Jump to content


Photo

metacrawl problem


  • This topic is locked This topic is locked
20 replies to this topic

#1 enes

enes

    Member

  • Full Member
  • Pip
  • 10 posts

Posted 27 December 2006 - 04:35 PM

Hi,
I did full scan of computer with Kaspersky Internet Security 6.0 and after cleaning it states that everything is ok, no more problems.
Then I did SpyBot full system check and that also stated that no other threat is present.
Everything else works as it should
BUT
when I type something without .com or .whatever in addressbar
ussually it would display google results, but now it send me to anoying http://www.metacrawl...CoqKno2YzYyazI=

thanx in advance
Enes



--- Report generated: 2006-12-27 14:55 ---

Congratulations!: No immediate threats were found. ()



--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2006-12-25 unins000.exe (51.41.0.0)
2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2005-05-31 Update.exe (1.4.0.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2006-02-06 advcheck.dll (1.0.2.0)
2006-02-20 Tools.dll (2.0.0.2)
2006-12-08 Includes\Dialer.sbi (*)
2006-11-24 Includes\Hijackers.sbi (*)
2006-10-27 Includes\Keyloggers.sbi (*)
2006-12-22 Includes\Malware.sbi (*)
2006-10-20 Includes\PUPS.sbi (*)
2006-12-08 Includes\Security.sbi (*)
2006-10-13 Includes\Spybots.sbi (*)
2006-12-08 Includes\Trojans.sbi (*)
2006-12-22 Includes\Cookies.sbi (*)
2006-12-22 Includes\Revision.sbi (*)
2005-02-17 Includes\Tracks.uti
2006-12-22 Includes\TrojansC.sbi (*)
2006-12-22 Includes\SpybotsC.sbi (*)
2006-12-22 Includes\SecurityC.sbi (*)
2006-12-22 Includes\PUPSC.sbi (*)
2006-12-22 Includes\MalwareC.sbi (*)
2006-12-22 Includes\KeyloggersC.sbi (*)
2006-12-22 Includes\HijackersC.sbi (*)
2006-12-22 Includes\DialerC.sbi (*)



HIJACK LOG

Logfile of HijackThis v1.99.1
Scan saved at 11:28:30 PM, on 12/27/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\arc.exe
C:\Program Files\Apple Keyboard Support\KbdMgr.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Sliber\Sliber.EXE
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Documents and Settings\Administrator\Desktop\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.metacrawl.ws
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.metacrawl.ws
R3 - URLSearchHook: (no name) - {D6E7372B-F8EE-F549-9AFA-F4FA4CAE689D} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [AppleTime] C:\WINDOWS\system32\AppleTime.exe
O4 - HKLM\..\Run: [arc] C:\WINDOWS\system32\arc.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Apple_KbdMgr] "C:\Program Files\Apple Keyboard Support\KbdMgr.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Slibe.com] "C:\Program Files\Sliber\Sliber.EXE"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\ie_banner_deny.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1159315090250
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: "C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll"
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" -r (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

Attached Files


Edited by enes, 28 December 2006 - 06:37 AM.


#2 SWI Support Robot

SWI Support Robot

    Helper robot

  • SWI Bot
  • PipPipPipPipPip
  • 23,533 posts

Posted 30 December 2006 - 05:30 AM

Welcome to SWI. We apologize for the delay; our helpers have been very busy.
If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

Thank you for your patience.

[this is an automated reply]
This is an automated message. It does not count as help.

#3 jedi

jedi

    aequam memento rebus in arduis servare mentem

  • Retired Staff
  • PipPipPipPipPip
  • 15,830 posts

Posted 05 January 2007 - 10:45 AM

Hi,

Scan with HiJackThis and put a check in the box next to the following items;

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.metacrawl.ws
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.metacrawl.ws
R3 - URLSearchHook: (no name) - {D6E7372B-F8EE-F549-9AFA-F4FA4CAE689D} - (no file)


Close all browsers and windows, click on ‘fix selected’ and allow HJT to fix these entries.

Restart.

Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
· http://www.pchell.co.../safemode.shtml
  • Doubleclick the drweb-cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can click next icon next to the files found: Posted Image
  • If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:
    Posted Image
    This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples)
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.
Also:
Scan again with HJT, (with all browsers and windows closed) and post the new log in this thread, and let me know if the problem is still there.

jedi
jedi

My help is free, but if you wish to help keep these forums running please consider a donation, see This Topic for details.

#4 enes

enes

    Member

  • Full Member
  • Pip
  • 10 posts

Posted 06 January 2007 - 07:10 AM

thanx jedi, may the force be with you :-)
did everything that you told me. Dr.web scan did not find any problems.
but still if I type sometnig in addressbar without .com it redirects me to metacrawl :grrr:
and there is this "rеgedit.exe" file on C: volume thats still there nad I think it sholdn't be
also if I try to uninstall yahoo toolbar i get Proactive defense warning from kaspersky that C:\Program Files\Yahoo!\Common\unyt.exe running hidden installation into system. So i deny this action. :techsupport:


here is the hijack log

Logfile of HijackThis v1.99.1
Scan saved at 2:04:20 PM, on 1/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\AppleTime.exe
C:\WINDOWS\system32\arc.exe
C:\Program Files\Apple Keyboard Support\KbdMgr.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Sliber\Sliber.EXE
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\hijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [AppleTime] C:\WINDOWS\system32\AppleTime.exe
O4 - HKLM\..\Run: [arc] C:\WINDOWS\system32\arc.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Apple_KbdMgr] "C:\Program Files\Apple Keyboard Support\KbdMgr.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Slibe.com] "C:\Program Files\Sliber\Sliber.EXE"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\ie_banner_deny.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1159315090250
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: "C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll"
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" -r (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

Edited by enes, 06 January 2007 - 07:22 AM.


