) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\drivecleaner freeware (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\drivecleaner freeware (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\fcn (Rogue.Residue) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run\Instant Access (Adware.InstantAccess) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\Common Files\DriveCleaner Freeware (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Program Files\DriveCleaner Freeware (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Program Files\DriveCleaner Freeware\Appbase (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Program Files\DriveCleaner Freeware\img (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\DriveCleaner Freeware (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\SalesMonitor (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\SalesMonitor\Data (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Yolanda\Application Data\DriveCleaner Freeware (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Documents and Settings\Yolanda\Application Data\DriveCleaner Freeware\Logs (Rogue.DriveCleaner) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\DriveCleaner Freeware\Activate.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Program Files\DriveCleaner Freeware\atl71.dll (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Program Files\DriveCleaner Freeware\AV.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Program Files\DriveCleaner Freeware\bnlink.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Program Files\DriveCleaner Freeware\diagnosis.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Program Files\DriveCleaner Freeware\err.log (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Program Files\DriveCleaner Freeware\lapv.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Program Files\DriveCleaner Freeware\license.rtf (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Program Files\DriveCleaner Freeware\manual.url (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Program Files\DriveCleaner Freeware\mfc71.dll (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Program Files\DriveCleaner Freeware\msvcp71.dll (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Program Files\DriveCleaner Freeware\msvcr71.dll (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Program Files\DriveCleaner Freeware\pv.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Program Files\DriveCleaner Freeware\pv.exe (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Program Files\DriveCleaner Freeware\readme.rtf (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Program Files\DriveCleaner Freeware\remnag.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Program Files\DriveCleaner Freeware\ScanReport.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Program Files\DriveCleaner Freeware\Schedule.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Program Files\DriveCleaner Freeware\sr.log (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Program Files\DriveCleaner Freeware\support.url (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Program Files\DriveCleaner Freeware\UDC.xml (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Program Files\DriveCleaner Freeware\UDC6.url (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Program Files\DriveCleaner Freeware\UDCPChk.dll (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Program Files\DriveCleaner Freeware\unins000.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Program Files\DriveCleaner Freeware\unins000.exe (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Program Files\DriveCleaner Freeware\uninstall.ico (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Program Files\DriveCleaner Freeware\UninstallPage.html (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Program Files\DriveCleaner Freeware\up.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Program Files\DriveCleaner Freeware\updater.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Program Files\DriveCleaner Freeware\vbpv.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Program Files\DriveCleaner Freeware\Appbase\AE_CD_Cr.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Program Files\DriveCleaner Freeware\Appbase\AReadr4.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Program Files\DriveCleaner Freeware\Appbase\AReadr5.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Program Files\DriveCleaner Freeware\Appbase\ASDSEEpv.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Program Files\DriveCleaner Freeware\Appbase\ASPack.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Program Files\DriveCleaner Freeware\Appbase\Babylon.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Program Files\DriveCleaner Freeware\Appbase\BDelphi5.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Program Files\DriveCleaner Freeware\Appbase\CatchUp.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Program Files\DriveCleaner Freeware\Appbase\CBuildr5.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Program Files\DriveCleaner Freeware\Appbase\CCGA.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Program Files\DriveCleaner Freeware\Appbase\CManager.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Program Files\DriveCleaner Freeware\Appbase\CuteFTP4.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Program Files\DriveCleaner Freeware\Appbase\CuteHTML.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Program Files\DriveCleaner Freeware\Appbase\DAcceler.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Program Files\DriveCleaner Freeware\Appbase\DiscJug.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Program Files\DriveCleaner Freeware\Appbase\ECDCreat4.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Program Files\DriveCleaner Freeware\Appbase\Far.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Program Files\DriveCleaner Freeware\Appbase\FFTsks.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Program Files\DriveCleaner Freeware\Appbase\FlashFXP.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Program Files\DriveCleaner Freeware\Appbase\FrntPage.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Program Files\DriveCleaner Freeware\Appbase\FrontPEx.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Program Files\DriveCleaner Freeware\Appbase\FtpEXP.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Program Files\DriveCleaner Freeware\Appbase\FtpVoya.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Program Files\DriveCleaner Freeware\Appbase\GetRight.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Program Files\DriveCleaner Freeware\Appbase\GoZilla.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Program Files\DriveCleaner Freeware\Appbase\GravMRU.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Program Files\DriveCleaner Freeware\Appbase\HomeSite.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Program Files\DriveCleaner Freeware\Appbase\HotDogPr.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Program Files\DriveCleaner Freeware\Appbase\H_TxtPad.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Program Files\DriveCleaner Freeware\Appbase\IconExtr.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Program Files\DriveCleaner Freeware\Appbase\iMesh.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Program Files\DriveCleaner Freeware\Appbase\ImgReady3.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Program Files\DriveCleaner Freeware\Appbase\InsShExp.