Offeroptimizer popups...computer freezes a lot, won't shutdown
I get the offeroptimizer popups, the computer freezes periodically, and on shutdown just hangs. I am running Windows 98 1st edition.
Ok, Spybot and Ad-Aware have been updated and run.
This scan was run in safe mode, with all hidden files and folders enabled.
Logfile of HijackThis v1.99.1
Scan saved at 3:21:48 PM, on 7/23/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\HIJACK\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/p/hp/?http://hp.my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\SYSTB.DLL
O2 - BHO: X1IEHook Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\PROGRAM FILES\NETZERO\QSACC\X1IEBHO.DLL (file missing)
O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINDOWS\BTGRAB.DLL
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\PROGRAM FILES\NETZERO\TOOLBAR.DLL (file missing)
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [USBMMKBD] usbmmkbd.exe
O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [aiepk] C:\WINDOWS\DESKTOP\AIEPK2.EXE
O4 - HKLM\..\Run: [vptjhc] c:\windows\system\vptjhc.exe
O4 - HKLM\..\RunServices: [Hidserv] Hidserv.exe run
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - http://www.net2phone.com/ (file missing)
O9 - Extra 'Tools' menuitem: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - http://www.net2phone.com/ (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\INSTANT MESSENGER\AIM.EXE
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mpg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {BF8AEBF6-0656-11d4-9EFF-00B0D011B1AE} (Communities.com TPV Support 01) - http://www.thepalace.com/TPV/CC_SUPPORT.cab
O16 - DPF: Yahoo! Word Racer - http://download.games.yahoo.com/games/clients/y/ws1_x.cab
Thanks all
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/p/hp/?http://hp.my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\SYSTB.DLL
O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINDOWS\BTGRAB.DLL
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [vptjhc] c:\windows\system\vptjhc.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
Delete these files or directories if they exist:
C:\WINDOWS\SYSTB.DLL
C:\WINDOWS\BTGRAB.DLL
c:\windows\system\vptjhc.exe
C:\WINDOWS\SYSTEM\Shdocvw.dll
Run Panda Software's ActiveScan and save the results of this scan. Post the results of ActiveScan with a new HijackThis log.
C:\WINDOWS\SYSTEM\Shdocvw.dll
It wasn't listed in safe mode, and in normal mode, can't delete it 'cause it's a running process.
Ok...these are my ActiveScan results. Next post will be HijackThis results.
Incident Status Location
Spyware:spyware/cydoor No disinfected C:\WINDOWS\SYSTEM\cd_clint.dll
Adware:adware/twain-tech No disinfected C:\WINDOWS\SYSTEM\POLALL1M.EXE
Adware:adware/ipinsight No disinfected C:\WINDOWS\TEMP\alchem.cab
Adware:adware/toprebates No disinfected C:\WINDOWS\TEMP\djtopr1150.exe
Adware:adware/transponder No disinfected C:\WINDOWS\abiuninst.htm
Adware:adware/ieplugin No disinfected HKEY_CURRENT_USER\SOFTWARE\INTEXP
Adware:adware/btgrab No disinfected HKEY_CURRENT_USER\SOFTWARE\BTGRAB
Adware:adware/mbkwbar No disinfected HKEY_CURRENT_USER\SOFTWARE\MBKWBAR
Adware:adware/comet No disinfected HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{FE6BC4EF-5676-484B-88AE-883323913256}
Adware:adware/topmoxie No disinfected HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\{6685509E-B47B-4f47-8E16-9A5F3A62F683}
Spyware:spyware/betterinet No disinfected HKEY_CLASSES_ROOT\TypeLib\{72892e8e-75df-4cd2-be11-e9a0077f44a8}
Adware:Adware/Transponder No disinfected C:\WINDOWS\SYSTEM\POLALL1M.EXE
Adware:Adware/IPInsight No disinfected C:\WINDOWS\INF\ALCHEM.INF
Adware:Adware/Twain-Tech No disinfected C:\WINDOWS\INF\TWAINTEC.INF
Adware:Adware/Transponder No disinfected C:\WINDOWS\INF\POLALL1R.INF
Adware:Adware/BTGrab No disinfected C:\WINDOWS\INF\BTGRAB.INF