#5 jedi

jedi

    aequam memento rebus in arduis servare mentem

  • Retired Staff
  • PipPipPipPipPip
  • 15,830 posts

Posted 07 January 2007 - 05:41 AM

Hi again,

Please download SilentRunners from here:
http://www.silentrun...ent Runners.zip
Unzip it to the desktop and double-click on it. If you get any kind of warning message about scripts, please choose to allow the script to run. When the scan is finished, a message will pop up and a logfile will have been created on the desktop. Please post the entire contents of this logfile for me to see.

Do you want to remove the Yahoo toolbar?

jedi
jedi

My help is free, but if you wish to help keep these forums running please consider a donation, see This Topic for details.

#6 enes

enes

    Member

  • Full Member
  • Pip
  • 10 posts

Posted 07 January 2007 - 07:04 AM

Hi, did it here is the log file
and yes, I want google toolbar removed if there isn't other way

best regards,
enes


"Silent Runners.vbs", revision 49, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"AppleTime" = "C:\WINDOWS\system32\AppleTime.exe" ["Apple Computer, Inc."]
"arc" = "C:\WINDOWS\system32\arc.exe" ["Apple Computer, Inc."]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit" [MS]
"Apple_KbdMgr" = ""C:\Program Files\Apple Keyboard Support\KbdMgr.exe"" ["Apple Computer, Inc."]
"RTHDCPL" = "RTHDCPL.EXE" ["Realtek Semiconductor Corp."]
"Adobe Photo Downloader" = ""C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"" ["Adobe Systems Incorporated"]
"ISUSPM Startup" = ""c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup" ["Macrovision Corporation"]
"ISUSScheduler" = ""C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start" ["Macrovision Corporation"]
"Slibe.com" = ""C:\Program Files\Sliber\Sliber.EXE"" [null data]
"IntelliPoint" = ""C:\Program Files\Microsoft IntelliPoint\point32.exe"" [MS]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"" ["Sun Microsystems, Inc."]
"AVP" = ""C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"" ["Kaspersky Lab"]
"(Default)" = "(empty string)" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEHlprObj Class"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll" ["Sun Microsystems, Inc."]
{AE7CD045-E861-484f-8273-0445EE161910}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEToolbarHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]

#7 jedi

jedi

    aequam memento rebus in arduis servare mentem

  • Retired Staff
  • PipPipPipPipPip
  • 15,830 posts

Posted 07 January 2007 - 11:08 AM

Hi,

This report is incomplete, did you cut off the end of it? Can you please post the full one, you may need two posts to fit it all in. Thanks.

jedi
jedi

My help is free, but if you wish to help keep these forums running please consider a donation, see This Topic for details.

#8 enes

enes

    Member

  • Full Member
  • Pip
  • 10 posts

Posted 07 January 2007 - 11:40 AM

sorry, here it is


"Silent Runners.vbs", revision 49, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"AppleTime" = "C:\WINDOWS\system32\AppleTime.exe" ["Apple Computer, Inc."]
"arc" = "C:\WINDOWS\system32\arc.exe" ["Apple Computer, Inc."]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit" [MS]
"Apple_KbdMgr" = ""C:\Program Files\Apple Keyboard Support\KbdMgr.exe"" ["Apple Computer, Inc."]
"RTHDCPL" = "RTHDCPL.EXE" ["Realtek Semiconductor Corp."]
"Adobe Photo Downloader" = ""C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"" ["Adobe Systems Incorporated"]
"ISUSPM Startup" = ""c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup" ["Macrovision Corporation"]
"ISUSScheduler" = ""C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start" ["Macrovision Corporation"]
"Slibe.com" = ""C:\Program Files\Sliber\Sliber.EXE"" [null data]
"IntelliPoint" = ""C:\Program Files\Microsoft IntelliPoint\point32.exe"" [MS]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"" ["Sun Microsystems, Inc."]
"AVP" = ""C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"" ["Kaspersky Lab"]
"(Default)" = "(empty string)" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEHlprObj Class"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll" ["Sun Microsystems, Inc."]
{AE7CD045-E861-484f-8273-0445EE161910}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEToolbarHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
-> {HKLM...CLSID} = "DesktopContext Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
-> {HKLM...CLSID} = "NVIDIA CPL Extension"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {HKLM...CLSID} = "Desktop Explorer"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
-> {HKLM...CLSID} = "nView Desktop Context Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D}" = "Messenger Sharing Folders"
-> {HKLM...CLSID} = "My Sharing Folders"
\InProcServer32\(Default) = "C:\Program Files\MSN Messenger\fsshext.8.0.0812.00.dll" [MS]
"{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}" = "Adobe.Acrobat.ContextMenu"
-> {HKLM...CLSID} = "Acrobat Elements Context Menu"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
"{6DEA92E9-8682-4b6a-97DE-354772FE5727}" = "Autodesk DWF Preview"
-> {HKLM...CLSID} = "ACDWFTHMBPRXY"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Autodesk Shared\AcDwfThmbPrxy16.dll" ["Autodesk"]
"{20082881-FC36-4E47-9A7A-644C95FF749F}" = "IntelliPoint Wireless Control Panel Property Page"
-> {HKLM...CLSID} = "Wireless Property Page"
\InProcServer32\(Default) = ""C:\Program Files\Microsoft IntelliPoint\ipcplwir.dll"" [MS]
"{AF90F543-6A3A-4C1B-8B16-ECEC073E69BE}" = "IntelliPoint Wheel Control Panel Property Page"
-> {HKLM...CLSID} = "Wheel Property Page"
\InProcServer32\(Default) = ""C:\Program Files\Microsoft IntelliPoint\ipcplwhl.dll"" [MS]
"{653DCCC2-13DB-45B2-A389-427885776CFE}" = "IntelliPoint Activities Control Panel Property Page"
-> {HKLM...CLSID} = "Activities Property Page"
\InProcServer32\(Default) = ""C:\Program Files\Microsoft IntelliPoint\ipcplact.dll"" [MS]
"{124597D8-850A-41AE-849C-017A4FA99CA2}" = "IntelliPoint Buttons Control Panel Property Page"
-> {HKLM...CLSID} = "Buttons Property Page"
\InProcServer32\(Default) = ""C:\Program Files\Microsoft IntelliPoint\ipcplbtn.dll"" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {HKLM...CLSID} = "Portable Media Devices Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{85E0B171-04FA-11D1-B7DA-00A0C90348D6}" = "Web Anti-Virus"
-> {HKLM...CLSID} = "Web Anti-Virus"
\InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll" ["Kaspersky Lab"]
"{4858E7D9-8E12-45a3-B6A3-1CD128C9D403}" = "TuneUp Shredder Shell Extension"
-> {HKLM...CLSID} = "TuneUp Shredder Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\TuneUp Utilities 2007\SDShelEx-win32.dll" ["TuneUp Software GmbH"]
"{44440D00-FF19-4AFC-B765-9A0970567D97}" = "TuneUp Theme Extension"
-> {HKLM...CLSID} = "TuneUp Theme Extension"
\InProcServer32\(Default) = "C:\WINDOWS\system32\uxtuneup.dll" ["TuneUp Software GmbH"]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {HKLM...CLSID} = "Microsoft Office Outlook"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
-> {HKLM...CLSID} = "WPDShServiceObj Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\
<<!>> "AppInit_DLLs" = ""C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll"" ["Kaspersky Lab"]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> klogon\DLLName = "C:\WINDOWS\system32\klogon.dll" ["Kaspersky Lab"]