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Program Files\DriveCleaner Freeware\Appbase\JASC_P_P.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Program Files\DriveCleaner Freeware\Appbase\KaZaA.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Program Files\DriveCleaner Freeware\Appbase\LView.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Program Files\DriveCleaner Freeware\Appbase\MacDir.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Program Files\DriveCleaner Freeware\Appbase\MacDrWea.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Program Files\DriveCleaner Freeware\Appbase\MicAng.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Program Files\DriveCleaner Freeware\Appbase\MicDes.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Program Files\DriveCleaner Freeware\Appbase\MMUnDisk.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Program Files\DriveCleaner Freeware\Appbase\MM_CON.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Program Files\DriveCleaner Freeware\Appbase\Morpheus.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Program Files\DriveCleaner Freeware\Appbase\MPaint.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Program Files\DriveCleaner Freeware\Appbase\MPicPub.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Program Files\DriveCleaner Freeware\Appbase\MPImaGal.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Program Files\DriveCleaner Freeware\Appbase\MSExplorer.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Program Files\DriveCleaner Freeware\Appbase\MSoffice.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Program Files\DriveCleaner Freeware\Appbase\MSRegEdit.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Program Files\DriveCleaner Freeware\Appbase\MSWMP.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Program Files\DriveCleaner Freeware\Appbase\MSWordPad.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Program Files\DriveCleaner Freeware\Appbase\Nero.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Program Files\DriveCleaner Freeware\Appbase\NetShow.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Program Files\DriveCleaner Freeware\Appbase\NTBackup.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Program Files\DriveCleaner Freeware\Appbase\pfilelst.xda (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Program Files\DriveCleaner Freeware\Appbase\PhotShel.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Program Files\DriveCleaner Freeware\Appbase\PHPCoder.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Program Files\DriveCleaner Freeware\Appbase\PowerZIP.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Program Files\DriveCleaner Freeware\Appbase\RapidBr.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Program Files\DriveCleaner Freeware\Appbase\RealAuPl.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Program Files\DriveCleaner Freeware\Appbase\RealDown.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Program Files\DriveCleaner Freeware\Appbase\SecurCRT.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Program Files\DriveCleaner Freeware\Appbase\SL_BlWin.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Program Files\DriveCleaner Freeware\Appbase\SmartClr.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Program Files\DriveCleaner Freeware\Appbase\Sonique.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Program Files\DriveCleaner Freeware\Appbase\StuffIt.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Program Files\DriveCleaner Freeware\Appbase\TelepPro.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Program Files\DriveCleaner Freeware\Appbase\UGifAnim.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Program Files\DriveCleaner Freeware\Appbase\UltraEd.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Program Files\DriveCleaner Freeware\Appbase\UMedStud.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Program Files\DriveCleaner Freeware\Appbase\UPhImpV.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Program Files\DriveCleaner Freeware\Appbase\UPhotoEx.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Program Files\DriveCleaner Freeware\Appbase\UVidStud.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Program Files\DriveCleaner Freeware\Appbase\VNC.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Program Files\DriveCleaner Freeware\Appbase\WebFeret.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Program Files\DriveCleaner Freeware\Appbase\WebReap.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Program Files\DriveCleaner Freeware\Appbase\WinACE.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Program Files\DriveCleaner Freeware\Appbase\WinGate.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Program Files\DriveCleaner Freeware\Appbase\WinRAR.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Program Files\DriveCleaner Freeware\Appbase\WinZIP.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Program Files\DriveCleaner Freeware\Appbase\WiseInst.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Program Files\DriveCleaner Freeware\Appbase\wordslst.xda (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Program Files\DriveCleaner Freeware\Appbase\YahooPl.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Program Files\DriveCleaner Freeware\Appbase\ZipMagic.dat (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Program Files\DriveCleaner Freeware\img\button.gif (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Program Files\DriveCleaner Freeware\img\button2.gif (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Program Files\DriveCleaner Freeware\img\header.gif (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Program Files\DriveCleaner Freeware\img\logo.gif (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Program Files\DriveCleaner Freeware\img\spacer.gif (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Program Files\DriveCleaner Freeware\img\top1.jpg (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Program Files\DriveCleaner Freeware\img\top2.jpg (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Program Files\DriveCleaner Freeware\img\top_line.gif (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\DriveCleaner Freeware\DriveCleaner Freeware.lnk (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\DriveCleaner Freeware\DriveCleaner HomePage.lnk (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\DriveCleaner Freeware\DriveCleaner Online Manual.lnk (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\DriveCleaner Freeware\DriveCleaner Online Support.lnk (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\DriveCleaner Freeware\Uninstall DriveCleaner.lnk (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Documents and Settings\Yolanda\Application Data\DriveCleaner Freeware\Logs\update.log (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Documents and Settings\Yolanda\Start Menu\NoCreditCard.lnk (Dialer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Yolanda\Desktop\DriveCleaner Freeware.lnk (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Desktop\NoCreditCard.lnk (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\WINDOWS\Downloaded Program Files\EGDAccess.inf (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\WINDOWS\Downloaded Program Files\sysinetsvc32.inf (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\WINDOWS\tmlpcert2007 (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\ycouweo_navps.dat (Adware.NaviPromo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\ycouweo_nav.dat (Adware.NaviPromo) -> Quarantined and deleted successfully.

