Old 07-12-2008, 09:18 AM   #1
Davidthesailor (Registered User; Join Date: Jul 2008; Posts: 9; OS: Windows XP Home)


The Problem is MALWARE I think – Captured the Web Home Page, Constantly throws ip Sec

I hope this is not too long, but I have tried to include as much information as possible. Thank you for your help; I look forward to a solution.

The Problem is MALWARE I think – Captured the Web Home Page, Constantly throws IP Security Alerts, appears to have installed an AV programme and launches spurious warnings, system sweeps and cleaners which lock the PC until they are cleared. Alerts have included all sorts of virus titles, including Blaster/Sasser, PSW.x-virus and more.

McAfee Security Scan does not identify any virus present on the system.

Symptoms and Effects.

On booting yesterday a programme had captured my home page and launched an ‘about:blank’ page instead of Orange.co.uk. This then became a Windows Antivirus 2008 page; a programme installed itself and appeared to run a scan of the PC. This then popped up the results and a long list of viruses. In a panic I ran my McAfee Security Suite scan.

This ran very slowly, stopping when additional pop-ups appeared about every 3 minutes. At first I started to add the addresses to the blocked list, but that generated similar pages with marginally different titles. Each time they launch there are subtle differences.

McAfee is up to date and, when the scan finished, reported no problems. I searched the web for assistance, with the difficulty that frequently, when going to anti-spyware sites from Google searches, completely different pages were launched – mostly of an unsavoury nature.

Each time the Microsoft Antivirus Warning comes up I select ‘continue without protection’.

I looked at the Task Manager Programmes Running and noticed that several programmes reported in other blogs were present and that most tasks could not be terminated. These included:
Aavsetup.exe
Iebtm.exe
Iebtmm.exe
wav.exe
wcs.exe
wcm.exe
svchost.exe – eight versions
In all, between 66 and 75 processes, with CPU usage running from 10% to 100% even when not doing any processing and with only Word and IE running.

The IE toolbar has also been captured with a new "Security Toolbar 7.1" set of functions which cannot be switched off (right-click etc.) and which have no functionality.

I reverted to the laptop to investigate further.

On re-booting the PC today several unexpected alerts kept flashing up, including an MS warning that the WMI programme was being shut down to protect the computer, then the same message for the wsc and iebtm programmes. The PC launched the internet and I was again into the Windows Antivirus 2008 capture, which has gone on all day.

Despite the interruptions I have achieved steps 1-5, downloaded and installed SpywareBlaster and IE-SPYAD. I have also run Panda ActiveScan, which took over 3 hours with the interruptions.

I have attached the corresponding report file, titled "David Active Scan", without text wrap; I hope this is how it should look.

Panda Scan.

;***********************************************************************************************************************************************************************************
ANALYSIS: 2008-07-12 15:19:37
PROTECTIONS: 2
MALWARE: 11
SUSPECTS: 5
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
McAfee Internet Security Suite 2007 8.1 No Yes
McAfee VirusScan Plus 12.1 No No
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00029426 adware/sbsoft Adware No 0 Yes No HKEY_CLASSES_ROOT\Interface\{9D573D0E-663C-435F-BF31-2C4497373C41}
00139535 Application/Processor HackTools No 0 No No C:\Program Files\Tool 2\VirtumundoBeGone.exe[²ƒÇ]
00139535 Application/Processor HackTools No 0 Yes No C:\Program Files\Tool 1\SmitfraudFix.zip[SmitfraudFix/Process.exe]
00139535 Application/Processor HackTools No 0 Yes No C:\Program Files\Tool 1\SmitfraudFix\SmitfraudFix\Process.exe
00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\Ewing Consultants\Cookies\ewing_consultants@com[1].txt
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\LocalService\Cookies\system@go[1].txt
00213030 application/regclean32 HackTools No 0 Yes No c:\documents and settings\ewing consultants\application data\registry cleaner
00213030 application/regclean32 HackTools No 0 Yes No hkey_current_user\software\registry cleaner
00213191 dialer.dgi Dialers No 0 Yes No c:\program files\mpb
00214029 Application/SpyFighter HackTools No 0 No No C:\WINDOWS\Installer\8774c.msi[unk_0039][_4E35B2A5BB195D576D9116B6A5C294E2]
00250688 Application/SpyFighter HackTools No 0 No No C:\WINDOWS\Installer\8774c.msi[unk_0039][_4B102BDF37E42E1B49F662808E1821FD]
00519333 Application/Processor HackTools No 0 Yes No C:\Program Files\Tool 2\VirtumundoBeGone.exe
02197130 Trj/Rebooter.J Virus/Trojan No 1 Yes No C:\Program Files\Tool 1\SmitfraudFix\SmitfraudFix\Reboot.exe
02197130 Trj/Rebooter.J Virus/Trojan No 1 Yes No C:\Program Files\Tool 1\SmitfraudFix.zip[SmitfraudFix/Reboot.exe]
03227948 Adware/Xpantivirus2008 Adware Yes 0 Yes No C:\Program Files\Web Technologies\wcs.exe
;===================================================================================================================================================================================
SUSPECTS
Sent Location 
;===================================================================================================================================================================================
No C:\Program Files\Web Technologies\iebtmm.exe 
No C:\WINDOWS\system32\ubpr01.exe 
No c:\windows\system32\ubpr01.exe 
No C:\Program Files\Web Technologies\iebtmm.exe 
No C:\WINDOWS\system32\ubpr01.exe 
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description 
;===================================================================================================================================================================================
;===================================================================================================================================================================================
Davidthesailor
Old 07-18-2008, 03:22 AM   #2
Davidthesailor (Registered User; Join Date: Jul 2008; Posts: 9; OS: Windows XP Home)


Re: The Problem is MALWARE I think – Captured the Web Home Page, Constantly throws ip

BUMP please.
I can see from the number of posts that this is very busy, with so many questions, but I would really appreciate your help as soon as possible.
Thank you
David
Davidthesailor
Old 07-18-2008, 09:07 AM   #3
tetonbob (Manager, Security Center, TSF Academy; Analyst, Security Team; Join Date: Jan 2005; Location: Transylvania County, North Carolina, USA; Posts: 25,526; OS: 2000 Pro; XP Pro; XP Home)


Re: The Problem is MALWARE I think – Captured the Web Home Page, Constantly throws ip

Hello, David -

Step 5 of our pre-posting sticky topic would also have you do this:

Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
  1. Close all applications and windows.
  2. Double-click on dss.exe to run it, and follow the prompts.
  3. When the scan is complete, two text files will open: main.txt (this one will be maximized) and extra.txt (this one will be minimized).
  4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt here.
  5. Please attach extra.txt to your post.
To attach a file to a new post, simply
  1. Click the [Manage Attachments] button under Additional Options > Attach Files on the post composition page, and
  2. copy and paste the following into the "Upload File from your Computer" box:
    C:\Deckard\System Scanner\extra.txt
  3. Click Upload.

What DSS will do:
  • create a new System Restore point in Windows XP and Vista.
  • clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
  • check some important areas of your system and produce a report for your analyst to review. DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.

tetonbob
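An added example (not code from the forum, DSS or HijackThis): a small Python triage helper for the HijackThis-format report that DSS produces as main.txt. It parses the numbered R/O entries and the process list and flags the entries an analyst normally checks first (orphaned entries, an unrecognised Winsock LSP, DPF entries with no source URL, the configured DNS servers, services with no vendor recorded). The sample lines are copied from the log posted later in this thread; the flag rules are heuristics for where to look, not a verdict on what is malicious.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Sample input: entries copied from the HijackThis-style log posted in this
# thread (the "..." inside URLs is how the forum truncated them).
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\McAfee\VirusScan\Mcshield.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.orange.co.uk/
R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O10 - Unknown file in Winsock LSP: C:\WINDOWS\system32\nwprovau.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} () -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{15A841EE-A339-4D11-9127-01B7DDF958D5}: NameServer = 195.92.195.95 195.92.195.94
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe
"""


@dataclass
class Entry:
    code: str   # HijackThis section code, e.g. "R3", "O4", "O23"
    body: str   # the text after "<code> - "


@dataclass
class Finding:
    code: str
    reason: str
    body: str


ENTRY_RE = re.compile(r"^([RFO]\d{1,2})\s+-\s+(.*?)\s*$")
PATH_RE = re.compile(r"^[A-Za-z]:\\\S.*$")
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def parse_hjt(text: str) -> List[Entry]:
    """Return the numbered R*/F*/O* entries; headers and the process list are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def running_processes(text: str) -> List[str]:
    """Return the image paths listed under 'Running processes:'."""
    return [ln.strip() for ln in text.splitlines() if PATH_RE.match(ln.strip())]


def process_counts(paths: List[str]) -> Dict[str, int]:
    """Count image names case-insensitively. Several svchost.exe instances are
    normal on XP; what matters is the directory each one is started from."""
    counts: Dict[str, int] = {}
    for p in paths:
        name = p.rsplit("\\", 1)[-1].lower()
        counts[name] = counts.get(name, 0) + 1
    return counts


def triage(entries: List[Entry]) -> List[Finding]:
    """Heuristic first pass over the entries; every hit still needs a human look."""
    findings = []
    for e in entries:
        b = e.body
        if "(no file)" in b or "(file missing)" in b:
            findings.append(Finding(e.code, "orphaned entry: the referenced file is gone", b))
        elif e.code == "O4" and re.search(r"\\(Documents and Settings|Temp)\\", b, re.I):
            findings.append(Finding(e.code, "autostart from a user-profile or temp directory; verify the file", b))
        elif e.code == "O10":
            findings.append(Finding(e.code, "Winsock LSP not recognised; confirm the DLL's publisher", b))
        elif e.code == "O16" and b.rstrip().endswith("-"):
            findings.append(Finding(e.code, "ActiveX (DPF) entry with no download URL", b))
        elif e.code == "O17":
            ips = IP_RE.findall(b)
            findings.append(Finding(e.code, "DNS servers set: " + " ".join(ips) + "; confirm they belong to the ISP", b))
        elif e.code == "O23" and "Unknown owner" in b:
            findings.append(Finding(e.code, "service with no vendor information recorded; confirm the publisher", b))
    return findings


if __name__ == "__main__":
    procs = running_processes(SAMPLE_LOG)
    print("processes:", process_counts(procs))
    for f in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{f.code}: {f.reason}\n    {f.body}")
```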
Old 07-19-2008, 10:02 AM   #4
Davidthesailor (Registered User; Join Date: Jul 2008; Posts: 9; OS: Windows XP Home)


Re: The Problem is MALWARE I think – Captured the Web Home Page, Constantly throws ip

Thank you for the instructions; here are the results. I noted that when I connected to the internet following the scan I got another "Security Warning" which invited me to download Adobe Flash Player; I closed the warning without downloading. This has not happened before, and I have overcome the continual pop-ups and warnings by rolling back to a restore point before the original infections.

Here is the main text from DSS:
Deckard's System Scanner v20071014.68
Run by Ewing Consultants on 2008-07-19 17:48:21
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
39: 2008-07-19 16:48:35 UTC - RP464 - Deckard's System Scanner Restore Point
38: 2008-07-18 14:32:43 UTC - RP463 - System Checkpoint
37: 2008-07-17 07:30:14 UTC - RP462 - System Checkpoint
36: 2008-07-15 14:53:08 UTC - RP461 - System Checkpoint
35: 2008-07-13 13:10:16 UTC - RP460 - Restore Operation


-- First Restore Point --
1: 2008-06-03 21:38:39 UTC - RP426 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 510 MiB (512 MiB recommended).


-- HijackThis (run as Ewing Consultants.exe) -----------------------------------

Unable to find log (file not found); running clone.
-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-07-19 17:51:15
Platform: Windows XP Service Pack 3 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Thomson\SpeedTouch USB\dragdiag.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\SiteAdvisor\6261\SiteAdv.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Maxtor\ManagerApp\OneTouch.exe
C:\Program Files\Maxtor\OneTouch Status\MaxMenuMgr.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Yahoo!\Yahoo! Autosync\AutosyncForYahoo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
C:\Program Files\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
C:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
C:\Program Files\McAfee\VirusScan\Mcshield.exe
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\Program Files\McAfee\MSK\msksrver.exe
C:\Program Files\Maxtor\Utils\SyncServices.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\SiteAdvisor\6261\SAService.exe
C:\WINDOWS\system32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\McAfee\VirusScan\mcsysmon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Documents and Settings\Ewing Consultants\Desktop\Deckards system scanner.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.orange.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - C:\Program Files\McAfee\MSK\mcapbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Update Helper - {A4CC8907-3EA6-49EE-8B74-D09660120910} - C:\Program Files\Google\Update\1.2.121.9\GoopdateBho.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar1.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exe
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\6261\SiteAdv.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\ManagerApp\Onetouch.exe
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Yahoo! Autosync.lnk = C:\Program Files\Yahoo!\Yahoo! Autosync\AutosyncForYahoo.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: C:\WINDOWS\system32\nwprovau.dll
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://download.microsoft.com/downlo...OGAControl.cab
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://download.microsoft.com/downlo...eckControl.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} () -
O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - http://amiuptodate.mcafee.com/vsc/bi...datePortal.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) -
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemp...ogin-devel.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://212.211.133.190/activex/AxisCamControl.cab
O16 - DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} (Office Update Installation Engine) - http://office.microsoft.com/officeup...tent/opuc4.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://i.grab.com/media/70efdf/games...ploader_v6.cab
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{15A841EE-A339-4D11-9127-01B7DDF958D5}: NameServer = 195.92.195.95 195.92.195.94
O18 - Protocol: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files\Belarc\Advisor\System\BAVoilaX.dll
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Google Update Service (gupdate1c8c62287c4b564) (gupdate1c8c62287c4b564) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Iap - Dell Inc - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: MaxBackServiceInt - Unknown owner - C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\Program Files\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\Mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MpfSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\msksrver.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: MaxSyncService (NTService1) - Unknown owner - C:\Program Files\Maxtor\Utils\SyncServices.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe


--
End of file - 13223 bytes

-- File Associations -----------------------------------------------------------

.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.cpl - cplfile - shell\runas\command - rundll32.exe shell32.dll,Control_RunDLLAsUser "%1",%*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 agp440 (Intel AGP Bus Filter) - c:\windows\\systemroot\system32\drivers\agp440.sys (file missing)
R1 BANTExt (Belarc SMBios Access) - c:\windows\system32\drivers\bantext.sys
R1 eusk2par (EUTRON SmartKey Parallel Driver) - c:\windows\system32\drivers\eusk2par.sys <Not Verified; EUTRON; Smartkey>
R1 omci (OMCI WDM Device Driver) - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Inc; OMCI Driver>

S3 bvrp_pci - c:\windows\system32\drivers\bvrp_pci.sys
S3 usbsermpt (Motorola USB Modem Driver for MPT) - c:\windows\system32\drivers\usbsermpt.sys <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) 2000 Operating System>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Iap - "c:\program files\dell\openmanage\client\iap.exe" <Not Verified; Dell Inc; OpenManage Client Instrumentation>
R2 MaxBackServiceInt - "c:\program files\maxtor\maxtor backup\maxbackserviceint.exe" <Not Verified; ; MaxBackServiceInt Module>
R2 NTService1 (MaxSyncService) - "c:\program files\maxtor\utils\syncservices.exe" <Not Verified; ; SyncServices>
R2 UPHClean (User Profile Hive Cleanup) - c:\program files\uphclean\uphclean.exe <Not Verified; Microsoft Corporation; User Profile Hive Cleanup Service>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID:
Description: Network Controller
Device ID: PCI\VEN_14E4&DEV_4320&SUBSYS_70011799&REV_03\4&1C660DD6&0&00F0
Manufacturer:
Name: Network Controller
PNP Device ID: PCI\VEN_14E4&DEV_4320&SUBSYS_70011799&REV_03\4&1C660DD6&0&00F0
Service:


-- Scheduled Tasks -------------------------------------------------------------

2008-07-19 11:26:36 416 --ah----- C:\WINDOWS\Tasks\User_Feed_Synchronization-{646B357C-BBB1-40EC-94AE-2DE5AC400F2D}.job
2008-07-19 09:13:36 296 --a------ C:\WINDOWS\Tasks\GoogleUpdateTask.job
2008-07-13 15:30:03 374 --a------ C:\WINDOWS\Tasks\McDefragTask.job
2008-01-01 02:00:50 380 --a------ C:\WINDOWS\Tasks\McQcTask.job


-- Files created between 2008-06-19 and 2008-07-19 -----------------------------

2008-07-14 14:27:39 170256 --a------ C:\WINDOWS\system32\jit.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-14 14:27:39 139536 --a------ C:\WINDOWS\system32\javaee.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-14 14:27:39 46352 --a------ C:\WINDOWS\setdebug.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-14 14:27:39 6550 --a------ C:\WINDOWS\jautoexp.dat
2008-07-14 14:27:38 313856 --a------ C:\WINDOWS\system32\dx3j.dll <Not Verified; Microsoft Corporation; Microsoft® DirectX for Java>
2008-07-14 14:27:31 113 --a------ C:\WINDOWS\system32\zonedon.reg
2008-07-14 14:27:31 113 --a------ C:\WINDOWS\system32\zonedoff.reg
2008-07-14 14:27:31 152848 --a------ C:\WINDOWS\system32\wjview.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-14 14:27:31 256272 --a------ C:\WINDOWS\system32\vmhelper.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-14 14:27:30 21264 --a------ C:\WINDOWS\system32\msjdbc10.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-14 14:27:30 933136 --a------ C:\WINDOWS\system32\msjava.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-14 14:27:30 153872 --a------ C:\WINDOWS\system32\msawt.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-14 14:27:29 158992 --a------ C:\WINDOWS\system32\jview.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-14 14:27:29 15120 --a------ C:\WINDOWS\system32\jdbgmgr.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-14 14:27:29 364304 --a------ C:\WINDOWS\system32\javart.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-14 14:27:29 34576 --a------ C:\WINDOWS\system32\javaprxy.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-14 14:27:28 188176 --a------ C:\WINDOWS\system32\javacypt.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-14 14:27:27 49424 --a------ C:\WINDOWS\system32\clspack.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-13 14:12:09 0 d-------- C:\Documents and Settings\All Users\Application Data\Kontiki
2008-07-13 14:12:08 0 d-------- C:\Program Files\Kontiki
2008-07-12 17:26:49 0 d-------- C:\Program Files\Trend Micro
2008-07-12 10:53:45 0 d-------- C:\WINDOWS\system32\ActiveScan
2008-07-11 12:09:22 0 d-------- C:\Program Files\Panda Security
2008-07-11 11:38:49 0 d-------- C:\ie-spyad_zo
2008-07-11 11:34:19 0 d-------- C:\Program Files\IE Spyad
2008-07-11 11:22:52 0 d-------- C:\Program Files\SpywareBlaster
2008-07-11 08:45:06 0 d-------- C:\Program Files\WAV
2008-07-10 10:46:23 10498048 --a------ C:\Documents and Settings\Ewing Consultants\ntuser.dat
2008-07-06 10:26:19 0 d-------- C:\logs3


-- Find3M Report ---------------------------------------------------------------

2008-07-19 09:13:47 0 d-------- C:\Program Files\McAfee
2008-07-14 13:38:45 0 d-------- C:\Documents and Settings\Ewing Consultants\Application Data\OfficeUpdate12
2008-07-13 15:04:09 0 d-------- C:\Program Files\QuickTime
2008-07-13 14:11:46 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-12 17:24:48 0 d-------- C:\Program Files\Highjackthis
2008-07-11 13:40:39 0 d-------- C:\Program Files\Lavasoft
2008-07-09 08:44:11 571392 --a------ C:\Program Files\MS Money.mny
2008-07-01 09:46:41 0 d-------- C:\Documents and Settings\Ewing Consultants\Application Data\Help
2008-06-26 11:55:14 0 d-------- C:\Program Files\Google
2008-06-21 22:38:14 0 d-------- C:\Documents and Settings\Ewing Consultants\Application Data\SiteAdvisor
2008-06-15 16:41:53 0 d-------- C:\Program Files\Maxtor
2008-06-15 14:50:43 0 d-------- C:\Documents and Settings\Ewing Consultants\Application Data\AutoSync for Yahoo
2008-06-15 14:49:28 0 d-------- C:\Program Files\Common Files
2008-06-15 14:49:28 0 d-------- C:\Program Files\Common Files\Intellisync
2008-06-15 14:49:27 0 d-------- C:\Program Files\Yahoo!
2008-05-23 09:07:04 0 d-------- C:\Program Files\SiteAdvisor


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{377C180E-6F0E-4D4C-980F-F45BD3D40CF4}]
26/11/2007 10:46 324936 --a------ c:\PROGRA~1\mcafee\msk\mcapbho.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A4CC8907-3EA6-49EE-8B74-D09660120910}]
15/07/2008 10:23 184816 --a----t- C:\Program Files\Google\Update\1.2.121.9\GoopdateBho.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpeedTouch USB Diagnostics"="C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" [26/01/2004 11:38]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe" [19/11/2001 15:54]
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [09/07/2001 03:50]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [20/09/2005 10:35]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [20/09/2005 10:32]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [20/09/2005 10:36]
"MBkLogOnHook"="C:\Program Files\McAfee\MBK\LogOnHook.exe" [08/01/2007 12:22]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6261\SiteAdv.exe" [09/02/2007 05:37]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [08/05/2007 16:24]
"MaxtorOneTouch"="C:\Program Files\Maxtor\ManagerApp\Onetouch.exe" [11/08/2006 08:45]
"@"="" []
"mxomssmenu"="C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe" [11/08/2006 11:15]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [03/08/2007 23:33]
"McENUI"="C:\PROGRA~1\McAfee\MHN\McENUI.exe" [30/11/2007 05:42]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [22/02/2008 04:25]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [11/01/2008 22:16]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [14/04/2008 01:12]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [18/10/2006 20:05]
"kdx"="C:\Program Files\Kontiki\KHost.exe" [27/02/2008 17:56]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [08/04/2005 14:15:48]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [15/03/2005 21:15:44]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [04/11/2004 20:28:24]
Yahoo! Autosync.lnk - C:\Program Files\Yahoo!\Yahoo! Autosync\AutosyncForYahoo.exe [21/08/2007 14:28:52]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\WINDOWS\System32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
eapsvcs eaphost
dot3svc dot3svc

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
napagent
hkmsvc




-- Hosts -----------------------------------------------------------------------

127.0.0.1 localhost #***Inserted By STOPzilla***
127.0.0.1 0websearch.com # ***Inserted By STOPzilla***
127.0.0.1 2005-search.com # ***Inserted By STOPzilla***
127.0.0.1 600pics.com # ***Inserted By STOPzilla***
127.0.0.1 a1.interclick.com # ***Inserted By STOPzilla***
127.0.0.1 absolutepics.net # ***Inserted By STOPzilla***
127.0.0.1 ad.yieldmanager.com # ***Inserted By STOPzilla***
127.0.0.1 alex.fileburst.com # ***Inserted By STOPzilla***
127.0.0.1 all-tgp.org # ***Inserted By STOPzilla***
127.0.0.1 all-websearch.com # ***Inserted By STOPzilla***

149 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-07-19 17:52:30 ------------
Old 07-19-2008, 10:08 AM   #5 (permalink)
Registered User
 
Join Date: Jul 2008
Posts: 9
OS: Windows XP Home


Re: The Problem is MALWARE I think – Captured the Web Home Page, Constantly throws ip

I could not find the Manage Attachments option and realised I had used the Quick Reply format. Here is the uploaded "extra" file from my DSS analysis.

Sorry for the inconvenience.
David
Attached Files
File Type: txt extra.txt (15.0 KB, 1 views)
Old 07-19-2008, 10:43 AM   #6 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 25,526
OS: 2000 Pro; XP Pro; XP Home


Re: The Problem is MALWARE I think – Captured the Web Home Page, Constantly throws ip

Hi -

When did you perform the Restore? Before all these logs were taken, or after the original post? It would seem after the original post.

35: 2008-07-13 13:10:16 UTC - RP460 - Restore Operation

By doing so, it can alleviate your symptoms, but makes my attempts at assistance a bit more difficult.

Do these folders/files still exist?

C:\Program Files\Web Technologies
c:\program files\mpb
c:\windows\system32\ubpr01.exe
C:\WINDOWS\Installer\8774c.msi

If so, delete them. If you have troubles with that, let me know.

I see no active malware in the current logs. Are you still having issues?
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006
Our help is voluntary, but this site needs donations to operate.
Please consider Donating to the Forum.


Please do not ask for help via Private Message. Ask in the forums, so all may gain from the experience.
Old 07-20-2008, 03:15 AM   #7 (permalink)
Registered User
 
Join Date: Jul 2008
Posts: 9
OS: Windows XP Home


Re: The Problem is MALWARE I think – Captured the Web Home Page, Constantly throws ip

Thank you - I realised that the roll back would not cure any problem and that the files may remain on the computer; however it did allow me to continue to use the PC until I had the benefit of help.

In response to your questions -
1. When did you perform the Restore? Yes, the restore was done after the original attempt to follow the 5 steps and after the Panda download and contacting you via post 1.

35: 2008-07-13 13:10:16 UTC - RP460 - Restore Operation

2. Do these folders/files still exist? Searched manually and with the MS search tool.

C:\Program Files\Web Technologies - No signs of this.
c:\program files\mpb - This file was located and deleted; it is currently in the Recycle Bin.
c:\windows\system32\ubpr01.exe - No signs of this.
C:\WINDOWS\Installer\8774c.msi - No signs of this.

This morning I tried to reinstate the PC to the 11th, 12th, or 13th July using System Restore. On each occasion I was informed that 'System Can not be Restored'. I had hoped to recreate the conditions and run DSS again.

As far as the original problems are concerned, I am not seeing any of the pop-ups, warnings etc., nor am I getting all the ads inviting me to buy anti-spyware etc. which plagued the machine every 30 seconds or so and prevented all other activity and bought up all the processing speed. The only unusual event was the security alert to install Adobe Flash Player which I received when I rebooted following the DSS scan yesterday.

All this will not make your job any easier, but I continue to appreciate your time and effort. Should I delete the mpb file from the Recycle Bin? Any further advice will be much appreciated.
David
Old 07-20-2008, 07:25 AM   #8 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 25,526
OS: 2000 Pro; XP Pro; XP Home


Re: The Problem is MALWARE I think – Captured the Web Home Page, Constantly throws ip

Please do not take any more steps of self-help while we're working together, if you want my continued assistance. Trying to go back to a possibly infected restore point? Why would you do that? Please only act on what I've posted.

Yes, empty the Recycle Bin.

Let's run a cursory scan with an antimalware tool.

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform Full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Save it to your desktop. Malwarebytes' Anti-Malware may require a reboot to complete removals. After a reboot, if required, post that saved log in your next reply.
Old 07-21-2008, 06:46 AM   #9 (permalink)
Registered User
 
Join Date: Jul 2008
Posts: 9
OS: Windows XP Home


Re: The Problem is MALWARE I think – Captured the Web Home Page, Constantly throws ip

Thank you for continued help; no, I was not trying to take more steps, however the tone of your previous reply suggested that the change in the restore point may help and provide more clues to resolution. Sorry, the aim was to try and give a view of the system as it was at the time, and to the uninitiated this would seem to have some relevance.

1. Recycle Bin emptied.
2. Malwarebytes full scan run; all items checked and 'Remove Selected' activated.
3. Notepad log saved; there was no requirement from the programme to reboot.
4. You did not say whether I should copy and paste the results or attach the file, so I have done both. Pasted result below, file attached. I remain very grateful for your continued support.
David:

Malwarebytes' Anti-Malware 1.22
Database version: 972
Windows 5.1.2600 Service Pack 3

14:36:42 21/07/2008
mbam-log-7-21-2008 (14-36-42).txt

Scan type: Full Scan (C:\|D:\|G:\|)
Objects scanned: 182902
Time elapsed: 3 hour(s), 50 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 12
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 3
Files Infected: 22

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{c9c5deaf-0a1f-4660-8279-9edfad6fefe1} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\c:/windows/downloaded program files/popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{6c51f7e9-8542-4f25-a30f-2060157752e1} (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{9d573d0e-663c-435f-bf31-2c4497373c41} (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Eeshellx.ShellExt (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\seekmo programs (Adware.Seekmo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\Evidence Eliminator (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
C:\Program Files\Evidence Eliminator\Data (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
C:\Program Files\WAV (Rogue.WindowsAntivirus2008) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
C:\Deckard\System Scanner\backup\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP460\A0074778.dll (Trojan.BHO) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP465\A0075320.dll (Adware.PopCap) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP466\A0075677.dll (Adware.PopCap) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP467\A0076031.dll (Adware.PopCap) -> Quarantined and deleted successfully.
C:\Program Files\Evidence Eliminator\Data\config.dat (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
C:\Program Files\Evidence Eliminator\Data\drives.txt (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
C:\Program Files\Evidence Eliminator\Data\files.txt (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
C:\Program Files\Evidence Eliminator\Data\folders.txt (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
C:\Program Files\Evidence Eliminator\Data\IEcookieskeep.txt (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
C:\Program Files\Evidence Eliminator\Data\NSN4cookieskeep.txt (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
C:\Program Files\Evidence Eliminator\Data\scanmasks.txt (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
C:\Program Files\WAV\wav0.dat (Rogue.WindowsAntivirus2008) -> Quarantined and deleted successfully.
C:\Program Files\WAV\wav1.dat (Rogue.WindowsAntivirus2008) -> Quarantined and deleted successfully.
C:\_DelItB.bat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\adaway.lic (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ewing Consultants\My Documents\My Music\My Music.url (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ewing Consultants\My Documents\My Pictures\My Pictures.url (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ewing Consultants\My Documents\My Videos\My Video.url (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ewing Consultants\My Documents\My Documents.url (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ewing Consultants\Favorites\Antivirus Scan.url (Rogue.Link) -> Quarantined and deleted successfully.
Attached Files
File Type: txt mbam-log-7-21-2008 (14-36-42).txt (5.4 KB, 0 views)
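Added example, not part of the thread and not Malwarebytes' own code: a small Python parser for the MBAM 1.x log layout pasted above, which cross-checks the header counts against the listed entries and separates restore-point hits and actions still pending from the rest. SAMPLE_LOG is constructed in that layout; point parse_mbam_log() at a saved real log instead.

```python
# Added example (not from the thread or from Malwarebytes): parse an MBAM 1.x
# text log, cross-check the header counts against the listed entries, and
# triage the detections. SAMPLE_LOG is constructed in the posted log's layout.
import re
from collections import Counter
SAMPLE_LOG = """Malwarebytes' Anti-Malware 1.22
Database version: 972
Registry Keys Infected: 2
Folders Infected: 1
Files Infected: 3

Registry Keys Infected:
HKEY_CLASSES_ROOT\\Interface\\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\\SOFTWARE\\seekmo programs (Adware.Seekmo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Folders Infected:
C:\\Program Files\\WAV (Rogue.WindowsAntivirus2008) -> Quarantined and deleted successfully.

Files Infected:
C:\\Program Files\\WAV\\wav0.dat (Rogue.WindowsAntivirus2008) -> Quarantined and deleted successfully.
C:\\System Volume Information\\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\\RP460\\A0074778.dll (Trojan.BHO) -> Quarantined and deleted successfully.
C:\\_DelItB.bat (Trojan.Agent) -> Delete on reboot.
"""
SUMMARY_RE = re.compile(r"^(.+ Infected): (\d+)$")          # e.g. "Files Infected: 22"
ENTRY_RE = re.compile(r"^(.+?) \(([^()]+)\) -> (.+?)\.?$")  # item (Threat) -> action

def parse_mbam_log(text):
    """Return (header counts by section, list of detection dicts)."""
    summary, detections, section = {}, [], None
    for line in (l.strip() for l in text.splitlines()):
        m = SUMMARY_RE.match(line)
        if m:                              # summary block at the top of the log
            summary[m.group(1)] = int(m.group(2))
        elif line.endswith(" Infected:"):  # start of a detail section
            section = line[:-1]
        elif section and (m := ENTRY_RE.match(line)):  # skips "(No malicious items detected)"
            item, threat, action = m.groups()
            detections.append({"section": section, "item": item, "threat": threat, "action": action})
    return summary, detections

def check_summary(summary, detections):
    """Sections where the header count disagrees with the entries actually listed."""
    listed = Counter(d["section"] for d in detections)
    return {s: (n, listed[s]) for s, n in summary.items() if listed[s] != n}

def triage(detections):
    """Per-family counts, hits inside System Restore points, and actions not yet completed."""
    families = Counter(d["threat"] for d in detections)
    in_restore = [d["item"] for d in detections if "\\System Volume Information\\" in d["item"]]
    pending = [d["item"] for d in detections if "successfully" not in d["action"]]
    return families, in_restore, pending
```

Restore-point hits only tell you an infected file was snapshotted, which is why a helper will usually ask for System Restore to be flushed once the machine is clean; pending items need the reboot MBAM asks for before they count as removed.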