HKLM\Software\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
Adobe.Acrobat.ContextMenu\(Default) = "{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}"
-> {HKLM...CLSID} = "Acrobat Elements Context Menu"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\ShellEx.dll" ["Kaspersky Lab"]
TuneUp Shredder Shell Extension\(Default) = "{4858E7D9-8E12-45a3-B6A3-1CD128C9D403}"
-> {HKLM...CLSID} = "TuneUp Shredder Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\TuneUp Utilities 2007\SDShelEx-win32.dll" ["TuneUp Software GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
TuneUp Shredder Shell Extension\(Default) = "{4858E7D9-8E12-45a3-B6A3-1CD128C9D403}"
-> {HKLM...CLSID} = "TuneUp Shredder Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\TuneUp Utilities 2007\SDShelEx-win32.dll" ["TuneUp Software GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\ShellEx.dll" ["Kaspersky Lab"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\system32\logon.scr" [MS]


Startup items in "Administrator" & "All Users" startup folders:
---------------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Adobe Gamma" -> shortcut to: "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]
"Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
"Acrobat Assistant" -> shortcut to: "C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe" ["Adobe Systems Inc."]


Enabled Scheduled Tasks:
------------------------

"AppleSoftwareUpdate" -> launches: "C:\Program Files\Apple Software Update\SoftwareUpdate.exe -Task" ["Apple Computer, Inc."]
"1-Click Maintenance" -> launches: "C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe /schedulestart" ["TuneUp Software GmbH"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"
-> {HKLM...CLSID} = "Yahoo! Toolbar"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}"
-> {HKLM...CLSID} = "Adobe PDF"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll" [null data]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided)
-> {HKLM...CLSID} = "Yahoo! Toolbar"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}" = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll" [null data]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{182EC0BE-5110-49C8-A062-BEB1D02A220B}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll" [null data]

HKLM\Software\Classes\CLSID\{85E0B171-04FA-11D1-B7DA-00A0C90348D6}\(Default) = "Web Anti-Virus"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll" ["Kaspersky Lab"]

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Research"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0009-ABCDEFFEDCBC}"
-> {HKCU...CLSID} = "Java Plug-in 1.5.0_09"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll" ["Sun Microsystems, Inc."]
-> {HKLM...CLSID} = "Java Plug-in 1.5.0_09"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll" ["Sun Microsystems, Inc."]

{1F460357-8A94-4D71-9CA3-AA4ACF32ED8E}\
"ButtonText" = "Web Anti-Virus"

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Miscellaneous IE Hijack Points
------------------------------

HKLM\Software\Microsoft\Internet Explorer\AboutURLs\
<<H>> "TuneUp" = "file://C|/Documents and Settings/All Users/Application Data/TuneUp Software/Common/base.css" [file not found]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Autodesk Licensing Service, Autodesk Licensing Service, ""C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe"" ["Autodesk"]
HTTP SSL, HTTPFilter, "C:\WINDOWS\System32\svchost.exe -k HTTPFilter" {"C:\WINDOWS\System32\w3ssl.dll" [MS]}
Kaspersky Internet Security 6.0, AVP, ""C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" -r" ["Kaspersky Lab"]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]
RaySat_3dsmax8 Server, mi-raysat_3dsmax8, ""C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe"" [null data]
TabletService, TabletService, "C:\WINDOWS\system32\Tablet.exe" ["Wacom Technology, Corp."]
TuneUp Design Expansion, UxTuneUp, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\uxtuneup.dll" ["TuneUp Software GmbH"]}


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Adobe PDF Port\Driver = "C:\WINDOWS\system32\AdobePDF.dll" ["Adobe Systems Incorporated."]
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]


----------
<<!>>: Suspicious data at a malware launch point.
<<H>>: Suspicious data at a browser hijack point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 314 seconds.
---------- (total run time: 357 seconds)

#9 jedi

jedi

    aequam memento rebus in arduis servare mentem

  • Retired Staff
  • PipPipPipPipPip
  • 15,830 posts

Posted 08 January 2007 - 01:32 PM

Hi,

Do Start > My Computer > Local Disk C > Program Files > Internet Explorer > Plugins

Check through the desciptions and let me know if any of them refer to Metacrawl.

jedi
jedi

My help is free, but if you wish to help keep these forums running please consider a donation, see This Topic for details.