Adware:Adware/IPInsight No disinfected C:\WINDOWS\INF\FARMMEXT.INF
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\SYSTEM32\randreco.exe
Adware:Adware/Comet No disinfected C:\WINDOWS\TEMP\ccu\comet.cab[csbho.dll]
Adware:Adware/IPInsight No disinfected C:\WINDOWS\TEMP\alchem.cab
Adware:Adware/IPInsight No disinfected C:\WINDOWS\TEMP\alchem.cab[alchem.inf]
Adware:Adware/IPInsight No disinfected C:\WINDOWS\TEMP\alchem.cab[alchem.exe]
Adware:Adware/IPInsight No disinfected C:\WINDOWS\TEMP\alchem.cab[alchem.ini]
Adware:Adware/IPInsight No disinfected C:\WINDOWS\TEMP\alchem.inf
Adware:Adware/IPInsight No disinfected C:\WINDOWS\TEMP\alchem.exe
Adware:Adware/IPInsight No disinfected C:\WINDOWS\TEMP\alchem.ini
Virus:Trj/Downloader.OU Disinfected C:\WINDOWS\TEMP\wupdt.exe
Virus:Trj/Downloader.GK Disinfected C:\WINDOWS\TEMP\poltt.cab
Adware:Adware/Transponder No disinfected C:\WINDOWS\TEMP\poltt.exe
Virus:Trj/Downloader.GK Disinfected C:\WINDOWS\TEMP\polmx.cab
Adware:Adware/Transponder No disinfected C:\WINDOWS\TEMP\polmx.exe
Adware:Adware/TopRebates No disinfected C:\WINDOWS\TEMP\djtopr1150.exe
Adware:Adware/Twain-Tech No disinfected C:\WINDOWS\TEMP\twaintec.cab
Adware:Adware/Twain-Tech No disinfected C:\WINDOWS\TEMP\twaintec.cab[twaintec.inf]
Adware:Adware/Twain-Tech No disinfected C:\WINDOWS\TEMP\twaintec.cab[twaintec.dll]
Adware:Adware/Twain-Tech No disinfected C:\WINDOWS\TEMP\twaintec.cab[preInsTT.exe]
Adware:Adware/Transponder No disinfected C:\WINDOWS\TEMP\twaintec.cab[polall1m.exe]
Adware:Adware/Twain-Tech No disinfected C:\WINDOWS\TEMP\twaintec.inf
Adware:Adware/Twain-Tech No disinfected C:\WINDOWS\TEMP\twaintec.dll
Adware:Adware/Twain-Tech No disinfected C:\WINDOWS\TEMP\preInsTT.exe
Adware:Adware/Transponder No disinfected C:\WINDOWS\TEMP\polall1m.exe
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\TEMP\satmat.cab[satmat.inf]
Adware:Adware/IPInsight No disinfected C:\WINDOWS\TEMP\satmat.cab[satmat.exe]
Adware:Adware/IPInsight No disinfected C:\WINDOWS\TEMP\satmat.cab[satmat.ini]
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\TEMP\satmat.inf
Adware:Adware/IPInsight No disinfected C:\WINDOWS\TEMP\satmat.exe
Adware:Adware/IPInsight No disinfected C:\WINDOWS\TEMP\satmat.ini
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\TEMP\btgupg.exe
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\TEMP\DrTemp\mm_reco.exe
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\TEMP\randreco.exe
Adware:Adware/BTGrab No disinfected C:\WINDOWS\TEMP\btgrab.cab
Adware:Adware/BTGrab No disinfected C:\WINDOWS\TEMP\btgrab.cab[btgrab.inf]
Adware:Adware/BTGrab No disinfected C:\WINDOWS\TEMP\btgrab.cab[BTGrab.dll]
Adware:Adware/Twain-Tech No disinfected C:\WINDOWS\TEMP\btgrab.cab[polall1b.exe]
Adware:Adware/BTGrab No disinfected C:\WINDOWS\TEMP\btgrab.inf
Adware:Adware/BTGrab No disinfected C:\WINDOWS\TEMP\BTGrab.dll
Adware:Adware/Twain-Tech No disinfected C:\WINDOWS\TEMP\polall1b.exe
Adware:Adware/IPInsight No disinfected C:\WINDOWS\FARMMEXT.EXE
Adware:Adware/Twain-Tech No disinfected C:\WINDOWS\PREINSTT.EXE
Adware:Adware/IPInsight No disinfected C:\WINDOWS\ALCHEM.EXE
Adware:Adware/Transponder No disinfected C:\WINDOWS\POLMX.EXE
Adware:Adware/Twain-Tech No disinfected C:\WINDOWS\TWAINTEC.DLL
Adware:Adware/Imibar No disinfected C:\RECYCLED\DC0.EXE
Adware:Adware/Twain-Tech No disinfected C:\RECYCLED\DC1.EXE
Adware:Adware/BTGrab No disinfected C:\RECYCLED\DC2.DLL
Adware:Adware/Imibar No disinfected C:\RECYCLED\DC3.DLL
Adware:Adware/TopRebates No disinfected C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker1.exe
Adware:Adware/TopMoxie No disinfected C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe
Adware:Adware/TopRebates No disinfected C:\Program Files\Ebates_MoeMoneyMaker\disp350.exe
Adware:Adware/Imibar No disinfected C:\Hijack\backups\backup-20050723-164341-144.dll