VopThis · #4 (**permalink**) 29-03-2009, 01:41 AM

Quote:

C:\Documents and Settings\Yolanda\Desktop\HiJackThis.exe

You have save the revised HijackThis application back to the desktop. This is most inadvisable for clutter issues and potential for lost backup items. Please uninsrtall and reinstall as per EXACT steps previously given:

Quote:

By default it will install to C:\Program Files\HijackThis\.

Please disable the ‘active protection’ components of the following application(s), as it/they may hinder the removal of some entries. Otherwise, certain cleaning attempts may be wrongly recognized and blocked as hijacking attempts or other potentially inappropriate behavior. You can re-enable such tools after your computer is clean.

Disable Spybot S&D (Teatimer)

Run Spybot-S&D in Advanced Mode.
If it is not already set to do this Go to the Mode menu select "Advanced Mode"
On the left hand side, Click on Tools
Then click on the Resident Icon in the List
Uncheck "Resident TeaTimer" and OK any prompts.
Restart your computer.

When disabled, please download (recommend using Internet Explorer) ResetTeaTimer.bat
Double-click ResetTeaTimer.bat to remove all entries set by TeaTimer. This is done so it can be re-enabled without problems after cleaning.

SELECT HijackThis FIX ITEMS: Scan with HijackThis and place a check next to these items:

O4 - HKLM\..\Run: [ycouweo] "c:\windows\system32\ycouweo.exe" ycouweo
O4 - HKLM\..\Run: [DriveCleaner Freeware] "C:\Program Files\DriveCleaner Freeware\UDC.exe" /min
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