#10 enes

enes

    Member

  • Full Member
  • Pip
  • 10 posts

Posted 08 January 2007 - 07:10 PM

sorry I did not mention this earlier, I use mozilla, IE is working as it should, actualy I don't use it at all
there isn't anything like metacrawl in plugins folder, I checked firefox plugins folder and same thing there

but there is something else suspicious, I think that has something wrong with rеgedit.exe, its showed like that but when i open the C volume total commander reports this
Attached File  tc.jpg   44.46KB   5 downloads
and definitely there is something wrong with yahoo toolbar that I can not uninstall

best regards
enes

Edited by enes, 08 January 2007 - 07:11 PM.


#11 jedi

jedi

    aequam memento rebus in arduis servare mentem

  • Retired Staff
  • PipPipPipPipPip
  • 15,830 posts

Posted 11 January 2007 - 06:49 AM

Hi,

Please run Notepad and paste the following text into a new file:

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]

"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"=-
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}"=-

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar]

"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"=-
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}"=-


Save the file to the desktop as fix.reg and make sure the "Save as Type" field says "All Files". Then please go to the desktop and double-click on fix.reg, and click Yes to merge it with the registry.

Do Start > My Computer > Local Disk C > Program Files and delete Yahoo folder if present.

Next:

==Download, install, and update AVG Anti-Spyware 7.5
  • Save the installer to desktop
  • Double click the installer, select your language, and then select OK
  • Click NEXT>>Do or don't read the "User License Agreement"
    Select I Agree>>>NEXT>>>INSTALL
  • AVG will now install and afterwards click FINISH
  • AVG Anti-Spyware 7.5 should now Load
  • Click the Update tab at the top. Under Manual Update click Start update.
  • After the update finishes (the status bar at the bottom will display "Update successful")
  • Close AVG Anti-Spyware 7.5. Do not run it yet.
Reboot your computer into Safe Mode. To boot into Safe Mode, please restart your computer. Tap F8 before Windows loads. Select Safe Mode at the top, on the screen that appears.
Sign in with your normal user account

Once in safe mode
  • Then run AVG Anti-Spyware 7.5 and click on the Scanner tab at the top
  • Click the "Settings" tab and then change the recommended action to Quarantine and ensure that Automatically generate report after every scan is selected and
    Uncheck "Only if Threats are found"
  • Click back to the "Scan" tab and then click on Complete System Scan.
    This scan can take quite a while to run, so be prepared.
  • AVG Anti-Spyware 7.5 will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. AVG Anti-Spyware 7.5 will display "All actions have been applied" on the right hand side.
  • Click on "Save Report", then "Save Report As". This will create a text file. Make sure you know where to find this file again (like on the Desktop).
Please post the results of the AVG scan, and a fresh HiJackThis log.

jedi
jedi

My help is free, but if you wish to help keep these forums running please consider a donation, see This Topic for details.

#12 enes

enes

    Member

  • Full Member
  • Pip
  • 10 posts

Posted 12 January 2007 - 07:39 AM

here are the files you requested

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 2:28:47 PM 1/12/2007

+ Scan result:



F:\install\!ae plugs\after plugin\Plugin ReelSmart Twixtor AVX\Twixtor patch\smarter.exe -> Backdoor.Theef.111 : Cleaned.
F:\install\Active@_Undelete_v2[1].0.zip/Active@ Undelete v2.0 Patch.exe -> Not-A-Virus.VirTool.Win32.AvSpoffer.a : Cleaned.
F:\install\mosaic\patch.exe -> Not-A-Virus.VirTool.Win32.AvSpoffer.a : Cleaned.
:mozilla.132:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies-1.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.133:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies-1.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.134:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies-1.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.135:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies-1.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.136:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies-1.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.137:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies-1.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.138:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies-1.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.139:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies-1.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.155:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.156:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.157:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.158:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.159:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.160:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.161:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.162:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.163:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.164:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.165:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.166:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.167:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.168:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.169:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.186:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies-1.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.350:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies-1.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.456:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.501:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.623:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.672:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.737:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies-1.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.801:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies-1.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.872:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@2o7[2].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@microsoftwga.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.114:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies-1.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.115:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies-1.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.178:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies-1.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.311:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.67:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.68:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@ads.addynamix[2].txt -> TrackingCookie.Addynamix : Cleaned.
:mozilla.309:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies.txt -> TrackingCookie.Adocean : Cleaned.
:mozilla.310:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies.txt -> TrackingCookie.Adocean : Cleaned.
:mozilla.320:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies.txt -> TrackingCookie.Adtech : Cleaned.
:mozilla.321:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies.txt -> TrackingCookie.Adtech : Cleaned.
:mozilla.705:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies-1.txt -> TrackingCookie.Adtech : Cleaned.
:mozilla.706:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies-1.txt -> TrackingCookie.Adtech : Cleaned.
:mozilla.37:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies-1.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.38:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies-1.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.39:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies-1.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.19:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.202:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies-1.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.104:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies-1.txt -> TrackingCookie.Bluestreak : Cleaned.
:mozilla.75:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies-1.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.76:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies-1.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.77:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies-1.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.430:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies.txt -> TrackingCookie.Com : Cleaned.
:mozilla.441:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies-1.txt -> TrackingCookie.Com : Cleaned.
:mozilla.805:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies-1.txt -> TrackingCookie.Comclick : Cleaned.
:mozilla.806:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies-1.txt -> TrackingCookie.Comclick : Cleaned.
:mozilla.807:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies-1.txt -> TrackingCookie.Comclick : Cleaned.
:mozilla.78:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies-1.txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@adopt.euroclick[1].txt -> TrackingCookie.Euroclick : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@adopt.euroclick[2].txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.467:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies-1.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.254:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies-1.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.255:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies-1.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.256:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies-1.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.291:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies-1.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.293:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies-1.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.294:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies-1.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.338:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies-1.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.339:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies-1.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.340:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies-1.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.725:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies-1.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.760:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies-1.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.761:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies-1.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.830:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies-1.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.306:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies-1.txt -> TrackingCookie.Hotlog : Cleaned.
:mozilla.539:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies.txt -> TrackingCookie.Hotlog : Cleaned.
:mozilla.444:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies-1.txt -> TrackingCookie.Information : Cleaned.
:mozilla.566:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies.txt -> TrackingCookie.Ivwbox : Cleaned.
:mozilla.745:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies-1.txt -> TrackingCookie.Ivwbox : Cleaned.
:mozilla.120:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.123:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.124:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.236:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies-1.txt -> TrackingCookie.Mediaplex : Cleaned.
:mozilla.146:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies.txt -> TrackingCookie.Overture : Cleaned.
:mozilla.164:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies-1.txt -> TrackingCookie.Overture : Cleaned.
:mozilla.679:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies.txt -> TrackingCookie.Overture : Cleaned.
:mozilla.776:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies-1.txt -> TrackingCookie.Overture : Cleaned.
:mozilla.191:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies-1.txt -> TrackingCookie.Paypopup : Cleaned.
:mozilla.274:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies-1.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.278:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies-1.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.279:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies-1.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.280:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies-1.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.316:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.317:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.318:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.319:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.714:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies.txt -> TrackingCookie.Qksrv : Cleaned.
:mozilla.715:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies.txt -> TrackingCookie.Qksrv : Cleaned.
:mozilla.717:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.718:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@questionmarket[3].txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.443:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies-1.txt -> TrackingCookie.Revenue : Cleaned.
:mozilla.737:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies.txt -> TrackingCookie.Revenue : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@revenue[2].txt -> TrackingCookie.Revenue : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@revenue[3].txt -> TrackingCookie.Revenue : Cleaned.
:mozilla.474:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.475:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.476:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.477:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.753:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.754:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.755:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.756:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.757:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.823:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies-1.txt -> TrackingCookie.Sitestat : Cleaned.
:mozilla.793:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies-1.txt -> TrackingCookie.Smartadserver : Cleaned.
:mozilla.794:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies-1.txt -> TrackingCookie.Smartadserver : Cleaned.
:mozilla.795:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies-1.txt -> TrackingCookie.Smartadserver : Cleaned.
:mozilla.304:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies-1.txt -> TrackingCookie.Spylog : Cleaned.
:mozilla.50:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies-1.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.51:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies-1.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.52:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies-1.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.53:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies-1.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.54:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies-1.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.55:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies-1.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.56:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies-1.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.57:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies-1.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.58:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies-1.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.59:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies-1.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.60:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies-1.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.61:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies-1.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.62:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies-1.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.63:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies-1.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.64:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies-1.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.65:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies-1.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.66:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies-1.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.67:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies-1.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.68:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies-1.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.69:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies-1.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.70:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies-1.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.71:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies-1.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.72:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies-1.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.217:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.218:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.219:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.605:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies-1.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.606:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies-1.txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.863:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies-1.txt -> TrackingCookie.Targetnet : Cleaned.
:mozilla.516:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies-1.txt -> TrackingCookie.Tradedoubler : Cleaned.
:mozilla.686:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies-1.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.687:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies-1.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.688:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies-1.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.689:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies-1.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.690:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies-1.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.691:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies-1.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.32:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies-1.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.33:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies-1.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.667:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies-1.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.829:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.864:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies-1.txt -> TrackingCookie.Valuead : Cleaned.
:mozilla.865:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies-1.txt -> TrackingCookie.Valuead : Cleaned.
:mozilla.866:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies-1.txt -> TrackingCookie.Valuead : Cleaned.
:mozilla.884:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies-1.txt -> TrackingCookie.Valueclick : Cleaned.
:mozilla.855:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies.txt -> TrackingCookie.Web-stat : Cleaned.
:mozilla.856:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies.txt -> TrackingCookie.Web-stat : Cleaned.
:mozilla.100:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies-1.txt -> TrackingCookie.Weborama : Cleaned.
:mozilla.101:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies-1.txt -> TrackingCookie.Weborama : Cleaned.
:mozilla.102:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies-1.txt -> TrackingCookie.Weborama : Cleaned.
:mozilla.853:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies.txt -> TrackingCookie.Weborama : Cleaned.
:mozilla.854:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies.txt -> TrackingCookie.Weborama : Cleaned.
:mozilla.455:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies-1.txt -> TrackingCookie.Webtrendslive : Cleaned.
:mozilla.305:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies-1.txt -> TrackingCookie.Yadro : Cleaned.
:mozilla.880:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies.txt -> TrackingCookie.Yadro : Cleaned.
:mozilla.189:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies-1.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.190:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies-1.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.901:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.902:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.40:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6hlggh08.default\cookies-1.txt -> TrackingCookie.Zedo : Cleaned.
E:\!backup_enes\web\ZEZ\korisno\flash\flash windowless\mproj\mprojector v.1.0 (11t) - crack.exe -> Trojan.Proxcrak.A : Cleaned.


::Report end






Logfile of HijackThis v1.99.1
Scan saved at 2:30:45 PM, on 1/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\totalcmd\TOTALCMD.EXE
C:\hijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [AppleTime] C:\WINDOWS\system32\AppleTime.exe
O4 - HKLM\..\Run: [arc] C:\WINDOWS\system32\arc.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Apple_KbdMgr] "C:\Program Files\Apple Keyboard Support\KbdMgr.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Slibe.com] "C:\Program Files\Sliber\Sliber.EXE"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1159315090250
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: "C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll"
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" -r (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe




best regards,
enes

#13 jedi

jedi

    aequam memento rebus in arduis servare mentem

  • Retired Staff
  • PipPipPipPipPip
  • 15,830 posts

Posted 12 January 2007 - 10:18 AM

Hi again,

Are you still getting the same problem, and have you still got the Yahoo toolbar?

jedi
jedi

My help is free, but if you wish to help keep these forums running please consider a donation, see This Topic for details.

