Old 05-21-2006, 06:39 PM   #1 (permalink)
Registered User
 
Join Date: May 2006
Posts: 9
OS: Win XP


Pop-up problems

After running two pop-up blockers, Ad-Aware, CWShredder, and Spybot I still have constant pop-up problems. I get constant ads from these to mention a few:
adexit.de
google (this one surprised me)
search the web
search UK search
Vonage
worlds No. 1 online casino - 888.com

Can someone please take a look at my log and help me find out why these are getting past the blockers?

Thanks,

Logfile of HijackThis v1.99.1
Scan saved at 6:21:08 PM, on 5/21/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\xload.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
C:\Program Files\OLYMPUS\DeviceDetector\DevDtct2.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus9.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://juno.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-qus9.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.consumeralertsystem.com/c...317307&pid=103
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - _{02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6C900343-9DF7-C624-868F-CC69418AD89F} - C:\WINDOWS\System32\eqgv.dll (file missing)
O2 - BHO: (no name) - {6E980E3C-C673-A075-B1F5-362B3F4B5ADB} - C:\WINDOWS\Jjaskafh.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Search - {D7D01A2E-63ED-6927-0DE3-6B559D0F8C5D} - C:\WINDOWS\Jjaskafh.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [xload] "C:\WINDOWS\xload.exe"
O4 - HKLM\..\Run: [wdskctl] C:\WINDOWS\wdskctl.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O4 - Global Startup: Device Detector 2.lnk = C:\Program Files\OLYMPUS\DeviceDetector\DevDtct2.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O15 - Trusted Zone: *.sxload.com
O16 - DPF: sptbaxcab - http://www.try2find.com/toolbar/setup/sptbax.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - ms-its:mhtml:file://c:\nosunel.mht!http://daemonlinks.net/script/lc.chm::/bridge-c46.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1131822988625
O16 - DPF: {7149E79C-DC19-4C5E-A53C-A54DDF75EEE9} (IObjSafety.DemoCtl) - ms-its:mhtml:file://c:\nosunem.mht!http://daemonlinks.net/script/mm.chm::/joysaver.cab
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} (Symantec Download Bridge) - http://a248.e.akamai.net/f/248/5462/...l/SymDlBrg.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/tech...l/SymAData.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326
O18 - Filter: text/html - (no CLSID) - (no file)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O20 - Winlogon Notify: pptp32 - pptp32.dll (file missing)
O20 - Winlogon Notify: SDNotify - C:\Program Files\SpywareDetector\SDNotify.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
jonas20h is offline  
Old 05-22-2006, 09:15 AM   #2 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,618
OS: 2000 Pro; XP Pro; XP Home


Hello and Welcome. Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

You have a few nasties on your system. First, we need to gather some information.


Download & install - HaxFix.EXE.
During installation, please select these options:
  • Create a desktop icon
  • Launch HaxFix
When Haxfix starts, a red DOS window will open.
Select the option to - Make logfile - Type 1 & press 'Enter'.
Haxfix will produce a log for you to post back here.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Old 05-22-2006, 07:27 PM   #3 (permalink)
Registered User
 
Join Date: May 2006
Posts: 9
OS: Win XP


Haxfix log

Thanks for the help. I think this is the log file as you requested.

HAXFIX logfile - by Marckie
--------------
version 2.42
Mon 05/22/2006 19:24:12.39

checking for a3d files....
a3d files not found

checking for matching notify keys....
matching notify keys found
pptp

checking for matching services....
matching services found
pptp32
pptp64

checking for matching safeboot services....
matching safeboot services found
pptp32.sys
pptp64.sys
jonas20h is offline  
Old 05-22-2006, 09:57 PM   #4 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,618
OS: 2000 Pro; XP Pro; XP Home


Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

Please close all other open windows as this requires a reboot.

Locate on your desktop and launch Haxfix.bat & select option - Run auto fix - Type 2 & press 'Enter'
If an infection is found, the computer will reboot & produce another log. Post the contents of that log at the end of this fix.

---------------------------------------------------------------------------------------------

Download Ewido Anti-Malware
  • Install Ewido Anti-Malware
  • When installing, under "Additional Options" uncheck..
    • Install background guard
    • Install scan via context menu
  • Double-click the icon on Desktop to launch Ewido
You will need to update Ewido to the latest definition files.
  • On the left hand side of the main screen click update.
  • Then click on Start Update.
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update Ewido
When you have finished updating, EXIT Ewido.

Download and install CleanUp!
NOTE: CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, make a backup of these before running CleanUp!. Do NOT run this program if you have XP Professional 64 bit edition. If you're unsure please do not run it! If you don't already know, you're probably not using XP64, but you can download & run this tool to find out for sure.....http://www.kellys-korner-xp.com/regs...p_whichcpu.exe

---------------------------------------------------------------------------------------------

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Login on your usual account. Make sure to close any open browsers.

---------------------------------------------------------------------------------------------


Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

E2G

---------------------------------------------------------------------------------------------



Run a scan in HijackThis. Check each of the following and hit 'Fix checked' if they still exist (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-qus9.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.consumeralertsystem.com/c...317307&pid=103
R3 - URLSearchHook: (no name) - _{02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll (file missing)
O2 - BHO: (no name) - {6C900343-9DF7-C624-868F-CC69418AD89F} - C:\WINDOWS\System32\eqgv.dll (file missing)
O2 - BHO: (no name) - {6E980E3C-C673-A075-B1F5-362B3F4B5ADB} - C:\WINDOWS\Jjaskafh.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Search - {D7D01A2E-63ED-6927-0DE3-6B559D0F8C5D} - C:\WINDOWS\Jjaskafh.dll (file missing)
O4 - HKLM\..\Run: [xload] "C:\WINDOWS\xload.exe"
O4 - HKLM\..\Run: [wdskctl] C:\WINDOWS\wdskctl.exe
O4 - Startup: PowerReg Scheduler.exe
O15 - Trusted Zone: *.sxload.com
O16 - DPF: sptbaxcab - http://www.try2find.com/toolbar/setup/sptbax.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - ms-its:mhtml:file://c:\nosunel.mht!http://daemonlinks.net/script/lc.chm::/bridge-c46.cab
O16 - DPF: {7149E79C-DC19-4C5E-A53C-A54DDF75EEE9} (IObjSafety.DemoCtl) - ms-its:mhtml:file://c:\nosunem.mht!http://daemonlinks.net/script/mm.chm::/joysaver.cab
O20 - Winlogon Notify: pptp32 - pptp32.dll (file missing)



---------------------------------------------------------------------------------------------

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Also make sure there is no checkmark beside Hide file extensions for known file types
* Click Yes to confirm and then click OK.

---------------------------------------------------------------------------------------------


Delete the following Files/Folders if they exist:

C:\Program Files\E2G
C:\WINDOWS\xload.exe
C:\WINDOWS\wdskctl.exe



---------------------------------------------------------------------------------------------


Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files (if present)
  • Cleanup! All Users
  • Click on the Temporary Files tab and uncheck the box for Scan drives for files matching if it’s checked.
Click OK
Press the CleanUp! button to start the program. Do NOT Reboot/logoff when prompted.
* CleanUp! will not create any backups!!

---------------------------------------------------------------------------------------------

Run Ewido with its updated definitions: (...it's important that all windows must be closed)
  • Click Scanner
  • Click Complete System Scan to begin scanning.
  • Click OK when prompted to clean files
With the first file it prompts to clean, select the option:
  • "Perform action on all infections"
  • Choose clean and click OK.
Once finished, click the Save report button & save the report to your desktop

** Ewido scan would require at least an hour.

---------------------------------------------------------------------------------------------

Restart in normal mode.

---------------------------------------------------------------------------------------------

Perform an online scan with Internet Explorer with Panda ActiveScan

Click on the "Free To Use ActiveScan" located on the top right hand corner
  1. Click Check Now and a "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
  2. Enter your e-mail address, country, and state & click Scan Now * The download of the 8 MB Panda's ActiveX control will take place *
Begin the scan by selecting My Computer
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on See report then click Save report
*Turn off the real time scanner of any existing antivirus program while performing the online scan

---------------------------------------------------------------------------------------------

Run a new HijackThis scan. Save the log file and post it here.

---------------------------------------------------------------------------------------------

Please return with logs from:

haxfix
Ewido
Panda
HJT
tetonbob is offline  
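A small triage helper for the HijackThis log format used in this thread, added here as an example; it is not part of any post and not part of HijackThis. It marks entries for a reviewer's attention (orphaned "(file missing)" / "(no file)" references, Trusted Zone additions, DPF sources that point at a local .mht file) and checks a follow-up scan for fix-list entries that persist. The flag names, function names and the follow-up log are assumptions made for the example, and a flag is a prompt for review, not a verdict.

```python
import re

# Sample lines copied from the log posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://juno.com/
R3 - URLSearchHook: (no name) - _{02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {6E980E3C-C673-A075-B1F5-362B3F4B5ADB} - C:\WINDOWS\Jjaskafh.dll (file missing)
O4 - HKLM\..\Run: [xload] "C:\WINDOWS\xload.exe"
O15 - Trusted Zone: *.sxload.com
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - ms-its:mhtml:file://c:\nosunel.mht!http://daemonlinks.net/script/lc.chm::/bridge-c46.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O20 - Winlogon Notify: pptp32 - pptp32.dll (file missing)
"""

# Constructed follow-up scan (not from the thread): one fixed entry is gone,
# the Trusted Zone entry is still there.
FOLLOW_UP_LOG = r"""
Logfile of HijackThis v1.99.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://juno.com/
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O15 - Trusted Zone: *.sxload.com
"""

# A log entry is "<letter><1-2 digits> - <body>", e.g. "O2 - BHO: ...".
# Header lines and the "Running processes" paths do not match and are skipped.
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def parse_entries(log_text):
    """Return one dict per HijackThis entry line found in log_text."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        body = m.group("body").strip()
        clsid = CLSID_RE.search(body)
        entries.append({
            "code": m.group("code"),
            "body": body,
            "clsid": clsid.group(0) if clsid else None,
        })
    return entries


def flags_for(entry):
    """Review flags for one entry (hypothetical flag names)."""
    flags = []
    body = entry["body"]
    # Registry entry that references a file no longer on disk.
    if body.endswith(("(file missing)", "(no file)")):
        flags.append("orphaned")
    # Site added to the IE Trusted Zone.
    if entry["code"] == "O15":
        flags.append("trusted-zone")
    # ActiveX download source that goes through a local .mht file
    # instead of a plain http(s) URL.
    if entry["code"] == "O16" and "mhtml:file://" in body.lower():
        flags.append("local-mhtml-codebase")
    return flags


def triage(log_text):
    """Return (entry, flags) pairs for every entry with at least one flag."""
    result = []
    for entry in parse_entries(log_text):
        flags = flags_for(entry)
        if flags:
            result.append((entry, flags))
    return result


def still_present(fix_list_text, new_log_text):
    """Entries from a fix list that still appear in a follow-up scan."""
    remaining = {(e["code"], e["body"]) for e in parse_entries(new_log_text)}
    return [e for e in parse_entries(fix_list_text)
            if (e["code"], e["body"]) in remaining]


if __name__ == "__main__":
    for entry, flags in triage(SAMPLE_LOG):
        print(f'{entry["code"]:>3}  {",".join(flags):<22} {entry["body"]}')
    # Use the flagged lines as the fix list and check the follow-up scan.
    fix_list = "\n".join(f'{e["code"]} - {e["body"]}' for e, _ in triage(SAMPLE_LOG))
    for entry in still_present(fix_list, FOLLOW_UP_LOG):
        print("still present:", entry["code"], "-", entry["body"])
```
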
Old 05-28-2006, 10:04 PM   #5 (permalink)
Registered User
 
Join Date: May 2006
Posts: 9
OS: Win XP


Reports

OK. I think I have done all these and here are the accompanying logs.

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 921 PM, 5/28/2006
+ Report-Checksum: 582EFA4E

+ Scan result:

HKLM\SOFTWARE\Classes\IeBHOs.Control -> Adware.E2G : Cleaned with backup
HKLM\SOFTWARE\Classes\IeBHOs.Control\CLSID -> Adware.E2G : Cleaned with backup
HKLM\SOFTWARE\Classes\IeBHOs.Control\CurVer -> Adware.E2G : Cleaned with backup
HKLM\SOFTWARE\Classes\IeBHOs.Control.1 -> Adware.E2G : Cleaned with backup
HKU\S-1-5-21-829923665-265014133-1663686664-1003\Software\dsktb -> Adware.IEPlugin : Cleaned with backup
HKU\S-1-5-21-829923665-265014133-1663686664-1003\Software\dsktb\DesktopToolbar -> Adware.IEPlugin : Cleaned with backup
C:\command.exe -> Dropper.Delf.ev : Cleaned with backup
C:\Program Files\Common Files\Oem Common\robj1.dll -> Adware.Nomeh : Cleaned with backup
C:\Program Files\Common Files\WinSoftware\FCrXML.dll -> Adware.Winfixer : Cleaned with backup
C:\Program Files\Oemji\OemjiSearchPlus\OemjiPls.dll -> Adware.Nomeh : Cleaned with backup
C:\Program Files\Oemji\Toolbar\PopupBlocker\OemjiPopupBlocker.exe -> Adware.Nomeh : Cleaned with backup
C:\Program Files\Windows Media Player\wmplayer.exe.tmp -> Adware.Pacer : Cleaned with backup
C:\Program Files\Yahasoft\Cache\000018d7_43a509bd_000baeb9 -> Not-A-Virus.Exploit.Win32.MS05013 : Cleaned with backup
C:\Program Files\Yahasoft\Cache\00005772_4435ff74_00031975 -> Not-A-Virus.Exploit.Win32.MS05013 : Cleaned with backup
C:\RECYCLER\S-1-5-21-690794203-1598477941-172767287-1003\Dc1006.txt -> TrackingCookie.Tradedoubler : Cleaned with backup
C:\RECYCLER\S-1-5-21-690794203-1598477941-172767287-1003\Dc1010.txt -> TrackingCookie.Trafficmp : Cleaned with backup
C:\RECYCLER\S-1-5-21-690794203-1598477941-172767287-1003\Dc1016.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
C:\RECYCLER\S-1-5-21-690794203-1598477941-172767287-1003\Dc1040.txt -> TrackingCookie.Valueclick : Cleaned with backup
C:\RECYCLER\S-1-5-21-690794203-1598477941-172767287-1003\Dc1068.txt -> TrackingCookie.Web-stat : Cleaned with backup
C:\RECYCLER\S-1-5-21-690794203-1598477941-172767287-1003\Dc1069.txt -> TrackingCookie.Web-stat : Cleaned with backup
C:\RECYCLER\S-1-5-21-690794203-1598477941-172767287-1003\Dc1096.txt -> TrackingCookie.Enigmasoftwaregroup : Cleaned with backup
C:\RECYCLER\S-1-5-21-690794203-1598477941-172767287-1003\Dc1154.txt -> TrackingCookie.Burstbeacon : Cleaned with backup
C:\RECYCLER\S-1-5-21-690794203-1598477941-172767287-1003\Dc1292.txt -> TrackingCookie.Myaffiliateprogram : Cleaned with backup
C:\RECYCLER\S-1-5-21-690794203-1598477941-172767287-1003\Dc1330.txt -> TrackingCookie.Realcastmedia : Cleaned with backup
C:\RECYCLER\S-1-5-21-690794203-1598477941-172767287-1003\Dc1331.txt -> TrackingCookie.Realcastmedia : Cleaned with backup
C:\RECYCLER\S-1-5-21-690794203-1598477941-172767287-1003\Dc1392.txt -> TrackingCookie.Web-stat : Cleaned with backup
C:\RECYCLER\S-1-5-21-690794203-1598477941-172767287-1003\Dc1414.txt -> TrackingCookie.Yadro : Cleaned with backup
C:\RECYCLER\S-1-5-21-690794203-1598477941-172767287-1003\Dc1423.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\S-1-5-21-690794203-1598477941-172767287-1003\Dc1425.txt -> TrackingCookie.Adserver : Cleaned with backup
C:\RECYCLER\S-1-5-21-690794203-1598477941-172767287-1003\Dc1430.txt -> TrackingCookie.Zedo : Cleaned with backup
C:\RECYCLER\S-1-5-21-690794203-1598477941-172767287-1003\Dc147.txt -> TrackingCookie.Aavalue : Cleaned with backup
C:\RECYCLER\S-1-5-21-690794203-1598477941-172767287-1003\Dc148.txt -> TrackingCookie.Abetterinternet : Cleaned with backup
C:\RECYCLER\S-1-5-21-690794203-1598477941-172767287-1003\Dc149.txt -> TrackingCookie.Abetterinternet : Cleaned with backup
C:\RECYCLER\S-1-5-21-690794203-1598477941-172767287-1003\Dc159.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\S-1-5-21-690794203-1598477941-172767287-1003\Dc174.txt -> TrackingCookie.Specificclick : Cleaned with backup
C:\RECYCLER\S-1-5-21-690794203-1598477941-172767287-1003\Dc175.txt -> TrackingCookie.Specificclick : Cleaned with backup
C:\RECYCLER\S-1-5-21-690794203-1598477941-172767287-1003\Dc176.txt -> TrackingCookie.Specificclick : Cleaned with backup
C:\RECYCLER\S-1-5-21-690794203-1598477941-172767287-1003\Dc181.txt -> TrackingCookie.Bpath : Cleaned with backup
C:\RECYCLER\S-1-5-21-690794203-1598477941-172767287-1003\Dc183.txt -> TrackingCookie.Addynamix : Cleaned with backup
C:\RECYCLER\S-1-5-21-690794203-1598477941-172767287-1003\Dc210.txt -> TrackingCookie.Advertising : Cleaned with backup
C:\RECYCLER\S-1-5-21-690794203-1598477941-172767287-1003\Dc255.txt -> TrackingCookie.Atdmt : Cleaned with backup
C:\RECYCLER\S-1-5-21-690794203-1598477941-172767287-1003\Dc298.txt -> TrackingCookie.Bluestreak : Cleaned with backup
C:\RECYCLER\S-1-5-21-690794203-1598477941-172767287-1003\Dc311.txt -> TrackingCookie.Burstnet : Cleaned with backup
C:\RECYCLER\S-1-5-21-690794203-1598477941-172767287-1003\Dc314.txt -> TrackingCookie.Enhance : Cleaned with backup
C:\RECYCLER\S-1-5-21-690794203-1598477941-172767287-1003\Dc338.txt -> TrackingCookie.Casalemedia : Cleaned with backup
C:\RECYCLER\S-1-5-21-690794203-1598477941-172767287-1003\Dc373.txt -> TrackingCookie.Cliks : Cleaned with backup
C:\RECYCLER\S-1-5-21-690794203-1598477941-172767287-1003\Dc409.txt -> TrackingCookie.Clickzs : Cleaned with backup
C:\RECYCLER\S-1-5-21-690794203-1598477941-172767287-1003\Dc451.txt -> TrackingCookie.Doubleclick : Cleaned with backup
C:\RECYCLER\S-1-5-21-690794203-1598477941-172767287-1003\Dc468.txt -> TrackingCookie.Ru4 : Cleaned with backup
C:\RECYCLER\S-1-5-21-690794203-1598477941-172767287-1003\Dc496.txt -> TrackingCookie.Aavalue : Cleaned with backup
C:\RECYCLER\S-1-5-21-690794203-1598477941-172767287-1003\Dc502.txt -> TrackingCookie.Fastclick : Cleaned with backup
C:\RECYCLER\S-1-5-21-690794203-1598477941-172767287-1003\Dc578.txt -> TrackingCookie.Hypertracker : Cleaned with backup
C:\RECYCLER\S-1-5-21-690794203-1598477941-172767287-1003\Dc579.txt -> TrackingCookie.Hypertracker : Cleaned with backup
C:\RECYCLER\S-1-5-21-690794203-1598477941-172767287-1003\Dc580.txt -> TrackingCookie.Hypertracker : Cleaned with backup
C:\RECYCLER\S-1-5-21-690794203-1598477941-172767287-1003\Dc676.txt -> TrackingCookie.Tracking101 : Cleaned with backup
C:\RECYCLER\S-1-5-21-690794203-1598477941-172767287-1003\Dc697.txt -> TrackingCookie.Mediaplex : Cleaned with backup
C:\RECYCLER\S-1-5-21-690794203-1598477941-172767287-1003\Dc789.txt -> TrackingCookie.Overture : Cleaned with backup
C:\RECYCLER\S-1-5-21-690794203-1598477941-172767287-1003\Dc806.txt -> TrackingCookie.Paypopup : Cleaned with backup
C:\RECYCLER\S-1-5-21-690794203-1598477941-172767287-1003\Dc807.txt -> TrackingCookie.Paypopup : Cleaned with backup
C:\RECYCLER\S-1-5-21-690794203-1598477941-172767287-1003\Dc829.txt -> TrackingCookie.Wegcash : Cleaned with backup
C:\RECYCLER\S-1-5-21-690794203-1598477941-172767287-1003\Dc836.txt -> TrackingCookie.Qksrv : Cleaned with backup
C:\RECYCLER\S-1-5-21-690794203-1598477941-172767287-1003\Dc839.txt -> TrackingCookie.Questionmarket : Cleaned with backup
C:\RECYCLER\S-1-5-21-690794203-1598477941-172767287-1003\Dc861.txt -> TrackingCookie.Revenue : Cleaned with backup
C:\RECYCLER\S-1-5-21-690794203-1598477941-172767287-1003\Dc903.txt -> TrackingCookie.Liveperson : Cleaned with backup
C:\RECYCLER\S-1-5-21-690794203-1598477941-172767287-1003\Dc929.txt -> TrackingCookie.Advertising : Cleaned with backup
C:\RECYCLER\S-1-5-21-690794203-1598477941-172767287-1003\Dc954.txt -> TrackingCookie.Specificpop : Cleaned with backup
C:\RECYCLER\S-1-5-21-690794203-1598477941-172767287-1003\Dc962.txt -> TrackingCookie.Starware : Cleaned with backup
C:\RECYCLER\S-1-5-21-690794203-1598477941-172767287-1003\Dc963.txt -> TrackingCookie.Starware : Cleaned with backup
C:\RECYCLER\S-1-5-21-690794203-1598477941-172767287-1003\Dc965.txt -> TrackingCookie.Reliablestats : Cleaned with backup
C:\RECYCLER\S-1-5-21-690794203-1598477941-172767287-1003\Dc988.txt -> TrackingCookie.Targetnet : Cleaned with backup
C:\WINDOWS\180ax.exe -> Adware.180Solutions : Cleaned with backup
C:\WINDOWS\876056.exe -> Adware.Mirar : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\OTXMedia.dll -> Adware.OTX : Cleaned with backup
C:\WINDOWS\system32\WinNB57.dll -> Adware.Mirar : Cleaned with backup


::Report End

--------------------------------------------------------------------------
Panda Scan Report

Incident Status Location

Adware:adware program Not disinfected c:\windows\system32\key.~
Adware:adware/favoriteman Not disinfected c:\windows\downloaded program files\ATPartners.inf
Potentially unwanted tool:application/funweb Not disinfected c:\windows\downloaded program files\f3initialsetup1.0.0.8-2.inf
Adware:adware/localnrd Not disinfected c:\windows\inf\addremln.inf
Adware:adware/clickalchemy Not disinfected c:\windows\inf\alchem.inf
Adware:adware/ipinsight Not disinfected c:\windows\inf\conscorr.inf
Adware:adware/oemji Not disinfected C:\Documents and Settings\Owner\Application Data\defaultgood.wl
Spyware:spyware/surfsidekick Not disinfected C:\Documents and Settings\Owner\Application Data\Sskcwrd.dll
Adware:adware/tvmedia Not disinfected C:\Documents and Settings\Owner\Application Data\tvmknwrd.dll
Spyware:spyware/betterinet Not disinfected c:\windows\Buddy.exe
Adware:adware/wintools Not disinfected c:\windows\hisistheurls.exe
Spyware:spyware/media-motor Not disinfected c:\windows\ubber60.ini
Adware:adware/ezula Not disinfected c:\windows\woinstall.exe
Adware:adware/addestroyer Not disinfected C:\Documents and Settings\Owner\Start Menu\Programs\AdDestroyer
Adware:adware/portalscan Not disinfected c:\program files\common files\Slmss
Potentially unwanted tool:application/winfixer2005 Not disinfected c:\program files\common files\WinSoftware
Dialer:dialer generic Not disinfected c:\program files\dialers
Adware:adware/imgiant Not disinfected c:\program files\joystick networks
Potentially unwanted tool:application/myway Not disinfected c:\program files\MySearch
Potentially unwanted tool:application/mywebsearch Not disinfected c:\program files\MyWebSearch
Adware:adware/cws Not disinfected C:\Documents and Settings\Owner\Favorites\-Autos-
Adware:adware/elitebar Not disinfected C:\Documents and Settings\Owner\Favorites\Finances & Business
Potentially unwanted tool:application/regclean32 Not disinfected C:\Documents and Settings\Owner\Application Data\Registry Cleaner
Adware:adware/dyfuca Not disinfected c:\windows\STWSI
Adware:adware/savenow Not disinfected c:\documents and settings\all users\application data\nsv
Adware:adware/virtualbouncer Not disinfected c:\documents and settings\all users\application data\VBouncer
Adware:adware/delfinmedia Not disinfected c:\documents and settings\all users\application data\vidctrl
Adware:adware/e2give Not disinfected Windows Registry
Adware:adware/powerscan Not disinfected Windows Registry
Adware:adware/wupd Not disinfected Windows Registry
Adware:adware/upspiralbar Not disinfected Windows Registry
Spyware:spyware/adclicker Not disinfected Windows Registry
Adware:Adware/PurityScan Not disinfected C:\Documents and Settings\Owner\Application Data\rawh\ctxad-247.0000[NDrv.dll]
Adware:Adware/PurityScan Not disinfected C:\Documents and Settings\Owner\Application Data\rawh\ctxad-250.0000[NDrv.dll]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Owner\Cookies\owner@2o7[1].txt
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Owner\Cookies\owner@stats1.reliablestats[2].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Owner\Cookies\owner@trafficmp[2].txt
--------------------------------------------------------------------------
HAXFIX logfile - by Marckie
--------------
version 2.42
Sun 05/28/2006 22:00:41.79

checking for a3d files....
a3d files not found

checking for matching notify keys....
no matching notify keys found

checking for matching services....
no matching services found

checking for matching safeboot services....
no matching safeboot services found

------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 10:04:17 PM, on 5/28/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
C:\Program Files\OLYMPUS\DeviceDetector\DevDtct2.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://juno.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O4 - Global Startup: Device Detector 2.lnk = C:\Program Files\OLYMPUS\DeviceDetector\DevDtct2.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1131822988625
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} (Symantec Download Bridge) - http://a248.e.akamai.net/f/248/5462/...l/SymDlBrg.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/tech...l/SymAData.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326
O18 - Filter: text/html - (no CLSID) - (no file)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O20 - Winlogon Notify: SDNotify - C:\Program Files\SpywareDetector\SDNotify.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
jonas20h is offline  
Old 05-29-2006, 09:12 AM   #6 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,618
OS: 2000 Pro; XP Pro; XP Home


Create an uninstall list:
  • Open HiJackThis
  • Click on the configure button on the bottom right
  • Click on the tab "Misc Tools"
  • Click on the Box that says "Open Uninstall Manager"
  • Click on the button "Save list"
  • Copy and paste the list from the notepad file into your post
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Old 06-02-2006, 07:02 PM   #7 (permalink)
Registered User
 
Join Date: May 2006
Posts: 9
OS: Win XP


OK, I have the list. I am sorry it is a few days between posts, but this is a friend's computer and I am trying to get to it when I can.

Thanks again for your help!

Uninstall manager list:

Ad-Aware SE Personal
Adobe Photoshop Album Starter Edition
Adobe Reader 7.0.7
ccCommon
CleanUp!
Compaq Connections
Compaq Organize
ContextPlus
ewido anti-malware
Free PS Convert driver
Google Earth
Google Toolbar for Internet Explorer
HaxFix 2.42
HijackThis 1.99.1
HP Deskjet Preloaded Printer Drivers
HP Extended Capabilities 4.7
HP Image Zone 4.7
HP PSC & OfficeJet 4.7
HP Software Update
HumanConcepts OrgPlus 6
HumanConcepts OrgPlus 6 Plugin
Instant Support
Intel(R) Extreme Graphics Driver
IntelliMover Data Transfer Demo
Internet Worm Protection
InterVideo WinDVD Player
Java 2 Runtime Environment, SE v1.4.1_02
Java Web Start
KBD
LiveReg (Symantec Corporation)
LiveUpdate 3.0 (Symantec Corporation)
Macromedia Flash Player
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft Money 2003
Microsoft Money 2003 System Pack
Microsoft Office XP Media Content
Microsoft Office XP Professional
Microsoft Plus! Digital Media Edition
Microsoft Visual J# .NET Redistributable Package 1.1
Microsoft Works 7.0
MUSICMATCH® Jukebox
Norton AntiVirus 2005
Norton AntiVirus 2005 (Symantec Corporation)
Norton AntiVirus Help
Norton AntiVirus Parent MSI
Norton AntiVirus SCSSDist MSI
Norton AntiVirus SYMLT MSI
Norton WMI Update
NVIDIA Ethernet Driver
NVIDIA Gart Driver
NVIDIA Windows 2000/XP Display Drivers
OLYMPUS CAMEDIA Master 4.1
OmniPass
Panda ActiveScan
Personal Ancestral File 5
PS2
Python 2.2 combined Win32 extensions
Python 2.2.1
QuickBooks Pro 2005
Quicken 2003 New User Edition
QuickTime
S3Display
S3Gamma2
S3Info2
S3Overlay
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
SPBBC
Spybot - Search & Destroy 1.3
Symantec
Symantec Script Blocking Installer
SymNet
Trivial Pursuit Millennium Edition
TurboTax 2005
TurboTax ItsDeductible 2005
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Viewpoint Media Player (Remove Only)
Weblink
WexTech AnswerWorks
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Media Player 9 Hotfix [See KB885492 for more information]
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Service Pack 2
Word to PDF Converter 3.0
jonas20h is offline  
Old 06-02-2006, 09:29 PM   #8 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,618
OS: 2000 Pro; XP Pro; XP Home


I understand about how helping a friend can take some time, but the truth is the longer you leave this system in this manner, the better chance of reinfection. Hopefully we can get most of it in this next round. This will take a while, as this system had been riddled with adware and infectious files, but we can get it clean.

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download AproposFix from here:
http://swandog46.geekstogo.com/aproposfix.exe

Save it to your desktop but do NOT run it yet.

Then please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.


Go to Start>Run then copy and paste, or type the following, then press Enter:

regsvr32 /u occache.dll

Delete these if present:


c:\windows\system32\key.~
c:\windows\downloaded program files\ATPartners.inf
c:\windows\downloaded program files\f3initialsetup1.0.0.8-2.inf
c:\windows\inf\addremln.inf
c:\windows\inf\alchem.inf
c:\windows\inf\conscorr.inf
C:\Documents and Settings\Owner\Application Data\defaultgood.wl
C:\Documents and Settings\Owner\Application Data\Sskcwrd.dll
C:\Documents and Settings\Owner\Application Data\tvmknwrd.dll
c:\windows\Buddy.exe
c:\windows\hisistheurls.exe
c:\windows\ubber60.ini
c:\windows\woinstall.exe
C:\Documents and Settings\Owner\Start Menu\Programs\AdDestroyer
c:\program files\common files\Slmss
c:\program files\common files\WinSoftware
c:\program files\dialers
c:\program files\joystick networks
c:\program files\MySearch
c:\program files\MyWebSearch
C:\Documents and Settings\Owner\Favorites\-Autos-
C:\Documents and Settings\Owner\Favorites\Finances & Business
C:\Documents and Settings\Owner\Application Data\Registry Cleaner
c:\windows\STWSI
c:\documents and settings\all users\application data\nsv
c:\documents and settings\all users\application data\VBouncer
c:\documents and settings\all users\application data\vidctrl
C:\Documents and Settings\Owner\Application Data\rawh\ctxad-247.0000[NDrv.dll]
C:\Documents and Settings\Owner\Application Data\rawh\ctxad-250.0000[NDrv.dll]


Go to Start>Run then copy and paste, or type the following, then press Enter:

regsvr32 occache.dll

---------------------------------------------------------------------------------------------

Please double-click aproposfix.exe and unzip it to the desktop. Open the aproposfix folder on your desktop and run RunThis.bat. Follow the prompts.

When the tool is finished, please reboot back into normal mode.

Also please do this:


We need to update your Java as it is out of date. The older version is a security risk, as malware writers exploit the weaknesses in its code.

Updating Java:
  • Go to Start > Control Panel, double-click on the Software icon > Add/Remove Programs.
  • Search in the list for all previously installed versions of Java. (J2SE Runtime Environment.... )
  • Select it and click Remove.
  • Then Download and install the newest version from here:
    http://www.java.com/en/download/manual.jsp
  • After the reboot, go back into the Control Panel and double-click the Java Icon.
  • Under Temporary Internet Files, click the Delete Files button.
  • There are three options in the window to clear the cache - Leave ALL 3 Checked
    • Downloaded Applets
    • Downloaded Applications
    • Other Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Java Control Panel.
---------------------------------------------------

The version of Spybot Search and Destroy is not the latest version. I recommend you uninstall the existing version, and do this:

Download and install Spybot S&D http://security.kolla.de/. Run Spybot and click on the 'Search for Updates' button. Install any updates that are available.

Now click Mode menu and choose 'Advanced Mode'. Next click on Immunize to your left. Click the Immunize button (green cross) on top to Immunize your computer - you should do this each time there is an update. Do NOT enable Spybot TeaTimer Resident protection at this time. What this will do is monitor any system/registry changes and will ask you for permission to change any of these settings. It may also hinder our fix at this point. You may enable it after the fix is complete.

Now click on the 'Spybot-S&D' option on the top left to go back to the main screen. Next click on the 'Check for Problems' button. Let it run the scan. If it finds something, check all those in RED and hit the 'Fix Selected Problems' button. Exit Spybot. If you keep getting the DSO Exploit entries, even after you updated Windows and fixed them, then download the Spybot DSO Exploit Fix http://majorgeeks.com/download4392.html and install it over the current Spybot installation.

---------------------------------------------------

Also make sure AdawareSE is the latest version, it should say Build 1.06 in the lower right corner. If it's not, uninstall it, and download the newest version here, update to the latest definitions, and run a full system scan.

---------------------------------------------------

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan

---------------------------------------------------

Open Hijack This and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

---------------------------------------------------------------------------------------------

Please return with results from:

AproposFix ( log.txt file in the aproposfix folder)
Kaspersky
HJT


How is the system behaving now, please?
tetonbob is offline  
Old 06-11-2006, 10:27 PM   #9 (permalink)
Registered User
 
Join Date: May 2006
Posts: 9
OS: Win XP


Getting Better

OK. I have gone through and finished these steps as best I can. I will make myself available to work to get to these problems every night until we have it clean now if I have to.

The only problem I ran across with these instructions was that I got a funny reply when I tried to run regsvr32 /u ocache.dll . The message was:
DllunregisterServer is occache.dll succeeded.
I wasn't able to delete any of the files you listed.

So far it seems like the computer has less pop-ups now, but it did crash for a few hours this week.

Here are the logs:

Log of AproposFix v1.1

************

Running from directory:
C:\Documents and Settings\Owner\Desktop\My Downloads\aproposfix

************
Registry entries found:

[HKEY_LOCAL_MACHINE\Software\C0ThFAx3ees9]
@="z4MikxqUVVUVVWV vlMQQ7UVVUkXV0qvlw0 VMSMN8GbaV7LCP8LMVGIOCI7LPWMSM"
"Device"="\\\\.\\SNDswwd"
"DriverPath"="C:\\WINDOWS\\system32\\drivers\\mouiodrv.sys"
"DriverName"="RasACPI"
"HideUninstallerName"="C:\\Program Files\\Yahasoft\\basrtdll.exe"
"UninstallerPath"="C:\\WINDOWS\\System32\\adpsuser.exe"
"UninstallerRegKey"="HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{2E7E374F-7B91-4488-980B-E14A89B0A9FC}"
"UninstallerParams"="/CTUN"
"HDll"="C:\\WINDOWS\\system32\\msdrsm.dll"
"ServerAddress"="adchannel.contextplus.net"
"LegalNote"="http://adchannel.contextplus.net/legal-note/nonbranded.html"
"PartnerId"="CP.IST2"
"InstallationId"="{X7d0ec51-44f1-1eaf-46ad-ad1bf52282fb}"
"PageFiltering"=dword:00000001
"ClientName"="C:\\Program Files\\Yahasoft\\lsa0_qcx.exe"
--
[HKEY_LOCAL_MACHINE\Software\C0ThFAx3ees9]
@="z4MikxqUVVUVVWV vlMQQ7UVVUkXV0qvlw0 VMSMN8GbaV7LCP8LMVGIOCI7LPWMSM"
"Device"="\\\\.\\SNDswwd"
"DriverPath"="C:\\WINDOWS\\system32\\drivers\\mouiodrv.sys"
"DriverName"="RasACPI"
"HideUninstallerName"="C:\\Program Files\\Yahasoft\\basrtdll.exe"
"UninstallerPath"="C:\\WINDOWS\\System32\\adpsuser.exe"
"UninstallerRegKey"="HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{2E7E374F-7B91-4488-980B-E14A89B0A9FC}"
"UninstallerParams"="/CTUN"
"HDll"="C:\\WINDOWS\\system32\\msdrsm.dll"
"ServerAddress"="adchannel.contextplus.net"
"LegalNote"="http://adchannel.contextplus.net/legal-note/nonbranded.html"
"PartnerId"="CP.IST2"
"InstallationId"="{X7d0ec51-44f1-1eaf-46ad-ad1bf52282fb}"
"PageFiltering"=dword:00000001
"ClientName"="C:\\Program Files\\Yahasoft\\lsa0_qcx.exe"

************

Removing hidden service:
Service RasACPI removed.

Removing hidden folder:


------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Sunday, June 11, 2006 10:14:17 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 12/06/2006
Kaspersky Anti-Virus database records: 199907
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 132732
Number of viruses found: 117
Number of infected objects: 470
Number of suspicious objects: 0
Duration of the scan process: 01:49:28

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Owner\Desktop\My Downloads\aproposfix\backups\ace.dll Infected: Trojan.Win32.Crypt.t skipped
C:\Documents and Settings\Owner\Desktop\My Downloads\aproposfix\backups\basrtdll.exe Infected: Trojan.Win32.Crypt.t skipped
C:\Documents and Settings\Owner\Desktop\My Downloads\aproposfix\backups\lsa0_qcx.exe Infected: Trojan.Win32.Crypt.t skipped
C:\Documents and Settings\Owner\Desktop\My Downloads\aproposfix\backups\WinGenerics.dll Infected: Trojan.Win32.Crypt.t skipped
C:\Program Files\Norton AntiVirus\Quarantine\005B01C2.tmp/BlackBox.class Infected: Exploit.Java.ByteVerify skipped
C:\Program Files\Norton AntiVirus\Quarantine\005B01C2.tmp/VerifierBug.class Infected: Exploit.Java.ByteVerify skipped
C:\Program Files\Norton AntiVirus\Quarantine\005B01C2.tmp/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa skipped
C:\Program Files\Norton AntiVirus\Quarantine\005B01C2.tmp ZIP: infected - 3 skipped
C:\Program Files\Norton AntiVirus\Quarantine\005B01C2.tmp CryptFF: infected - 3 skipped
C:\Program Files\Norton AntiVirus\Quarantine\005B01C2.zip/BlackBox.class Infected: Exploit.Java.ByteVerify skipped
C:\Program Files\Norton AntiVirus\Quarantine\005B01C2.zip/VerifierBug.class Infected: Exploit.Java.ByteVerify skipped
C:\Program Files\Norton AntiVirus\Quarantine\005B01C2.zip/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa skipped
C:\Program Files\Norton AntiVirus\Quarantine\005B01C2.zip ZIP: infected - 3 skipped
C:\Program Files\Norton AntiVirus\Quarantine\005B01C2.zip CryptFF: infected - 3 skipped
C:\Program Files\Norton AntiVirus\Quarantine\0095178F.exe Infected: Trojan-Dropper.Win32.Agent.tb skipped
C:\Program Files\Norton AntiVirus\Quarantine\00ED07A5.exe Infected: Trojan-Dropper.Win32.Agent.abb skipped
C:\Program Files\Norton AntiVirus\Quarantine\00F45B9D.exe Infected: Trojan-Downloader.Win32.Pacer.k skipped
C:\Program Files\Norton AntiVirus\Quarantine\00FA2F96.exe/data0002 Infected: not-a-virus:AdWare.Win32.BookedSpace.e skipped
C:\Program Files\Norton AntiVirus\Quarantine\00FA2F96.exe NSIS: infected - 1 skipped
C:\Program Files\Norton AntiVirus\Quarantine\00FA2F96.exe CryptFF: infected - 1 skipped
C:\Program Files\Norton AntiVirus\Quarantine\00FD5993.dll Infected: Trojan.Win32.Crypt.t skipped
C:\Program Files\Norton AntiVirus\Quarantine\015925DA.exe Infected: Trojan-Dropper.Win32.Agent.tb skipped
C:\Program Files\Norton AntiVirus\Quarantine\0337151A.exe Infected: Backdoor.Win32.Agent.bg skipped
C:\Program Files\Norton AntiVirus\Quarantine\038C5662.dll Infected: not-a-virus:AdWare.Win32.EZula.bn skipped
C:\Program Files\Norton AntiVirus\Quarantine\039D0B21.exe Infected: not-a-virus:AdWare.Win32.BetterInternet.aq skipped
C:\Program Files\Norton AntiVirus\Quarantine\039D0B21.tmp Infected: not-a-virus:AdWare.Win32.DelphinMediaViewer.f skipped
C:\Program Files\Norton AntiVirus\Quarantine\04503D80.tmp Infected: Trojan.Win32.EliteBar.g skipped
C:\Program Files\Norton AntiVirus\Quarantine\05D633C9.exe Infected: Trojan-Dropper.Win32.Agent.tb skipped
C:\Program Files\Norton AntiVirus\Quarantine\069A0AF1.exe Infected: Trojan-Dropper.Win32.Small.yn skipped
C:\Program Files\Norton AntiVirus\Quarantine\072663C4.dll Infected: not-a-virus:AdWare.Win32.EZula.bn skipped
C:\Program Files\Norton AntiVirus\Quarantine\08A70BCE.jar/BlackBox.class Infected: Exploit.Java.ByteVerify skipped
C:\Program Files\Norton AntiVirus\Quarantine\08A70BCE.jar/VerifierBug.class Infected: Exploit.Java.ByteVerify skipped
C:\Program Files\Norton AntiVirus\Quarantine\08A70BCE.jar/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa skipped
C:\Program Files\Norton AntiVirus\Quarantine\08A70BCE.jar ZIP: infected - 3 skipped
C:\Program Files\Norton AntiVirus\Quarantine\08A70BCE.jar CryptFF: infected - 3 skipped
C:\Program Files\Norton AntiVirus\Quarantine\0D5830BB.jar/BlackBox.class Infected: Exploit.Java.ByteVerify skipped
C:\Program Files\Norton AntiVirus\Quarantine\0D5830BB.jar/VerifierBug.class Infected: Exploit.Java.ByteVerify skipped
C:\Program Files\Norton AntiVirus\Quarantine\0D5830BB.jar/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa skipped
C:\Program Files\Norton AntiVirus\Quarantine\0D5830BB.jar ZIP: infected - 3 skipped
C:\Program Files\Norton AntiVirus\Quarantine\0D5830BB.jar CryptFF: infected - 3 skipped
C:\Program Files\Norton AntiVirus\Quarantine\0D7C5A8F.exe/data0002 Infected: not-a-virus:AdWare.Win32.CASClient.a skipped
C:\Program Files\Norton AntiVirus\Quarantine\0D7C5A8F.exe/data0003 Infected: not-a-virus:AdWare.Win32.CASClient.a skipped
C:\Program Files\Norton AntiVirus\Quarantine\0D7C5A8F.exe NSIS: infected - 2 skipped
C:\Program Files\Norton AntiVirus\Quarantine\0D7C5A8F.exe CryptFF: infected - 2 skipped
C:\Program Files\Norton AntiVirus\Quarantine\0E4635BF.dll Infected: not-a-virus:AdWare.Win32.EZula.bn skipped
C:\Program Files\Norton AntiVirus\Quarantine\0F2E4720.exe Infected: not-a-virus:AdWare.Win32.BetterInternet.aq skipped
C:\Program Files\Norton AntiVirus\Quarantine\0FB8453D.exe Infected: Trojan-Dropper.Win32.Agent.tb skipped
C:\Program Files\Norton AntiVirus\Quarantine\12EC5E3E.exe Infected: not-a-virus:AdWare.Win32.SafeSurfing.x skipped
C:\Program Files\Norton AntiVirus\Quarantine\133465AB.tmp Infected: Trojan.Win32.EliteBar.f skipped
C:\Program Files\Norton AntiVirus\Quarantine\133E3AEE.sys Infected: Backdoor.Win32.Haxdoor.hx skipped
C:\Program Files\Norton AntiVirus\Quarantine\13B4183B.dll Infected: Backdoor.Win32.Haxdoor.hx skipped
C:\Program Files\Norton AntiVirus\Quarantine\13BB6C34.sys Infected: Backdoor.Win32.Haxdoor.hx skipped
C:\Program Files\Norton AntiVirus\Quarantine\13BE1630.sys Infected: Backdoor.Win32.Haxdoor.hx skipped
C:\Program Files\Norton AntiVirus\Quarantine\13EA072C.exe Infected: Trojan-Dropper.Win32.Agent.tb skipped
C:\Program Files\Norton AntiVirus\Quarantine\14382A48.exe Infected: Trojan-Dropper.Win32.Small.yn skipped
C:\Program Files\Norton AntiVirus\Quarantine\147A3E8E.exe Infected: Trojan-Dropper.Win32.Small.yn skipped
C:\Program Files\Norton AntiVirus\Quarantine\18411D47.exe Infected: Backdoor.Win32.Agent.bg skipped
C:\Program Files\Norton AntiVirus\Quarantine\191261E6.tmp Infected: Trojan.Win32.EliteBar.g skipped
C:\Program Files\Norton AntiVirus\Quarantine\1A580D17.exe Infected: not-a-virus:AdWare.Win32.WinAD.at skipped
C:\Program Files\Norton AntiVirus\Quarantine\1ABE031F.exe Infected: not-a-virus:AdWare.Win32.BetterInternet.a skipped
C:\Program Files\Norton AntiVirus\Quarantine\1C146DDC.cab/MediaPassX.dll Infected: not-a-virus:AdWare.Win32.WinAD.w skipped
C:\Program Files\Norton AntiVirus\Quarantine\1C146DDC.cab CAB: infected - 1 skipped
C:\Program Files\Norton AntiVirus\Quarantine\1C146DDC.cab CryptFF: infected - 1 skipped
C:\Program Files\Norton AntiVirus\Quarantine\1C1A41D5.cab/mm83.ocx Infected: Trojan-Downloader.Win32.VB.ov skipped
C:\Program Files\Norton AntiVirus\Quarantine\1C1A41D5.cab CAB: infected - 1 skipped
C:\Program Files\Norton AntiVirus\Quarantine\1C1A41D5.cab CryptFF: infected - 1 skipped
C:\Program Files\Norton AntiVirus\Quarantine\1C1A41D5.dll Infected: not-a-virus:AdWare.Win32.WinAD.bg skipped
C:\Program Files\Norton AntiVirus\Quarantine\1C1A41D5.exe Infected: Trojan-Downloader.Win32.IstBar.mz skipped
C:\Program Files\Norton AntiVirus\Quarantine\1C1E6BD2.exe Infected: Trojan-Downloader.Win32.Dyfuca.ei skipped
C:\Program Files\Norton AntiVirus\Quarantine\1C2769C7.dll Infected: Trojan-Downloader.Win32.IstBar.gen skipped
C:\Program Files\Norton AntiVirus\Quarantine\1C757018.tmp Infected: Trojan.Win32.EliteBar.f skipped
C:\Program Files\Norton AntiVirus\Quarantine\1C896C02.tmp Infected: Trojan.Win32.EliteBar.f skipped
C:\Program Files\Norton AntiVirus\Quarantine\1C8C15FE.tmp Infected: Trojan.Win32.EliteBar.f skipped
C:\Program Files\Norton AntiVirus\Quarantine\1E7D1A3D.dll Infected: not-a-virus:AdWare.Win32.EZula.bn skipped
C:\Program Files\Norton AntiVirus\Quarantine\1F616F43.tmp Infected: Backdoor.Win32.Prosiak.070 skipped
C:\Program Files\Norton AntiVirus\Quarantine\21C12712.dll Infected: Trojan.Win32.Crypt.t skipped
C:\Program Files\Norton AntiVirus\Quarantine\21C4510E.exe Infected: Trojan.Win32.Crypt.t skipped
C:\Program Files\Norton AntiVirus\Quarantine\21CB2507.exe Infected: not-a-virus:AdWare.Win32.MDH.e skipped
C:\Program Files\Norton AntiVirus\Quarantine\21D27900.dll Infected: not-a-virus:AdWare.Win32.EZula.bn skipped
C:\Program Files\Norton AntiVirus\Quarantine\21D522FC.dll Infected: not-a-virus:AdWare.Win32.EZula.bn skipped
C:\Program Files\Norton AntiVirus\Quarantine\21D84CF8.dll Infected: not-a-virus:AdWare.Win32.EZula.bn skipped
C:\Program Files\Norton AntiVirus\Quarantine\21DB76F5.dll Infected: not-a-virus:AdWare.Win32.EZula.bn skipped
C:\Program Files\Norton AntiVirus\Quarantine\21DF20F1.dll Infected: not-a-virus:AdWare.Win32.EZula.bn skipped
C:\Program Files\Norton AntiVirus\Quarantine\21E574EA.exe Infected: Trojan.Win32.Crypt.t skipped
C:\Program Files\Norton AntiVirus\Quarantine\21EC48E3.dll Infected: Trojan.Win32.Crypt.t skipped
C:\Program Files\Norton AntiVirus\Quarantine\22416425.exe Infected: Trojan-Downloader.Win32.Agent.xh skipped
C:\Program Files\Norton AntiVirus\Quarantine\229174A6.tmp Infected: Trojan.Win32.EliteBar.f skipped
C:\Program Files\Norton AntiVirus\Quarantine\247D22ED.exe Infected: Trojan-Dropper.Win32.Agent.tb skipped
C:\Program Files\Norton AntiVirus\Quarantine\25366873.IE5 Infected: Trojan.Win32.Crypt.t skipped
C:\Program Files\Norton AntiVirus\Quarantine\2539126F.sys Infected: Trojan.Win32.Kolweb.b skipped
C:\Program Files\Norton AntiVirus\Quarantine\253B261D.exe Infected: Trojan-Dropper.Win32.Small.yn skipped
C:\Program Files\Norton AntiVirus\Quarantine\253C3C6B.sys Infected: Trojan.Win32.Kolweb.b skipped
C:\Program Files\Norton AntiVirus\Quarantine\253F6668.exe Infected: Trojan-Downloader.Win32.Delf.go skipped
C:\Program Files\Norton AntiVirus\Quarantine\253F6668.tmp Infected: Trojan-Downloader.Win32.Delmed.a skipped
C:\Program Files\Norton AntiVirus\Quarantine\25431064.exe Infected: not-a-virus:AdWare.Win32.BetterInternet.aq skipped
C:\Program Files\Norton AntiVirus\Quarantine\25463A61.exe Infected: not-a-virus:AdWare.Win32.BetterInternet.aq skipped
C:\Program Files\Norton AntiVirus\Quarantine\2549645D.exe Infected: not-a-virus:AdWare.Win32.BetterInternet.aq skipped
C:\Program Files\Norton AntiVirus\Quarantine\254D0E59.exe Infected: not-a-virus:AdWare.Win32.BetterInternet.aq skipped
C:\Program Files\Norton AntiVirus\Quarantine\25503856.exe Infected: not-a-virus:AdWare.Win32.BetterInternet.aq skipped
C:\Program Files\Norton AntiVirus\Quarantine\25536252.exe Infected: not-a-virus:AdWare.Win32.BetterInternet.aq skipped
C:\Program Files\Norton AntiVirus\Quarantine\25560C4F.dll Infected: not-a-virus:AdWare.Win32.CASClient.a skipped
C:\Program Files\Norton AntiVirus\Quarantine\255A364B.exe/data0002 Infected: not-a-virus:AdWare.Win32.CASClient.a skipped
C:\Program Files\Norton AntiVirus\Quarantine\255A364B.exe/data0003 Infected: not-a-virus:AdWare.Win32.CASClient.a skipped
C:\Program Files\Norton AntiVirus\Quarantine\255A364B.exe NSIS: infected - 2 skipped
C:\Program Files\Norton AntiVirus\Quarantine\255A364B.exe CryptFF: infected - 2 skipped
C:\Program Files\Norton AntiVirus\Quarantine\25600A44.dll Infected: not-a-virus:AdWare.Win32.ImiBar.h skipped
C:\Program Files\Norton AntiVirus\Quarantine\25600A44.exe Infected: Trojan-Downloader.Win32.Intexp.d skipped
C:\Program Files\Norton AntiVirus\Quarantine\25633440.exe Infected: Trojan-Downloader.Win32.IstBar.gen skipped
C:\Program Files\Norton AntiVirus\Quarantine\25633440.tmp/WISE0001.BIN Infected: not-a-virus:AdWare.Win32.VirtualBouncer.j skipped
C:\Program Files\Norton AntiVirus\Quarantine\25633440.tmp WiseSFX: infected - 1 skipped
C:\Program Files\Norton AntiVirus\Quarantine\25633440.tmp CryptFF: infected - 1 skipped
C:\Program Files\Norton AntiVirus\Quarantine\25675E3D.exe Infected: not-a-virus:AdWare.Win32.BetterInternet.aj skipped
C:\Program Files\Norton AntiVirus\Quarantine\256A0839.exe Infected: Trojan-Dropper.Win32.Agent.xe skipped
C:\Program Files\Norton AntiVirus\Quarantine\256A0839.tmp Infected: Trojan-Downloader.Win32.Small.wk skipped
C:\Program Files\Norton AntiVirus\Quarantine\256D3236.cab/installer_PIVOTAL_5_DB.exe/stream/data0001 Infected: not-a-virus:AdWare.Win32.BargainBuddy.ah skipped
C:\Program Files\Norton AntiVirus\Quarantine\256D3236.cab/installer_PIVOTAL_5_DB.exe/stream Infected: not-a-virus:AdWare.Win32.BargainBuddy.ah skipped
C:\Program Files\Norton AntiVirus\Quarantine\256D3236.cab/installer_PIVOTAL_5_DB.exe Infected: not-a-virus:AdWare.Win32.BargainBuddy.ah skipped
C:\Program Files\Norton AntiVirus\Quarantine\256D3236.cab CAB: infected - 3 skipped
C:\Program Files\Norton AntiVirus\Quarantine\256D3236.cab CryptFF: infected - 3 skipped
C:\Program Files\Norton AntiVirus\Quarantine\256D3236.exe Infected: Backdoor.Win32.Agent.bg skipped
C:\Program Files\Norton AntiVirus\Quarantine\256D3236.ocx Infected: not-a-virus:AdWare.Win32.MediaMotor.a skipped
C:\Program Files\Norton AntiVirus\Quarantine\25705C32.dll Infected: not-a-virus:AdWare.Win32.WinAD.ak skipped
C:\Program Files\Norton AntiVirus\Quarantine\25705C32.exe Infected: Backdoor.Win32.Agent.bg skipped
C:\Program Files\Norton AntiVirus\Quarantine\2574062E.exe Infected: not-a-virus:AdWare.Win32.DelphinMediaViewer.f skipped
C:\Program Files\Norton AntiVirus\Quarantine\2577302B.dll Infected: not-a-virus:AdWare.Win32.BHO.ad skipped
C:\Program Files\Norton AntiVirus\Quarantine\2577302B.exe Infected: not-a-virus:AdWare.Win32.DelphinMediaViewer.k skipped
C:\Program Files\Norton AntiVirus\Quarantine\257A5A27.exe Infected: Backdoor.Win32.Agent.bg skipped
C:\Program Files\Norton AntiVirus\Quarantine\25812E20.exe Infected: Backdoor.Win32.Agent.bg skipped
C:\Program Files\Norton AntiVirus\Quarantine\25820AAB.exe Infected: Trojan-Dropper.Win32.Agent.tb skipped
C:\Program Files\Norton AntiVirus\Quarantine\25CF44AF.tmp Infected: Trojan.Win32.EliteBar.g skipped
C:\Program Files\Norton AntiVirus\Quarantine\25E84916.dll Infected: not-a-virus:AdWare.Win32.CASClient.a skipped
C:\Program Files\Norton AntiVirus\Quarantine\264E3F1D.exe Infected: not-a-virus:AdWare.Win32.BetterInternet.aq skipped
C:\Program Files\Norton AntiVirus\Quarantine\26A30066.exe Infected: Trojan.Win32.Crypt.t skipped
C:\Program Files\Norton AntiVirus\Quarantine\271760ED.exe Infected: Trojan-Dropper.Win32.Small.yn skipped
C:\Program Files\Norton AntiVirus\Quarantine\271F6D19.zip/BlackBox.class Infected: Exploit.Java.ByteVerify skipped
C:\Program Files\Norton AntiVirus\Quarantine\271F6D19.zip/VerifierBug.class Infected: Exploit.Java.ByteVerify skipped
C:\Program Files\Norton AntiVirus\Quarantine\271F6D19.zip/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa skipped
C:\Program Files\Norton AntiVirus\Quarantine\271F6D19.zip ZIP: infected - 3 skipped
C:\Program Files\Norton AntiVirus\Quarantine\271F6D19.zip CryptFF: infected - 3 skipped
C:\Program Files\Norton AntiVirus\Quarantine\274D38E6.tmp/BlackBox.class Infected: Exploit.Java.ByteVerify skipped
C:\Program Files\Norton AntiVirus\Quarantine\274D38E6.tmp/VerifierBug.class Infected: Exploit.Java.ByteVerify skipped
C:\Program Files\Norton AntiVirus\Quarantine\274D38E6.tmp/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa skipped
C:\Program Files\Norton AntiVirus\Quarantine\274D38E6.tmp ZIP: infected - 3 skipped
C:\Program Files\Norton AntiVirus\Quarantine\274D38E6.tmp CryptFF: infected - 3 skipped
C:\Program Files\Norton AntiVirus\Quarantine\27A849FC.dll Infected: not-a-virus:AdWare.Win32.SafeSurfing.a skipped
C:\Program Files\Norton AntiVirus\Quarantine\287A4735.tmp Infected: Trojan.Win32.EliteBar.f skipped
C:\Program Files\Norton AntiVirus\Quarantine\299446C5.exe Infected: Trojan-Dropper.Win32.Agent.tb skipped
C:\Program Files\Norton AntiVirus\Quarantine\2A0D563C.exe/data0002 Infected: not-a-virus:AdWare.Win32.CASClient.a skipped
C:\Program Files\Norton AntiVirus\Quarantine\2A0D563C.exe/data0003 Infected: not-a-virus:AdWare.Win32.CASClient.a skipped
C:\Program Files\Norton AntiVirus\Quarantine\2A0D563C.exe NSIS: infected - 2 skipped
C:\Program Files\Norton AntiVirus\Quarantine\2A0D563C.exe CryptFF: infected - 2 skipped
C:\Program Files\Norton AntiVirus\Quarantine\2A272824.exe Infected: Trojan-Dropper.Win32.Small.yn skipped
C:\Program Files\Norton AntiVirus\Quarantine\2B4B46F6.dll Infected: not-a-virus:AdWare.Win32.EZula.bn skipped
C:\Program Files\Norton AntiVirus\Quarantine\2DC54546.exe Infected: Trojan-Dropper.Win32.Agent.tb skipped
C:\Program Files\Norton AntiVirus\Quarantine\2E794A80.exe Infected: Trojan-Dropper.Win32.Small.yn skipped
C:\Program Files\Norton AntiVirus\Quarantine\2F396EF3.tmp Infected: Trojan.Win32.EliteBar.f skipped
C:\Program Files\Norton AntiVirus\Quarantine\2F6149C2.exe Infected: Trojan-Dropper.Win32.Agent.tb skipped
C:\Program Files\Norton AntiVirus\Quarantine\2F660C5B.tmp Infected: Trojan.Win32.EliteBar.g skipped
C:\Program Files\Norton AntiVirus\Quarantine\2FBC0EA1.tmp Infected: Trojan.Win32.EliteBar.f skipped
C:\Program Files\Norton AntiVirus\Quarantine\30224814.exe Infected: Backdoor.Win32.Haxdoor.hx skipped
C:\Program Files\Norton AntiVirus\Quarantine\30A06F83.tmp/BlackBox.class Infected: Exploit.Java.ByteVerify skipped
C:\Program Files\Norton AntiVirus\Quarantine\30A06F83.tmp/VerifierBug.class Infected: Exploit.Java.ByteVerify skipped
C:\Program Files\Norton AntiVirus\Quarantine\30A06F83.tmp/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa skipped
C:\Program Files\Norton AntiVirus\Quarantine\30A06F83.tmp ZIP: infected - 3 skipped
C:\Program Files\Norton AntiVirus\Quarantine\30A06F83.tmp CryptFF: infected - 3 skipped
C:\Program Files\Norton AntiVirus\Quarantine\30A06F83.zip/BlackBox.class Infected: Exploit.Java.ByteVerify skipped
C:\Program Files\Norton AntiVirus\Quarantine\30A06F83.zip/VerifierBug.class Infected: Exploit.Java.ByteVerify skipped
C:\Program Files\Norton AntiVirus\Quarantine\30A06F83.zip/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa skipped
C:\Program Files\Norton AntiVirus\Quarantine\30A06F83.zip ZIP: infected - 3 skipped
C:\Program Files\Norton AntiVirus\Quarantine\30A06F83.zip CryptFF: infected - 3 skipped
C:\Program Files\Norton AntiVirus\Quarantine\31780514.exe Infected: Trojan-Dropper.Win32.Agent.xe skipped
C:\Program Files\Norton AntiVirus\Quarantine\31852043.exe Infected: Trojan-Dropper.Win32.Agent.tb skipped
C:\Program Files\Norton AntiVirus\Quarantine\318F65AF.exe Infected: Trojan-Dropper.Win32.Agent.tb skipped
C:\Program Files\Norton AntiVirus\Quarantine\31B21337.exe Infected: Trojan-Dropper.Win32.Agent.tb skipped
C:\Program Files\Norton AntiVirus\Quarantine\32533CD8.exe Infected: Trojan-Dropper.Win32.Small.yn skipped
C:\Program Files\Norton AntiVirus\Quarantine\35410EDF.tmp Infected: Trojan.Win32.EliteBar.g skipped
C:\Program Files\Norton AntiVirus\Quarantine\36684DC5.exe Infected: Trojan-Dropper.Win32.Agent.tb skipped
C:\Program Files\Norton AntiVirus\Quarantine\36914516.dll Infected: not-a-virus:AdWare.Win32.EZula.bn skipped
C:\Program Files\Norton AntiVirus\Quarantine\371C52FF.exe Infected: Trojan-Dropper.Win32.Small.yn skipped
C:\Program Files\Norton AntiVirus\Quarantine\38A17C04.dll Infected: not-a-virus:AdWare.Win32.EZula.bn skipped
C:\Program Files\Norton AntiVirus\Quarantine\3A865866.exe/data0002 Infected: not-a-virus:AdWare.Win32.CASClient.d skipped
C:\Program Files\Norton AntiVirus\Quarantine\3A865866.exe/data0003 Infected: not-a-virus:AdWare.Win32.CASClient.c skipped
C:\Program Files\Norton AntiVirus\Quarantine\3A865866.exe NSIS: infected - 2 skipped
C:\Program Files\Norton AntiVirus\Quarantine\3A865866.exe CryptFF: infected - 2 skipped
C:\Program Files\Norton AntiVirus\Quarantine\3BE676A2.tmp Infected: Trojan.Win32.EliteBar.f skipped
C:\Program Files\Norton AntiVirus\Quarantine\3C6928E5.exe Infected: Trojan-Dropper.Win32.Agent.tb skipped
C:\Program Files\Norton AntiVirus\Quarantine\3D094113.exe Infected: not-a-virus:AdWare.Win32.Wintol.p skipped
C:\Program Files\Norton AntiVirus\Quarantine\3D20581C.exe Infected: Trojan-Dropper.Win32.Small.yn skipped
C:\Program Files\Norton AntiVirus\Quarantine\3D6F371B.exe/dsr.dll Infected: not-a-virus:AdWare.Win32.ImiBar.h skipped
C:\Program Files\Norton AntiVirus\Quarantine\3D6F371B.exe CAB: infected - 1 skipped
C:\Program Files\Norton AntiVirus\Quarantine\3D6F371B.exe MimarSinan: infected - 1 skipped
C:\Program Files\Norton AntiVirus\Quarantine\3D6F371B.exe UPX: infected - 1 skipped
C:\Program Files\Norton AntiVirus\Quarantine\3D6F371B.exe CryptFF: infected - 1 skipped
C:\Program Files\Norton AntiVirus\Quarantine\3D7A12EA.tmp Infected: Trojan.Win32.EliteBar.f skipped
C:\Program Files\Norton AntiVirus\Quarantine\3DC47863.dll Infected: not-a-virus:AdWare.Win32.EZula.bn skipped
C:\Program Files\Norton AntiVirus\Quarantine\3E796D04.exe/data0006 Infected: Trojan-Dropper.Win32.VB.kk skipped
C:\Program Files\Norton AntiVirus\Quarantine\3E796D04.exe NSIS: infected - 1 skipped
C:\Program Files\Norton AntiVirus\Quarantine\3E796D04.exe CryptFF: infected - 1 skipped
C:\Program Files\Norton AntiVirus\Quarantine\449157CC.exe Infected: Trojan-Downloader.Win32.Dyfuca.ab skipped
C:\Program Files\Norton AntiVirus\Quarantine\45986A88.jar/BlackBox.class Infected: Exploit.Java.ByteVerify skipped
C:\Program Files\Norton AntiVirus\Quarantine\45986A88.jar/VerifierBug.class Infected: Exploit.Java.ByteVerify skipped
C:\Program Files\Norton AntiVirus\Quarantine\45986A88.jar/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa skipped
C:\Program Files\Norton AntiVirus\Quarantine\45986A88.jar ZIP: infected - 3 skipped
C:\Program Files\Norton AntiVirus\Quarantine\45986A88.jar CryptFF: infected - 3 skipped
C:\Program Files\Norton AntiVirus\Quarantine\47C60A7A.exe Infected: Trojan.Win32.Crypt.t skipped
C:\Program Files\Norton AntiVirus\Quarantine\47CD5E73.dll Infected: not-a-virus:AdWare.Win32.BookedSpace.g skipped
C:\Program Files\Norton AntiVirus\Quarantine\47D0086F.dll Infected: Trojan.Win32.Crypt.t skipped
C:\Program Files\Norton AntiVirus\Quarantine\47D0086F.exe Infected: Trojan-Downloader.Win32.Pacer.l skipped
C:\Program Files\Norton AntiVirus\Quarantine\49543462.dll Infected: not-a-virus:AdWare.Win32.EZula.bn skipped
C:\Program Files\Norton AntiVirus\Quarantine\4AA04185.exe Infected: Trojan-Dropper.Win32.Agent.tb skipped
C:\Program Files\Norton AntiVirus\Quarantine\4B433DAF.tmp/BlackBox.class Infected: Exploit.Java.ByteVerify skipped
C:\Program Files\Norton AntiVirus\Quarantine\4B433DAF.tmp/VerifierBug.class Infected: Exploit.Java.ByteVerify skipped
C:\Program Files\Norton AntiVirus\Quarantine\4B433DAF.tmp/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa skipped
C:\Program Files\Norton AntiVirus\Quarantine\4B433DAF.tmp ZIP: infected - 3 skipped
C:\Program Files\Norton AntiVirus\Quarantine\4B433DAF.tmp CryptFF: infected - 3 skipped
C:\Program Files\Norton AntiVirus\Quarantine\4B433DAF.zip/BlackBox.class Infected: Exploit.Java.ByteVerify skipped
C:\Program Files\Norton AntiVirus\Quarantine\4B433DAF.zip/VerifierBug.class Infected: Exploit.Java.ByteVerify skipped
C:\Program Files\Norton AntiVirus\Quarantine\4B433DAF.zip/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa skipped
C:\Program Files\Norton AntiVirus\Quarantine\4B433DAF.zip ZIP: infected - 3 skipped
C:\Program Files\Norton AntiVirus\Quarantine\4B433DAF.zip CryptFF: infected - 3 skipped
C:\Program Files\Norton AntiVirus\Quarantine\4B616EB1.exe Infected: Trojan-Dropper.Win32.Small.yn skipped
C:\Program Files\Norton AntiVirus\Quarantine\4C147E76.exe Infected: not-a-virus:AdWare.Win32.ShopNav.l skipped
C:\Program Files\Norton AntiVirus\Quarantine\4D24003F.exe Infected: Trojan-Dropper.Win32.Agent.abb skipped
C:\Program Files\Norton AntiVirus\Quarantine\4E686910.dll Infected: not-a-virus:AdWare.Win32.EZula.bn skipped
C:\Program Files\Norton AntiVirus\Quarantine\50096D49.exe Infected: Trojan-Dropper.Win32.Agent.tb skipped
C:\Program Files\Norton AntiVirus\Quarantine\50BD7283.exe Infected: Trojan-Dropper.Win32.Small.yn skipped
C:\Program Files\Norton AntiVirus\Quarantine\536D64A7.tmp Infected: Trojan.Win32.EliteBar.f skipped
C:\Program Files\Norton AntiVirus\Quarantine\54902F18.cab/installer_PIVOTAL_6_DB.exe/stream/data0001 Infected: not-a-virus:AdWare.Win32.BargainBuddy.ah skipped
C:\Program Files\Norton AntiVirus\Quarantine\54902F18.cab/installer_PIVOTAL_6_DB.exe/stream Infected: not-a-virus:AdWare.Win32.BargainBuddy.ah skipped
C:\Program Files\Norton AntiVirus\Quarantine\54902F18.cab/installer_PIVOTAL_6_DB.exe Infected: not-a-virus:AdWare.Win32.BargainBuddy.ah skipped
C:\Program Files\Norton AntiVirus\Quarantine\54902F18.cab CAB: infected - 3 skipped
C:\Program Files\Norton AntiVirus\Quarantine\54902F18.cab CryptFF: infected - 3 skipped
C:\Program Files\Norton AntiVirus\Quarantine\54902F18.exe Infected: Backdoor.Win32.Agent.bg skipped
C:\Program Files\Norton AntiVirus\Quarantine\550D48A9.exe Infected: Trojan.Win32.EliteBar.g skipped
C:\Program Files\Norton AntiVirus\Quarantine\5515264D.exe Infected: Trojan-Dropper.Win32.Agent.tb skipped
C:\Program Files\Norton AntiVirus\Quarantine\55C477E0.exe/data0002 Infected: not-a-virus:AdWare.Win32.CASClient.a skipped
C:\Program Files\Norton AntiVirus\Quarantine\55C477E0.exe/data0003 Infected: not-a-virus:AdWare.Win32.CASClient.a skipped
C:\Program Files\Norton AntiVirus\Quarantine\55C477E0.exe NSIS: infected - 2 skipped
C:\Program Files\Norton AntiVirus\Quarantine\55C477E0.exe CryptFF: infected - 2 skipped
C:\Program Files\Norton AntiVirus\Quarantine\55EC2292.exe Infected: Trojan-Dropper.Win32.Delf.ev skipped
C:\Program Files\Norton AntiVirus\Quarantine\56104738.exe Infected: Trojan-Dropper.Win32.Small.yn skipped
C:\Program Files\Norton AntiVirus\Quarantine\56502FFE.dll Infected: not-a-virus:AdWare.Win32.EZula.bn skipped
C:\Program Files\Norton AntiVirus\Quarantine\57847E49.tmp Infected: Trojan.Win32.EliteBar.f skipped
C:\Program Files\Norton AntiVirus\Quarantine\58B43C3E.dll Infected: not-a-virus:AdWare.Win32.BHO.z skipped
C:\Program Files\Norton AntiVirus\Quarantine\58DC7EB3.exe Infected: Trojan-Dropper.Win32.Agent.tb skipped
C:\Program Files\Norton AntiVirus\Quarantine\5B0332A3.exe Infected: Trojan-Dropper.Win32.Agent.tb skipped
C:\Program Files\Norton AntiVirus\Quarantine\5B961402.exe Infected: Trojan-Dropper.Win32.Small.yn skipped
C:\Program Files\Norton AntiVirus\Quarantine\5BE65B1F.htm Infected: Exploit.HTML.Mht skipped
C:\Program Files\Norton AntiVirus\Quarantine\5CC43703.exe Infected: Trojan-Dropper.Win32.Agent.tb skipped
C:\Program Files\Norton AntiVirus\Quarantine\5D056465.exe Infected: Trojan-Dropper.Win32.Agent.tb skipped
C:\Program Files\Norton AntiVirus\Quarantine\5D1B59B6.dll Infected: not-a-virus:AdWare.Win32.EZula.bn skipped
C:\Program Files\Norton AntiVirus\Quarantine\5D2C7690.exe Infected: Trojan-Dropper.Win32.Small.yn skipped
C:\Program Files\Norton AntiVirus\Quarantine\5D6402DF.exe Infected: Trojan-Dropper.Win32.Agent.tb skipped
C:\Program Files\Norton AntiVirus\Quarantine\5E21060E.exe Infected: Trojan-Dropper.Win32.Small.yn skipped
C:\Program Files\Norton AntiVirus\Quarantine\5EDC546D.dll Infected: not-a-virus:AdWare.Win32.EZula.bn skipped
C:\Program Files\Norton AntiVirus\Quarantine\5EF336E0.jar/BlackBox.class Infected: Exploit.Java.ByteVerify skipped
C:\Program Files\Norton AntiVirus\Quarantine\5EF336E0.jar/VerifierBug.class Infected: Exploit.Java.ByteVerify skipped
C:\Program Files\Norton AntiVirus\Quarantine\5EF336E0.jar/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa skipped
C:\Program Files\Norton AntiVirus\Quarantine\5EF336E0.jar ZIP: infected - 3 skipped
C:\Program Files\Norton AntiVirus\Quarantine\5EF336E0.jar CryptFF: infected - 3 skipped
C:\Program Files\Norton AntiVirus\Quarantine\601E3771.tmp Infected: Trojan.Win32.EliteBar.f skipped
C:\Program Files\Norton AntiVirus\Quarantine\60206B16.exe Infected: not-a-virus:AdWare.Win32.BetterInternet.af skipped
C:\Program Files\Norton AntiVirus\Quarantine\6021616E.tmp Infected: Trojan.Win32.EliteBar.f skipped
C:\Program Files\Norton AntiVirus\Quarantine\61475B76.exe Infected: Trojan-Dropper.Win32.Agent.tb skipped
C:\Program Files\Norton AntiVirus\Quarantine\62120698.exe Infected: Trojan-Dropper.Win32.Small.yn skipped
C:\Program Files\Norton AntiVirus\Quarantine\62A251FE.exe Infected: Trojan-Dropper.Win32.Agent.tb skipped
C:\Program Files\Norton AntiVirus\Quarantine\634E3346.exe Infected: Backdoor.Win32.Agent.bg skipped
C:\Program Files\Norton AntiVirus\Quarantine\635C2B31.exe Infected: Trojan-Dropper.Win32.Small.yn skipped
C:\Program Files\Norton AntiVirus\Quarantine\63B047DC.exe Infected: not-a-virus:AdWare.Win32.DownloadWare.a skipped
C:\Program Files\Norton AntiVirus\Quarantine\6445783C.dll Infected: not-a-virus:AdWare.Win32.EZula.bn skipped
C:\Program Files\Norton AntiVirus\Quarantine\66365D72.tmp Infected: Trojan.Win32.EliteBar.g skipped
C:\Program Files\Norton AntiVirus\Quarantine\674B5096.exe Infected: not-a-virus:AdWare.Win32.CASClient.a skipped
C:\Program Files\Norton AntiVirus\Quarantine\67BA28F2.exe Infected: Trojan-Dropper.Win32.Agent.tb skipped
C:\Program Files\Norton AntiVirus\Quarantine\67CB7AE0.exe Infected: Trojan-Dropper.Win32.Agent.mu skipped
C:\Program Files\Norton AntiVirus\Quarantine\67F51CB1.exe Infected: not-a-virus:AdWare.Win32.CASClient.a skipped
C:\Program Files\Norton AntiVirus\Quarantine\684A6053.exe Infected: Trojan-Dropper.Win32.Small.yn skipped
C:\Program Files\Norton AntiVirus\Quarantine\69670A54.exe Infected: Trojan-Downloader.Win32.Pacer.f skipped
C:\Program Files\Norton AntiVirus\Quarantine\6A2A5520.exe Infected: Trojan-Spy.Win32.VB.eh skipped
C:\Program Files\Norton AntiVirus\Quarantine\6A6872DC.exe Infected: Trojan-Downloader.Win32.Small.bmx skipped
C:\Program Files\Norton AntiVirus\Quarantine\6A7270D1.exe Infected: Trojan-Downloader.Win32.VB.kq skipped
C:\Program Files\Norton AntiVirus\Quarantine\6B213486.wmf Infected: Trojan-Downloader.Win32.Agent.acd skipped
C:\Program Files\Norton AntiVirus\Quarantine\6B492390.exe Infected: Trojan-Dropper.Win32.Agent.tb skipped
C:\Program Files\Norton AntiVirus\Quarantine\6C161D1D.exe/data0002 Infected: not-a-virus:AdWare.Win32.CASClient.a skipped
C:\Program Files\Norton AntiVirus\Quarantine\6C161D1D.exe/data0003 Infected: not-a-virus:AdWare.Win32.CASClient.a skipped
C:\Program Files\Norton AntiVirus\Quarantine\6C161D1D.exe NSIS: infected - 2 skipped
C:\Program Files\Norton AntiVirus\Quarantine\6C161D1D.exe CryptFF: infected - 2 skipped
C:\Program Files\Norton AntiVirus\Quarantine\6C7A4830.exe Infected: Trojan-Downloader.Win32.Small.cdy skipped
C:\Program Files\Norton AntiVirus\Quarantine\6FF57945.exe Infected: Trojan-Dropper.Win32.Agent.tb skipped
C:\Program Files\Norton AntiVirus\Quarantine\70B211E0.exe Infected: Trojan-Dropper.Win32.Agent.tb skipped
C:\Program Files\Norton AntiVirus\Quarantine\71CA2AF4.tmp Infected: Trojan.Win32.EliteBar.g skipped
C:\Program Files\Norton AntiVirus\Quarantine\720C2074.exe Infected: Trojan-Dropper.Win32.Agent.tb skipped
C:\Program Files\Norton AntiVirus\Quarantine\72AC29C3.exe Infected: Trojan-Dropper.Win32.Small.yn skipped
C:\Program Files\Norton AntiVirus\Quarantine\75D22BF9 Infected: Exploit.JS.CVE-2006-1359.c skipped
C:\Program Files\Norton AntiVirus\Quarantine\75E951E0.htm Infected: Exploit.JS.CVE-2006-1359.c skipped
C:\Program Files\Norton AntiVirus\Quarantine\761E18A3.tmp Infected: Trojan.Win32.EliteBar.f skipped
C:\Program Files\Norton AntiVirus\Quarantine\76B37867.dll Infected: not-a-virus:AdWare.Win32.EZula.bn skipped
C:\Program Files\Norton AntiVirus\Quarantine\77416314.exe/InpB/TvmBho.dll Infected: not-a-virus:AdWare.Win32.TotalVelocity.v skipped
C:\Program Files\Norton AntiVirus\Quarantine\77416314.exe/InpB/TvmCore.dll Infected: not-a-virus:AdWare.Win32.TotalVelocity.v skipped
C:\Program Files\Norton AntiVirus\Quarantine\77416314.exe/InpB/Tvm.exe Infected: not-a-virus:AdWare.Win32.TotalVelocity.v skipped
C:\Program Files\Norton AntiVirus\Quarantine\77416314.exe/InpB Infected: not-a-virus:AdWare.Win32.TotalVelocity.v skipped
C:\Program Files\Norton AntiVirus\Quarantine\77416314.exe CAB: infected - 4 skipped
C:\Program Files\Norton AntiVirus\Quarantine\77416314.exe CryptFF: infected - 4 skipped
C:\Program Files\Norton AntiVirus\Quarantine\77AC249B.tmp Infected: Trojan.Win32.EliteBar.f skipped
C:\Program Files\Norton AntiVirus\Quarantine\77FC1A64.dll Infected: not-a-virus:AdWare.Win32.EZula.bn skipped
C:\Program Files\Norton AntiVirus\Quarantine\7A7271C4.exe Infected: Trojan-Dropper.Win32.Agent.tb skipped
C:\Program Files\Norton AntiVirus\Quarantine\7A9851E5.exe Infected: Trojan.Win32.Crypt.t skipped
C:\Program Files\Norton AntiVirus\Quarantine\7A9B1F55.exe Infected: Net-Worm.Win32.Mytob.bk skipped
C:\Program Files\Norton AntiVirus\Quarantine\7A9B7BE2.exe Infected: not-a-virus:AdWare.Win32.BookedSpace.e skipped
C:\Program Files\Norton AntiVirus\Quarantine\7AA24FDB.exe Infected: not-a-virus:AdWare.Win32.BetterInternet.ah skipped
C:\Program Files\Norton AntiVirus\Quarantine\7AA24FDB.frB Infected: Trojan.Win32.Crypt.t skipped
C:\Program Files\Norton AntiVirus\Quarantine\7AA579D7.exe Infected: Trojan.Win32.Crypt.t skipped
C:\Program Files\Norton AntiVirus\Quarantine\7B2C4AF7.exe Infected: Trojan-Dropper.Win32.Small.yn skipped
C:\Program Files\Norton AntiVirus\Quarantine\7B3A4328.exe Infected: Trojan-Dropper.Win32.Agent.tb skipped
C:\Program Files\Norton AntiVirus\Quarantine\7B654E27.exe Infected: Trojan-Downloader.Win32.Agent.qg skipped
C:\Program Files\Norton AntiVirus\Quarantine\7B6F4C1C.dll Infected: not-a-virus:AdWare.Win32.WinAD.af skipped
C:\Program Files\Norton AntiVirus\Quarantine\7B6F4C1C.ocx Infected: Trojan-Downloader.Win32.VB.ov skipped
C:\Program Files\Norton AntiVirus\Quarantine\7B727619.dll Infected: not-a-virus:AdWare.Win32.EZula.bn skipped
C:\Program Files\Norton AntiVirus\Quarantine\7B762015.dll Infected: not-a-virus:AdWare.Win32.EZula.bn skipped
C:\Program Files\Norton AntiVirus\Quarantine\7B794A12.dll Infected: not-a-virus:AdWare.Win32.EZula.bn skipped
C:\Program Files\Norton AntiVirus\Quarantine\7B794A12.exe Infected: Trojan-Downloader.Win32.Dyfuca.ei skipped
C:\Program Files\Norton AntiVirus\Quarantine\7B7C740E.dll Infected: not-a-virus:AdWare.Win32.CASClient.a skipped
C:\Program Files\Norton AntiVirus\Quarantine\7B801E0A.tmp Infected: not-a-virus:AdWare.Win32.SafeSurfing.x skipped
C:\Program Files\Norton AntiVirus\Quarantine\7B834807.exe/data0006 Infected: Backdoor.Win32.HacDef.bo skipped
C:\Program Files\Norton AntiVirus\Quarantine\7B834807.exe NSIS: infected - 1 skipped
C:\Program Files\Norton AntiVirus\Quarantine\7B834807.exe CryptFF: infected - 1 skipped
C:\Program Files\Norton AntiVirus\Quarantine\7B867203.cpl Infected: Trojan-Downloader.Win32.Qoologic.ad skipped
C:\Program Files\Norton AntiVirus\Quarantine\7B891C00.dll Infected: Trojan-Downloader.Win32.IstBar.gen skipped
C:\Program Files\Norton AntiVirus\Quarantine\7C06189C.exe Infected: Trojan-Dropper.Win32.Agent.tb skipped
C:\Program Files\Norton AntiVirus\Quarantine\7C8B15FB.exe Infected: Trojan.Win32.Crypt.d skipped
C:\Program Files\Norton AntiVirus\Quarantine\7CCA6FC4.exe Infected: Trojan-Dropper.Win32.Small.yn skipped
C:\Program Files\Norton AntiVirus\Quarantine\7D370267.dll Infected: not-a-virus:AdWare.Win32.PurityScan.ak skipped
C:\Program Files\Norton AntiVirus\Quarantine\7D3A2C63.dll Infected: not-a-virus:AdWare.Win32.SafeSurfing.r skipped
C:\Program Files\Norton AntiVirus\Quarantine\7D3E5660.dll Infected: not-a-virus:AdWare.Win32.EZula.bn skipped
C:\Program Files\Norton AntiVirus\Quarantine\7D41005C.dll Infected: not-a-virus:AdWare.Win32.EZula.bn skipped
C:\Program Files\Norton AntiVirus\Quarantine\7D442A58.dll Infected: not-a-virus:AdWare.Win32.EZula.bn skipped
C:\Program Files\Norton AntiVirus\Quarantine\7D475455.dll Infected: not-a-virus:AdWare.Win32.EZula.bn skipped
C:\Program Files\Norton AntiVirus\Quarantine\7D4B7E51.dll Infected: not-a-virus:AdWare.Win32.EZula.bn skipped
C:\Program Files\Norton AntiVirus\Quarantine\7D4E284E.dll Infected: not-a-virus:AdWare.Win32.EZula.bn skipped
C:\Program Files\Norton AntiVirus\Quarantine\7D5C4235.exe Infected: Trojan-Downloader.Win32.Agent.aaf skipped
C:\Program Files\Norton AntiVirus\Quarantine\7D5F6C32.dll Infected: not-a-virus:AdWare.Win32.WinAD.w skipped
C:\Program Files\Norton AntiVirus\Quarantine\7D5F6C32.exe Infected: Trojan-Downloader.Win32.Agent.aaf skipped
C:\Program Files\Norton AntiVirus\Quarantine\7D63162E.dll Infected: not-a-virus:AdWare.Win32.CASClient.d skipped
C:\Program Files\Norton AntiVirus\Quarantine\7E475B4A.exe Infected: Trojan-Clicker.Win32.VB.ij skipped
C:\Program Files\Norton AntiVirus\Quarantine\7F7D6FF5.dll Infected: Trojan.Win32.EliteBar.g skipped
C:\Program Files\Norton AntiVirus\Quarantine\7F7D6FF5.exe Infected: Trojan.Win32.EliteBar.g skipped
C:\Program Files\Norton AntiVirus\Quarantine\7FAE65BF.exe Infected: Trojan-Clicker.Win32.VB.ij skipped
C:\Program Files\Oemji\Toolbar\OemjiSrc.dll Infected: not-a-virus:AdWare.Win32.Nomeh.a skipped
C:\Program Files\Yahasoft\Cache\00004087_44770f79_000baeb9 Infected: Exploit.Win32.MS05-013.gen skipped
C:\Program Files\Yahasoft\Cache\0000759d_447338b5_000d8c5e Infected: Trojan-Spy.HTML.Bayfraud.ib skipped
C:\Program Files\Yahasoft\lsa0_qcx.exe Infected: Trojan.Win32.Crypt.t skipped
C:\Program Files\Yahasoft\WinGenerics.dll Infected: Trojan.Win32.Crypt.t skipped
C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP208\A0023854.exe Infected: Backdoor.Win32.Haxdoor.hx skipped
C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP210\A0023882.EXE Infected: not-a-virus:AdWare.Win32.Bestofer.d skipped
C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP210\A0023883.exe Infected: not-a-virus:AdWare.Win32.Bestofer.e skipped
C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP221\A0024430.exe Infected: not-a-virus:AdWare.Win32.CASClient.c skipped
C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP239\A0026259.dll Infected: not-a-virus:AdWare.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP266\A0029501.exe Infected: Trojan-Downloader.Win32.VB.kq skipped
C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP266\A0029542.exe Infected: Trojan-Dropper.Win32.Delf.ev skipped
C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP266\A0029543.dll Infected: not-a-virus:AdWare.Win32.Nomeh.a skipped
C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP266\A0029545.dll Infected: not-a-virus:AdWare.Win32.Nomeh.b skipped
C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP266\A0029546.exe Infected: not-a-virus:AdWare.Win32.Nomeh.b skipped
C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP266\A0029548.exe Infected: not-a-virus:AdWare.Win32.Mirar.d skipped
C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP266\A0029549.dll Infected: not-a-virus:AdWare.Win32.Mirar.b skipped
C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP274\A0030630.dll Infected: not-a-virus:AdWare.Win32.E2Give.d skipped
C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP274\A0030631.exe Infected: Trojan-Downloader.Win32.Small.bgl skipped
C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP274\A0030632.exe Infected: Trojan-Downloader.Win32.Small.bgl skipped
C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP274\A0030633.dll Infected: not-a-virus:AdWare.Win32.E2Give.d skipped
C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP274\A0030634.exe Infected: Trojan-Downloader.Win32.Small.bgl skipped
C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP274\A0030635.exe Infected: Trojan-Downloader.Win32.Small.bgl skipped
C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP274\A0030636.exe Infected: Trojan-Downloader.Win32.Small.bgl skipped
C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP274\A0030638.exe/data.rar/mrjj.exe Infected: Trojan.Win32.LowZones.am skipped
C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP274\A0030638.exe/data.rar Infected: Trojan.Win32.LowZones.am skipped
C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP274\A0030638.exe RarSFX: infected - 2 skipped
C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP274\A0030638.exe CryptFF: infected - 2 skipped
C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP274\A0030639.EXE/WISE0001.BIN Infected: not-a-virus:AdWare.Win32.VirtualBouncer.j skipped
C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP274\A0030639.EXE WiseSFX: infected - 1 skipped
C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP274\A0030639.EXE WiseSFX Dropper: infected - 1 skipped
C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP274\A0030639.EXE CryptFF: infected - 1 skipped
C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP274\A0030649.exe Infected: Trojan-Downloader.Win32.Qoologic.ac skipped
C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP274\A0030650.exe Infected: Trojan-Downloader.Win32.Qoologic.al skipped
C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP274\A0030651.exe Infected: Trojan-Downloader.Win32.Qoologic.ac skipped
C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP274\A0030652.dll Infected: Trojan-Downloader.Win32.Qoologic.ac skipped
C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP274\A0030653.exe Infected: Trojan-Downloader.Win32.Qoologic.ac skipped
C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP274\A0030654.exe Infected: Trojan-Downloader.Win32.Qoologic.ac skipped
C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP274\A0030655.exe Infected: Trojan-Downloader.Win32.Qoologic.ac skipped
C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP274\A0030656.exe Infected: Trojan-Downloader.Win32.Qoologic.ac skipped
C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP274\A0030657.dll Infected: Trojan-Downloader.Win32.Qoologic.ac skipped
C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP274\A0030658.exe Infected: Trojan-Downloader.Win32.Qoologic.ac skipped
C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP274\A0030659.dll Infected: Trojan-Downloader.Win32.Qoologic.ac skipped
C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP274\A0030660.dll Infected: Trojan-Downloader.Win32.Qoologic.ae skipped
C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP274\A0030662.exe/WISE0001.BIN Infected: not-a-virus:AdWare.Win32.VirtualBouncer.j skipped
C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP274\A0030662.exe WiseSFX: infected - 1 skipped
C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP274\A0030662.exe WiseSFX Dropper: infected - 1 skipped
C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP274\A0030662.exe CryptFF: infected - 1 skipped
C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP274\A0030665.exe Infected: not-a-virus:AdWare.Win32.DelphinMediaViewer.f skipped
C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP274\A0030666.exe Infected: not-a-virus:Downloader.Win32.Agent.f skipped
C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP274\A0030667.exe Infected: not-a-virus:Downloader.Win32.Agent.e skipped
C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP274\A0030668.exe Infected: not-a-virus:Downloader.Win32.Agent.f skipped
C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP274\A0030669.exe Infected: not-a-virus:Downloader.Win32.Agent.e skipped
C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP274\A0030670.exe Infected: not-a-virus:Downloader.Win32.Agent.e skipped
C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP274\A0030671.exe Infected: not-a-virus:Downloader.Win32.Agent.e skipped
C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP274\A0030675.dll Infected: not-a-virus:AdWare.Win32.SurfSide.aa skipped
C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP274\A0030676.exe Infected: not-a-virus:AdWare.Win32.SurfSide.aa skipped
C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP274\A0030677.dll Infected: not-a-virus:AdWare.Win32.SurfSide.t skipped
C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP274\A0030678.exe Infected: Trojan-Dropper.Win32.Small.qn skipped
C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP274\A0030679.exe/InpB/SskBho.dll Infected: not-a-virus:AdWare.Win32.SurfSide.t skipped
C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP274\A0030679.exe/InpB/SskCore.dll Infected: not-a-virus:AdWare.Win32.SurfSide.aa skipped
C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP274\A0030679.exe/InpB/Ssk.exe Infected: not-a-virus:AdWare.Win32.SurfSide.aa skipped
C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP274\A0030679.exe/InpB/Ssk3RepairInstall.exe Infected: not-a-virus:AdWare.Win32.SurfSide.t skipped
C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP274\A0030679.exe/InpB Infected: not-a-virus:AdWare.Win32.SurfSide.t skipped
C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP274\A0030679.exe CAB: infected - 5 skipped
C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP274\A0030679.exe CryptFF: infected - 5 skipped
C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP274\A0030683.dll Infected: Trojan-Spy.Win32.Agent.gk skipped
C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP274\A0030684.exe Infected: Trojan-Downloader.Win32.Small.afq skipped
C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP274\A0030685.exe Infected: Trojan.Win32.Delf.og skipped
C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP274\A0030686.exe Infected: Trojan.Win32.Delf.og skipped
C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP274\A0030687.dll Infected: Trojan-Spy.Win32.Agent.gk skipped
C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP274\A0030689.exe Infected: Trojan-Downloader.Win32.Small.bke skipped
C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP274\A0030690.exe Infected: Trojan-Downloader.Win32.VB.hw skipped
C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP274\A0030691.dll Infected: not-a-virus:AdWare.Win32.Suggestor.o skipped
C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP278\A0030918.dll Infected: Trojan.Win32.Crypt.t skipped
C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP278\A0030919.exe Infected: Trojan.Win32.Crypt.t skipped
C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP280\A0031048.exe/data.rar/archive comment Infected: Trojan.Win32.Favadd.f skipped
C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP280\A0031048.exe/data.rar Infected: Trojan.Win32.Favadd.f skipped
C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP280\A0031048.exe RarSFX: infected - 2 skipped
C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP280\A0031056.DLL Infected: not-a-virus:AdWare.Win32.MyWay.j skipped
C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP280\A0031057.EXE Infected: not-a-virus:AdWare.Win32.MyWay.b skipped
C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP280\A0031059.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.p skipped
C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP280\A0031060.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP280\A0031061.DLL Infected: not-a-virus:AdWare.Win32.FunWeb.d skipped
C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP280\A0031062.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP280\A0031063.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP280\A0031064.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.l skipped
C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP280\A0031065.SCR Infected: not-a-virus:AdWare.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP280\A0031066.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.t skipped
C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP280\A0031067.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP280\A0031068.EXE Infected: not-a-virus:AdWare.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP280\A0031069.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.l skipped
C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP280\A0031070.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP280\A0031071.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.f skipped
C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP280\A0031072.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP280\A0031073.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.l skipped
C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP280\A0031074.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP280\A0031075.EXE Infected: not-a-virus:AdWare.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP280\A0031076.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.q skipped
C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP280\A0031077.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP280\A0031078.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.i skipped
C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP280\A0031079.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP280\A0031080.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP280\A0031081.SCR Infected: not-a-virus:AdWare.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP280\A0031082.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP280\A0031083.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP280\A0031084.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP280\A0031085.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP280\A0031086.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP280\A0031087.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP280\A0031088.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP280\A0031090.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.c skipped
C:\WINDOWS\Buddy.exe Infected: not-a-virus:AdWare.Win32.BetterInternet.am skipped
C:\WINDOWS\Downloaded Program Files\installer_PIVOTAL_6_DB.exe/stream/data0001 Infected: not-a-virus:AdWare.Win32.BargainBuddy.ah skipped
C:\WINDOWS\Downloaded Program Files\installer_PIVOTAL_6_DB.exe/stream Infected: not-a-virus:AdWare.Win32.BargainBuddy.ah skipped
C:\WINDOWS\Downloaded Program Files\installer_PIVOTAL_6_DB.exe NSIS: infected - 2 skipped
C:\WINDOWS\inst_pivotal_6_db.exe Infected: not-a-virus:AdWare.Win32.BargainBuddy.ah skipped
C:\WINDOWS\ssupreme.exe/stream/data0005 Infected: not-a-virus:AdWare.Win32.MegaSearch.b skipped
C:\WINDOWS\ssupreme.exe/stream Infected: not-a-virus:AdWare.Win32.MegaSearch.b skipped
C:\WINDOWS\ssupreme.exe NSIS: infected - 2 skipped
C:\WINDOWS\system32\drivers\mouiodrv.sys Infected: Rootkit.Win32.Agent.ao skipped
C:\WINDOWS\system32\iolrv42a.exe Infected: Trojan.Win32.Crypt.t skipped
C:\WINDOWS\woinstall.exe/WISE0001.BIN Infected: not-a-virus:AdWare.Win32.EZula.ak skipped
C:\WINDOWS\woinstall.exe WiseSFX: infected - 1 skipped

Scan process completed.

----------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 10:16:11 PM, on 6/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
C:\Program Files\OLYMPUS\DeviceDetector\DevDtct2.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://juno.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O4 - Global Startup: Device Detector 2.lnk = C:\Program Files\OLYMPUS\DeviceDetector\DevDtct2.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://scan.safety.live.com/resource...scbase5059.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1131822988625
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} (Symantec Download Bridge) - http://a248.e.akamai.net/f/248/5462/...l/SymDlBrg.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/tech...l/SymAData.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326
O18 - Filter: text/html - (no CLSID) - (no file)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O20 - Winlogon Notify: SDNotify - C:\Program Files\SpywareDetector\SDNotify.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
Old 06-12-2006, 08:47 AM   #10 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,618
OS: 2000 Pro; XP Pro; XP Home


It is no surprise this system has problems running correctly. It has been choked with infections.

Quote:
The only problem I ran across with these instructions was that I got a funny reply when I tried to run regsvr32 /u ocache.dll . The message was:
DllunregisterServer is occache.dll succeeded.
I wasn't able to delete any of the files you listed.

The message is normal. We're exposing hidden files in the Downloaded Program Files directory with that command. The next command after the file deletions resets it as it was.

You didn't see any of the files listed to delete? Or they resisted deletion?

Did you have System files/folders still viewable from previous instructions?

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Also make sure there is no checkmark beside Hide file extensions for known file types
* Click Yes to confirm and then click OK.

I need this information before we proceed. As you can see, there are still several infected files present, a couple of which I had previously listed for you to remove.

Before you post, please delete the contents of this folder:

C:\Program Files\Norton AntiVirus\Quarantine
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
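
The scan log above mixes hits in Norton's Quarantine folder, hits inside System Restore points, and hits on files still sitting on disk, and the reply asks for the first to be emptied while the last are what still need manual removal. The following is an added example, not part of the thread or of any tool it mentions: it splits such a log by location, collapses archive members onto the file that holds them, and checks the live files against a removal list. The two regular expressions and the function names are assumptions inferred from the log lines on this page; the sample lines and the list are subsets copied from the thread.

```python
import re
from collections import defaultdict

# Subset of the scan log posted in this thread, copied as-is.
SAMPLE_LOG = r"""
C:\Program Files\Norton AntiVirus\Quarantine\7F7D6FF5.exe Infected: Trojan.Win32.EliteBar.g skipped
C:\Program Files\Yahasoft\WinGenerics.dll Infected: Trojan.Win32.Crypt.t skipped
C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP274\A0030638.exe/data.rar/mrjj.exe Infected: Trojan.Win32.LowZones.am skipped
C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP274\A0030638.exe/data.rar Infected: Trojan.Win32.LowZones.am skipped
C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP274\A0030638.exe RarSFX: infected - 2 skipped
C:\WINDOWS\Buddy.exe Infected: not-a-virus:AdWare.Win32.BetterInternet.am skipped
C:\WINDOWS\woinstall.exe/WISE0001.BIN Infected: not-a-virus:AdWare.Win32.EZula.ak skipped
C:\WINDOWS\woinstall.exe WiseSFX: infected - 1 skipped
C:\WINDOWS\system32\drivers\mouiodrv.sys Infected: Rootkit.Win32.Agent.ao skipped
"""

# Subset of the manual removal list given later in this thread.
REMOVAL_LIST = [
    r"c:\windows\Buddy.exe",
    r"c:\windows\woinstall.exe",
    r"C:\WINDOWS\system32\drivers\mouiodrv.sys",
]

# "<path> Infected: <detection name> skipped"
DETECTION = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) skipped$")
# "<path> <container type>: infected - <n> skipped" (per-container summary line)
CONTAINER = re.compile(r"^.+? [\w ]+: infected - \d+ skipped$")


def host_file(scan_path):
    """Return the file on disk for a scanner path.

    Members of archives and installers are written as
    <file on disk>/<member>/<member>; "/" never occurs in a Windows file name.
    """
    return scan_path.split("/", 1)[0]


def classify(path):
    """Place a file in one of three locations that call for different handling."""
    p = path.lower()
    if "\\system volume information\\_restore{" in p:
        return "system_restore"   # copies kept inside restore points
    if "\\norton antivirus\\quarantine\\" in p:
        return "av_quarantine"    # copies the resident antivirus already isolated
    return "live"                 # ordinary files on disk


def triage(log_text):
    """Group detections as {location: {file on disk: {detection names}}}.

    Lines that match neither known pattern are returned separately so that
    nothing is dropped silently.
    """
    groups = {k: defaultdict(set) for k in ("live", "system_restore", "av_quarantine")}
    unparsed = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = DETECTION.match(line)
        if m:
            host = host_file(m.group("path"))
            groups[classify(host)][host].add(m.group("name"))
        elif CONTAINER.match(line):
            continue  # summary of a container whose members were already counted
        else:
            unparsed.append(line)
    return groups, unparsed


def split_live_by_list(groups, removal_list):
    """Split live files into (on the removal list, not on it), ignoring case."""
    wanted = {p.lower() for p in removal_list}
    live = sorted(groups["live"])
    listed = [h for h in live if h.lower() in wanted]
    unlisted = [h for h in live if h.lower() not in wanted]
    return listed, unlisted


if __name__ == "__main__":
    groups, unparsed = triage(SAMPLE_LOG)
    for location, files in groups.items():
        print(f"{location}: {len(files)} file(s)")
    listed, unlisted = split_live_by_list(groups, REMOVAL_LIST)
    print("live and on the removal list:", listed)
    print("live and not on this subset of the list:", unlisted)
    print("unparsed lines:", unparsed)
```
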
Old 06-12-2006, 07:02 PM   #11 (permalink)
Registered User
 
Join Date: May 2006
Posts: 9
OS: Win XP


I have deleted the contents of the file you requested and emptied the recycle bin. Here are the answers to the questions you posted.

You didn't see any of the files listed to delete? Or they resisted deletion?

There were not any files listed at all - it went straight to the error message I gave earlier.

Did you have System files/folders still viewable from previous instructions?

Yes. I checked with the instructions you gave me and all the right things were still checked.

I hope this helps in deciding the next step. Thanks again.
Old 06-12-2006, 07:55 PM   #12 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,618
OS: 2000 Pro; XP Pro; XP Home


Ok...I think you misunderstand what is supposed to happen when you perform that command.

It is not an error message. It is telling you that the command has performed successfully.

You then need to manually look for and delete each of those files in the list...it is not a tool, it is only a helpful command. Files in the Downloaded Program Files directory may hide from view without it.

Now that I think we've straightened that out....I will repeat these instructions....

---------------------------------------------------------------------------------------------

Go to Start>Run then copy and paste, or type the following, then press Enter:

regsvr32 /u occache.dll

Now you must search for these files. Using Windows Explorer, (WinKey + E) navigate to each file/folder. Delete them if present:


c:\windows\system32\key.~
c:\windows\downloaded program files\ATPartners.inf
c:\windows\downloaded program files\f3initialsetup1.0.0.8-2.inf
c:\windows\inf\addremln.inf
c:\windows\inf\alchem.inf
c:\windows\inf\conscorr.inf
C:\Documents and Settings\Owner\Application Data\defaultgood.wl
C:\Documents and Settings\Owner\Application Data\Sskcwrd.dll
C:\Documents and Settings\Owner\Application Data\tvmknwrd.dll
c:\windows\Buddy.exe
c:\windows\hisistheurls.exe
c:\windows\ubber60.ini
c:\windows\woinstall.exe
C:\Documents and Settings\Owner\Start Menu\Programs\AdDestroyer
c:\program files\common files\Slmss
c:\program files\common files\WinSoftware
c:\program files\dialers
c:\program files\joystick networks
c:\program files\MySearch
c:\program files\MyWebSearch
C:\Documents and Settings\Owner\Favorites\-Autos-
C:\Documents and Settings\Owner\Favorites\Finances & Business
C:\Documents and Settings\Owner\Application Data\Registry Cleaner
c:\windows\STWSI
c:\documents and settings\all users\application data\nsv
c:\documents and settings\all users\application data\VBouncer
c:\documents and settings\all users\application data\vidctrl
C:\Documents and Settings\Owner\Application Data\rawh\ctxad-247.0000[NDrv.dll]
C:\Documents and Settings\Owner\Application Data\rawh\ctxad-250.0000[NDrv.dll]
C:\Documents and Settings\Owner\Desktop\My Downloads\aproposfix\backups
C:\WINDOWS\inst_pivotal_6_db.exe
C:\WINDOWS\ssupreme.exe
C:\WINDOWS\system32\drivers\mouiodrv.sys
C:\WINDOWS\system32\iolrv42a.exe


Now, we will reset Windows occache.dll

Go to Start>Run then copy and paste, or type the following, then press Enter:

regsvr32 occache.dll

---------------------------------------------------------------------------------------------

Next, please do this:

CLEAR & RESET SYSTEM RESTORE'S CACHE

Go to Start >> Run - type or copy/paste control sysdm.cpl,,4 & press Enter

* Tick on the checkbox - Turn off System Restore on all drives
* Click Apply

Turn it back 'On' by unticking the same checkbox & click Apply, and then OK

---------------------------------------------------------------------------------------------

Next.....

Right click on this link http://www.mvps.org/winhelp2002/DelDomains.inf and choose Save As. Save it to your desktop. Right click on that file and choose Install. It will run immediately (you won't be able to see anything happen). You may delete it afterwards. NOTE: This script will delete any sites you may have added to the Trusted Sites. So if you want them back, you have to add them back to the Trusted Sites again.

---------------------------------------------------------------------------------------------

Finally.....

* Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Double-click the drweb-cureit.exe file and allow it to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can click next icon next to the files found:
  • If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:

    This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples)
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.

Also post a new HJT log.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
Old 06-17-2006, 04:20 PM   #13 (permalink)
Registered User
 
Join Date: May 2006
Posts: 9
OS: Win XP


OK. I think I got it now. I have been working on this for a couple of nights this week but it has taken a while to run Dr. Web Cureit. Here are the logs.

Thanks

-------------------------------------

00005a3d_441ecbd1_000cdfe6\javascript.0;C:\Documents and Settings\Owner\DoctorWeb\Quarantine\00005a3d_441ecbd1_000cdfe6;Trojan.DownLoader.7489;;
00005a3d_441ecbd1_000cdfe6\javascript.1;C:\Documents and Settings\Owner\DoctorWeb\Quarantine\00005a3d_441ecbd1_000cdfe6;Trojan.DownLoader.7489;;
00005a3d_441ecbd1_000cdfe6;C:\Documents and Settings\Owner\DoctorWeb\Quarantine;Archive contains infected objects;Moved.;
lsa0_qcx.exe;C:\Program Files\Yahasoft;Adware.Apropos;Incurable.Moved.;
WinGenerics.dll;C:\Program Files\Yahasoft;Adware.Apropos;Incurable.Moved.;
Dc11.exe;C:\RECYCLER\S-1-5-21-829923665-265014133-1663686664-1003;Adware.BargainBuddy;Incurable.Moved.;
Dc13.exe;C:\RECYCLER\S-1-5-21-829923665-265014133-1663686664-1003;Adware.Apropos;Incurable.Moved.;
Dc4.exe;C:\RECYCLER\S-1-5-21-829923665-265014133-1663686664-1003;Adware.BetterInternet;Incurable.Moved.;
ace.dll;C:\RECYCLER\S-1-5-21-829923665-265014133-1663686664-1003\Dc16;Adware.Apropos;Incurable.Moved.;
basrtdll.exe;C:\RECYCLER\S-1-5-21-829923665-265014133-1663686664-1003\Dc16;Adware.Apropos;Incurable.Moved.;
lsa0_qcx.exe;C:\RECYCLER\S-1-5-21-829923665-265014133-1663686664-1003\Dc16;Adware.Apropos;Incurable.Moved.;
WinGenerics.dll;C:\RECYCLER\S-1-5-21-829923665-265014133-1663686664-1003\Dc16;Adware.Apropos;Incurable.Moved.;


----------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 4:18:04 PM, on 6/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
C:\Program Files\OLYMPUS\DeviceDetector\DevDtct2.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Messenger\msmsgs.exe
C:\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://juno.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O4 - Global Startup: Device Detector 2.lnk = C:\Program Files\OLYMPUS\DeviceDetector\DevDtct2.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://scan.safety.live.com/resource...scbase5059.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1131822988625
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} (Symantec Download Bridge) - http://a248.e.akamai.net/f/248/5462/...l/SymDlBrg.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/tech...l/SymAData.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326
O18 - Filter: text/html - (no CLSID) - (no file)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O20 - Winlogon Notify: SDNotify - C:\Program Files\SpywareDetector\SDNotify.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
jonas20h is offline  
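An added example, not part of the original post: a small Python triage of the semicolon-delimited Dr.Web CureIt report posted above. The field names (object, folder, threat, action) are assumptions inferred from the posted lines, and a row with an empty action is resolved through the archive row that contains it, as with the javascript.0 entries inside the moved archive.

```python
import csv
import io
from collections import Counter

# Four lines copied from the report posted above.
REPORT_LINES = r"""00005a3d_441ecbd1_000cdfe6\javascript.0;C:\Documents and Settings\Owner\DoctorWeb\Quarantine\00005a3d_441ecbd1_000cdfe6;Trojan.DownLoader.7489;;
00005a3d_441ecbd1_000cdfe6;C:\Documents and Settings\Owner\DoctorWeb\Quarantine;Archive contains infected objects;Moved.;
lsa0_qcx.exe;C:\Program Files\Yahasoft;Adware.Apropos;Incurable.Moved.;
Dc4.exe;C:\RECYCLER\S-1-5-21-829923665-265014133-1663686664-1003;Adware.BetterInternet;Incurable.Moved.;
"""
# Constructed line (not from the report): a detection with no recorded action.
CONSTRUCTED_LINE = r"example.dll;C:\Example;Adware.Apropos;;" + "\n"


def parse_report(text):
    """Split each report line into object, folder, threat and action."""
    rows = []
    reader = csv.reader(io.StringIO(text), delimiter=";", quoting=csv.QUOTE_NONE)
    for fields in reader:
        if len(fields) < 4:
            continue  # blank or malformed line
        obj, folder, threat, action = (f.strip() for f in fields[:4])
        rows.append({"object": obj, "folder": folder,
                     "threat": threat, "action": action})
    return rows


def full_path(row):
    # Windows paths are case-insensitive, so compare in lower case.
    return (row["folder"] + "\\" + row["object"]).lower()


def summarize(rows):
    """Count detections per threat name and list objects not marked Moved.

    An archive member has an empty action of its own; its folder column is
    the archive's full path, so the archive row's action is used instead.
    """
    by_path = {full_path(r): r for r in rows}
    containers = {r["folder"].lower() for r in rows} & by_path.keys()
    families = Counter()
    needs_review = []
    for r in rows:
        if full_path(r) in containers:
            continue  # archive row itself; its members are counted instead
        families[r["threat"]] += 1
        action = r["action"]
        if not action:
            parent = by_path.get(r["folder"].lower())
            action = parent["action"] if parent else ""
        if "moved" not in action.lower():
            needs_review.append(r["object"])
    return families, needs_review


if __name__ == "__main__":
    families, review = summarize(parse_report(REPORT_LINES + CONSTRUCTED_LINE))
    for name, count in families.most_common():
        print(f"{count:3d}  {name}")
    print("not marked Moved:", review)
```

Only the action strings visible in the posted report are recognised; any other action text lands in the review list rather than being assumed safe.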
Old 06-17-2006, 05:25 PM   #14 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,618
OS: 2000 Pro; XP Pro; XP Home


Right. Good work. Before we do anything else, how is your system behaving now, please?
tetonbob is offline  
Old 06-21-2006, 05:17 PM   #15 (permalink)
Registered User
 
Join Date: May 2006
Posts: 9
OS: Win XP


Everything is running good. No pop ups for a while. Thank you for all your help. Unless there is something else I should do I think it is all set.
jonas20h is offline  
Old 06-21-2006, 07:58 PM   #16 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,618
OS: 2000 Pro; XP Pro; XP Home


One more odd bit to take care of, and some final housekeeping and protection instructions for you.

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries if they exist (make sure you do not miss any) and click Fix Checked

O18 - Filter: text/html - (no CLSID) - (no file)

---------------------------------------------------------------------------------------------

Well done. Your logs are clean. Any more issues? If not you should be good to go. We still have a few items to address.


Reset hidden/system files and folders
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Deselect the Show hidden files and folders option.
  • Select the Hide file extensions for known types option.
  • Select the Hide protected operating system files option.
  • Click Yes to confirm.
  • Click OK.

Create a new System Restore point
  • click Start >> Run - type SYSDM.CPL & press Enter
  • select the System Restore Tab
  • tick on the checkbox - "Turn off System Restore on all drives"
  • click Apply
  • then untick the same checkbox & click OK

Please ensure that you have already patched your system against the recent WMF exploit.
Go to this page to get the KB912919 patch.

Enable Windows Auto Update
  • Go to Start>Run - type wuaucpl.cpl
  • tick on the checkbox - "Keep my computer up to date"
  • Under settings, choose "Automatically download the updates, and install them on the schedule that I specify".
  • Click on "OK".

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:
  • SpywareBlaster to help prevent spyware from installing in the first place.
    • Install & update SpywareBlaster with the latest definitions.
      After you have updated, click the button - enable protection for all unprotected items
  • SpywareGuard to catch and block spyware before it can execute.
  • SPYBOT - SEARCH & DESTROY
    Download and install Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software. A tutorial on installing & using this product can be found here
  • AD-AWARE
    Download and install Ad-Aware. You should use this program to scan your computer on a regular basis just as you would an antivirus software in conjunction with Spybot. A tutorial on installing & using this product can be found here
  • Winpatrol - Download and install the free version of Winpatrol.
    A tutorial for this product is located here:
    Using Winpatrol to protect your computer from malicious software

  • IE-SPYAD - IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impairs attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
    • Download IE-SpyAD - Extract the contents to a new folder
      From within the folder, double-click install.bat
      Select Option #2 - Install the new IE-SPYAD list.
      Then return to the main menu.
      Select option #4 - Add the old porn sites domain


  • MVPS HOST FILE
    The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer.
    • Download Host.zip to your desktop.
    • From your Desktop right-click (hosts.zip) and select:
      Extract All from the menu.
    • Click Next, click Next, select the option:
      "Show Extracted files", click Finish
    • This will open the newly created hosts folder on your Desktop.
    • Double-click on the included mvps.bat file, this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine.


  • ANTIVIRUS SOFTWARE
    It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online antivirus scanners:

    Anti-Spyware Tutorial

    Here are two very good free Antivirus products which are available:
  • Avast!

  • AVG

If you do not have a firewall, here are 4 free ones available for personal use:


In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles
If you want to fight back the Malware Writers that have made your life a misery, please take a look here and read what you can do against it.

Please respond to this thread one more time so we can mark this thread as resolved.
tetonbob is offline  
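An added example, not part of the original post: a Python pass over HijackThis entry lines that lists the ones whose target HijackThis itself could not resolve, such as the O18 filter entry fixed above. The sample lines are copied from the log posted earlier in the thread; the function names are hypothetical, and treating a trailing "= ?" as an unresolved shortcut target is an assumption. The output is a review list for the analyst, not a list of entries to fix.

```python
import re
from collections import Counter

# Entry lines look like "O20 - Winlogon Notify: ..."; header and process
# lines do not match this pattern and are skipped.
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")

# Markers that appear in the posted log when a target cannot be resolved.
MARKERS = ("(file missing)", "(no file)", "(no CLSID)")

# Lines copied from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://juno.com/
O4 - Global Startup: hpoddt01.exe.lnk = ?
O18 - Filter: text/html - (no CLSID) - (no file)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: SDNotify - C:\Program Files\SpywareDetector\SDNotify.dll (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
"""


def parse_entries(log_text):
    """Return (code, body) pairs for every entry line in a HijackThis log."""
    entries = []
    for line in log_text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            entries.append((match.group(1), match.group(2)))
    return entries


def unresolved(entries):
    """Return entries carrying a marker that the target was not found."""
    flagged = []
    for code, body in entries:
        lowered = body.lower()
        reasons = [m for m in MARKERS if m.lower() in lowered]
        if body.rstrip().endswith("= ?"):
            reasons.append("= ?")  # assumption: shortcut target unknown
        if reasons:
            flagged.append({"code": code, "body": body, "reasons": reasons})
    return flagged


def section_counts(entries):
    """Count entries per HijackThis section code (R0, O4, O23, ...)."""
    return Counter(code for code, _ in entries)


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE_LOG)
    for item in unresolved(parsed):
        print(f'{item["code"]:>3}  {", ".join(item["reasons"])}  |  {item["body"]}')
    print(dict(section_counts(parsed)))
```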
Old 07-05-2006, 09:56 PM   #17 (permalink)
Registered User
 
Join Date: May 2006
Posts: 9
OS: Win XP


All this is done. It was great help. Sorry it took a few weeks to post again; I was on vacation in another state.
jonas20h is offline  

Copyright 2001 - 2009, Tech Support Forum