O16 - DPF: {26D73573-F1B3-48C9-A989-E6CE071957A1} - http://akamai.downloadv3.com/binarie...SS_1057_XP.cab
O16 - DPF: {3DAD912E-D2B9-4323-B7C9-7F2C5CC0C57B} - http://scripts.downloadv3.com/binari...SS_1070_XP.cab
O16 - DPF: {71CBDCD9-0830-4470-A890-35D364DA352C} - http://scripts.downloadv3.com/binari...1047_EN_XP.cab
O16 - DPF: {B2B0AEDF-7CDF-4792-BB67-7654AD1E1B13} - http://scripts.downloadv3.com/binari...vc32_EN_XP.cab
O16 - DPF: {BFC9677B-8006-4336-9D49-2C797AEFCB9E} - http://akamai.downloadv3.com/binarie...SS_1058_XP.cab

Make sure that all browser windows and internet links are closed, even this one!
CLICK ’FIX CHECKED’ with HijackThis.

POST A REVISED HIJACKTHIS LOG for review:

Reboot.
Run another full MBAM scan.
Post a new HijackThis log.
Provide any feedback commentary as appropriate - how things are now behaving: any new or remaining apparent issues.

John Lane · #5 (**permalink**) 29-03-2009, 03:48 AM

I have disabled the TeaTimer in Spybot as requested and restarted the computer but I can't download the ResetTeaTimer.bat file from the link provided. I have tried searching for an alternate download site but I ca't find one that works. Can you please attach the bat file so I can save it directly from the email.

Thanks,
John Lane

VopThis · #6 (**permalink**) 29-03-2009, 05:31 AM

For now, I would suggest you proceed, regardless.

If the ResetTeaTimer download is not available (couldn't find any sign of it or any mention of reasons for its possible discontinuance), then a decision will need to be made at a later point whether to not re-enable Teatimer at all or perhaps simply uninstall SpyBot altogether. There are really better apps out there, now.

John Lane · #7 (**permalink**) 29-03-2009, 11:31 PM

Ok I have been through the steps you suggested.

MBam found four more problems and corrected them. The log is posted below:

Malwarebytes' Anti-Malware 1.35
Database version: 1912
Windows 5.1.2600 Service Pack 2

3/29/2009 6:09:48 PM
mbam-log-2009-03-29 (18-09-32).txt

Scan type: Full Scan (C:\|)
Objects scanned: 105708
Time elapsed: 56 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{C2481ED1-9896-4D49-AE90-69858DFDE446} (Adware.Instant Access) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\fcn (Rogue.Residue) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\SYSTEM32\ycouweo_navps.dat (Adware.NaviPromo) -> No action taken.
C:\WINDOWS\SYSTEM32\ycouweo_nav.dat (Adware.NaviPromo) -> No action taken.

The HighJackThis Log is as folows after the last MBam scan and restart:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:16:12 PM, on 3/29/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Cerience\RepliGo\RepliGoMon.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\802.11 Wireless LAN\802.11b Wireless CardBus & PCI Adapter HW.11 V1.10\WlanCU.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Yolanda\Desktop\HiJackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = Live Search:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Yahoo!
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1.62\SDHelper.dll
O2 - BHO: RepliGoIEHelperCtl Class - {91DE4477-9CDC-4806-9BCB-28A963988E94} - C:\Program Files\Cerience\RepliGo\RepliGoIEHelper.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &RepliGo - {81F4066B-F330-4872-8094-3E9FBCCEC8C1} - C:\Program Files\Cerience\RepliGo\RepliGoIEBar.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [RepliGo Assistant] "C:\Program Files\Cerience\RepliGo\RepliGoMon.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [AROReminder] C:\Program Files\Advanced Registry Optimizer\aro.exe -rem
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Wireless Configuration Utility.lnk = C:\Program Files\802.11 Wireless LAN\802.11b Wireless CardBus & PCI Adapter HW.11 V1.10\WlanCU.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1.62\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1.62\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: MultiVoice Web Client - http://www.bancolombia.com/atencione.../mvwc_IEDU.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...4/mcinsctl.cab
O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://www.sidestep.com/get/k00719/sb02a.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/sh...21/mcgdmgr.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe

--
End of file - 7057 bytes

I loaded Firefox and can get to pages that let me enter user names and passwords but I can't get internet explorer to work on any page now. I would really like to have Internet Explorer operational also as some sites still don't work correctly using Firefox.