#14 enes

enes

    Member

  • Full Member
  • Pip
  • 10 posts

Posted 12 January 2007 - 12:33 PM

hi,
yes still the same metacrawl, but yahoo is gone :-)

and there is this on C volume,

Attached File  regedit.gif   8.2KB   12 downloads

can I just delete it or is it something more complicated?

best regards
enes

#15 jedi

jedi

    aequam memento rebus in arduis servare mentem

  • Retired Staff
  • PipPipPipPipPip
  • 15,830 posts

Posted 12 January 2007 - 12:53 PM

Hi again,

That's interesting.

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

jedi
jedi

My help is free, but if you wish to help keep these forums running please consider a donation, see This Topic for details.

#16 enes

enes

    Member

  • Full Member
  • Pip
  • 10 posts

Posted 13 January 2007 - 03:42 AM

"Administrator" - 07-01-13 9:59:53 Service Pack 2
ComboFix 07-01-12 - Running from: "C:\Documents and Settings\Administrator\Desktop\download"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\qoobox\purity\WINDOWS\çSKS~1
C:\qoobox\purity\Program Files\Common Files\SCURIT~1
C:\qoobox\purity\Program Files\Common Files\SCURIT~1\s?curity


((((((((((((((((((((((((((((((( Files Created from 2006-12-13 to 2007-01-13 ))))))))))))))))))))))))))))))))))


2007-01-12 11:07 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-01-12 11:07 <DIR> d-------- C:\Program Files\Grisoft
2007-01-11 14:35 <DIR> d-------- C:\Program Files\Blogg-X
2007-01-06 11:54 <DIR> d-------- C:\DOCUME~1\ADMINI~1\DoctorWeb
2007-01-05 21:00 <DIR> d--h----- C:\WINDOWS\PIF
2006-12-30 12:18 <DIR> d--hs---- C:\FOUND.001
2006-12-28 19:14 17,920 --a------ C:\WINDOWS\system32\mdimon.dll
2006-12-28 19:13 <DIR> d-------- C:\WINDOWS\SHELLNEW
2006-12-28 19:13 <DIR> d-------- C:\Program Files\Microsoft.NET
2006-12-28 19:13 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2006-12-27 12:18 <DIR> d-------- C:\hijackThis
2006-12-27 12:12 <DIR> d-------- C:\WINDOWS\pss
2006-12-27 11:10 <DIR> d--hs---- C:\FOUND.000
2006-12-27 10:51 37,027 --a------ C:\WINDOWS\atmoUn.exe
2006-12-27 10:51 <DIR> d-------- C:\Program Files\Viewpoint
2006-12-27 10:51 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Viewpoint
2006-12-26 04:38 <DIR> d-------- C:\autoruns
2006-12-26 04:18 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Application Data\.TrueSwordSettings
2006-12-26 03:19 24,072 --a------ C:\WINDOWS\system32\uxtuneup.dll
2006-12-26 03:19 <DIR> d-------- C:\Program Files\TuneUp Utilities 2007
2006-12-26 03:19 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Application Data\TuneUp Software
2006-12-26 03:18 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2006-12-26 03:18 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\TuneUp Software
2006-12-25 20:26 <DIR> d-------- C:\Program Files\Kaspersky Lab
2006-12-25 20:26 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Kaspersky Lab
2006-12-25 20:25 <DIR> d-------- C:\DOCUME~1\LOCALS~1\Application Data\WTablet
2006-12-25 20:23 <DIR> d-------- C:\WINDOWS\system32\appmgmt
2006-12-25 20:06 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Spybot - Search & Destroy
2006-12-24 19:50 190,976 --a------ C:\r?gedit.exe
2006-12-24 19:50 <DIR> d-------- C:\Program Files\IEToolbar
2006-12-24 18:14 <DIR> d-------- C:\Program Files\MailNavigator
2006-12-18 22:10 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2006-12-18 22:10 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2006-12-18 22:09 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2006-12-18 22:09 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2006-12-18 18:17 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2006-12-18 17:18 <DIR> d-------- C:\WINDOWS\Sun
2006-12-18 17:18 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Application Data\Sun
2006-12-18 17:17 <DIR> d-------- C:\Program Files\Java
2006-12-18 17:16 <DIR> d-------- C:\Program Files\Common Files\Java