Adware:Adware/BTGrab No disinfected C:\Hijack\backups\backup-20050723-164341-327.dll
Scan saved at 4:55:35 PM, on 7/23/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\USBMMKBD.EXE
C:\WINDOWS\DESKTOP\AIEPK2.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\HIJACK\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.yyep.com/search/search05.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ilgpc.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.yyep.com/search/search05.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: X1IEHook Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\PROGRAM FILES\NETZERO\QSACC\X1IEBHO.DLL (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\PROGRAM FILES\NETZERO\TOOLBAR.DLL (file missing)
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [USBMMKBD] usbmmkbd.exe
O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [aiepk] C:\WINDOWS\DESKTOP\AIEPK2.EXE
O4 - HKLM\..\RunServices: [Hidserv] Hidserv.exe run
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O8 - Extra context menu item: Web Rebates - file://C:\PROGRAM FILES\WEB_REBATES\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - http://www.net2phone.com/ (file missing)
O9 - Extra 'Tools' menuitem: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - http://www.net2phone.com/ (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\INSTANT MESSENGER\AIM.EXE
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\PROGRAM FILES\EBATES_MOEMONEYMAKER\Sy350\Tp350\scri350a.htm (HKCU)
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mpg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {BF8AEBF6-0656-11d4-9EFF-00B0D011B1AE} (Communities.com TPV Support 01) - http://www.thepalace.com/TPV/CC_SUPPORT.cab
O16 - DPF: Yahoo! Word Racer - http://download.games.yahoo.com/games/clients/y/ws1_x.cab
Delete these files or directories if they exist:
C:\WINDOWS\SYSTEM\cd_clint.dll
C:\WINDOWS\SYSTEM\POLALL1M.EXE
C:\WINDOWS\TEMP\alchem.cab
C:\WINDOWS\TEMP\djtopr1150.exe
C:\WINDOWS\abiuninst.htm
C:\WINDOWS\SYSTEM\POLALL1M.EXE
C:\WINDOWS\INF\ALCHEM.INF
C:\WINDOWS\INF\TWAINTEC.INF
C:\WINDOWS\INF\POLALL1R.INF
C:\WINDOWS\INF\BTGRAB.INF
C:\WINDOWS\INF\FARMMEXT.INF
C:\WINDOWS\SYSTEM32\randreco.exe
C:\WINDOWS\TEMP\ccu\comet.cab[csbho.dll]
C:\WINDOWS\TEMP\alchem.cab
C:\WINDOWS\TEMP\alchem.cab[alchem.inf]
C:\WINDOWS\TEMP\alchem.cab[alchem.exe]
C:\WINDOWS\TEMP\alchem.cab[alchem.ini]
C:\WINDOWS\TEMP\alchem.inf
C:\WINDOWS\TEMP\alchem.exe
C:\WINDOWS\TEMP\alchem.ini
C:\WINDOWS\TEMP\poltt.exe
C:\WINDOWS\TEMP\polmx.exe
C:\WINDOWS\TEMP\djtopr1150.exe
C:\WINDOWS\TEMP\twaintec.cab
C:\WINDOWS\TEMP\twaintec.cab[twaintec.inf]
C:\WINDOWS\TEMP\twaintec.cab[twaintec.dll]
C:\WINDOWS\TEMP\twaintec.cab[preInsTT.exe]
C:\WINDOWS\TEMP\twaintec.cab[polall1m.exe]
C:\WINDOWS\TEMP\twaintec.inf
C:\WINDOWS\TEMP\twaintec.dll
C:\WINDOWS\TEMP\preInsTT.exe
C:\WINDOWS\TEMP\polall1m.exe
C:\WINDOWS\TEMP\satmat.cab[satmat.inf]
C:\WINDOWS\TEMP\satmat.cab[satmat.exe]
C:\WINDOWS\TEMP\satmat.cab[satmat.ini]
C:\WINDOWS\TEMP\satmat.inf
C:\WINDOWS\TEMP\satmat.exe
C:\WINDOWS\TEMP\satmat.ini
C:\WINDOWS\TEMP\btgupg.exe
C:\WINDOWS\TEMP\DrTemp\mm_reco.exe
C:\WINDOWS\TEMP\randreco.exe
C:\WINDOWS\TEMP\btgrab.cab
C:\WINDOWS\TEMP\btgrab.cab[btgrab.inf]
C:\WINDOWS\TEMP\btgrab.cab[BTGrab.dll]
C:\WINDOWS\TEMP\btgrab.cab[polall1b.exe]
C:\WINDOWS\TEMP\btgrab.inf
C:\WINDOWS\TEMP\BTGrab.dll
C:\WINDOWS\TEMP\polall1b.exe
C:\WINDOWS\FARMMEXT.EXE
C:\WINDOWS\PREINSTT.EXE
C:\WINDOWS\ALCHEM.EXE
C:\WINDOWS\POLMX.EXE
C:\WINDOWS\TWAINTEC.DLL
C:\Program Files\Ebates
Run Hijack This and place a checkmark next to the following entries then click Fix Checked:
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.yyep.com/search/search05.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ilgpc.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.yyep.com/search/search05.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\PROGRAM FILES\EBATES_MOEMONEYMAKER\Sy350\Tp350\scri350a.htm (HKCU)