Thanks for all your help. Things are beginning to improve.

-John

VopThis · #8 (**permalink**) 30-03-2009, 04:37 PM

Quote:

Files Infected:
C:\WINDOWS\SYSTEM32\ycouweo_navps.dat (Adware.NaviPromo) -> No action taken.
C:\WINDOWS\SYSTEM32\ycouweo_nav.dat (Adware.NaviPromo) -> No action taken.

Please ensure you fixed that latest items found by MBAM - since that is not what is reflected in the posted LOG.

INTERNET EXPLORER PROBLEMS:

Let's see if the winsock fix will take care of this issue... you may need to download it on another pc from here:

WinSock XP Fix Freeware download and review - fix XP internet connectivity from SnapFiles (1412 kb)

put it on a CD or flash drive and then take it to the ailing pc... run the file and then click "fix". Let it do its thing. If it doesn't ask you to reboot, please do so after it is complete.

Try your Internet connection now.

If needed, here are several additional steps you can also try:

You could try to 'Add/Remove Programs' for 'Internet Explorer' (in the Control Panel) - and select the 'Repair Internet Explorer' option and see if that solves your issues.
Try running IEFix - General purpose fix for Internet Explorer:
IEFix Utility - Description

John Lane · #9 (**permalink**) 01-04-2009, 04:01 AM

OK.

I tried both the Winsockxpfix and IE Fix Programs neither seemed to solve the problem. I don't have the original Windows XP disk for this computer so I am not sure if that had an influence on the IEFix program not working, When I went to the control panel and tried to use the Intermnet Explorer Repair option I can't find Internet Explorer in the list of installed programs. I downloaded Internet Explorer & prior to trying to clean the computer and when I run that program I get a message saying " Setup could not verify the integrity of files needed for installation. Make sure that Cryptographic service is runningon this computer.

Any other ideas? Please let me know.

Thanks,
John

VopThis · #10 (**permalink**) 01-04-2009, 02:48 PM

Have a look at this link for a list of comprehensive fix possibilities:
http://support.microsoft.com/kb/318378

Might want to do the following scan, first:

Download SUPERAntiSpyware (SAS) free home version:

SUPERAntiSpyware.com - AntiAdware. AntiSpyware. AntiMalware.

Install it and double-click the icon on your desktop to run it:

It will ask if you want to update the program definitions, click "Yes",
Let it through your firewall!
Under "Configuration and Preferences", click the Preferences BUTTON.
Click the Scanning Control TAB.
Under "Scanner Options" make sure the following and additional items are checked:
- Close browsers before scanning
- Scan for tracking cookies (default)
- Terminate memory threats before quarantining.
- Ignore System Restore/Volume Information on ME and XP
- Click the Close button to leave the control center screen.
On the main screen, under "Scan for Harmful Software" click Scan your computer.
- On the left check "C:\Fixed Drive".
- On the right, under "Complete Scan", choose Perform Complete Scan.
- Click "Next" to start the scan. Please be patient while it scans your computer.
- After the scan is complete a summary box will appear. Click "OK".
- Make sure everything in the white box has a check next to it, then click "Next".
- It will quarantine what it found and if it asks if you want to reboot, click "Yes".
To retrieve the removal information - please do the following:
- After reboot, double-click the "SUPERAntiSpyware icon" on your desktop.
- Click "Preferences". Click the Statistics/Logs TAB.
- Under "Scanner Logs", double-click "SUPERAntiSpyware Scan Log".
- It will open in your default text editor (such as Notepad/Wordpad).
- Please highlight everything , then right-click and choose copy.
Click close and close again to exit the program.
Please paste:
- The SAS LOG information.

Quote:

I can't find Internet Explorer in the list of installed programs.

Look for 'Windows Internet Explorer 7' or 'Microsoft ...'

Quote:

Make sure that Cryptographic service is running on this computer.

You cannot install some updates or programs
[NOTE: Unfortunately, SFC scan may need a XP installation disk] "Cryptographic service" started sfc - Google Search
"Cryptographic service" started - Google Search