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-01-12 20:16 2828 --ahs---- C:\WINDOWS\system32\kgygaavl.sys
2006-12-26 04:18 -------- d-------- C:\DOCUME~1\ADMINI~1\Application Data\.trueswordsettings
2006-12-10 16:58 82 --ah----- C:\._msvci70.dll
2006-12-10 16:58 82 --ah----- C:\._CONFIG.SYS
2006-12-10 16:58 82 --ah----- C:\._AUTOEXEC.BAT
2006-11-17 16:22 -------- d-------- C:\Program Files\msxml 4.0
2006-11-15 15:44 18273 --a------ C:\WINDOWS\system32\drivers\klop.sys
2006-11-08 06:06 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-11-04 14:14 1245696 --a------ C:\WINDOWS\system32\msxml4.dll
2006-11-01 17:42 94314 --a------ C:\WINDOWS\system32\klogon.dll
2006-10-26 09:36 73 --a------ C:\WINDOWS\system32\ssprs.dll
2006-10-26 09:36 205 --a------ C:\WINDOWS\system32\lsprst7.dll
2006-10-25 16:53 1025 --a------ C:\WINDOWS\system32\sysprs7.dll
2006-10-25 16:53 1025 --a------ C:\WINDOWS\system32\clauth2.dll
2006-10-25 16:53 1025 --a------ C:\WINDOWS\system32\clauth1.dll
2006-10-19 14:56 713216 --a------ C:\WINDOWS\system32\sxs.dll
2006-10-18 21:58 8704 --a------ C:\WINDOWS\system32\wdfmgr.exe
2006-10-18 21:58 8704 --a------ C:\WINDOWS\system32\uwdf.exe
2006-10-18 21:47 99840 --a------ C:\WINDOWS\system32\wmpshell.dll
2006-10-18 21:47 991744 --a------ C:\WINDOWS\system32\drmv2clt.dll
2006-10-18 21:47 937984 --a------ C:\WINDOWS\system32\wmnetmgr.dll
2006-10-18 21:47 8231936 --a------ C:\WINDOWS\system32\wmploc.dll
2006-10-18 21:47 767488 --------- C:\WINDOWS\system32\wmvsencd.dll
2006-10-18 21:47 757248 --a------ C:\WINDOWS\system32\wmadmod.dll
2006-10-18 21:47 7168 --a------ C:\WINDOWS\system32\asferror.dll
2006-10-18 21:47 656896 --------- C:\WINDOWS\system32\wmvxencd.dll
2006-10-18 21:47 63488 --a------ C:\WINDOWS\system32\wpdmtpus.dll
2006-10-18 21:47 629760 --a------ C:\WINDOWS\system32\wpd_ci.dll
2006-10-18 21:47 613376 --------- C:\WINDOWS\system32\wmpmde.dll
2006-10-18 21:47 603648 --a------ C:\WINDOWS\system32\wmspdmod.dll
2006-10-18 21:47 542720 --a------ C:\WINDOWS\system32\blackbox.dll
2006-10-18 21:47 535040 --------- C:\WINDOWS\system32\wmdrmsdk.dll
2006-10-18 21:47 429056 --a------ C:\WINDOWS\system32\wmdrmdev.dll
2006-10-18 21:47 414208 --a------ C:\WINDOWS\system32\msscp.dll
2006-10-18 21:47 4096 --a------ C:\WINDOWS\system32\wmvdmoe2.dll
2006-10-18 21:47 4096 --a------ C:\WINDOWS\system32\wmvdmod.dll
2006-10-18 21:47 4096 --a------ C:\WINDOWS\system32\wmvadve.dll
2006-10-18 21:47 4096 --a------ C:\WINDOWS\system32\wmvadvd.dll
2006-10-18 21:47 4096 --a------ C:\WINDOWS\system32\wmsdmoe2.dll
2006-10-18 21:47 4096 --a------ C:\WINDOWS\system32\wmsdmod.dll
2006-10-18 21:47 4096 --a------ C:\WINDOWS\system32\wdfapi.dll
2006-10-18 21:47 4096 --a------ C:\WINDOWS\system32\mpg4dmod.dll
2006-10-18 21:47 4096 --a------ C:\WINDOWS\system32\mp4sdmod.dll
2006-10-18 21:47 4096 --a------ C:\WINDOWS\system32\mp43dmod.dll
2006-10-18 21:47 38400 --------- C:\WINDOWS\system32\wpdshextres.dll
2006-10-18 21:47 37376 --a------ C:\WINDOWS\system32\wmdmps.dll
2006-10-18 21:47 35840 --a------ C:\WINDOWS\system32\wpdconns.dll
2006-10-18 21:47 356352 --a------ C:\WINDOWS\system32\wpdsp.dll
2006-10-18 21:47 348672 --a------ C:\WINDOWS\system32\wmdrmnet.dll
2006-10-18 21:47 33792 --a------ C:\WINDOWS\system32\wmdmlog.dll
2006-10-18 21:47 321536 --a------ C:\WINDOWS\system32\mswmdm.dll
2006-10-18 21:47 317440 --------- C:\WINDOWS\system32\mp4sdecd.dll
2006-10-18 21:47 314880 --a------ C:\WINDOWS\system32\wmpdxm.dll
2006-10-18 21:47 295936 --------- C:\WINDOWS\system32\wmpeffects.dll
2006-10-18 21:47 284160 --------- C:\WINDOWS\system32\portabledeviceapi.dll
2006-10-18 21:47 27136 --a------ C:\WINDOWS\system32\mspmsnsv.dll
2006-10-18 21:47 2603008 --------- C:\WINDOWS\system32\wpdshext.dll
2006-10-18 21:47 259072 --------- C:\WINDOWS\system32\mpg4decd.dll
2006-10-18 21:47 259072 --------- C:\WINDOWS\system32\mp43decd.dll
2006-10-18 21:47 2450944 --a------ C:\WINDOWS\system32\wmvcore.dll
2006-10-18 21:47 242688 --a------ C:\WINDOWS\system32\wmpasf.dll
2006-10-18 21:47 229376 --a------ C:\WINDOWS\system32\cewmdm.dll
2006-10-18 21:47 227328 --a------ C:\WINDOWS\system32\wmerror.dll
2006-10-18 21:47 222208 --a------ C:\WINDOWS\system32\wmasf.dll
2006-10-18 21:47 212992 --------- C:\WINDOWS\system32\mfplat.dll
2006-10-18 21:47 211456 --a------ C:\WINDOWS\system32\qasf.dll
2006-10-18 21:47 204288 --a------ C:\WINDOWS\system32\wmpsrcwp.dll
2006-10-18 21:47 199168 --------- C:\WINDOWS\system32\portabledevicewmdrm.dll
2006-10-18 21:47 179712 --a------ C:\WINDOWS\system32\msnetobj.dll
2006-10-18 21:47 175616 --a------ C:\WINDOWS\system32\mspmsp.dll
2006-10-18 21:47 166912 --------- C:\WINDOWS\system32\portabledevicetypes.dll
2006-10-18 21:47 1661440 --a------ C:\WINDOWS\system32\wmpencen.dll
2006-10-18 21:47 1574912 --------- C:\WINDOWS\system32\wmvencod.dll
2006-10-18 21:47 157184 --a------ C:\WINDOWS\system32\wmidx.dll
2006-10-18 21:47 154624 --a------ C:\WINDOWS\system32\wpdmtp.dll
2006-10-18 21:47 1543680 --------- C:\WINDOWS\system32\wmvdecod.dll
2006-10-18 21:47 1382912 --------- C:\WINDOWS\system32\wmvsdecd.dll
2006-10-18 21:47 133632 --------- C:\WINDOWS\system32\wpdshserviceobj.dll
2006-10-18 21:47 1329152 --a------ C:\WINDOWS\system32\wmspdmoe.dll
2006-10-18 21:47 132096 --------- C:\WINDOWS\system32\portabledevicewiacompat.dll
2006-10-18 21:47 130048 --------- C:\WINDOWS\system32\wmpps.dll
2006-10-18 21:47 11264 --a------ C:\WINDOWS\system32\laprxy.dll
2006-10-18 21:47 1117696 --a------ C:\WINDOWS\system32\wmadmoe.dll
2006-10-18 21:47 101888 --------- C:\WINDOWS\system32\portabledeviceclassextension.dll
2006-10-18 20:03 100864 --a------ C:\WINDOWS\system32\logagent.exe
2006-10-18 20:00 249856 --------- C:\WINDOWS\system32\drmupgds.exe
2006-10-18 20:00 17408 --------- C:\WINDOWS\system32\wpdshextautoplay.exe
2006-10-14 16:21 0 -rahs---- C:\MSDOS.SYS
2006-10-14 16:21 0 -rahs---- C:\IO.SYS
2006-10-14 16:21 0 --a------ C:\CONFIG.SYS
2006-10-14 16:21 0 --a------ C:\AUTOEXEC.BAT
2006-10-13 13:35 65536 --a------ C:\WINDOWS\system32\nwwks.dll
2006-10-13 13:35 64000 --a------ C:\WINDOWS\system32\nwapi32.dll
2006-10-13 13:35 142336 --a------ C:\WINDOWS\system32\nwprovau.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"AppleTime"="C:\\WINDOWS\\system32\\AppleTime.exe"
"arc"="C:\\WINDOWS\\system32\\arc.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"Apple_KbdMgr"="\"C:\\Program Files\\Apple Keyboard Support\\KbdMgr.exe\""
"RTHDCPL"="RTHDCPL.EXE"
"Adobe Photo Downloader"="\"C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""
"ISUSPM Startup"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\isuspm.exe\" -startup"
"ISUSScheduler"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start"
"Slibe.com"="\"C:\\Program Files\\Sliber\\Sliber.EXE\""
"IntelliPoint"="\"C:\\Program Files\\Microsoft IntelliPoint\\point32.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_09\\bin\\jusched.exe\""
"AVP"="\"C:\\Program Files\\Kaspersky Lab\\Kaspersky Internet Security 6.0\\avp.exe\""
@=""
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Alcmtr"="ALCMTR.EXE"
"SkyTel"="SkyTel.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
Usnsvc REG_MULTI_SZ usnsvc\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0