Run activescan once again and let me know if there are any files that could not be removed by the scan. Please post a new HJT log when finished.
Logfile of HijackThis v1.99.1
Scan saved at 3:47:03 PM, on 7/25/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\USBMMKBD.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\HIJACK\HIJACKTHIS.EXE
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: X1IEHook Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\PROGRAM FILES\NETZERO\QSACC\X1IEBHO.DLL (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\PROGRAM FILES\NETZERO\TOOLBAR.DLL (file missing)
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [USBMMKBD] usbmmkbd.exe
O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [aiepk] C:\WINDOWS\DESKTOP\AIEPK2.EXE
O4 - HKLM\..\RunServices: [Hidserv] Hidserv.exe run
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O9 - Extra button: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - http://www.net2phone.com/ (file missing)
O9 - Extra 'Tools' menuitem: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - http://www.net2phone.com/ (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\INSTANT MESSENGER\AIM.EXE
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mpg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {BF8AEBF6-0656-11d4-9EFF-00B0D011B1AE} (Communities.com TPV Support 01) - http://www.thepalace.com/TPV/CC_SUPPORT.cab
O16 - DPF: Yahoo! Word Racer - http://download.games.yahoo.com/games/clients/y/ws1_x.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
ActiveScan log. I forgot to empty my recycle bin, so that's why some of those show up again, I think. I did empty it after the scan since I saw some of them listed. I also deleted everything I could find on the list you told me to delete before.
Incident Status Location
Adware:adware/twain-tech No disinfected C:\WINDOWS\TWAINTEC.INI
Adware:adware/transponder No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\ABI-1
Adware:adware/ieplugin No disinfected HKEY_CURRENT_USER\SOFTWARE\INTEXP
Adware:adware/btgrab No disinfected HKEY_CURRENT_USER\SOFTWARE\BTGRAB
Adware:adware/mbkwbar No disinfected HKEY_CURRENT_USER\SOFTWARE\MBKWBAR
Adware:adware/comet No disinfected HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{FE6BC4EF-5676-484B-88AE-883323913256}
Adware:adware/topmoxie No disinfected HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\extensions\CmdMapping\{6685509E-B47B-4f47-8E16-9A5F3A62F683}
Spyware:spyware/betterinet No disinfected HKEY_CLASSES_ROOT\TypeLib\{72892e8e-75df-4cd2-be11-e9a0077f44a8}
Adware:Adware/Transponder No disinfected C:\RECYCLED\DC1.EXE
Adware:Adware/IPInsight No disinfected C:\RECYCLED\DC3.INF
Adware:Adware/Twain-Tech No disinfected C:\RECYCLED\DC4.INF
Adware:Adware/Transponder No disinfected C:\RECYCLED\DC5.INF
Adware:Adware/BTGrab No disinfected C:\RECYCLED\DC6.INF
Adware:Adware/IPInsight No disinfected C:\RECYCLED\DC7.INF
Spyware:Spyware/BetterInet No disinfected C:\RECYCLED\DC8.EXE
Adware:Adware/IPInsight No disinfected C:\RECYCLED\DC9.EXE
Adware:Adware/Twain-Tech No disinfected C:\RECYCLED\DC11.EXE
Adware:Adware/IPInsight No disinfected C:\RECYCLED\DC12.EXE
Adware:Adware/Transponder No disinfected C:\RECYCLED\DC14.EXE
Adware:Adware/Twain-Tech No disinfected C:\RECYCLED\DC15.DLL
Adware:Adware/TopRebates No disinfected C:\RECYCLED\DC16\EbatesMoeMoneyMaker1.exe
Adware:Adware/TopMoxie No disinfected C:\RECYCLED\DC16\EbatesMoeMoneyMaker0.exe
Adware:Adware/TopRebates No disinfected C:\RECYCLED\DC16\disp350.exe
Adware:Adware/Imibar No disinfected C:\Hijack\backups\backup-20050723-164341-144.dll
Adware:Adware/BTGrab No disinfected C:\Hijack\backups\backup-20050723-164341-327.dll
I thank you so much for walking me through this. How bad is this on a scale of 1-10? Like a 25?