HKLM\software\Microsoft\Windows NT\CurrentVersion\Svchost *netsvcs*
UxTuneUp



~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

backup-20070109-040138-826
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
backup-20070106-115048-210
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.metacrawl.ws
backup-20070106-115048-847
R3 - URLSearchHook: (no name) - {D6E7372B-F8EE-F549-9AFA-F4FA4CAE689D} - (no file)
backup-20070106-115048-815
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
backup-20070106-115048-931
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.metacrawl.ws

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\1-Click Maintenance.job

Completion time: 07-01-13 10:31:57

best regards,
enes

#17 jedi

jedi

    aequam memento rebus in arduis servare mentem

  • Retired Staff
  • PipPipPipPipPip
  • 15,830 posts

Posted 13 January 2007 - 05:24 AM

Hi again,

The folders with the ??s in them are from PurityScan, which is Adware and could well be responsible for the redirects. It looks like ComboFix got it, but it may have missed this one:
C:\r?gedit.exe
So can you search for this one, the ? will be a foreign character or a symbol. If you find it, delete it. Let me know how this goes.

jedi
jedi

My help is free, but if you wish to help keep these forums running please consider a donation, see This Topic for details.

#18 enes

enes

    Member

  • Full Member
  • Pip
  • 10 posts

Posted 13 January 2007 - 07:39 PM

the only file that I found was C:/regedit.exe, i deleted it but still no change, evil redirection was still there so i reinstalled firefox and now it seems that everything is working fine, no more metacrawl shit :evilgrin:
besides that, I don't see anything else suspicious so I guess thats it.

thanx for help ^_^

best regards,
enes

#19 jedi

jedi

    aequam memento rebus in arduis servare mentem

  • Retired Staff
  • PipPipPipPipPip
  • 15,830 posts

Posted 14 January 2007 - 07:00 AM

Hi again,

Glad you solved your problem and hopefully I was some help. :D

Take care.

jedi
jedi

My help is free, but if you wish to help keep these forums running please consider a donation, see This Topic for details.

#20 enes

enes

    Member

  • Full Member
  • Pip
  • 10 posts

Posted 14 January 2007 - 07:00 PM

definitely, thank you very much
best regards
enes

#21 jedi

jedi

    aequam memento rebus in arduis servare mentem

  • Retired Staff
  • PipPipPipPipPip
  • 15,830 posts

Posted 15 January 2007 - 02:04 PM

Glad we could help. :)

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
jedi

My help is free, but if you wish to help keep these forums running please consider a donation, see This Topic for details.




Member of UNITE
Support SpywareInfo Forum - click the button