Empty your recycle bin.
Delete these files or directories:
C:\WINDOWS\TWAINTEC.INI
Run Hijack This and fix these entries:
O2 - BHO: X1IEHook Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\PROGRAM FILES\NETZERO\QSACC\X1IEBHO.DLL (file missing)
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\PROGRAM FILES\NETZERO\TOOLBAR.DLL (file missing)
If you are not planning on using netzero again delete the netzero directory.
Download Ad-Aware SE 1.06:
http://www.majorgeeks.com/Ad-Aware_SE_Personal_d506.html
Save the setup file to a convenient location. Run the setup file and place a shortcut to Ad-Aware SE on your desktop. Update Ad-Aware with the latest definitions. Run a "full system scan" with Ad-Aware.
Run activescan once more. Post the results of the scan and a new Hijack this log when finished.
Ok, deleted the file, downloaded the new program, ran ActiveScan, and a new HJT log attached. Thanks so much for your time.
Incident Status Location
Adware:adware/transponder No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\ABI-1
Adware:adware/ieplugin No disinfected HKEY_CURRENT_USER\SOFTWARE\INTEXP
Adware:adware/btgrab No disinfected HKEY_CURRENT_USER\SOFTWARE\BTGRAB
Adware:adware/mbkwbar No disinfected HKEY_CURRENT_USER\SOFTWARE\MBKWBAR
Adware:adware/twain-tech No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\TWAINTECDLL.TWAINTECDLLOBJ.1
Adware:adware/comet No disinfected HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{FE6BC4EF-5676-484B-88AE-883323913256}
Adware:adware/searchexe No disinfected HKEY_CLASSES_ROOT\Interface\{72423E8F-8011-11D2-BE79-00A0C9A83DA3}
Spyware:spyware/betterinet No disinfected HKEY_CLASSES_ROOT\TypeLib\{72892e8e-75df-4cd2-be11-e9a0077f44a8}
Adware:Adware/Imibar No disinfected C:\Hijack\backups\backup-20050723-164341-144.dll
Adware:Adware/BTGrab No disinfected C:\Hijack\backups\backup-20050723-164341-327.dll
Logfile of HijackThis v1.99.1
Scan saved at 2:33:02 PM, on 7/30/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\USBMMKBD.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\HIJACK\HIJACKTHIS.EXE
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [USBMMKBD] usbmmkbd.exe
O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [aiepk] C:\WINDOWS\DESKTOP\AIEPK2.EXE
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\RunServices: [Hidserv] Hidserv.exe run
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\INSTANT MESSENGER\AIM.EXE
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mpg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {BF8AEBF6-0656-11d4-9EFF-00B0D011B1AE} (Communities.com TPV Support 01) - http://www.thepalace.com/TPV/CC_SUPPORT.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
Follow the directories until you find the entry:
HKEY_CURRENT_USER\SOFTWARE\INTEXP
HKEY_CURRENT_USER\SOFTWARE\BTGRAB
HKEY_CURRENT_USER\SOFTWARE\MBKWBAR
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{FE6BC4EF-5676-484B-88AE-883323913256}. Be sure to match these numbers exactly before deletion.
HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\TWAINTECDLL.TWAINTECDLLOBJ.1
HKEY_CLASSES_ROOT\Interface\{72423E8F-8011-11D2-BE79-00A0C9A83DA3}
HKEY_CLASSES_ROOT\TypeLib\{72892e8e-75df-4cd2-be11-e9a0077f44a8}
Make sure you can view all hidden files and post a new HijackThis log. Also run ActiveScan once more and let me know the results of the scan.