02-09-2007, 03:08 PM   #1
Registered User
Join Date: Feb 2007
Posts: 13
OS: Windows XP Professional

Where to begin?

I have been having all sorts of problems with my computer, and it just seems to be getting worse. I apologize if I'm not posting this in the right spot, but I honestly don't know where to start because there seems to be a variety of issues, and I don't know where they are all stemming from. I know I have a trojan virus because I have AVG on my computer and the system scan seems to pick up 1 or 2 every time I run it. My computer has been shutting down unexpectedly, amongst other issues. I have tried to update my operating system, but the computer shut down in the middle of it. I have also tried to do a McAfee Scan, but it would not load. The following is what I was able to come up with:

Here is a BitDefender report I got yesterday:
BitDefender Online Scanner

Scan report generated at: Thu, Feb 08, 2007 - 21:52:02

Scan path: C:\;D:\;

Statistics
Time: 01:43:22
Files: 477078
Folders: 4759
Boot Sectors: 2
Archives: 2047
Packed Files: 69024

Results
Identified Viruses: 6
Infected Files: 10
Suspect Files: 2
Warnings: 0
Disinfected: 0
Deleted Files: 10

Engines Info
Virus Definitions: 419487
Engine build: AVCORE v1.0 (build 2371) (i386) (Dec 13 2006 11:16:42)
Scan plugins: 14
Archive plugins: 38
Unpack plugins: 6
E-mail plugins: 6
System plugins: 1

Scan Settings
First Action: Disinfect
Second Action: Delete
Heuristics: Yes
Enable Warnings: Yes
Scanned Extensions: *;
Exclude Extensions:
Scan Emails: Yes
Scan Archives: Yes
Scan Packed: Yes
Scan Files: Yes
Scan Boot: Yes

Scanned File | Status
C:\$VAULT$.AVG\05282531.FIL | Infected with: Trojan.SpySheriff.C
C:\$VAULT$.AVG\05282531.FIL | Disinfection failed
C:\$VAULT$.AVG\05282531.FIL | Deleted
C:\$VAULT$.AVG\42130297.FIL | Infected with: Exploit.Win32.WMF-PFV.C
C:\$VAULT$.AVG\42130297.FIL | Disinfection failed
C:\$VAULT$.AVG\42130297.FIL | Deleted
C:\$VAULT$.AVG\61658765.FIL | Infected with: Trojan.SpySheriff.C
C:\$VAULT$.AVG\61658765.FIL | Disinfection failed
C:\$VAULT$.AVG\61658765.FIL | Deleted
C:\$VAULT$.AVG\83043546.FIL | Infected with: Trojan.SpySheriff.C
C:\$VAULT$.AVG\83043546.FIL | Disinfection failed
C:\$VAULT$.AVG\83043546.FIL | Deleted
C:\System Volume Information\_restore{0D907B9E-ABF7-488B-8D5D-666236B7BA4E}\RP354\A0064445.exe | Suspected of: BehavesLike:Trojan.Downloader
C:\System Volume Information\_restore{0D907B9E-ABF7-488B-8D5D-666236B7BA4E}\RP354\A0064445.exe | Disinfection failed
C:\System Volume Information\_restore{0D907B9E-ABF7-488B-8D5D-666236B7BA4E}\RP354\A0064445.exe | Deleted
C:\System Volume Information\_restore{0D907B9E-ABF7-488B-8D5D-666236B7BA4E}\RP369\A0071497.exe=>(NSIS o)=>zlib_nsis0001 | Suspected of: BehavesLike:Trojan.Downloader
C:\System Volume Information\_restore{0D907B9E-ABF7-488B-8D5D-666236B7BA4E}\RP369\A0071497.exe=>(NSIS o)=>zlib_nsis0001 | Disinfection failed
C:\System Volume Information\_restore{0D907B9E-ABF7-488B-8D5D-666236B7BA4E}\RP369\A0071497.exe=>(NSIS o)=>zlib_nsis0001 | Deleted
C:\System Volume Information\_restore{0D907B9E-ABF7-488B-8D5D-666236B7BA4E}\RP369\A0071497.exe=>(NSIS o) | Update failed
C:\System Volume Information\_restore{0D907B9E-ABF7-488B-8D5D-666236B7BA4E}\RP388\A0079344.exe | Infected with: Backdoor.Agent.SO
C:\System Volume Information\_restore{0D907B9E-ABF7-488B-8D5D-666236B7BA4E}\RP388\A0079344.exe | Disinfection failed
C:\System Volume Information\_restore{0D907B9E-ABF7-488B-8D5D-666236B7BA4E}\RP388\A0079344.exe | Deleted
C:\System Volume Information\_restore{0D907B9E-ABF7-488B-8D5D-666236B7BA4E}\RP390\A0079751.dll | Infected with: Trojan.Juan.E
C:\System Volume Information\_restore{0D907B9E-ABF7-488B-8D5D-666236B7BA4E}\RP390\A0079751.dll | Disinfection failed
C:\System Volume Information\_restore{0D907B9E-ABF7-488B-8D5D-666236B7BA4E}\RP390\A0079751.dll | Deleted
C:\System Volume Information\_restore{0D907B9E-ABF7-488B-8D5D-666236B7BA4E}\RP391\A0079787.dll | Infected with: Trojan.Juan.E
C:\System Volume Information\_restore{0D907B9E-ABF7-488B-8D5D-666236B7BA4E}\RP391\A0079787.dll | Disinfection failed
C:\System Volume Information\_restore{0D907B9E-ABF7-488B-8D5D-666236B7BA4E}\RP391\A0079787.dll | Deleted
C:\System Volume Information\_restore{0D907B9E-ABF7-488B-8D5D-666236B7BA4E}\RP395\A0082125.exe | Infected with: Trojan.Dropper.EP
C:\System Volume Information\_restore{0D907B9E-ABF7-488B-8D5D-666236B7BA4E}\RP395\A0082125.exe | Disinfection failed
C:\System Volume Information\_restore{0D907B9E-ABF7-488B-8D5D-666236B7BA4E}\RP395\A0082125.exe | Deleted
C:\WINDOWS\system32\jkkli.dll | Infected with: MemScan:Trojan.Vundo.W
C:\WINDOWS\system32\jkkli.dll | Disinfection failed
C:\WINDOWS\system32\jkkli.dll | Delete failed
C:\WINDOWS\system32\livwgchk.dll | Infected with: Trojan.Juan.E
C:\WINDOWS\system32\livwgchk.dll | Disinfection failed
C:\WINDOWS\system32\livwgchk.dll | Delete failed


_________________________________________________________________

Here is a logfile from HijackThis

Logfile of HijackThis v1.99.1
Scan saved at 4:31:04 PM, on 2/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\GENERIC\Power4 Gear\BatteryLife.exe
C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\1XConfig.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\GENERIC\Generic ChkMail\ChkMail.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Documents and Settings\Kyle Hicks\Local Settings\Temp\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [BisonCom] C:\WINDOWS\VdCap03C\BisonCom
O4 - HKLM\..\Run: [Power_Gear] C:\Program Files\GENERIC\Power4 Gear\BatteryLife.exe 1
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\uqgkxtim.dll",setvm
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [MailSkinner] c:\program files\mailskinner\mailskinner.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Generic ChkMail.lnk = C:\Program Files\GENERIC\Generic ChkMail\ChkMail.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Media Card Companion Monitor.lnk = C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by107w.bay107.mail.live.com/m...s/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\S3lsZSAgSGlja3M\command.exe (file missing)
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000272 (file missing)
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing)
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe

_________________________________________________________________

And here's a Spyware Doctor report:

Scan Results:
scan start: 2/9/2007 4:21:59 PM
scan stop: 2/9/2007 4:51:46 PM
scanned items: 97309
found items: 468
found and ignored: 0
tools used: General Scanner, Process Scanner, LSP Scanner, Startup Scanner, Registry Scanner, Browser Scanner, Browser Activity Scanner, Disk Scanner, ActiveX Scanner

Infection Name Location Risk
VSToolbar C:\Documents and Settings\Kyle Hicks\Application Data\SearchToolbarCorp Elevated
VSToolbar C:\Documents and Settings\Kyle Hicks\Application Data\SearchToolbarCorp\Toolbar Vision Elevated
VSToolbar C:\Documents and Settings\Kyle Hicks\Application Data\SearchToolbarCorp\Toolbar Vision\PageHistory.txt Elevated
VSToolbar C:\Documents and Settings\Kyle Hicks\Application Data\SearchToolbarCorp\Toolbar Vision\WebHistory.txt Elevated
Advertising C:\Documents and Settings\Kyle Hicks\Cookies\kyle__hicks@adlegend[2].txt Low
Tracking Cookie(s) C:\Documents and Settings\Kyle Hicks\Cookies\kyle__hicks@bravenet[2].txt (Remnant) Low
Drive Cleaner C:\Documents and Settings\Kyle Hicks\Cookies\kyle__hicks@drivecleaner[1].txt Medium
Affiliated with Browser Hijackers C:\Documents and Settings\Kyle Hicks\Cookies\kyle__hicks@errorsafe[2].txt Elevated
Tracking Cookie(s) C:\Documents and Settings\Kyle Hicks\Cookies\kyle__hicks@m.webtrends[2].txt Low
Tracking Cookie(s) C:\Documents and Settings\Kyle Hicks\Cookies\kyle__hicks@netster[1].txt Low
Drive Cleaner C:\Documents and Settings\Kyle Hicks\Cookies\kyle__hicks@stats.drivecleaner[2].txt Medium
Advertising C:\Documents and Settings\Kyle Hicks\Cookies\kyle__hicks@winantispyware[2].txt Low
Known Bad Sites C:\Documents and Settings\Kyle Hicks\Cookies\kyle__hicks@www.amaena[2].txt High
Drive Cleaner C:\Documents and Settings\Kyle Hicks\Cookies\kyle__hicks@www.drivecleaner[1].txt Medium
Affiliated with Browser Hijackers C:\Documents and Settings\Kyle Hicks\Cookies\kyle__hicks@www.errorsafe[1].txt Elevated
Tracking Cookie(s) C:\Documents and Settings\Kyle Hicks\Cookies\kyle__hicks@www.netster[1].txt Low
Tracking Cookie(s) C:\Documents and Settings\Kyle Hicks\Cookies\kyle__hicks@www.netster[2].txt Low
Advertising C:\Documents and Settings\Kyle Hicks\Cookies\kyle__hicks@www.winantispyware[1].txt Low
Trojan.Popuper C:\Documents and Settings\Kyle Hicks\Favorites\online security test.url High
Network Monitor C:\Documents and Settings\LocalService\Application Data\NetMon High
Network Monitor C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt High
Network Monitor C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt High
Network Monitor C:\Program Files\Network Monitor High
Common Components for Dialers C:\WINDOWS\pcconfig.dat Elevated
Virtumonde C:\WINDOWS\system32\jkkli.dll Elevated
Trojan.Muquest.A C:\WINDOWS\system32\system.req.11 Medium
Instant Access C:\WINDOWS\tmlpcert2007 High
Virtumonde Explorer.EXE (C:\WINDOWS\system32\jkkli.dll) Elevated
Virtumonde FIREFOX.EXE (C:\WINDOWS\system32\jkkli.dll) Elevated
Weird On The Web HKCR\AppID\{4C0B0548-AE0B-4008-999D-DB33B8B2EB90} Medium
Weird On The Web HKCR\AppID\{4C0B0548-AE0B-4008-999D-DB33B8B2EB90}## Medium
Weird On The Web HKCR\AppID\{7911272A-A32A-404E-8A51-EE18B99B18C4} Medium
Weird On The Web HKCR\AppID\{7911272A-A32A-404E-8A51-EE18B99B18C4}## Medium
Weird On The Web HKCR\AppID\{99C4F93D-42A7-478D-8746-4AFB6C10BC26} Medium
Weird On The Web HKCR\AppID\{99C4F93D-42A7-478D-8746-4AFB6C10BC26}## Medium
Weird On The Web HKCR\AppID\{CCEBBEB5-D011-41B5-9F92-01F88A38DC0D} Medium
Weird On The Web HKCR\AppID\{CCEBBEB5-D011-41B5-9F92-01F88A38DC0D}## Medium
Weird On The Web HKCR\AppID\AMNotifier.EXE Medium
Weird On The Web HKCR\AppID\AMNotifier.EXE## Medium
Weird On The Web HKCR\AppID\AMNotifier.EXE##AppID Medium
Weird On The Web HKCR\AppID\MPAgent.DLL Medium
Weird On The Web HKCR\AppID\MPAgent.DLL## Medium
Weird On The Web HKCR\AppID\MPAgent.DLL##AppID Medium
Trojan.Mailskinner HKCR\CLSID\{180B4EE9-1795-4429-9651-F17A6515726D} High
Trojan.Mailskinner HKCR\CLSID\{180B4EE9-1795-4429-9651-F17A6515726D}## High
Trojan.Mailskinner HKCR\CLSID\{180B4EE9-1795-4429-9651-F17A6515726D}\InprocServer32 High
Trojan.Mailskinner HKCR\CLSID\{180B4EE9-1795-4429-9651-F17A6515726D}\InprocServer32## High
Trojan.Mailskinner HKCR\CLSID\{180B4EE9-1795-4429-9651-F17A6515726D}\InprocServer32##ThreadingModel High
Trojan.Mailskinner HKCR\CLSID\{180B4EE9-1795-4429-9651-F17A6515726D}\ProgID High
Trojan.Mailskinner HKCR\CLSID\{180B4EE9-1795-4429-9651-F17A6515726D}\ProgID## High
Trojan.Mailskinner HKCR\CLSID\{180B4EE9-1795-4429-9651-F17A6515726D}\Programmable High
Trojan.Mailskinner HKCR\CLSID\{180B4EE9-1795-4429-9651-F17A6515726D}\Programmable## High
Trojan.Mailskinner HKCR\CLSID\{180B4EE9-1795-4429-9651-F17A6515726D}\TypeLib High
Trojan.Mailskinner HKCR\CLSID\{180B4EE9-1795-4429-9651-F17A6515726D}\TypeLib## High
Trojan.Mailskinner HKCR\CLSID\{180B4EE9-1795-4429-9651-F17A6515726D}\VersionIndependentProgID High
Trojan.Mailskinner HKCR\CLSID\{180B4EE9-1795-4429-9651-F17A6515726D}\VersionIndependentProgID## High
Instant Access HKCR\CLSID\{B2B0AEDF-7CDF-4792-BB67-7654AD1E1B13} High
Instant Access HKCR\CLSID\{B2B0AEDF-7CDF-4792-BB67-7654AD1E1B13}## High
Instant Access HKCR\CLSID\{B2B0AEDF-7CDF-4792-BB67-7654AD1E1B13}\InprocServer32 High
Instant Access HKCR\CLSID\{B2B0AEDF-7CDF-4792-BB67-7654AD1E1B13}\InprocServer32## High
Instant Access HKCR\CLSID\{B2B0AEDF-7CDF-4792-BB67-7654AD1E1B13}\InprocServer32##ThreadingModel High
Virtumonde HKCR\CLSID\{F8917B2A-5FEE-431D-A680-96F8C34E427D} Elevated
Virtumonde HKCR\CLSID\{F8917B2A-5FEE-431D-A680-96F8C34E427D}## Elevated
Virtumonde HKCR\CLSID\{F8917B2A-5FEE-431D-A680-96F8C34E427D}\InprocServer32 Elevated
Virtumonde HKCR\CLSID\{F8917B2A-5FEE-431D-A680-96F8C34E427D}\InprocServer32## Elevated
Virtumonde HKCR\CLSID\{F8917B2A-5FEE-431D-A680-96F8C34E427D}\InprocServer32##ThreadingModel Elevated
SmartBrowser HKCR\Interface\{00000183-C745-43D2-44F1-01A1C789C738} Elevated
SmartBrowser HKCR\Interface\{00000183-C745-43D2-44F1-01A1C789C738}## Elevated
SmartBrowser HKCR\Interface\{00000183-C745-43D2-44F1-01A1C789C738}\ProxyStubClsid Elevated
SmartBrowser HKCR\Interface\{00000183-C745-43D2-44F1-01A1C789C738}\ProxyStubClsid## Elevated
SmartBrowser HKCR\Interface\{00000183-C745-43D2-44F1-01A1C789C738}\ProxyStubClsid32 Elevated
SmartBrowser HKCR\Interface\{00000183-C745-43D2-44F1-01A1C789C738}\ProxyStubClsid32## Elevated
SmartBrowser HKCR\Interface\{00000183-C745-43D2-44F1-01A1C789C738}\TypeLib Elevated
SmartBrowser HKCR\Interface\{00000183-C745-43D2-44F1-01A1C789C738}\TypeLib## Elevated
SmartBrowser HKCR\Interface\{00000183-C745-43D2-44F1-01A1C789C738}\TypeLib##Version Elevated
Trojan.Mailskinner HKCR\Interface\{0A089E22-5736-4092-B3F8-3F0D5F345482} High
Trojan.Mailskinner HKCR\Interface\{0A089E22-5736-4092-B3F8-3F0D5F345482}## High
Trojan.Mailskinner HKCR\Interface\{0A089E22-5736-4092-B3F8-3F0D5F345482}\ProxyStubClsid High
Trojan.Mailskinner HKCR\Interface\{0A089E22-5736-4092-B3F8-3F0D5F345482}\ProxyStubClsid## High
Trojan.Mailskinner HKCR\Interface\{0A089E22-5736-4092-B3F8-3F0D5F345482}\ProxyStubClsid32 High
Trojan.Mailskinner HKCR\Interface\{0A089E22-5736-4092-B3F8-3F0D5F345482}\ProxyStubClsid32## High
Trojan.Mailskinner HKCR\Interface\{0A089E22-5736-4092-B3F8-3F0D5F345482}\TypeLib High
Trojan.Mailskinner HKCR\Interface\{0A089E22-5736-4092-B3F8-3F0D5F345482}\TypeLib## High
Trojan.Mailskinner HKCR\Interface\{0A089E22-5736-4092-B3F8-3F0D5F345482}\TypeLib##Version High
Weird On The Web HKCR\Interface\{CF1E4638-637F-499D-8309-FD71B9750ABC} Medium
Weird On The Web HKCR\Interface\{CF1E4638-637F-499D-8309-FD71B9750ABC}## Medium
Weird On The Web HKCR\Interface\{CF1E4638-637F-499D-8309-FD71B9750ABC}\ProxyStubClsid Medium
Weird On The Web HKCR\Interface\{CF1E4638-637F-499D-8309-FD71B9750ABC}\ProxyStubClsid## Medium
Weird On The Web HKCR\Interface\{CF1E4638-637F-499D-8309-FD71B9750ABC}\ProxyStubClsid32 Medium
Weird On The Web HKCR\Interface\{CF1E4638-637F-499D-8309-FD71B9750ABC}\ProxyStubClsid32## Medium
Weird On The Web HKCR\Interface\{CF1E4638-637F-499D-8309-FD71B9750ABC}\TypeLib Medium
Weird On The Web HKCR\Interface\{CF1E4638-637F-499D-8309-FD71B9750ABC}\TypeLib## Medium
Weird On The Web HKCR\Interface\{CF1E4638-637F-499D-8309-FD71B9750ABC}\TypeLib##Version Medium
SmartBrowser HKCR\TypeLib\{00000182-C745-43D2-44F1-01A1C789C738} Elevated
SmartBrowser HKCR\TypeLib\{00000182-C745-43D2-44F1-01A1C789C738}## Elevated
SmartBrowser HKCR\TypeLib\{00000182-C745-43D2-44F1-01A1C789C738}\1.0 Elevated
SmartBrowser HKCR\TypeLib\{00000182-C745-43D2-44F1-01A1C789C738}\1.0## Elevated
SmartBrowser HKCR\TypeLib\{00000182-C745-43D2-44F1-01A1C789C738}\1.0\0 Elevated
SmartBrowser HKCR\TypeLib\{00000182-C745-43D2-44F1-01A1C789C738}\1.0\0## Elevated
SmartBrowser HKCR\TypeLib\{00000182-C745-43D2-44F1-01A1C789C738}\1.0\0\win32 Elevated
SmartBrowser HKCR\TypeLib\{00000182-C745-43D2-44F1-01A1C789C738}\1.0\0\win32## Elevated
SmartBrowser HKCR\TypeLib\{00000182-C745-43D2-44F1-01A1C789C738}\1.0\FLAGS Elevated
SmartBrowser HKCR\TypeLib\{00000182-C745-43D2-44F1-01A1C789C738}\1.0\FLAGS## Elevated
SmartBrowser HKCR\TypeLib\{00000182-C745-43D2-44F1-01A1C789C738}\1.0\HELPDIR Elevated
SmartBrowser HKCR\TypeLib\{00000182-C745-43D2-44F1-01A1C789C738}\1.0\HELPDIR## Elevated
Weird On The Web HKCR\TypeLib\{555FB512-9F3B-4359-9D2A-3C10E750CE5E} Medium
Weird On The Web HKCR\TypeLib\{555FB512-9F3B-4359-9D2A-3C10E750CE5E}## Medium
Weird On The Web HKCR\TypeLib\{555FB512-9F3B-4359-9D2A-3C10E750CE5E}\1.0 Medium
Weird On The Web HKCR\TypeLib\{555FB512-9F3B-4359-9D2A-3C10E750CE5E}\1.0## Medium
Weird On The Web HKCR\TypeLib\{555FB512-9F3B-4359-9D2A-3C10E750CE5E}\1.0\0 Medium
Weird On The Web HKCR\TypeLib\{555FB512-9F3B-4359-9D2A-3C10E750CE5E}\1.0\0## Medium
Weird On The Web HKCR\TypeLib\{555FB512-9F3B-4359-9D2A-3C10E750CE5E}\1.0\0\win32 Medium
Weird On The Web HKCR\TypeLib\{555FB512-9F3B-4359-9D2A-3C10E750CE5E}\1.0\0\win32## Medium
Weird On The Web HKCR\TypeLib\{555FB512-9F3B-4359-9D2A-3C10E750CE5E}\1.0\FLAGS Medium
Weird On The Web HKCR\TypeLib\{555FB512-9F3B-4359-9D2A-3C10E750CE5E}\1.0\FLAGS## Medium
Weird On The Web HKCR\TypeLib\{555FB512-9F3B-4359-9D2A-3C10E750CE5E}\1.0\HELPDIR Medium
Weird On The Web HKCR\TypeLib\{555FB512-9F3B-4359-9D2A-3C10E750CE5E}\1.0\HELPDIR## Medium
Trojan.Mailskinner HKCR\TypeLib\{5BAD7FAE-81F0-4439-8C1A-3E8907998047} High
Trojan.Mailskinner HKCR\TypeLib\{5BAD7FAE-81F0-4439-8C1A-3E8907998047}## High
Trojan.Mailskinner HKCR\TypeLib\{5BAD7FAE-81F0-4439-8C1A-3E8907998047}\1.0 High
Trojan.Mailskinner HKCR\TypeLib\{5BAD7FAE-81F0-4439-8C1A-3E8907998047}\1.0## High
Trojan.Mailskinner HKCR\TypeLib\{5BAD7FAE-81F0-4439-8C1A-3E8907998047}\1.0\0 High
Trojan.Mailskinner HKCR\TypeLib\{5BAD7FAE-81F0-4439-8C1A-3E8907998047}\1.0\0## High
Trojan.Mailskinner HKCR\TypeLib\{5BAD7FAE-81F0-4439-8C1A-3E8907998047}\1.0\0\win32 High
Trojan.Mailskinner HKCR\TypeLib\{5BAD7FAE-81F0-4439-8C1A-3E8907998047}\1.0\0\win32## High
Trojan.Mailskinner HKCR\TypeLib\{5BAD7FAE-81F0-4439-8C1A-3E8907998047}\1.0\FLAGS High
Trojan.Mailskinner HKCR\TypeLib\{5BAD7FAE-81F0-4439-8C1A-3E8907998047}\1.0\FLAGS## High
Trojan.Mailskinner HKCR\TypeLib\{5BAD7FAE-81F0-4439-8C1A-3E8907998047}\1.0\HELPDIR High
Trojan.Mailskinner HKCR\TypeLib\{5BAD7FAE-81F0-4439-8C1A-3E8907998047}\1.0\HELPDIR## High
Weird On The Web HKCR\TypeLib\{AB3B59A5-8BB4-46AB-A878-DFDB237D5BD5} Medium
Weird On The Web HKCR\TypeLib\{AB3B59A5-8BB4-46AB-A878-DFDB237D5BD5}## Medium
Weird On The Web HKCR\TypeLib\{AB3B59A5-8BB4-46AB-A878-DFDB237D5BD5}\1.0 Medium
Weird On The Web HKCR\TypeLib\{AB3B59A5-8BB4-46AB-A878-DFDB237D5BD5}\1.0## Medium
Weird On The Web HKCR\TypeLib\{AB3B59A5-8BB4-46AB-A878-DFDB237D5BD5}\1.0\0 Medium
Weird On The Web HKCR\TypeLib\{AB3B59A5-8BB4-46AB-A878-DFDB237D5BD5}\1.0\0## Medium
Weird On The Web HKCR\TypeLib\{AB3B59A5-8BB4-46AB-A878-DFDB237D5BD5}\1.0\0\win32 Medium
Weird On The Web HKCR\TypeLib\{AB3B59A5-8BB4-46AB-A878-DFDB237D5BD5}\1.0\0\win32## Medium
Weird On The Web HKCR\TypeLib\{AB3B59A5-8BB4-46AB-A878-DFDB237D5BD5}\1.0\FLAGS Medium
Weird On The Web HKCR\TypeLib\{AB3B59A5-8BB4-46AB-A878-DFDB237D5BD5}\1.0\FLAGS## Medium
Weird On The Web HKCR\TypeLib\{AB3B59A5-8BB4-46AB-A878-DFDB237D5BD5}\1.0\HELPDIR Medium
Weird On The Web HKCR\TypeLib\{AB3B59A5-8BB4-46AB-A878-DFDB237D5BD5}\1.0\HELPDIR## Medium
Weird On The Web HKCR\TypeLib\{AFDBB222-DEA9-4C12-B3A3-A13C2985E3EE} Medium
Weird On The Web HKCR\TypeLib\{AFDBB222-DEA9-4C12-B3A3-A13C2985E3EE}## Medium
Weird On The Web HKCR\TypeLib\{AFDBB222-DEA9-4C12-B3A3-A13C2985E3EE}\1.0 Medium
Weird On The Web HKCR\TypeLib\{AFDBB222-DEA9-4C12-B3A3-A13C2985E3EE}\1.0## Medium
Weird On The Web HKCR\TypeLib\{AFDBB222-DEA9-4C12-B3A3-A13C2985E3EE}\1.0\0 Medium
Weird On The Web HKCR\TypeLib\{AFDBB222-DEA9-4C12-B3A3-A13C2985E3EE}\1.0\0## Medium
Weird On The Web HKCR\TypeLib\{AFDBB222-DEA9-4C12-B3A3-A13C2985E3EE}\1.0\0\win32 Medium
Weird On The Web HKCR\TypeLib\{AFDBB222-DEA9-4C12-B3A3-A13C2985E3EE}\1.0\0\win32## Medium
Weird On The Web HKCR\TypeLib\{AFDBB222-DEA9-4C12-B3A3-A13C2985E3EE}\1.0\FLAGS Medium
Weird On The Web HKCR\TypeLib\{AFDBB222-DEA9-4C12-B3A3-A13C2985E3EE}\1.0\FLAGS## Medium
Weird On The Web HKCR\TypeLib\{AFDBB222-DEA9-4C12-B3A3-A13C2985E3EE}\1.0\HELPDIR Medium
Weird On The Web HKCR\TypeLib\{AFDBB222-DEA9-4C12-B3A3-A13C2985E3EE}\1.0\HELPDIR## Medium
Trojan.Mailskinner HKCU\Software\exts High
Trojan.Mailskinner HKCU\Software\exts## High
Trojan.Mailskinner HKCU\Software\exts\{8E09CB72-3143-4414-A1C2-63E9C0438472} High
Trojan.Mailskinner HKCU\Software\exts\{8E09CB72-3143-4414-A1C2-63E9C0438472}## High
Trojan.Mailskinner HKCU\Software\exts\{8E09CB72-3143-4414-A1C2-63E9C0438472}##ft High
Trojan.Mailskinner HKCU\Software\exts\{8E09CB72-3143-4414-A1C2-63E9C0438472}##rt High
Instant Access HKCU\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates\62119EF862C6B3A0D853419B87EB3E2F6C78640A High
Instant Access HKCU\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates\62119EF862C6B3A0D853419B87EB3E2F6C78640A## High
Instant Access HKCU\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates\62119EF862C6B3A0D853419B87EB3E2F6C78640A##Blob High
CommonName HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000000-0000-0000-0000-000000000000} High
CommonName HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000000-0000-0000-0000-000000000000}## High
CommonName HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000000-0000-0000-0000-000000000000}\iexplore High
CommonName HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000000-0000-0000-0000-000000000000}\iexplore## High
CommonName HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000000-0000-0000-0000-000000000000}\iexplore##Count High
CommonName HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000000-0000-0000-0000-000000000000}\iexplore##Flags High
CommonName HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000000-0000-0000-0000-000000000000}\iexplore##Time High
CommonName HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000000-0000-0000-0000-000000000000}\iexplore##Type High
VSToolbar HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{46A4E9D9-B30E-452A-8157-DBBEC8573B03} Elevated
VSToolbar HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{46A4E9D9-B30E-452A-8157-DBBEC8573B03}## Elevated
VSToolbar HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{46A4E9D9-B30E-452A-8157-DBBEC8573B03}\iexplore Elevated
VSToolbar HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{46A4E9D9-B30E-452A-8157-DBBEC8573B03}\iexplore## Elevated
VSToolbar HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{46A4E9D9-B30E-452A-8157-DBBEC8573B03}\iexplore##Count Elevated
VSToolbar HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{46A4E9D9-B30E-452A-8157-DBBEC8573B03}\iexplore##Flags Elevated
VSToolbar HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{46A4E9D9-B30E-452A-8157-DBBEC8573B03}\iexplore##Time Elevated
VSToolbar HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{46A4E9D9-B30E-452A-8157-DBBEC8573B03}\iexplore##Type Elevated
VSToolbar HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{74DD705D-6834-439C-A735-A6DBE2677452} Elevated
VSToolbar HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{74DD705D-6834-439C-A735-A6DBE2677452}## Elevated
VSToolbar HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{74DD705D-6834-439C-A735-A6DBE2677452}\iexplore Elevated
VSToolbar HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{74DD705D-6834-439C-A735-A6DBE2677452}\iexplore## Elevated
VSToolbar HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{74DD705D-6834-439C-A735-A6DBE2677452}\iexplore##Count Elevated
VSToolbar HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{74DD705D-6834-439C-A735-A6DBE2677452}\iexplore##Flags Elevated
VSToolbar HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{74DD705D-6834-439C-A735-A6DBE2677452}\iexplore##Time Elevated
VSToolbar HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{74DD705D-6834-439C-A735-A6DBE2677452}\iexplore##Type Elevated
WinFixer HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} Elevated
WinFixer HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A}## Elevated
WinFixer HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A}\iexplore Elevated
WinFixer HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A}\iexplore## Elevated
WinFixer HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A}\iexplore##Blocked Elevated
WinFixer HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A}\iexplore##Count Elevated
WinFixer HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A}\iexplore##Flags Elevated
WinFixer HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A}\iexplore##Time Elevated
WinFixer HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A}\iexplore##Type Elevated
Virtumonde HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F8917B2A-5FEE-431D-A680-96F8C34E427D} Elevated
Virtumonde HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F8917B2A-5FEE-431D-A680-96F8C34E427D}## Elevated
Virtumonde HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F8917B2A-5FEE-431D-A680-96F8C34E427D}\iexplore Elevated
Virtumonde HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F8917B2A-5FEE-431D-A680-96F8C34E427D}\iexplore## Elevated
Virtumonde HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F8917B2A-5FEE-431D-A680-96F8C34E427D}\iexplore##Count Elevated
Virtumonde HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F8917B2A-5FEE-431D-A680-96F8C34E427D}\iexplore##Flags Elevated
Virtumonde HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F8917B2A-5FEE-431D-A680-96F8C34E427D}\iexplore##Time Elevated
Virtumonde HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F8917B2A-5FEE-431D-A680-96F8C34E427D}\iexplore##Type Elevated
Trojan.Mailskinner HKCU\Software\Microsoft\Windows\CurrentVersion\Run##MailSkinner High
VSToolbar HKCU\Software\Search Toolbar Corp Elevated
VSToolbar HKCU\Software\Search Toolbar Corp## Elevated
VSToolbar HKCU\Software\Search Toolbar Corp\Toolbar Vision Elevated
VSToolbar HKCU\Software\Search Toolbar Corp\Toolbar Vision## Elevated
Trojan.Mailskinner HKLM\Software\Classes\CLSID\{180B4EE9-1795-4429-9651-F17A6515726D} High
Trojan.Mailskinner HKLM\Software\Classes\CLSID\{180B4EE9-1795-4429-9651-F17A6515726D}## High
Trojan.Mailskinner HKLM\Software\Classes\CLSID\{180B4EE9-1795-4429-9651-F17A6515726D}\InprocServer32 High
Trojan.Mailskinner HKLM\Software\Classes\CLSID\{180B4EE9-1795-4429-9651-F17A6515726D}\InprocServer32## High
Trojan.Mailskinner HKLM\Software\Classes\CLSID\{180B4EE9-1795-4429-9651-F17A6515726D}\InprocServer32##ThreadingModel High
Trojan.Mailskinner HKLM\Software\Classes\CLSID\{180B4EE9-1795-4429-9651-F17A6515726D}\ProgID High
Trojan.Mailskinner HKLM\Software\Classes\CLSID\{180B4EE9-1795-4429-9651-F17A6515726D}\ProgID## High
Trojan.Mailskinner HKLM\Software\Classes\CLSID\{180B4EE9-1795-4429-9651-F17A6515726D}\Programmable High
Trojan.Mailskinner HKLM\Software\Classes\CLSID\{180B4EE9-1795-4429-9651-F17A6515726D}\Programmable## High
Trojan.Mailskinner HKLM\Software\Classes\CLSID\{180B4EE9-1795-4429-9651-F17A6515726D}\TypeLib High
Trojan.Mailskinner HKLM\Software\Classes\CLSID\{180B4EE9-1795-4429-9651-F17A6515726D}\TypeLib## High
Trojan.Mailskinner HKLM\Software\Classes\CLSID\{180B4EE9-1795-4429-9651-F17A6515726D}\VersionIndependentProgID High
Trojan.Mailskinner HKLM\Software\Classes\CLSID\{180B4EE9-1795-4429-9651-F17A6515726D}\VersionIndependentProgID## High
Instant Access HKLM\Software\Classes\CLSID\{B2B0AEDF-7CDF-4792-BB67-7654AD1E1B13} High
Instant Access HKLM\Software\Classes\CLSID\{B2B0AEDF-7CDF-4792-BB67-7654AD1E1B13}## High
Instant Access HKLM\Software\Classes\CLSID\{B2B0AEDF-7CDF-4792-BB67-7654AD1E1B13}\InprocServer32 High
Instant Access HKLM\Software\Classes\CLSID\{B2B0AEDF-7CDF-4792-BB67-7654AD1E1B13}\InprocServer32## High
Instant Access HKLM\Software\Classes\CLSID\{B2B0AEDF-7CDF-4792-BB67-7654AD1E1B13}\InprocServer32##ThreadingModel High
Virtumonde HKLM\Software\Classes\CLSID\{F8917B2A-5FEE-431D-A680-96F8C34E427D} Elevated
Virtumonde HKLM\Software\Classes\CLSID\{F8917B2A-5FEE-431D-A680-96F8C34E427D}## Elevated
Virtumonde HKLM\Software\Classes\CLSID\{F8917B2A-5FEE-431D-A680-96F8C34E427D}\InprocServer32 Elevated
Virtumonde HKLM\Software\Classes\CLSID\{F8917B2A-5FEE-431D-A680-96F8C34E427D}\InprocServer32## Elevated
Virtumonde HKLM\Software\Classes\CLSID\{F8917B2A-5FEE-431D-A680-96F8C34E427D}\InprocServer32##ThreadingModel Elevated
Trojan.Downloader.Small.CML HKLM\SOFTWARE\Microsoft\MSSMGR High
Trojan.Downloader.Small.CML HKLM\SOFTWARE\Microsoft\MSSMGR## High
Trojan.Downloader.Small.CML HKLM\SOFTWARE\Microsoft\MSSMGR##BPTV High
Trojan.Downloader.Small.CML HKLM\SOFTWARE\Microsoft\MSSMGR##Brnd High
Trojan.Downloader.Small.CML HKLM\SOFTWARE\Microsoft\MSSMGR##BSTV High
Trojan.Downloader.Small.CML HKLM\SOFTWARE\Microsoft\MSSMGR##Data High
Trojan.Downloader.Small.CML HKLM\SOFTWARE\Microsoft\MSSMGR##LID High
Trojan.Downloader.Small.CML HKLM\SOFTWARE\Microsoft\MSSMGR##LSTV High
Trojan.Downloader.Small.CML HKLM\SOFTWARE\Microsoft\MSSMGR##MSLIST High
Trojan.Downloader.Small.CML HKLM\SOFTWARE\Microsoft\MSSMGR##PID High
Trojan.Downloader.Small.CML HKLM\SOFTWARE\Microsoft\MSSMGR##PSTV High
Trojan.Downloader.Small.CML HKLM\SOFTWARE\Microsoft\MSSMGR##Rid High
Trojan.Downloader.Small.CML HKLM\SOFTWARE\Microsoft\MSSMGR##SCLIST High
Trojan.Downloader.Small.CML HKLM\SOFTWARE\Microsoft\MSSMGR##SSLIST High
Trojan.Downloader.Small.CML HKLM\SOFTWARE\Microsoft\MSSMGR##SSTV High
Virtumonde HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\jkkli##DllName Elevated
Trojan.Downloader.Small.CML HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winzlo32 High
Trojan.Downloader.Small.CML HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winzlo32## High
Trojan.Downloader.Small.CML HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winzlo32##Asynchronous High
Trojan.Downloader.Small.CML HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winzlo32##DllName High
Trojan.Downloader.Small.CML HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winzlo32##Impersonate High
Trojan.Downloader.Small.CML HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winzlo32##Shutdown High
Trojan.Downloader.Small.CML HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winzlo32##Startup High
Virtumonde HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F8917B2A-5FEE-431D-A680-96F8C34E427D} Elevated
Virtumonde HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F8917B2A-5FEE-431D-A680-96F8C34E427D}## Elevated
Instant Access HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/eg_auth_1044.dll High
Instant Access HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/eg_auth_1044.dll## High
Instant Access HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/eg_auth_1044.dll##.Owner High
Instant Access HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/eg_auth_1044.dll##{11F1D260-129E-4EB7-B37E-57E3D97A3DF1} High
Instant Access HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/eg_auth_1046.dll High
Instant Access HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/eg_auth_1046.dll## High
Instant Access HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/eg_auth_1046.dll##.Owner High
Instant Access HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/eg_auth_1046.dll##{D8B94E9A-A34B-4253-BF48-C7CB7F2CFDB0} High
Common Components Unrelated HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run##svchost.exe Medium
I-Search Desktop Search Toolbar HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3877C2CD-F137-4144-BDB2-0A811492F920} Elevated
I-Search Desktop Search Toolbar HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3877C2CD-F137-4144-BDB2-0A811492F920}## Elevated
I-Search Desktop Search Toolbar HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3877C2CD-F137-4144-BDB2-0A811492F920}##Contact Elevated
I-Search Desktop Search Toolbar HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3877C2CD-F137-4144-BDB2-0A811492F920}##DisplayName Elevated
I-Search Desktop Search Toolbar HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3877C2CD-F137-4144-BDB2-0A811492F920}##DisplayVersion Elevated
I-Search Desktop Search Toolbar HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3877C2CD-F137-4144-BDB2-0A811492F920}##NoModify Elevated
I-Search Desktop Search Toolbar HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3877C2CD-F137-4144-BDB2-0A811492F920}##NoRemove Elevated
I-Search Desktop Search Toolbar HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3877C2CD-F137-4144-BDB2-0A811492F920}##NoRepair Elevated
I-Search Desktop Search Toolbar HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3877C2CD-F137-4144-BDB2-0A811492F920}##UninstallString Elevated
Network Monitor HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A394E835-C8D6-4B4B-884B-D2709059F3BE} High
Network Monitor HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A394E835-C8D6-4B4B-884B-D2709059F3BE}## High
Network Monitor HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A394E835-C8D6-4B4B-884B-D2709059F3BE}##Contact High
Network Monitor HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A394E835-C8D6-4B4B-884B-D2709059F3BE}##DisplayName High
Network Monitor HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A394E835-C8D6-4B4B-884B-D2709059F3BE}##DisplayVersion High
Network Monitor HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A394E835-C8D6-4B4B-884B-D2709059F3BE}##NoModify High
Network Monitor HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A394E835-C8D6-4B4B-884B-D2709059F3BE}##NoRemove High
Network Monitor HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A394E835-C8D6-4B4B-884B-D2709059F3BE}##NoRepair High
Network Monitor HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A394E835-C8D6-4B4B-884B-D2709059F3BE}##UninstallString High
I-Search Desktop Search Toolbar HKLM\SOFTWARE\Policies##{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} Elevated
I-Search Desktop Search Toolbar HKLM\SOFTWARE\Policies##{645FF040-5081-101B-9F08-00AA002F954E} Elevated
I-Search Desktop Search Toolbar HKLM\SOFTWARE\Policies##{6BF52A52-394A-11D3-B153-00C04F79FAA6} Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\ControlSet003\Enum\Root\LEGACY_CMDSERVICE Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\ControlSet003\Enum\Root\LEGACY_CMDSERVICE## Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\ControlSet003\Enum\Root\LEGACY_CMDSERVICE##NextInstance Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\ControlSet003\Enum\Root\LEGACY_CMDSERVICE\0000 Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\ControlSet003\Enum\Root\LEGACY_CMDSERVICE\0000## Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\ControlSet003\Enum\Root\LEGACY_CMDSERVICE\0000##Class Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\ControlSet003\Enum\Root\LEGACY_CMDSERVICE\0000##ClassGUID Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\ControlSet003\Enum\Root\LEGACY_CMDSERVICE\0000##ConfigFlags Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\ControlSet003\Enum\Root\LEGACY_CMDSERVICE\0000##DeviceDesc Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\ControlSet003\Enum\Root\LEGACY_CMDSERVICE\0000##Legacy Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\ControlSet003\Enum\Root\LEGACY_CMDSERVICE\0000##Service Elevated
Network Monitor HKLM\SYSTEM\ControlSet003\Enum\Root\LEGACY_NETWORK_MONITOR High
Network Monitor HKLM\SYSTEM\ControlSet003\Enum\Root\LEGACY_NETWORK_MONITOR## High
Network Monitor HKLM\SYSTEM\ControlSet003\Enum\Root\LEGACY_NETWORK_MONITOR##NextInstance High
Network Monitor HKLM\SYSTEM\ControlSet003\Enum\Root\LEGACY_NETWORK_MONITOR\0000 High
Network Monitor HKLM\SYSTEM\ControlSet003\Enum\Root\LEGACY_NETWORK_MONITOR\0000## High
Network Monitor HKLM\SYSTEM\ControlSet003\Enum\Root\LEGACY_NETWORK_MONITOR\0000##Class High
Network Monitor HKLM\SYSTEM\ControlSet003\Enum\Root\LEGACY_NETWORK_MONITOR\0000##ClassGUID High
Network Monitor HKLM\SYSTEM\ControlSet003\Enum\Root\LEGACY_NETWORK_MONITOR\0000##ConfigFlags High
Network Monitor HKLM\SYSTEM\ControlSet003\Enum\Root\LEGACY_NETWORK_MONITOR\0000##DeviceDesc High
Network Monitor HKLM\SYSTEM\ControlSet003\Enum\Root\LEGACY_NETWORK_MONITOR\0000##Legacy High
Network Monitor HKLM\SYSTEM\ControlSet003\Enum\Root\LEGACY_NETWORK_MONITOR\0000##Service High
I-Search Desktop Search Toolbar HKLM\SYSTEM\ControlSet003\Services\cmdService Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\ControlSet003\Services\cmdService## Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\ControlSet003\Services\cmdService##DisplayName Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\ControlSet003\Services\cmdService##ErrorControl Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\ControlSet003\Services\cmdService##ImagePath Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\ControlSet003\Services\cmdService##ObjectName Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\ControlSet003\Services\cmdService##Start Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\ControlSet003\Services\cmdService##Type Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\ControlSet003\Services\cmdService\Enum Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\ControlSet003\Services\cmdService\Enum## Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\ControlSet003\Services\cmdService\Enum##0 Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\ControlSet003\Services\cmdService\Enum##Count Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\ControlSet003\Services\cmdService\Enum##NextInstance Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\ControlSet003\Services\cmdService\Security Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\ControlSet003\Services\cmdService\Security## Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\ControlSet003\Services\cmdService\Security##Security Elevated
Network Monitor HKLM\SYSTEM\ControlSet003\Services\Network Monitor High
Network Monitor HKLM\SYSTEM\ControlSet003\Services\Network Monitor## High
Network Monitor HKLM\SYSTEM\ControlSet003\Services\Network Monitor##DisplayName High
Network Monitor HKLM\SYSTEM\ControlSet003\Services\Network Monitor##ErrorControl High
Network Monitor HKLM\SYSTEM\ControlSet003\Services\Network Monitor##ImagePath High
Network Monitor HKLM\SYSTEM\ControlSet003\Services\Network Monitor##ObjectName High
Network Monitor HKLM\SYSTEM\ControlSet003\Services\Network Monitor##Start High
Network Monitor HKLM\SYSTEM\ControlSet003\Services\Network Monitor##Type High
Network Monitor HKLM\SYSTEM\ControlSet003\Services\Network Monitor\Enum High
Network Monitor HKLM\SYSTEM\ControlSet003\Services\Network Monitor\Enum## High
Network Monitor HKLM\SYSTEM\ControlSet003\Services\Network Monitor\Enum##0 High
Network Monitor HKLM\SYSTEM\ControlSet003\Services\Network Monitor\Enum##Count High
Network Monitor HKLM\SYSTEM\ControlSet003\Services\Network Monitor\Enum##NextInstance High
Network Monitor HKLM\SYSTEM\ControlSet003\Services\Network Monitor\Security High
Network Monitor HKLM\SYSTEM\ControlSet003\Services\Network Monitor\Security## High
Network Monitor HKLM\SYSTEM\ControlSet003\Services\Network Monitor\Security##Security High
I-Search Desktop Search Toolbar HKLM\SYSTEM\ControlSet004\Enum\Root\LEGACY_CMDSERVICE Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\ControlSet004\Enum\Root\LEGACY_CMDSERVICE## Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\ControlSet004\Enum\Root\LEGACY_CMDSERVICE##NextInstance Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\ControlSet004\Enum\Root\LEGACY_CMDSERVICE\0000 Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\ControlSet004\Enum\Root\LEGACY_CMDSERVICE\0000## Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\ControlSet004\Enum\Root\LEGACY_CMDSERVICE\0000##Class Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\ControlSet004\Enum\Root\LEGACY_CMDSERVICE\0000##ClassGUID Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\ControlSet004\Enum\Root\LEGACY_CMDSERVICE\0000##ConfigFlags Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\ControlSet004\Enum\Root\LEGACY_CMDSERVICE\0000##DeviceDesc Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\ControlSet004\Enum\Root\LEGACY_CMDSERVICE\0000##Legacy Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\ControlSet004\Enum\Root\LEGACY_CMDSERVICE\0000##Service Elevated
Network Monitor HKLM\SYSTEM\ControlSet004\Enum\Root\LEGACY_NETWORK_MONITOR High
Network Monitor HKLM\SYSTEM\ControlSet004\Enum\Root\LEGACY_NETWORK_MONITOR## High
Network Monitor HKLM\SYSTEM\ControlSet004\Enum\Root\LEGACY_NETWORK_MONITOR##NextInstance High
Network Monitor HKLM\SYSTEM\ControlSet004\Enum\Root\LEGACY_NETWORK_MONITOR\0000 High
Network Monitor HKLM\SYSTEM\ControlSet004\Enum\Root\LEGACY_NETWORK_MONITOR\0000## High
Network Monitor HKLM\SYSTEM\ControlSet004\Enum\Root\LEGACY_NETWORK_MONITOR\0000##Class High
Network Monitor HKLM\SYSTEM\ControlSet004\Enum\Root\LEGACY_NETWORK_MONITOR\0000##ClassGUID High
Network Monitor HKLM\SYSTEM\ControlSet004\Enum\Root\LEGACY_NETWORK_MONITOR\0000##ConfigFlags High
Network Monitor HKLM\SYSTEM\ControlSet004\Enum\Root\LEGACY_NETWORK_MONITOR\0000##DeviceDesc High
Network Monitor HKLM\SYSTEM\ControlSet004\Enum\Root\LEGACY_NETWORK_MONITOR\0000##Legacy High
Network Monitor HKLM\SYSTEM\ControlSet004\Enum\Root\LEGACY_NETWORK_MONITOR\0000##Service High
I-Search Desktop Search Toolbar HKLM\SYSTEM\ControlSet004\Services\cmdService Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\ControlSet004\Services\cmdService## Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\ControlSet004\Services\cmdService##DisplayName Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\ControlSet004\Services\cmdService##ErrorControl Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\ControlSet004\Services\cmdService##ImagePath Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\ControlSet004\Services\cmdService##ObjectName Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\ControlSet004\Services\cmdService##Start Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\ControlSet004\Services\cmdService##Type Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\ControlSet004\Services\cmdService\Security Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\ControlSet004\Services\cmdService\Security## Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\ControlSet004\Services\cmdService\Security##Security Elevated
Network Monitor HKLM\SYSTEM\ControlSet004\Services\Network Monitor High
Network Monitor HKLM\SYSTEM\ControlSet004\Services\Network Monitor## High
Network Monitor HKLM\SYSTEM\ControlSet004\Services\Network Monitor##DisplayName High
Network Monitor HKLM\SYSTEM\ControlSet004\Services\Network Monitor##ErrorControl High
Network Monitor HKLM\SYSTEM\ControlSet004\Services\Network Monitor##ImagePath High
Network Monitor HKLM\SYSTEM\ControlSet004\Services\Network Monitor##ObjectName High
Network Monitor HKLM\SYSTEM\ControlSet004\Services\Network Monitor##Start High
Network Monitor HKLM\SYSTEM\ControlSet004\Services\Network Monitor##Type High
Network Monitor HKLM\SYSTEM\ControlSet004\Services\Network Monitor\Security High
Network Monitor HKLM\SYSTEM\ControlSet004\Services\Network Monitor\Security## High
Network Monitor HKLM\SYSTEM\ControlSet004\Services\Network Monitor\Security##Security High
I-Search Desktop Search Toolbar HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE## Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE##NextInstance Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000 Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000## Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000##Class Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000##ClassGUID Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000##ConfigFlags Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000##DeviceDesc Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000##Legacy Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000##Service Elevated
Trojan.Dropper.Small.AEK HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSASVC High
Trojan.Dropper.Small.AEK HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSASVC## High
Trojan.Dropper.Small.AEK HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSASVC##NextInstance High
Trojan.Dropper.Small.AEK HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSASVC\0000 High
Trojan.Dropper.Small.AEK HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSASVC\0000## High
Trojan.Dropper.Small.AEK HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSASVC\0000##Class High
Trojan.Dropper.Small.AEK HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSASVC\0000##ClassGUID High
Trojan.Dropper.Small.AEK HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSASVC\0000##ConfigFlags High
Trojan.Dropper.Small.AEK HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSASVC\0000##DeviceDesc High
Trojan.Dropper.Small.AEK HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSASVC\0000##Legacy High
Trojan.Dropper.Small.AEK HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSASVC\0000##Service High
Network Monitor HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR High
Network Monitor HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR## High
Network Monitor HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR##NextInstance High
Network Monitor HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000 High
Network Monitor HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000## High
Network Monitor HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000##Class High
Network Monitor HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000##ClassGUID High
Network Monitor HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000##ConfigFlags High
Network Monitor HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000##DeviceDesc High
Network Monitor HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000##Legacy High
Network Monitor HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000##Service High
I-Search Desktop Search Toolbar HKLM\SYSTEM\CurrentControlSet\Services\cmdService Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\CurrentControlSet\Services\cmdService## Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\CurrentControlSet\Services\cmdService##DisplayName Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\CurrentControlSet\Services\cmdService##ErrorControl Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\CurrentControlSet\Services\cmdService##ImagePath Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\CurrentControlSet\Services\cmdService##ObjectName Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\CurrentControlSet\Services\cmdService##Start Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\CurrentControlSet\Services\cmdService##Type Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\CurrentControlSet\Services\cmdService\Enum Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\CurrentControlSet\Services\cmdService\Enum## Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\CurrentControlSet\Services\cmdService\Enum##0 Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\CurrentControlSet\Services\cmdService\Enum##Count Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\CurrentControlSet\Services\cmdService\Enum##NextInstance Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\CurrentControlSet\Services\cmdService\Security Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\CurrentControlSet\Services\cmdService\Security## Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\CurrentControlSet\Services\cmdService\Security##Security Elevated
Common Components Unrelated HKLM\SYSTEM\CurrentControlSet\Services\COM+ Messages##ImagePath Medium
Trojan.Dropper.Small.AEK HKLM\SYSTEM\CurrentControlSet\Services\MsaSvc High
Trojan.Dropper.Small.AEK HKLM\SYSTEM\CurrentControlSet\Services\MsaSvc## High
Trojan.Dropper.Small.AEK HKLM\SYSTEM\CurrentControlSet\Services\MsaSvc##Description High
Trojan.Dropper.Small.AEK HKLM\SYSTEM\CurrentControlSet\Services\MsaSvc##DisplayName High
Trojan.Dropper.Small.AEK HKLM\SYSTEM\CurrentControlSet\Services\MsaSvc##ErrorControl High
Trojan.Dropper.Small.AEK HKLM\SYSTEM\CurrentControlSet\Services\MsaSvc##ImagePath High
Trojan.Dropper.Small.AEK HKLM\SYSTEM\CurrentControlSet\Services\MsaSvc##ObjectName High
Trojan.Dropper.Small.AEK HKLM\SYSTEM\CurrentControlSet\Services\MsaSvc##Start High
Trojan.Dropper.Small.AEK HKLM\SYSTEM\CurrentControlSet\Services\MsaSvc##Type High
Trojan.Dropper.Small.AEK HKLM\SYSTEM\CurrentControlSet\Services\MsaSvc\Enum High
Trojan.Dropper.Small.AEK HKLM\SYSTEM\CurrentControlSet\Services\MsaSvc\Enum## High
Trojan.Dropper.Small.AEK HKLM\SYSTEM\CurrentControlSet\Services\MsaSvc\Enum##0 High
Trojan.Dropper.Small.AEK HKLM\SYSTEM\CurrentControlSet\Services\MsaSvc\Enum##Count High
Trojan.Dropper.Small.AEK HKLM\SYSTEM\CurrentControlSet\Services\MsaSvc\Enum##NextInstance High
Trojan.Dropper.Small.AEK HKLM\SYSTEM\CurrentControlSet\Services\MsaSvc\Security High
Trojan.Dropper.Small.AEK HKLM\SYSTEM\CurrentControlSet\Services\MsaSvc\Security## High
Trojan.Dropper.Small.AEK HKLM\SYSTEM\CurrentControlSet\Services\MsaSvc\Security##Security High
Network Monitor HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor High
Network Monitor HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor## High
Network Monitor HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor##DisplayName High
Network Monitor HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor##ErrorControl High
Network Monitor HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor##ImagePath High
Network Monitor HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor##ObjectName High
Network Monitor HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor##Start High
Network Monitor HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor##Type High
Network Monitor HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor\Enum High
Network Monitor HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor\Enum## High
Network Monitor HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor\Enum##0 High
Network Monitor HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor\Enum##Count High
Network Monitor HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor\Enum##NextInstance High
Network Monitor HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor\Security High
Network Monitor HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor\Security## High
Network Monitor HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor\Security##Security High
Virtumonde iexplore.exe (C:\WINDOWS\system32\jkkli.dll)
_______________________________________________________________

Looks like a complete mess!

I've tried to run my computer in safe mode to run through a few steps I've seen in various threads, but it will not let me do anything in safe mode. I have a ton of pop-ups that keep coming with various spyware removal programs and registry cleaners, and a pop-up from "songset" that comes up any time I visit sites like msn, etc., offering free ring tones. My system overall is running extremely slow, and I especially notice it when typing in Microsoft Word, and things of that nature. If you could give me some help I would really appreciate it!

Last edited by christinelydia; 02-09-2007 at 03:30 PM. Reason: Title Change, Windows Update failure
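The report above is a flat list, one registry key or value per line, tagged with the threat the scanner attributes it to and a severity. Most of those lines are inert side effects of the installs (the Ext\Stats counters, the Uninstall entries, the LEGACY_* device records repeated across ControlSet003, ControlSet004 and CurrentControlSet). The entries that actually bring the malware back after a reboot are the loaders: the HKCU Run value, the Winlogon\Notify DLL (loaded by winlogon.exe itself, so it is present in Safe Mode too), the Browser Helper Object and the two services. The Python below is an added example by the editor, not part of the original post and not any scanner's code; it parses that line format and separates loaders from residue. The mechanism names and the active/inert split are the editor's own classification, and the sample lines are copied from the report above.

```python
"""Triage helper for the flat "<threat> <registry path>[##<value>] <severity>"
scan-report lines pasted above. Added example by the editor, not part of the
original post or of any scanner; the mechanism names and the active/inert
split are the editor's own classification."""
import re
from dataclasses import dataclass
from typing import Optional

SEVERITY_ORDER = {"Low": 0, "Medium": 1, "Elevated": 2, "High": 3}

# Threat names and registry paths both contain spaces, so the threat runs up to
# the first "HKxx\" token and the path up to an optional "##value" (a bare
# trailing "##" in the report is the key's unnamed default value).
LINE_RE = re.compile(
    r"^(?P<threat>.+?)\s+"
    r"(?P<path>HK(?:LM|CU|U|CR)\\.*?)"
    r"(?:##(?P<value>\S*))?"
    r"\s+(?P<severity>High|Elevated|Medium|Low)\s*$"
)

# Where the entry lives decides whether it loads code ("active") or is only a
# side effect of the install ("inert"). First match wins, so order matters.
MECHANISMS = [
    ("winlogon_notify", re.compile(r"\\Winlogon\\Notify\\", re.I), True),  # DLL loaded by winlogon.exe, Safe Mode included
    ("run_key",         re.compile(r"\\Run(?:Once)?$", re.I), True),        # ...\CurrentVersion\Run, ...\policies\Explorer\Run
    ("bho",             re.compile(r"\\Browser Helper Objects\\", re.I), True),
    ("service",         re.compile(r"\\Services\\[^\\]+", re.I), True),
    ("legacy_enum",     re.compile(r"\\Enum\\Root\\LEGACY_", re.I), False), # PnP record that a service of that name was started
    ("com_class",       re.compile(r"\\Classes\\CLSID\\", re.I), False),    # registration only; the BHO or Run entry is the loader
    ("ie_ext_stats",    re.compile(r"\\Ext\\Stats\\", re.I), False),
    ("uninstall_entry", re.compile(r"\\Uninstall\\", re.I), False),
]
CONTROLSET_RE = re.compile(r"\\SYSTEM\\ControlSet\d{3}\\", re.I)

# Sample input: lines copied from the report above, plus its final process line,
# which is not a registry finding and must be skipped.
SAMPLE_REPORT = r"""
Trojan.Mailskinner HKCU\Software\Microsoft\Windows\CurrentVersion\Run##MailSkinner High
Virtumonde HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\jkkli##DllName Elevated
Virtumonde HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F8917B2A-5FEE-431D-A680-96F8C34E427D} Elevated
Network Monitor HKLM\SYSTEM\ControlSet003\Services\Network Monitor##ImagePath High
Network Monitor HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor##ImagePath High
I-Search Desktop Search Toolbar HKLM\SYSTEM\ControlSet003\Enum\Root\LEGACY_CMDSERVICE\0000##Service Elevated
Common Components Unrelated HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run##svchost.exe Medium
WinFixer HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A}\iexplore## Elevated
Virtumonde iexplore.exe (C:\WINDOWS\system32\jkkli.dll)
"""

@dataclass(frozen=True)
class Finding:
    threat: str
    path: str
    value: Optional[str]  # None: the key itself; "": the key's default value
    severity: str
    mechanism: str
    active: bool

def classify(path: str):
    for name, pattern, active in MECHANISMS:
        if pattern.search(path):
            return name, active
    return "other", False

def normalize_path(path: str) -> str:
    # Fold ControlSet00N copies onto CurrentControlSet so one service is counted once.
    return CONTROLSET_RE.sub(r"\\SYSTEM\\CurrentControlSet\\", path)

def parse_line(line: str) -> Optional[Finding]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    mechanism, active = classify(m["path"])
    return Finding(m["threat"], m["path"], m["value"], m["severity"], mechanism, active)

def parse_report(text: str) -> list:
    return [f for f in map(parse_line, text.splitlines()) if f is not None]

def summarize(findings) -> dict:
    # Per threat: worst severity, mechanisms seen, distinct loader entries to remove.
    out = {}
    for f in findings:
        s = out.setdefault(f.threat, {"severity": "Low", "mechanisms": set(), "loaders": set()})
        if SEVERITY_ORDER[f.severity] > SEVERITY_ORDER[s["severity"]]:
            s["severity"] = f.severity
        s["mechanisms"].add(f.mechanism)
        if f.active:
            s["loaders"].add(normalize_path(f.path) + ("##" + f.value if f.value else ""))
    return out

def triage_order(findings) -> list:
    # Threats that still have a live loader first, then by severity, then by name.
    s = summarize(findings)
    return sorted(s, key=lambda t: (not s[t]["loaders"], -SEVERITY_ORDER[s[t]["severity"]], t))

if __name__ == "__main__":
    fs = parse_report(SAMPLE_REPORT)
    for threat in triage_order(fs):
        s = summarize(fs)[threat]
        print(f"{threat:32} {s['severity']:9} {sorted(s['mechanisms'])} loaders={sorted(s['loaders'])}")
```

Running it lists the threats that still have a live loader first (the two High-severity ones, then Virtumonde and the policies\Explorer\Run entry), folds the ControlSet00N copies of the same service into one entry, and shows the Ext\Stats and LEGACY_ records as mechanisms but not as loaders. The filters are plain regular expressions, so a report from another scanner with the same shape only needs LINE_RE adjusted.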
Old 02-11-2007, 08:26 AM   #2 (permalink)
Moderator/ Rangemaster TSF Academy; Analyst, Security Team; Oor Wullie; TSF Surgeon and Resident Comic
 
Glaswegian
 
Join Date: Sep 2005
Location: Glasgow
Posts: 23,940
OS: Win XP Pro SP3 / Win 7 RC

Hi and welcome to TSF.

Let's see if we can restore a bit of normality first, then we'll tackle the rest.


Firstly, let's reset System Restore, so that we have something to fall back on, just in case.

To turn off System Restore, click Start > right-click My Computer > Properties. Click the System Restore tab and check "Turn off System Restore" or "Turn off System Restore on all drives". Click Apply. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this, then click OK.

To turn System Restore back on, click Start, right-click My Computer, and then click Properties. Click the System Restore tab. Uncheck "Turn off System Restore" or "Turn off System Restore on all drives". Click Apply, and then OK.

This will create a new Restore Point.



This tool should be run in Normal Mode - it's very simple and fairly quick - just follow the instructions.


Please download combofix.exe to your desktop.

IMPORTANT - You must place combofix on your desktop!!


Double click combofix.exe & follow the prompts.

When finished, the tool will produce a log for you at c:\combofix.txt. Post that log in your next reply.

Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.



One of your infections is hiding and we need to make it visible. So, before producing your next HijackThis Log, please follow these instructions:

I'd like you to rename HijackThis.exe (the actual .exe file itself) to glasgow.exe.
  • Navigate to C:\hjt\HijackThis.exe (or wherever HJT is located - if it's in a Temp file then move it)
  • Right click on HijackThis.exe
  • Select 'Rename'
  • Type in glasgow.exe
  • Press Enter.

Now run a scan and save a log as normal.


Please post back with c:\combofix.txt and a fresh, renamed HijackThis log.
__________________
Iain - Defender of the Haggis and all things Scottish.
I don't help by PM - post in the Forums.
Old 02-18-2007, 11:39 AM   #3 (permalink)
Registered User
 
Join Date: Feb 2007
Posts: 13
OS: Windows XP Professional


Sorry it's taken me so long to reply, the virus completely took over my internet settings to where I haven't been able to even get online. I got Norton Anti Virus installed and it got rid of many of the viruses, but I guess they've taken over the registry to where they reload upon restart and now I can't even get a system scan completed with Norton. Also, I tried to run combo fix and this is the message I got:

"The tool, ComboFix has been temporarily withdrawn.

The author discovered a rootkit infection that will interfere with ComboFix's running.

This will cause Combofix to be UNSAFE FOR USE on your machine.

Even if you manage to find a mirror for the tool, PLEASE DO NOT RUN THIS TOOL

Apologies for any inconvenience caused"

Any other suggestions?

The viruses that I think cause the most problems are:

Trojan.Peacom
Trojan.vundo
and the w32blacmal

Thanks!
Christine
Old 02-18-2007, 12:33 PM   #4 (permalink)
Moderator/ Rangemaster TSF Academy; Analyst, Security Team; Oor Wullie; TSF Surgeon and Resident Comic
 
Glaswegian
 
Join Date: Sep 2005
Location: Glasgow
Posts: 23,940
OS: Win XP Pro SP3 / Win 7 RC

My System

Blog Entries: 10
Send a message via MSN to Glaswegian
Hi again

Sorry – it’s been a while since I posted to you so I’d assumed that you would have downloaded combofix already. Never mind – back to basics!

Firstly, I need a renamed HijackThis Log – then we can get to work. See my earlier post for instructions.
Old 02-18-2007, 01:49 PM   #5 (permalink)
Registered User
 
Join Date: Feb 2007
Posts: 13
OS: Windows XP Professional


Here we go!:

Logfile of HijackThis v1.99.1
Scan saved at 3:47:35 PM, on 2/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\GENERIC\Power4 Gear\BatteryLife.exe
C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\1XConfig.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Kyle Hicks\Desktop\hijackthis\Glasgow.exe

O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Power_Gear] C:\Program Files\GENERIC\Power4 Gear\BatteryLife.exe 1
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: McAfee Wi-FiScan - http://download.mcafee.com/molbin/is...cannerCtrl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by107w.bay107.mail.live.com/m...s/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\S3lsZSAgSGlja3M\command.exe (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing)
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
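The log above is the kind of thing an analyst reads by eye: the two services marked "Unknown owner" and "(file missing)", the Winlogon Notify and BHO entries that the earlier fixes removed, and the odd service folder C:\WINDOWS\S3lsZSAgSGlja3M. Below is an added example, written for this page and not part of the thread or of HijackThis, ComboScan or any other tool named here, that turns those eyeball checks into rules and runs them over a handful of lines copied from the log in this post. The rule set, the heuristics and every function name are the example's own; the base64 check shows that the service folder name decodes to the logged-in user's name, which is how the code, not the thread, identifies that folder as suspicious.

```python
"""Added example: rule-based triage of HijackThis 1.99 log entries.

Not part of the thread or of HijackThis/ComboScan; the rules and names below
are the example's own. It applies the checks an analyst does by eye: services
with no vendor string, entries whose file has vanished, Winlogon Notify hooks,
nameless BHOs, and executable paths that hide in an NTFS alternate data stream
or in a directory whose name is base64 text.
"""
from __future__ import annotations

import base64
import re
from dataclasses import dataclass, field

# Lines copied from the HijackThis log posted above (a handful of entries,
# not the whole log), used here as the sample input.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\S3lsZSAgSGlja3M\command.exe (file missing)
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing)
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O20 - Winlogon Notify: mszsrn32 - C:\WINDOWS\system32\mszsrn32.dll
O2 - BHO: (no name) - {CED2991B-0BCA-4D9D-ADDC-2C789D7C16A1} - C:\WINDOWS\system32\yaywuvv.dll (file missing)
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
# First Windows path ending in an executable/DLL/driver extension; quotes optional.
PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"]+?\.(?:exe|dll|sys|com))"?', re.IGNORECASE)
B64_RE = re.compile(r"[A-Za-z0-9+/]{8,}={0,2}")
NT_PREFIX = "\\??\\"   # driver entries are logged as NT object paths, \??\C:\...


@dataclass
class Finding:
    kind: str                 # HijackThis section, e.g. O23
    entry: str                # the line as logged
    path: str | None          # executable the entry points at, if one was found
    reasons: list[str] = field(default_factory=list)


def decode_base64_name(name: str) -> str | None:
    """Return the decoded text if `name` is base64 for printable ASCII, else None.

    Heuristic: ordinary directory names such as 'system32' or 'Symantec' are
    made of base64 alphabet characters too, but decode to non-printable bytes.
    """
    if not B64_RE.fullmatch(name):
        return None
    try:
        raw = base64.b64decode(name + "=" * (-len(name) % 4), validate=True)
    except ValueError:
        return None
    if raw and all(32 <= b < 127 for b in raw):
        return raw.decode("ascii")
    return None


def path_reasons(path: str) -> list[str]:
    """Reasons the executable path itself looks hostile, whatever the entry type."""
    reasons: list[str] = []
    plain = path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path
    if ":" in plain[2:]:  # a colon after the drive letter means an alternate data stream
        reasons.append("loads from an NTFS alternate data stream")
    for directory in plain.split("\\")[1:-1]:
        decoded = decode_base64_name(directory)
        if decoded is not None:
            reasons.append(f"directory {directory!r} is base64 for {decoded!r}")
    return reasons


def entry_reasons(kind: str, body: str, path: str | None) -> list[str]:
    """Combine path checks with the per-section rules an analyst applies."""
    reasons = path_reasons(path) if path else []
    if "(file missing)" in body:
        reasons.append("registered file is gone (remnant, or a loader that deleted itself)")
    if kind == "O23" and "Unknown owner" in body:
        reasons.append("service binary carries no company/vendor string")
    if kind == "O20":
        reasons.append("Winlogon Notify DLL is loaded into winlogon.exe at every logon")
    if kind == "O2" and "(no name)" in body:
        reasons.append("browser helper object registered without a name")
    return reasons


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per log entry that trips at least one rule."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        kind, body = m.groups()
        pm = PATH_RE.search(body)
        path = pm.group(1) if pm else None
        reasons = entry_reasons(kind, body, path)
        if reasons:
            findings.append(Finding(kind, line.strip(), path, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind}: {f.path}")
        for r in f.reasons:
            print(f"    - {r}")
```

On the sample lines it flags four entries (cmdService, MsaSvc, the mszsrn32 Winlogon hook and the nameless BHO) and leaves the Symantec, Synaptics-style and ctfmon entries alone. The same path check also fires on a driver registered as `\??\C:\WINDOWS\system32:huy32.sys`, the form that appears in the ComboScan driver list further down this thread: a `.sys` file stored in an alternate data stream of the system32 directory is invisible to a plain directory listing. The base64 test is a heuristic and should be read as a prompt to look, not a verdict.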
Old 02-18-2007, 02:07 PM   #6 (permalink)
Moderator/ Rangemaster TSF Academy; Analyst, Security Team; Oor Wullie; TSF Surgeon and Resident Comic
Join Date: Sep 2005
Location: Glasgow
Posts: 23,940
OS: Win XP Pro SP3 / Win 7 RC

Hi again

You may wish to Subscribe to this thread (Thread Tools > Subscribe to this thread) so that you are notified when you receive a reply.

Please read these instructions carefully and then print out or copy this page to Notepad in order to assist you when carrying out the fix. You should not have any open browsers or live internet connections when you are following the procedures below.

Note that the fix may take several posts. Please continue to respond to my instructions until I confirm that your system is clean. Remember that although your symptoms may vanish, this does NOT mean that your system is clean.


Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.
  • Please post the contents of C:\vundofix.txt.



Download ComboScan to your Desktop.
  1. Close all applications and windows.
  2. Double-click on comboscan.exe to run it, and follow the prompts.
  3. When the scan is complete, a text file will open - ComboScan.txt
  4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of ComboScan.txt back in this thread (do not attach it).
  5. A folder, C:\ComboScan, will also open. In it will be another text file, Supplementary.txt.
  6. Please attach Supplementary.txt to your post.

Note: some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so.


To attach a file to a new post, simply
  1. Click the [Manage Attachments] button under Additional Options > Attach Files on the post composition page, and
  2. copy and paste the following into the "Upload File from your Computer" box:
    C:\ComboScan\Supplementary.txt
  3. Click Upload.



Please reply with c:\vundo.txt, Comboscan.txt and attach the Supplementary file.
Old 02-18-2007, 03:45 PM   #7 (permalink)
Registered User
 
Join Date: Feb 2007
Posts: 13
OS: Windows XP Professional


c:\vundo.txt, Comboscan.txt and Supplementary file

I downloaded VundoFix to my desktop, but my computer would not let me run it. The error signature is as follows:

AppName: vundofix.exe AppVer: 6.3.0.6 ModName: unknown
ModVer: 0.0.0.0 Offset: 0032083d

I went ahead and downloaded the Vundo fix from Symantec; here is the result:

Symantec Trojan.Vundo Removal Tool 1.5.0
The process "iexplore.exe" might be affected by the threat. It has been suspended.
The process "iexplore.exe" might be affected by the threat. It has been suspended.
The process "iexplore.exe" might be affected by the threat. It has been terminated.
The process "iexplore.exe" might be affected by the threat. It has been terminated.

C:\System Volume Information: (not scanned)

Trojan.Vundo has been successfully removed from your computer!

Here is the report:

The total number of the scanned files: 41471
The number of deleted files: 0
The number of viral processes terminated: 2
The number of viral processes suspended: 2
The number of viral threads terminated: 0
The number of registry entries fixed: 0


Here is the combo scan result:

Combo Scan:

ComboScan v20070212.14 run by Kyle Hicks on 2007-02-18 at 17:35:32
Computer is in Normal Mode.
--------------------------------------------------------------------------------

System Restore was disabled; re-enabling.
Failed to create restore point: System Restore is disabled (service is not running).
Performed disk cleanup.


-- HijackThis log (run as Kyle Hicks.com) --------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 5:36:11 PM, on 2/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\GENERIC\Power4 Gear\BatteryLife.exe
C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\1XConfig.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Kyle Hicks\Desktop\comboscan.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\DOCUME~1\KYLEHI~1\LOCALS~1\Temp\~hpckopa.tmp\Kyle Hicks.com

O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Power_Gear] C:\Program Files\GENERIC\Power4 Gear\BatteryLife.exe 1
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: McAfee Wi-FiScan - http://download.mcafee.com/molbin/is...cannerCtrl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by107w.bay107.mail.live.com/m...s/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\S3lsZSAgSGlja3M\command.exe (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing)
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


-- HijackThis Fixed Entries (C:\Documents and Settings\Kyle Hicks\Desktop\hijackthis\backups\) --------------------------------------------------------------------------------

backup-20070204-174850-105 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
backup-20070204-174850-176 O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust Anti-Spam\QSP-4.0.380.0\QOELoader.exe"
backup-20070204-174850-710 O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll (file missing)
backup-20070204-174850-865 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
backup-20070204-174850-887 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...ch/search.html
backup-20070204-174850-900 O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (file missing)
backup-20070204-174850-907 O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
backup-20070204-174850-977 O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
backup-20070204-174851-282 O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
backup-20070204-174851-669 O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (file missing)
backup-20070204-174851-680 O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
backup-20070204-174851-986 O14 - IERESET.INF: START_PAGE_URL=http://my.netzero.net/s/sp
backup-20070217-014137-302 O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
backup-20070217-014137-362 O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
backup-20070217-014138-121 O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll (file missing)
backup-20070217-014138-125 O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
backup-20070217-014138-370 O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
backup-20070217-014138-377 O2 - BHO: (no name) - {CED2991B-0BCA-4D9D-ADDC-2C789D7C16A1} - C:\WINDOWS\system32\yaywuvv.dll (file missing)
backup-20070217-014138-435 O20 - Winlogon Notify: jkkli - C:\WINDOWS\system32\jkkli.dll (file missing)
backup-20070217-014138-535 O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
backup-20070217-014138-572 O20 - Winlogon Notify: mszsrn32 - C:\WINDOWS\system32\mszsrn32.dll
backup-20070217-014138-608 O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
backup-20070217-014138-708 O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll (file missing)
backup-20070217-014138-758 O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
backup-20070217-014138-862 O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
backup-20070217-014138-936 O2 - BHO: (no name) - {9B98D3DF-405C-4F33-8D49-587DEAAAE75B} - C:\WINDOWS\system32\jkkli.dll (file missing)
backup-20070217-014138-965 O2 - BHO: (no name) - {68D5CF1D-EC5C-4bdd-A9EF-F0E517565D50} - C:\WINDOWS\system32\livwgchk.dll (file missing)
backup-20070217-014139-636 O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing)
backup-20070217-014139-700 O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
backup-20070217-014139-971 O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
backup-20070217-014139-993 O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000272 (file missing)
backup-20070217-014334-546 R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
backup-20070217-014408-117 R3 - Default URLSearchHook is missing
backup-20070217-014408-764 R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
backup-20070217-014408-882 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
backup-20070217-014408-931 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
backup-20070217-014601-541 O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
backup-20070217-014705-675 O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
backup-20070217-014738-664 O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
backup-20070217-014738-777 O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
backup-20070217-014738-958 O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
backup-20070217-014839-256 O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe (file missing)
backup-20070217-014902-337 O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
backup-20070217-014912-436 O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe


-- File Associations ------------------------------------------------------------

.bat - batfile - "%1" %*
.chm - chm.file - "C:\WINDOWS\hh.exe" %1
.com - comfile - "%1" %*
.exe - exefile - "%1" %*
.hlp - hlpfile - %SystemRoot%\System32\winhlp32.exe %1
.inf - inffile - %SystemRoot%\System32\NOTEPAD.EXE %1
.ini - inifile - %SystemRoot%\System32\NOTEPAD.EXE %1
.js - JSFile - %SystemRoot%\System32\WScript.exe "%1" %*
.lnk - lnkfile - {00021401-0000-0000-C000-000000000046}
.pif - piffile - "%1" %*
.reg - regfile - regedit.exe "%1"
.scr - scrfile - "%1" /S
.txt - txtfile - %SystemRoot%\system32\NOTEPAD.EXE %1
.vbs - VBSFile - %SystemRoot%\System32\WScript.exe "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ----------------------

0 ACPIEC (Microsoft Embedded Controller Driver) - system32\DRIVERS\ACPIEC.sys
2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.0.0.5) - system32\DRIVERS\AegisP.sys
3 ALCXSENS (Service for WDM 3D Audio Driver) - system32\drivers\ALCXSENS.SYS
3 ALCXWDM (Service for Realtek AC97 Audio (WDM)) - system32\drivers\ALCXWDM.SYS
3 Arp1394 (1394 ARP Client Protocol) - system32\DRIVERS\arp1394.sys
3 ATKXPDisplayName - system32\DRIVERS\ATKACPI.sys
3 Cam5603C (BisonCam, USB2.0) - System32\Drivers\Bs350u2.sys
3 CCDECODE (Closed Caption Decoder) - system32\DRIVERS\CCDECODE.sys
1 eeCtrl (Symantec Eraser Control driver) - \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
3 EraserUtilRebootDrv - \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
3 gv3 (Intel GV3 Processor Driver) - system32\DRIVERS\gv3.sys
3 HidUsb (Microsoft HID Class Driver) - system32\DRIVERS\hidusb.sys
3 HPZid412 (IEEE-1284.4 Driver HPZid412) - system32\DRIVERS\HPZid412.sys
3 HPZipr12 (Print Class Driver for IEEE-1284.4 HPZipr12) - system32\DRIVERS\HPZipr12.sys
3 HPZius12 (USB to IEEE-1284.4 Translation Driver HPZius12) - system32\DRIVERS\HPZius12.sys
3 HSFHWICH - system32\DRIVERS\HSFHWICH.sys
3 HSF_DP - system32\DRIVERS\HSF_DP.sys
1 huy32 (Win23 lzx files loader) - \??\C:\WINDOWS\system32:huy32.sys
3 ialm - system32\DRIVERS\ialmnt5.sys
1 ikhfile (File Security Kernel Anti-Spyware Driver) - system32\drivers\ikhfile.sys
1 ikhlayer (Kernel Anti-Spyware Driver) - system32\drivers\ikhlayer.sys
1 intelppm (Intel Processor Driver) - system32\DRIVERS\intelppm.sys
2 irda (IrDA Protocol) - system32\DRIVERS\irda.sys
3 irsir (Microsoft Serial Infrared Driver) - system32\DRIVERS\irsir.sys
4 mchInjDrv - \??\C:\WINDOWS\TEMP\mc21.tmp
2 mdmxsdk - system32\DRIVERS\mdmxsdk.sys
3 mouhid (Mouse HID Driver) - system32\DRIVERS\mouhid.sys
3 MSTEE (Microsoft Streaming Tee/Sink-to-Sink Converter) - system32\drivers\MSTEE.sys
3 NABTSFEC (NABTS/FEC VBI Codec) - system32\DRIVERS\NABTSFEC.sys
3 NAVENG - \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20070218.016\NAVENG.Sys
3 NAVEX15 - \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20070218.016\NavEx15.Sys
3 NdisIP (Microsoft TV/Video Connection) - system32\DRIVERS\NdisIP.sys
3 NIC1394 (1394 Net Driver) - system32\DRIVERS\nic1394.sys
3 nm (Network Monitor Driver) - system32\DRIVERS\NMnt.sys
2 NwlnkIpx (NWLink IPX/SPX/NetBIOS Compatible Transport Protocol) - system32\DRIVERS\nwlnkipx.sys
2 NwlnkNb (NWLink NetBIOS) - system32\DRIVERS\nwlnknb.sys
2 NwlnkSpx (NWLink SPX/SPXII Protocol) - system32\DRIVERS\nwlnkspx.sys
3 NWRDR (NetWare Rdr) - system32\DRIVERS\nwrdr.sys
0 ohci1394 (OHCI Compliant IEEE 1394 Host Controller) - system32\DRIVERS\ohci1394.sys
0 PCIIde - system32\DRIVERS\pciide.sys
0 Pcmcia - system32\DRIVERS\pcmcia.sys
3 Rasirda (WAN Miniport (IrDA)) - system32\DRIVERS\rasirda.sys
3 RIOUNIV (Rio universal USB driver) - System32\Drivers\RIOUNIV.sys
3 RTL8023xp (Realtek RTL8139/810x/8169/8110 all in one NDIS XP Driver) - system32\DRIVERS\Rtlnicxp.sys
3 rtl8139 (Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver) - system32\DRIVERS\RTL8139.SYS
2 s24trans (WLAN Transport) - system32\DRIVERS\s24trans.sys
1 SAVRT - \??\C:\Program Files\Norton AntiVirus\SAVRT.SYS
1 SAVRTPEL - \??\C:\Program Files\Norton AntiVirus\SAVRTPEL.SYS
3 Sfloppy (High-Capacity Floppy Disk Drive) - system32\DRIVERS\sfloppy.sys
3 SLIP (BDA Slip De-Framer) - system32\DRIVERS\SLIP.sys
1 SPBBCDrv - \??\C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys
3 StillCam (Still Serial Digital Camera Driver) - system32\DRIVERS\serscan.sys
3 streamip (BDA IPSink) - system32\DRIVERS\StreamIP.sys
3 SYMDNS - \SystemRoot\System32\Drivers\SYMDNS.SYS
3 SymEvent - \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
3 SYMFW - \SystemRoot\System32\Drivers\SYMFW.SYS
3 SYMIDS - \SystemRoot\System32\Drivers\SYMIDS.SYS
3 SYMIDSCO - \??\C:\PROGRA~1\COMMON~1\SYMANT~1\SymcData\IDS-DI~1\20070214.003\symidsco.sys
2 symlcbrd - \??\C:\WINDOWS\system32\drivers\symlcbrd.sys
3 SYMNDIS - \SystemRoot\System32\Drivers\SYMNDIS.SYS
3 SYMREDRV - \SystemRoot\System32\Drivers\SYMREDRV.SYS
1 SYMTDI - \SystemRoot\System32\Drivers\SYMTDI.SYS
3 SynTP (Synaptics TouchPad Driver) - system32\DRIVERS\SynTP.sys
3 usbccgp (Microsoft USB Generic Parent Driver) - system32\DRIVERS\usbccgp.sys
3 usbehci (Microsoft USB 2.0 Enhanced Host Controller Miniport Driver) - system32\DRIVERS\usbehci.sys
3 usbprint (Microsoft USB PRINTER Class) - system32\DRIVERS\usbprint.sys
3 usbscan (USB Scanner Driver) - system32\DRIVERS\usbscan.sys
3 USBSTOR (USB Mass Storage Driver) - system32\DRIVERS\USBSTOR.SYS
3 Video3D (ASUS Video3D Service) - System32\Drivers\Video3D.sys
3 w22n51 (Intel(R) PRO/Wireless 2200 Adapter Driver for Windows XP) - system32\DRIVERS\w22n51.sys
3 winachsf - system32\DRIVERS\HSF_CNXT.sys
3 WSTCODEC (World Standard Teletext Codec) - system32\DRIVERS\WSTCODEC.SYS


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

4 Adobe LM Service - "C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe"
3 aspnet_state (ASP.NET State Service) - %SystemRoot%\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe
2 Automatic LiveUpdate Scheduler - "C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe"
2 ccEvtMgr (Symantec Event Manager) - "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
2 ccSetMgr (Symantec Settings Manager) - "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
2 cmdService (Command Service) - C:\WINDOWS\S3lsZSAgSGlja3M\command.exe
4 COM+ Messages - "C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000272
2 Irmon (Infrared Monitor) - %SystemRoot%\system32\svchost.exe -k netsvcs
3 LiveUpdate - "C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE"
2 MDM (Machine Debug Manager) - "C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"
2 MsaSvc (Microsoft authenticate service) - C:\WINDOWS\system32\msasvc.exe
2 navapsvc (Norton AntiVirus Auto-Protect Service) - "C:\Program Files\Norton AntiVirus\navapsvc.exe"
4 Network Monitor - C:\Program Files\Network Monitor\netmon.exe service
2 NPFMntor (Norton AntiVirus Firewall Monitor Service) - "C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe"
3 NSCService (Norton Protection Center Service) - "C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE"
2 NWCWorkstation (Client Service for NetWare) - %SystemRoot%\system32\svchost.exe -k netsvcs
3 ose (Office Source Engine) - "C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
4 Pml Driver HPZ12 - C:\WINDOWS\system32\HPZipm12.exe
4 RegSrvc - C:\WINDOWS\system32\RegSrvc.exe
2 S24EventMonitor (Spectrum24 Event Monitor) - C:\WINDOWS\system32\S24EvMon.exe
3 SAVScan (Symantec AVScan) - "C:\Program Files\Norton AntiVirus\SAVScan.exe"
2 SDhelper (PC Tools Spyware Doctor) - C:\Program Files\Spyware Doctor\sdhelp.exe
2 SNDSrvc (Symantec Network Drivers Service) - "C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe"
2 SPBBCSvc - "C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe"
2 Symantec Core LC - "C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe"
2 UMWdf (Windows User Mode Driver Framework) - C:\WINDOWS\system32\wdfmgr.exe


-- Scheduled Tasks --------------------------------------------------------------

2007-02-14 09:40:08 542 --a------ C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Kyle Hicks.job<NORTON~1.JOB>


-- Files created between 2007-01-18 and 2007-02-18 ------------------------------

2007-02-18 15:03:31 0 d-------- C:\WINDOWS\LastGood
2007-02-14 17:14:03 1046592 ---hs---- C:\WINDOWS\system32\ilkkj.ini2<ILKKJ~1.INI>
2007-02-14 11:58:16 23040 --a------ C:\WINDOWS\system32\mszsrn32.dll<Unsigned: n/a>
2007-02-14 09:37:54 0 d-------- C:\Documents and Settings\Kyle Hicks\Application Data\Symantec
2007-02-14 09:27:52 0 d-------- C:\Program Files\Norton AntiVirus<NORTON~1>
2007-02-14 09:27:22 10344 --a------ C:\WINDOWS\system32\drivers\symlcbrd.sys<Signed: Symantec Corporation>
2007-02-14 09:27:11 48776 --a------ C:\WINDOWS\system32\S32EVNT1.DLL<Signed: Symantec Corporation>
2007-02-14 09:27:11 115000 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS<Signed: Symantec Corporation>
2007-02-14 09:26:21 0 d-------- C:\Program Files\Symantec
2007-02-14 09:26:07 0 d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2007-02-14 09:25:57 0 d-------- C:\Program Files\Common Files\Symantec Shared<SYMANT~1>
2007-02-12 15:42:26 86016 --a------ C:\WINDOWS\unvise32.exe<Unsigned: MindVision Software>
2007-02-12 15:41:52 0 d-------- C:\Program Files\The Princeton Review<THEPRI~1>
2007-02-09 16:19:41 0 d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2007-02-09 16:19:35 30592 --a------ C:\WINDOWS\system32\drivers\ikhfile.sys<Unsigned: PCTools Research Pty Ltd.>
2007-02-09 16:19:33 51072 --a------ C:\WINDOWS\system32\drivers\ikhlayer.sys<Unsigned: PCTools Research Pty Ltd.>
2007-02-09 16:18:48 0 d-------- C:\Program Files\Spyware Doctor<SPYWAR~1>
2007-02-09 16:18:48 0 d-------- C:\Documents and Settings\Kyle Hicks\Application Data\PC Tools<PCTOOL~1>
2007-02-08 2055 0 d-------- C:\WINDOWS\BDOSCAN8
2007-02-08 00:12:48 0 d-------- C:\WINDOWS\SxsCaPendDel<SXSCAP~1>
2007-02-07 23:27:08 9136 --a------ C:\WINDOWS\system\INETWH16.DLL<Unsigned: n/a>
2007-02-07 23:27:07 177216 --a------ C:\WINDOWS\system\TYPELIB.DLL<Unsigned: Microsoft Corporation>
2007-02-07 23:27:07 14128 --a------ C:\WINDOWS\system\TOOLHELP.DLL<Unsigned: Microsoft Corporation>
2007-02-07 23:27:07 157696 --a------ C:\WINDOWS\system\STORAGE.DLL<Unsigned: n/a>
2007-02-07 23:27:04 51712 --a------ C:\WINDOWS\system\OLE2PROX.DLL<Unsigned: Microsoft Corporation>
2007-02-07 23:27:02 164832 --a------ C:\WINDOWS\system\OLE2DISP.DLL<Unsigned: Microsoft Corporation>
2007-02-07 23:27:02 57328 --a------ C:\WINDOWS\system\OLE2CONV.DLL<Unsigned: Microsoft Corporation>
2007-02-07 23:27:02 27026 --a------ C:\WINDOWS\system\OLE2.REG
2007-02-07 23:27:01 302592 --a------ C:\WINDOWS\system\OLE2.DLL<Unsigned: Microsoft Corporation>
2007-02-07 23:27:01 146976 --a------ C:\WINDOWS\system\MFCOLEUI.DLL<Unsigned: Microsoft Corporation>
2007-02-07 23:27:00 125856 --a------ C:\WINDOWS\system\MFCO250.DLL<Unsigned: Microsoft Corporation>
2007-02-07 23:26:59 322384 --a------ C:\WINDOWS\system\MFC250.DLL<Unsigned: Microsoft Corporation>
2007-02-07 23:26:59 36864 --a------ C:\WINDOWS\system\DDEML.DLL<Unsigned: Microsoft Corporation>
2007-02-07 23:26:58 108544 --a------ C:\WINDOWS\system\COMPOBJ.DLL<Unsigned: Microsoft Corporation>
2007-02-07 23:26:57 150976 --a------ C:\WINDOWS\system\OLE2NLS.DLL<Unsigned: Microsoft Corporation>
2007-02-07 23:26:15 0 d-------- C:\Program Files\ETS
2007-02-07 11:37:31 0 d-------- C:\Program Files\RegistryCleaner<REGIST~1>
2007-02-07 11:37:28 620129 --a------ C:\WINDOWS\system32\RegistryCleanerSetup.exe<REGIST~1.EXE><Unsigned: n/a>
2007-02-05 08:40:37 3408 --a------ C:\WINDOWS\system32\tmp.reg
2007-02-04 17:11:47 79360 --a------ C:\WINDOWS\system32\swxcacls.exe<Unsigned: SteelWerX>
2007-02-04 17:11:46 40960 --a------ C:\WINDOWS\system32\swsc.exe<Unsigned: n/a>
2007-02-04 17:11:46 135168 --a------ C:\WINDOWS\system32\swreg.exe<Unsigned: SteelWerX>
2007-02-04 17:11:46 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe<Unsigned: S!Ri>
2007-02-04 17:11:46 53248 --a------ C:\WINDOWS\system32\Process.exe<Unsigned: http://www.beyondlogic.org>
2007-02-04 17:11:46 51200 --a------ C:\WINDOWS\system32\dumphive.exe<Unsigned: n/a>
2007-02-04 13:15:49 0 d--hs---- C:\found.000
2007-02-03 18:54:46 0 d-------- C:\Documents and Settings\Kyle Hicks\Application Data\Google
2007-02-03 18:54:46 0 d-------- C:\Documents and Settings\Friend\Application Data\Google
2007-02-03 18:54:46 0 d-------- C:\Documents and Settings\All Users\Application Data\Google
2007-02-02 18:12:30 7864320 -----n--- C:\Documents and Settings\Kyle Hicks\ntuser.dat
2007-01-30 14:53:46 0 d-------- C:\WINDOWS\Registration<REGIST~1>
2007-01-30 12:33:53 0 d-------- C:\Documents and Settings\Kyle Hicks\Application Data\Uniblue
2007-01-29 17:01:49 1027762 ---hs---- C:\WINDOWS\system32\ilkkj.bak2<ILKKJ~2.BAK>
2007-01-28 17:41:08 0 d-------- C:\Documents and Settings\Kyle Hicks\Application Data\AVG7
2007-01-28 17:40:18 0 d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-01-28 17:32:44 0 d-------- C:\Program Files\Grisoft
2007-01-28 17:20:18 0 d-------- C:\Documents and Settings\LocalService\Application Data\NetMon
2007-01-28 17:20:10 0 d--hs---- C:\WINDOWS\S3lsZSAgSGlja3M<S3LSZS~1>
2007-01-28 17:01:39 1010437 ---hs---- C:\WINDOWS\system32\ilkkj.bak1<ILKKJ~1.BAK>
2007-01-28 11:45:04 0 d-------- C:\Documents and Settings\All Users\Application Data\WinZip
2007-01-26 02:53:27 1351680 --a------ C:\WINDOWS\system32\RIOWMSP.DLL<Unsigned: Digital Networks North America, Inc.>
2007-01-26 02:47:37 16128 --a------ C:\WINDOWS\system32\drivers\RIOUNIV.SYS<Signed: Digital Networks North America, Inc.>
2007-01-26 02:47:37 0 d-------- C:\RioDrivers<RIODRI~1>
2007-01-25 23:26:21 0 d-------- C:\Program Files\Real
2007-01-25 23:26:21 0 d-------- C:\Program Files\Common Files\Real
2007-01-25 23:25:42 0 d-------- C:\Documents and Settings\Kyle Hicks\Application Data\Real
2007-01-25 09:28:41 0 d-------- C:\WINDOWS\system32\NtmsData
2007-01-24 02:42:32 69632 --a------ C:\WINDOWS\system32\lfgif13n.dll<Unsigned: LEAD Technologies, Inc.>
2007-01-24 02:42:31 462848 --a------ C:\WINDOWS\system32\ltkrn13n.dll<Unsigned: LEAD Technologies, Inc.>
2007-01-24 02:42:31 450560 --a------ C:\WINDOWS\system32\ltimg13n.dll<Unsigned: LEAD Technologies, Inc.>
2007-01-24 02:42:31 163840 --a------ C:\WINDOWS\system32\ltfil13n.dll<Unsigned: LEAD Technologies, Inc.>
2007-01-24 02:42:31 206336 --a------ C:\WINDOWS\system32\ltefx13n.dll<Unsigned: LEAD Technologies, Inc.>
2007-01-24 02:42:31 299008 --a------ C:\WINDOWS\system32\ltdis13n.dll<Unsigned: LEAD Technologies, Inc.>
2007-01-24 02:42:31 401408 --a------ C:\WINDOWS\system32\lfcmp13n.dll<Unsigned: LEAD Technologies, Inc.>
2007-01-24 02:42:31 57344 --a------ C:\WINDOWS\system32\lfbmp13n.dll<Unsigned: LEAD Technologies, Inc.>
2007-01-24 02:23:36 0 d-------- C:\Documents and Settings\Kyle Hicks\Application Data\WinRAR
2007-01-22 11:52:59 0 d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-01-22 11:44:22 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2007-01-19 12:05:05 1168 --a------ C:\WINDOWS\mozver.dat
2007-01-19 10:50:55 0 d-------- C:\WINDOWS\Sun
2007-01-19 10:50:54 0 d-------- C:\Documents and Settings\Kyle Hicks\Application Data\Sun


-- Find3M Report ----------------------------------------------------------------

2007-02-15 23:07:25 0 d-------- C:\Program Files\Mozilla Firefox<MOZILL~1>
2007-02-05 15:12:22 0 d-------- C:\Program Files\Common Files\Adobe
2007-01-30 15:00:32 0 d-------- C:\Documents and Settings\Kyle Hicks\Application Data\Adobe
2007-01-21 17:18:35 0 d-------- C:\Program Files\Yahoo!
2007-01-21 17:18:34 0 d-------- C:\Documents and Settings\Kyle Hicks\Application Data\Yahoo!
2007-01-21 17:17:16 0 d-------- C:\Program Files\GENERIC
2007-01-20 1839 0 d-------- C:\Documents and Settings\Kyle Hicks\Application Data\Lavasoft
2007-01-17 00:36:22 0 d-------- C:\Documents and Settings\Kyle Hicks\Application Data\Mozilla
2007-01-14 14:52:32 0 d-------- C:\Program Files\Online Services<ONLINE~1>
2007-01-14 12:07:09 0 d-------- C:\Program Files\QuickTime<QUICKT~1>


-- Registry Dump ----------------------------------------------------------------


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"Power_Gear"="C:\\Program Files\\GENERIC\\Power4 Gear\\BatteryLife.exe 1"
"PRONoMgr.exe"="C:\\Program Files\\Intel\\PROSetWireless\\NCS\\PROSet\\PRONoMgr.exe"
"SoundMan"="SOUNDMAN.EXE"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{CED2991B-0BCA-4D9D-ADDC-2C789D7C16A1}"=""

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="\"C:\\PROGRA~1\\COMMON~1\\MICROS~1\\DW\\dwtrig20.exe\" -t"
"Spyware Doctor"="\"C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="\"C:\\PROGRA~1\\COMMON~1\\MICROS~1\\DW\\dwtrig20.exe\" -t"
"Spyware Doctor"="\"C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0



-- End of ComboScan: finished at 2007-02-18 at 17:37:00 -------------------------

The supplementary file is attached. Thanks!
Christine
Attached Files
File Type: txt Supplementary.txt (7.6 KB, 1 views)
christinelydia is offline  
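For anyone working through a ComboScan listing like the one in the post above, here is an added example (it is not part of the original post and not a component of ComboScan, Norton or any other tool named in the thread) that parses those "date time size attrs path<tags>" lines and flags the three things an analyst would look at first: hidden+system files under C:\WINDOWS (the ilkkj.* entries), hidden+system directories with non-standard names (C:\WINDOWS\S3lsZSAgSGlja3M, whose name is base64), and unsigned binaries written into system32 by a publisher that is not on an allowlist. The sample lines are copied from the post; the publisher allowlist (TRUSTED_PUBLISHERS) and the "already quarantined" set (jkkli.dll, which Norton names as Trojan.Vundo in the next post) are assumptions constructed for the example. The reversed-name check reflects Vundo's habit of keeping its .ini/.bak companion files under the DLL's name spelled backwards, which is exactly the jkkli.dll / ilkkj.ini2 / ilkkj.bak1 / ilkkj.bak2 pairing visible in this thread.

```python
import base64
import re
from pathlib import PureWindowsPath

# Constructed sample in the ComboScan "new files" format from the post above:
#   date time size attrs path<SHORTNAME><Signed|Unsigned: publisher>   (tags optional)
SAMPLE_LOG = r"""
2007-02-14 17:14:03 1046592 ---hs---- C:\WINDOWS\system32\ilkkj.ini2<ILKKJ~1.INI>
2007-02-14 11:58:16 23040 --a------ C:\WINDOWS\system32\mszsrn32.dll<Unsigned: n/a>
2007-02-14 09:27:22 10344 --a------ C:\WINDOWS\system32\drivers\symlcbrd.sys<Signed: Symantec Corporation>
2007-02-04 17:11:46 53248 --a------ C:\WINDOWS\system32\Process.exe<Unsigned: http://www.beyondlogic.org>
2007-02-04 13:15:49 0 d--hs---- C:\found.000
2007-01-29 17:01:49 1027762 ---hs---- C:\WINDOWS\system32\ilkkj.bak2<ILKKJ~2.BAK>
2007-01-28 17:20:10 0 d--hs---- C:\WINDOWS\S3lsZSAgSGlja3M<S3LSZS~1>
2007-01-26 02:53:27 1351680 --a------ C:\WINDOWS\system32\RIOWMSP.DLL<Unsigned: Digital Networks North America, Inc.>
"""

# Assumption for the example: publishers the analyst has already vetted. SteelWerX, S!Ri and
# beyondlogic.org are the helper binaries the SmitfraudFix removal tool copies into system32.
TRUSTED_PUBLISHERS = {
    "Microsoft Corporation", "Symantec Corporation", "SteelWerX", "S!Ri",
    "http://www.beyondlogic.org", "Digital Networks North America, Inc.", "LEAD Technologies, Inc.",
}
# Assumption: names already known bad from another log (Norton quarantined jkkli.dll as Trojan.Vundo).
QUARANTINED = {"jkkli.dll"}
SYSTEM32 = PureWindowsPath(r"C:\WINDOWS\system32")

LINE_RE = re.compile(r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\S+) (?P<size>\d+) (?P<attrs>\S{9}) (?P<rest>.+)$")
TAG_RE = re.compile(r"<([^<>]*)>")


def parse_line(line):
    """Split one ComboScan file line into fields; returns None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    signer = None  # ("signed"|"unsigned", publisher) when a signature tag is present
    for tag in TAG_RE.findall(rest):
        kind, sep, who = tag.partition(": ")
        if sep and kind in ("Signed", "Unsigned"):
            signer = (kind.lower(), who)
    attrs = m.group("attrs")  # e.g. d--hs---- : d=directory, a=archive, h=hidden, s=system
    return {
        "date": m.group("date"), "size": int(m.group("size")),
        "is_dir": attrs[0] == "d", "hidden_system": "h" in attrs and "s" in attrs,
        "path": rest.split("<", 1)[0], "signer": signer,
    }


def maybe_base64_text(name, min_len=8):
    """Decode `name` as base64 if it yields printable ASCII (e.g. a username), else None."""
    if len(name) < min_len:
        return None
    try:
        raw = base64.b64decode(name + "=" * (-len(name) % 4), validate=True)
    except ValueError:  # binascii.Error is a ValueError: bad alphabet or bad padding
        return None
    return raw.decode("ascii") if raw and all(32 <= b < 127 for b in raw) else None


def triage(lines, quarantined=QUARANTINED, trusted=TRUSTED_PUBLISHERS):
    """Return [{'path': ..., 'reasons': [...]}] for entries worth a closer look."""
    # Vundo keeps its companions under the DLL name spelled backwards: jkkli.dll -> ilkkj.ini2/.bak1/.bak2
    reversed_stems = {PureWindowsPath(n).stem.lower()[::-1]: n for n in quarantined}
    findings = []
    for e in filter(None, map(parse_line, lines)):
        p, reasons = PureWindowsPath(e["path"]), []
        if e["hidden_system"] and e["is_dir"]:
            if p.parent == PureWindowsPath("C:\\") and p.name.lower().startswith("found."):
                continue  # chkdsk recovery folder: hidden+system by design
            reasons.append("hidden+system directory with a non-standard name")
            decoded = maybe_base64_text(p.name)
            if decoded:
                reasons.append(f"name is base64 for {decoded!r}")
        elif e["hidden_system"]:
            reasons.append("hidden+system file")
            if p.stem.lower() in reversed_stems:
                reasons.append(f"name is {reversed_stems[p.stem.lower()]} spelled backwards")
        elif (not e["is_dir"] and p.parent == SYSTEM32 and e["signer"]
              and e["signer"][0] == "unsigned" and e["signer"][1] not in trusted):
            reasons.append(f"unsigned binary in system32 from unvetted publisher {e['signer'][1]!r}")
        if reasons:
            findings.append({"path": e["path"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.strip().splitlines()):
        print(f["path"], "->", "; ".join(f["reasons"]))
```

Run against the sample it reports the two ilkkj.* files (each tied back to jkkli.dll), mszsrn32.dll (unsigned, publisher "n/a", created the same day as the Vundo activity in the Norton log) and the base64-named hidden directory, while the SmitfraudFix helpers, the Symantec driver and the Rio DLL stay quiet. The allowlist is the part that needs local judgement: an unsigned DLL from a real vendor is still unsigned, so the check only says which entries to spend time on, not which are clean.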
Old 02-18-2007, 04:19 PM   #8 (permalink)
Registered User
 
Join Date: Feb 2007
Posts: 13
OS: Windows XP Professional


Security Risks

I forgot I had a log of the threat risks Norton AntiVirus found a few days ago as well; I don't know if it'll help:

Category: Security risks
Date Time,Feature,Risk Name,Result,Item Type,Target,Suspicious Action,Virus Definition Version,Product Version,User Name,Computer Name,Details
2/14/2007 6:54:31 PM,Auto-Protect,W32.Banwarum@mm,Automatically deleted,File,N/A,N/A,200702140020,12.6.0.1,SYSTEM,KYLE,"Source: C:\WINDOWS\TEMP\E3BBD1F5.exe,Action taken: Automatically deleted"
2/14/2007 6:54:31 PM,Auto-Protect,W32.Banwarum@mm,Access denied,File,N/A,N/A,200702140020,12.6.0.1,SYSTEM,KYLE,"Source: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\F8TN4YOW\install[1].htm,Action taken: Repair failed,Action taken: Access denied"
2/14/2007 6:46:35 PM,Virus scanner,W32.Banwarum@mm,Repaired,File,N/A,N/A,200702140020,12.6.0.1,Kyle Hicks,KYLE,"Source: Manual Scanner,Risk category: Virus,Action taken: Repaired,Description: Affected areas: 1 Additional areas: Unknown - Deleted "
2/14/2007 6:43:19 PM,Auto-Protect,W32.Banwarum@mm,Automatically deleted,File,N/A,N/A,200702140020,12.6.0.1,SYSTEM,KYLE,"Source: C:\WINDOWS\TEMP\B3A5308C.exe,Action taken: Automatically deleted"
2/14/2007 6:43:19 PM,Auto-Protect,W32.Banwarum@mm,Access denied,File,N/A,N/A,200702140020,12.6.0.1,SYSTEM,KYLE,"Source: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\QWGWW3G7\install[1].htm,Action taken: Repair failed,Action taken: Access denied"
2/14/2007 6:38:38 PM,Virus scanner,W32.Banwarum@mm,Repaired,File,N/A,N/A,200702140020,12.6.0.1,Kyle Hicks,KYLE,"Source: Manual Scanner,Risk category: Virus,Action taken: Repaired,Description: Affected areas: 1 Additional areas: Unknown - Deleted "
2/14/2007 6:32:07 PM,Auto-Protect,W32.Banwarum@mm,Automatically deleted,File,N/A,N/A,200702140020,12.6.0.1,SYSTEM,KYLE,"Source: C:\WINDOWS\TEMP\802A9F51.exe,Action taken: Automatically deleted"
2/14/2007 6:32:07 PM,Auto-Protect,W32.Banwarum@mm,Access denied,File,N/A,N/A,200702140020,12.6.0.1,SYSTEM,KYLE,"Source: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\F8TN4YOW\install[1].htm,Action taken: Repair failed,Action taken: Access denied"
2/14/2007 6:21:07 PM,Virus scanner,W32.Banwarum@mm,Repaired,File,N/A,N/A,200702140020,12.6.0.1,Kyle Hicks,KYLE,"Source: Manual Scanner,Risk category: Virus,Action taken: Repaired,Description: Affected areas: 1 Additional areas: Unknown - Deleted "
2/14/2007 6:20:34 PM,Auto-Protect,W32.Banwarum@mm,Automatically deleted,File,N/A,N/A,200702140020,12.6.0.1,SYSTEM,KYLE,"Source: C:\WINDOWS\TEMP\872E2D17.exe,Action taken: Automatically deleted"
2/14/2007 6:20:34 PM,Auto-Protect,W32.Banwarum@mm,Access denied,File,N/A,N/A,200702140020,12.6.0.1,SYSTEM,KYLE,"Source: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\QWGWW3G7\install[1].htm,Action taken: Repair failed,Action taken: Access denied"
2/14/2007 6:18:12 PM,Virus scanner,W32.Banwarum@mm,Repaired,File,N/A,N/A,200702140020,12.6.0.1,Kyle Hicks,KYLE,"Source: Manual Scanner,Risk category: Virus,Action taken: Repaired,Description: Affected areas: 1 Additional areas: Unknown - Deleted "
2/14/2007 6:09:42 PM,Auto-Protect,W32.Banwarum@mm,Automatically deleted,File,N/A,N/A,200702140020,12.6.0.1,SYSTEM,KYLE,"Source: C:\WINDOWS\TEMP\EAAD0543.exe,Action taken: Automatically deleted"
2/14/2007 6:09:42 PM,Auto-Protect,W32.Banwarum@mm,Access denied,File,N/A,N/A,200702140020,12.6.0.1,SYSTEM,KYLE,"Source: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\F8TN4YOW\install[1].htm,Action taken: Repair failed,Action taken: Access denied"
2/14/2007 6:01:41 PM,Virus scanner,W32.Banwarum@mm,Repaired,File,N/A,N/A,200702140020,12.6.0.1,Kyle Hicks,KYLE,"Source: Manual Scanner,Risk category: Virus,Action taken: Repaired,Description: Affected areas: 1 Additional areas: Unknown - Deleted "
2/14/2007 5:59:00 PM,Auto-Protect,W32.Banwarum@mm,Automatically deleted,File,N/A,N/A,200702140020,12.2.0.13,SYSTEM,KYLE,"Source: C:\WINDOWS\TEMP\1AAEB730.exe,Action taken: Automatically deleted"
2/14/2007 5:59:00 PM,Auto-Protect,W32.Banwarum@mm,Access denied,File,N/A,N/A,200702140020,12.2.0.13,SYSTEM,KYLE,"Source: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\QWGWW3G7\install[1].htm,Action taken: Repair failed,Action taken: Access denied"
2/14/2007 5:49:06 PM,Virus scanner,W32.Banwarum@mm,Repaired,File,N/A,N/A,200702140020,12.6.0.1,Kyle Hicks,KYLE,"Source: Manual Scanner,Risk category: Virus,Action taken: Repaired,Description: Affected areas: 1 Additional areas: Unknown - Deleted "
2/14/2007 5:48:56 PM,Virus scanner,W32.Banwarum@mm,Deleted,File,N/A,N/A,200702140020,12.6.0.1,Kyle Hicks,KYLE,"Source: Manual Scanner,Risk category: Virus,Action taken: Deleted,Description: Affected areas: 1 Files: C:\WINDOWS\Temp\DD40F018.exe - Deleted "
2/14/2007 5:48:56 PM,Virus scanner,W32.Banwarum@mm,Deleted,File,N/A,N/A,200702140020,12.6.0.1,Kyle Hicks,KYLE,"Source: Manual Scanner,Risk category: Virus,Action taken: Deleted,Description: Affected areas: 1 Files: C:\WINDOWS\Temp\DA2DB01F.exe - Deleted "
2/14/2007 5:48:56 PM,Virus scanner,W32.Banwarum@mm,Deleted,File,N/A,N/A,200702140020,12.6.0.1,Kyle Hicks,KYLE,"Source: Manual Scanner,Risk category: Virus,Action taken: Deleted,Description: Affected areas: 1 Files: C:\WINDOWS\Temp\DF037C0D.exe - Deleted "
2/14/2007 5:48:56 PM,Virus scanner,W32.Banwarum@mm,Deleted,File,N/A,N/A,200702140020,12.6.0.1,Kyle Hicks,KYLE,"Source: Manual Scanner,Risk category: Virus,Action taken: Deleted,Description: Affected areas: 1 Files: C:\WINDOWS\Temp\CAC088DB.exe - Deleted "
2/14/2007 5:48:56 PM,Virus scanner,W32.Banwarum@mm,Deleted,File,N/A,N/A,200702140020,12.6.0.1,Kyle Hicks,KYLE,"Source: Manual Scanner,Risk category: Virus,Action taken: Deleted,Description: Affected areas: 1 Files: C:\WINDOWS\Temp\1381A6E7.exe - Deleted "
2/14/2007 5:48:56 PM,Virus scanner,W32.Banwarum@mm,Deleted,File,N/A,N/A,200702140020,12.6.0.1,Kyle Hicks,KYLE,"Source: Manual Scanner,Risk category: Virus,Action taken: Deleted,Description: Affected areas: 1 Files: C:\WINDOWS\Temp\9A23E8F7.exe - Deleted "
2/14/2007 5:48:56 PM,Virus scanner,W32.Banwarum@mm,Deleted,File,N/A,N/A,200702140020,12.6.0.1,Kyle Hicks,KYLE,"Source: Manual Scanner,Risk category: Virus,Action taken: Deleted,Description: Affected areas: 1 Files: C:\WINDOWS\Temp\1ED88306.exe - Deleted "
2/14/2007 5:48:56 PM,Virus scanner,W32.Banwarum@mm,Deleted,File,N/A,N/A,200702140020,12.6.0.1,Kyle Hicks,KYLE,"Source: Manual Scanner,Risk category: Virus,Action taken: Deleted,Description: Affected areas: 1 Files: C:\WINDOWS\Temp\1023FC33.exe - Deleted "
2/14/2007 5:48:56 PM,Virus scanner,W32.Banwarum@mm,Deleted,File,N/A,N/A,200702140020,12.6.0.1,Kyle Hicks,KYLE,"Source: Manual Scanner,Risk category: Virus,Action taken: Deleted,Description: Affected areas: 1 Files: C:\WINDOWS\Temp\71B99F09.exe - Deleted "
2/14/2007 5:48:56 PM,Virus scanner,W32.Banwarum@mm,Deleted,File,N/A,N/A,200702140020,12.6.0.1,Kyle Hicks,KYLE,"Source: Manual Scanner,Risk category: Virus,Action taken: Deleted,Description: Affected areas: 1 Files: C:\WINDOWS\Temp\C6A53784.exe - Deleted "
2/14/2007 5:48:56 PM,Virus scanner,W32.Banwarum@mm,Deleted,File,N/A,N/A,200702140020,12.6.0.1,Kyle Hicks,KYLE,"Source: Manual Scanner,Risk category: Virus,Action taken: Deleted,Description: Affected areas: 1 Files: C:\WINDOWS\Temp\B547CA52.exe - Deleted "
2/14/2007 5:48:56 PM,Virus scanner,W32.Banwarum@mm,Deleted,File,N/A,N/A,200702140020,12.6.0.1,Kyle Hicks,KYLE,"Source: Manual Scanner,Risk category: Virus,Action taken: Deleted,Description: Affected areas: 1 Files: C:\WINDOWS\Temp\4F422767.exe - Deleted "
2/14/2007 5:48:56 PM,Virus scanner,W32.Banwarum@mm,Deleted,File,N/A,N/A,200702140020,12.6.0.1,Kyle Hicks,KYLE,"Source: Manual Scanner,Risk category: Virus,Action taken: Deleted,Description: Affected areas: 1 Files: C:\WINDOWS\Temp\43FCB0BD.exe - Deleted "
2/14/2007 5:48:56 PM,Virus scanner,W32.Banwarum@mm,Deleted,File,N/A,N/A,200702140020,12.6.0.1,Kyle Hicks,KYLE,"Source: Manual Scanner,Risk category: Virus,Action taken: Deleted,Description: Affected areas: 1 Files: C:\WINDOWS\Temp\094D00F0.exe - Deleted "
2/14/2007 5:48:56 PM,Virus scanner,W32.Banwarum@mm,Deleted,File,N/A,N/A,200702140020,12.6.0.1,Kyle Hicks,KYLE,"Source: Manual Scanner,Risk category: Virus,Action taken: Deleted,Description: Affected areas: 1 Files: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\QWGWW3G7\install[2].htm - Deleted "
2/14/2007 5:48:56 PM,Virus scanner,W32.Banwarum@mm,Deleted,File,N/A,N/A,200702140020,12.6.0.1,Kyle Hicks,KYLE,"Source: Manual Scanner,Risk category: Virus,Action taken: Deleted,Description: Affected areas: 1 Files: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\QWGWW3G7\install[1].htm - Deleted "
2/14/2007 5:48:56 PM,Virus scanner,Trojan.Vundo,Quarantined,File,N/A,N/A,200702140020,12.6.0.1,Kyle Hicks,KYLE,"Source: Manual Scanner,Risk category: Virus,Action taken: Quarantined,Description: Affected areas: 1 Files: c:\WINDOWS\system32\jkkli.dll - Reboot required 113 Registry keys: HKEY_CLASSES_ROOT\CLSID\{0612F71E-934B-4D92-B8E8-2E29EA78EB03} - Reboot required HKEY_CLASSES_ROOT\CLSID\{2353FCBC-012D-487B-8BF3-865C0929FBEB} - Reboot required HKEY_CLASSES_ROOT\CLSID\{3FE36807-69ED-45D1-B9BE-85C0E3F75B6A} - Reboot required HKEY_CLASSES_ROOT\CLSID\{83A5F7B7-DC75-44CE-9195-264F41709FA9} - Reboot required HKEY_CLASSES_ROOT\CLSID\{CE70731D-F28D-4D81-9D61-C8EE60378401} - Reboot required HKEY_CLASSES_ROOT\CLSID\{FC148228-87E1-4D00-AC06-58DCAA52A4D1} - Reboot required HKEY_CLASSES_ROOT\CLSID\{79A576C4-B7A9-47EC-B57C-2CE5CA6ECC6A} - Reboot required HKEY_CLASSES_ROOT\CLSID\{DAD9C3A5-FB4E-45CD-93EB-2059F4EEF4D1} - Reboot required HKEY_CLASSES_ROOT\CLSID\{DE8BDE42-16D9-4CCC-9F4F-1C3167B82F60} - Reboot required HKEY_CLASSES_ROOT\CLSID\{18898424-E3AB-4BA9-8E8D-5434B1CECA75} - Reboot required HKEY_CLASSES_ROOT\MSEvents.MSEvents - Reboot required HKEY_CLASSES_ROOT\MSEvents.MSEvents.1 - Reboot required HKEY_CLASSES_ROOT\IEpl.IEpl - Reboot required HKEY_CLASSES_ROOT\IEpl.IEPl.1 - Reboot required HKEY_CLASSES_ROOT\DPCUpdater.DPCUpdater - Reboot required HKEY_CLASSES_ROOT\DPCUpdater.DPCUpdater.1 - Reboot required HKEY_CLASSES_ROOT\ATLDistrib.ATLDistrib - Reboot required HKEY_CLASSES_ROOT\ATLDistrib.ATLDistrib.1 - Reboot required HKEY_CLASSES_ROOT\RawExecAction.RawExecAction - Reboot required HKEY_CLASSES_ROOT\RawExecAction.RawExecAction.1 - Reboot required HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0612F71E-934B-4D92-B8E8-2E29EA78EB03} - Reboot required HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CE70731D-F28D-4D81-9D61-C8EE60378401} - Reboot required 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FC148228-87E1-4D00-AC06-58DCAA52A4D1} - Reboot required HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{79A576C4-B7A9-47EC-B57C-2CE5CA6ECC6A} - Reboot required HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18898424-E3AB-4BA9-8E8D-5434B1CECA75} - Reboot required HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2353FCBC-012D-487B-8BF3-865C0929FBEB} - Reboot required HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3FE36807-69ED-45D1-B9BE-85C0E3F75B6A} - Reboot required HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{83A5F7B7-DC75-44CE-9195-264F41709FA9} - Reboot required HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DAD9C3A5-FB4E-45CD-93EB-2059F4EEF4D1} - Reboot required HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DE8BDE42-16D9-4CCC-9F4F-1C3167B82F60} - Reboot required HKEY_CLASSES_ROOT\CLSID\{827DC836-DD9F-A602-5812EB50A834} - Reboot required HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{827DC836-DD9F-A602-5812EB50A834} - Reboot required HKEY_USERS\S-1-5-21-1555576864-2154702590-596957751-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0612F71E-934B-4D92-B8E8-2E29EA78EB03} - Reboot required HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0612F71E-934B-4D92-B8E8-2E29EA78EB03} - Reboot required HKEY_USERS\S-1-5-21-1555576864-2154702590-596957751-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0612F71E-934B-4D92-B8E8-2E29EA78EB03} - Reboot required 
HKEY_USERS\S-1-5-21-1555576864-2154702590-596957751-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0612F71E-934B-4D92-B8E8-2E29EA78EB03} - Reboot required HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0612F71E-934B-4D92-B8E8-2E29EA78EB03} - Reboot required HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0612F71E-934B-4D92-B8E8-2E29EA78EB03} - Reboot required HKEY_USERS\S-1-5-21-1555576864-2154702590-596957751-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2353FCBC-012D-487B-8BF3-865C0929FBEB} - Reboot required HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2353FCBC-012D-487B-8BF3-865C0929FBEB} - Reboot required HKEY_USERS\S-1-5-21-1555576864-2154702590-596957751-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2353FCBC-012D-487B-8BF3-865C0929FBEB} - Reboot required HKEY_USERS\S-1-5-21-1555576864-2154702590-596957751-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2353FCBC-012D-487B-8BF3-865C0929FBEB} - Reboot required HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2353FCBC-012D-487B-8BF3-865C0929FBEB} - Reboot required HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2353FCBC-012D-487B-8BF3-865C0929FBEB} - Reboot required HKEY_USERS\S-1-5-21-1555576864-2154702590-596957751-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3FE36807-69ED-45D1-B9BE-85C0E3F75B6A} - Reboot required HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3FE36807-69ED-45D1-B9BE-85C0E3F75B6A} - Reboot required HKEY_USERS\S-1-5-21-1555576864-2154702590-596957751-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3FE36807-69ED-45D1-B9BE-85C0E3F75B6A} - Reboot required HKEY_USERS\S-1-5-21-1555576864-2154702590-596957751-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3FE36807-69ED-45D1-B9BE-85C0E3F75B6A} - Reboot required 
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3FE36807-69ED-45D1-B9BE-85C0E3F75B6A} - Reboot required HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3FE36807-69ED-45D1-B9BE-85C0E3F75B6A} - Reboot required HKEY_USERS\S-1-5-21-1555576864-2154702590-596957751-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{827DC836-DD9F-A602-5812EB50A834} - Reboot required HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{827DC836-DD9F-A602-5812EB50A834} - Reboot required HKEY_USERS\S-1-5-21-1555576864-2154702590-596957751-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{827DC836-DD9F-A602-5812EB50A834} - Reboot required HKEY_USERS\S-1-5-21-1555576864-2154702590-596957751-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{827DC836-DD9F-A602-5812EB50A834} - Reboot required HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{827DC836-DD9F-A602-5812EB50A834} - Reboot required HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{827DC836-DD9F-A602-5812EB50A834} - Reboot required HKEY_USERS\S-1-5-21-1555576864-2154702590-596957751-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CE70731D-F28D-4D81-9D61-C8EE60378401} - Reboot required HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CE70731D-F28D-4D81-9D61-C8EE60378401} - Reboot required HKEY_USERS\S-1-5-21-1555576864-2154702590-596957751-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CE70731D-F28D-4D81-9D61-C8EE60378401} - Reboot required HKEY_USERS\S-1-5-21-1555576864-2154702590-596957751-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CE70731D-F28D-4D81-9D61-C8EE60378401} - Reboot required HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CE70731D-F28D-4D81-9D61-C8EE60378401} - Reboot required HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CE70731D-F28D-4D81-9D61-C8EE60378401} - Reboot required 
HKEY_USERS\S-1-5-21-1555576864-2154702590-596957751-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DAD9C3A5-FB4E-45CD-93EB-2059F4EEF4D1} - Reboot required HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DAD9C3A5-FB4E-45CD-93EB-2059F4EEF4D1} - Reboot required HKEY_USERS\S-1-5-21-1555576864-2154702590-596957751-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DAD9C3A5-FB4E-45CD-93EB-2059F4EEF4D1} - Reboot required HKEY_USERS\S-1-5-21-1555576864-2154702590-596957751-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DAD9C3A5-FB4E-45CD-93EB-2059F4EEF4D1} - Reboot required HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DAD9C3A5-FB4E-45CD-93EB-2059F4EEF4D1} - Reboot required HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DAD9C3A5-FB4E-45CD-93EB-2059F4EEF4D1} - Reboot required HKEY_USERS\S-1-5-21-1555576864-2154702590-596957751-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FC148228-87E1-4D00-AC06-58DCAA52A4D1} - Reboot required HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FC148228-87E1-4D00-AC06-58DCAA52A4D1} - Reboot required HKEY_USERS\S-1-5-21-1555576864-2154702590-596957751-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FC148228-87E1-4D00-AC06-58DCAA52A4D1} - Reboot required HKEY_USERS\S-1-5-21-1555576864-2154702590-596957751-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FC148228-87E1-4D00-AC06-58DCAA52A4D1} - Reboot required HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FC148228-87E1-4D00-AC06-58DCAA52A4D1} - Reboot required HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FC148228-87E1-4D00-AC06-58DCAA52A4D1} - Reboot required HKEY_USERS\S-1-5-21-1555576864-2154702590-596957751-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18898424-E3AB-4BA9-8E8D-5434B1CECA75} - Reboot required 
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18898424-E3AB-4BA9-8E8D-5434B1CECA75} - Reboot required HKEY_USERS\S-1-5-21-1555576864-2154702590-596957751-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18898424-E3AB-4BA9-8E8D-5434B1CECA75} - Reboot required HKEY_USERS\S-1-5-21-1555576864-2154702590-596957751-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18898424-E3AB-4BA9-8E8D-5434B1CECA75} - Reboot required HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18898424-E3AB-4BA9-8E8D-5434B1CECA75} - Reboot required HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18898424-E3AB-4BA9-8E8D-5434B1CECA75} - Reboot required HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\SysUpd - Reboot required HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpd - Reboot required HKEY_USERS\S-1-5-21-1555576864-2154702590-596957751-500\Software\Microsoft\Windows\CurrentVersion\Run\SysUpd - Reboot required HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Run\SysUpd - Reboot required HKEY_USERS\S-1-5-21-1555576864-2154702590-596957751-1004\Software\Microsoft\Windows\CurrentVersion\Run\SysUpd - Reboot required HKEY_USERS\S-1-5-21-1555576864-2154702590-596957751-1007\Software\Microsoft\Windows\CurrentVersion\Run\SysUpd - Reboot required HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Run\SysUpd - Reboot required HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\SysUpd - Reboot required HKEY_USERS\S-1-5-21-1555576864-2154702590-596957751-500\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpd - Reboot required HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpd - Reboot required HKEY_USERS\S-1-5-21-1555576864-2154702590-596957751-1004\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpd - Reboot required 
HKEY_USERS\S-1-5-21-1555576864-2154702590-596957751-1007\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpd - Reboot required HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpd - Reboot required HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpd - Reboot required HKEY_USERS\S-1-5-21-1555576864-2154702590-596957751-500\Software\Microsoft\WindowsUpd - Reboot required HKEY_USERS\S-1-5-19\Software\Microsoft\WindowsUpd - Reboot required HKEY_USERS\S-1-5-21-1555576864-2154702590-596957751-1004\Software\Microsoft\WindowsUpd - Reboot required HKEY_USERS\S-1-5-21-1555576864-2154702590-596957751-1007\Software\Microsoft\WindowsUpd - Reboot required HKEY_USERS\S-1-5-20\Software\Microsoft\WindowsUpd - Reboot required HKEY_USERS\.DEFAULT\Software\Microsoft\WindowsUpd - Reboot required HKEY_USERS\S-1-5-21-1555576864-2154702590-596957751-500\Software\Microsoft\SysUpd - Reboot required HKEY_USERS\S-1-5-19\Software\Microsoft\SysUpd - Reboot required HKEY_USERS\S-1-5-21-1555576864-2154702590-596957751-1004\Software\Microsoft\SysUpd - Reboot required HKEY_USERS\S-1-5-21-1555576864-2154702590-596957751-1007\Software\Microsoft\SysUpd - Reboot required HKEY_USERS\S-1-5-20\Software\Microsoft\SysUpd - Reboot required HKEY_USERS\.DEFAULT\Software\Microsoft\SysUpd - Reboot required HKEY_CLASSES_ROOT\CLSID\{6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - Reboot required HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - Reboot required HKEY_CLASSES_ROOT\CLSID\{A6CEA0E7-6B4D-4CD9-9932-D85705CBC1A9} - Reboot required HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A6CEA0E7-6B4D-4CD9-9932-D85705CBC1A9} - Reboot required HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\jkkli - Reboot required HKEY_CLASSES_ROOT\CLSID\{9B98D3DF-405C-4F33-8D49-587DEAAAE75B} - Reboot required 
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9B98D3DF-405C-4F33-8D49-587DEAAAE75B} - Reboot required 1 Additional areas: Unknown - Deleted "
2/14/2007 5:48:08 PM,Auto-Protect,W32.Banwarum@mm,Automatically deleted,File,N/A,N/A,200702140020,12.2.0.13,SYSTEM,KYLE,"Source: C:\WINDOWS\TEMP\6C0E6B80.exe,Action taken: Automatically deleted"
2/14/2007 5:48:08 PM,Auto-Protect,W32.Banwarum@mm,Access denied,File,N/A,N/A,200702140020,12.2.0.13,SYSTEM,KYLE,"Source: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\F8TN4YOW\install[1].htm,Action taken: Repair failed,Action taken: Access denied"
2/14/2007 5:43:53 PM,Virus scanner,W32.Banwarum@mm,Repaired,File,N/A,N/A,200702140020,12.6.0.1,Kyle Hicks,KYLE,"Source: Manual Scanner,Risk category: Virus,Action taken: Repaired,Description: Affected areas: 1 Additional areas: Unknown - Deleted "
2/14/2007 5:37:17 PM,Auto-Protect,W32.Banwarum@mm,Automatically deleted,File,N/A,N/A,200702140020,12.2.0.13,SYSTEM,KYLE,"Source: C:\WINDOWS\TEMP\05FDC715.exe,Action taken: Automatically deleted"
2/14/2007 5:37:17 PM,Auto-Protect,W32.Banwarum@mm,Access denied,File,N/A,N/A,200702140020,12.2.0.13,SYSTEM,KYLE,"Source: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\QWGWW3G7\install[1].htm,Action taken: Repair failed,Action taken: Access denied"
2/14/2007 5:29:34 PM,Virus scanner,W32.Banwarum@mm,Repaired,File,N/A,N/A,200702140020,12.6.0.1,Kyle Hicks,KYLE,"Source: Manual Scanner,Risk category: Virus,Action taken: Repaired,Description: Affected areas: 1 Additional areas: Unknown - Deleted "
2/14/2007 5:26:06 PM,Auto-Protect,W32.Banwarum@mm,Automatically deleted,File,N/A,N/A,200702140020,12.2.0.13,SYSTEM,KYLE,"Source: C:\WINDOWS\TEMP\AA483F3E.exe,Action taken: Automatically deleted"
2/14/2007 5:26:06 PM,Auto-Protect,W32.Banwarum@mm,Access denied,File,N/A,N/A,200702140020,12.2.0.13,SYSTEM,KYLE,"Source: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\F8TN4YOW\install[1].htm,Action taken: Repair failed,Action taken: Access denied"
2/14/2007 5:17:28 PM,Virus scanner,W32.Banwarum@mm,Repaired,File,N/A,N/A,200702140020,12.6.0.1,Kyle Hicks,KYLE,"Source: Manual Scanner,Risk category: Virus,Action taken: Repaired,Description: Affected areas: 1 Additional areas: Unknown - Deleted "
2/14/2007 5:15:15 PM,Auto-Protect,W32.Banwarum@mm,Automatically deleted,File,N/A,N/A,200702140020,12.2.0.13,SYSTEM,KYLE,"Source: C:\WINDOWS\TEMP\4E6E3C7C.exe,Action taken: Automatically deleted"
2/14/2007 5:14:47 PM,Virus scanner,Trojan.Vundo,Quarantined,File,N/A,N/A,200702140020,12.6.0.1,Kyle Hicks,KYLE,"Source: Manual Scanner,Risk category: Virus,Action taken: Quarantined,Description: Affected areas: 1 Files: c:\WINDOWS\system32\jkkli.dll - Reboot required 1 Processes: C:\Program Files\Internet Explorer\iexplore.exe - Terminated 113 Registry keys: HKEY_CLASSES_ROOT\CLSID\{0612F71E-934B-4D92-B8E8-2E29EA78EB03} - Reboot required HKEY_CLASSES_ROOT\CLSID\{2353FCBC-012D-487B-8BF3-865C0929FBEB} - Reboot required HKEY_CLASSES_ROOT\CLSID\{3FE36807-69ED-45D1-B9BE-85C0E3F75B6A} - Reboot required HKEY_CLASSES_ROOT\CLSID\{83A5F7B7-DC75-44CE-9195-264F41709FA9} - Reboot required HKEY_CLASSES_ROOT\CLSID\{CE70731D-F28D-4D81-9D61-C8EE60378401} - Reboot required HKEY_CLASSES_ROOT\CLSID\{FC148228-87E1-4D00-AC06-58DCAA52A4D1} - Reboot required HKEY_CLASSES_ROOT\CLSID\{79A576C4-B7A9-47EC-B57C-2CE5CA6ECC6A} - Reboot required HKEY_CLASSES_ROOT\CLSID\{DAD9C3A5-FB4E-45CD-93EB-2059F4EEF4D1} - Reboot required HKEY_CLASSES_ROOT\CLSID\{DE8BDE42-16D9-4CCC-9F4F-1C3167B82F60} - Reboot required HKEY_CLASSES_ROOT\CLSID\{18898424-E3AB-4BA9-8E8D-5434B1CECA75} - Reboot required HKEY_CLASSES_ROOT\MSEvents.MSEvents - Reboot required HKEY_CLASSES_ROOT\MSEvents.MSEvents.1 - Reboot required HKEY_CLASSES_ROOT\IEpl.IEpl - Reboot required HKEY_CLASSES_ROOT\IEpl.IEPl.1 - Reboot required HKEY_CLASSES_ROOT\DPCUpdater.DPCUpdater - Reboot required HKEY_CLASSES_ROOT\DPCUpdater.DPCUpdater.1 - Reboot required HKEY_CLASSES_ROOT\ATLDistrib.ATLDistrib - Reboot required HKEY_CLASSES_ROOT\ATLDistrib.ATLDistrib.1 - Reboot required HKEY_CLASSES_ROOT\RawExecAction.RawExecAction - Reboot required HKEY_CLASSES_ROOT\RawExecAction.RawExecAction.1 - Reboot required HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0612F71E-934B-4D92-B8E8-2E29EA78EB03} - Reboot required HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper 
Objects\{CE70731D-F28D-4D81-9D61-C8EE60378401} - Reboot required HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FC148228-87E1-4D00-AC06-58DCAA52A4D1} - Reboot required HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{79A576C4-B7A9-47EC-B57C-2CE5CA6ECC6A} - Reboot required HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18898424-E3AB-4BA9-8E8D-5434B1CECA75} - Reboot required HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2353FCBC-012D-487B-8BF3-865C0929FBEB} - Reboot required HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3FE36807-69ED-45D1-B9BE-85C0E3F75B6A} - Reboot required HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{83A5F7B7-DC75-44CE-9195-264F41709FA9} - Reboot required HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DAD9C3A5-FB4E-45CD-93EB-2059F4EEF4D1} - Reboot required HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DE8BDE42-16D9-4CCC-9F4F-1C3167B82F60} - Reboot required HKEY_CLASSES_ROOT\CLSID\{827DC836-DD9F-A602-5812EB50A834} - Reboot required HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{827DC836-DD9F-A602-5812EB50A834} - Reboot required HKEY_USERS\S-1-5-21-1555576864-2154702590-596957751-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0612F71E-934B-4D92-B8E8-2E29EA78EB03} - Reboot required HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0612F71E-934B-4D92-B8E8-2E29EA78EB03} - Reboot required HKEY_USERS\S-1-5-21-1555576864-2154702590-596957751-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0612F71E-934B-4D92-B8E8-2E29EA78EB03} - Reboot required 
HKEY_USERS\S-1-5-21-1555576864-2154702590-596957751-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0612F71E-934B-4D92-B8E8-2E29EA78EB03} - Reboot required HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0612F71E-934B-4D92-B8E8-2E29EA78EB03} - Reboot required HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0612F71E-934B-4D92-B8E8-2E29EA78EB03} - Reboot required HKEY_USERS\S-1-5-21-1555576864-2154702590-596957751-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2353FCBC-012D-487B-8BF3-865C0929FBEB} - Reboot required HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2353FCBC-012D-487B-8BF3-865C0929FBEB} - Reboot required HKEY_USERS\S-1-5-21-1555576864-2154702590-596957751-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2353FCBC-012D-487B-8BF3-865C0929FBEB} - Reboot required HKEY_USERS\S-1-5-21-1555576864-2154702590-596957751-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2353FCBC-012D-487B-8BF3-865C0929FBEB} - Reboot required HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2353FCBC-012D-487B-8BF3-865C0929FBEB} - Reboot required HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2353FCBC-012D-487B-8BF3-865C0929FBEB} - Reboot required HKEY_USERS\S-1-5-21-1555576864-2154702590-596957751-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3FE36807-69ED-45D1-B9BE-85C0E3F75B6A} - Reboot required HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3FE36807-69ED-45D1-B9BE-85C0E3F75B6A} - Reboot required HKEY_USERS\S-1-5-21-1555576864-2154702590-596957751-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3FE36807-69ED-45D1-B9BE-85C0E3F75B6A} - Reboot required HKEY_USERS\S-1-5-21-1555576864-2154702590-596957751-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3FE36807-69ED-45D1-B9BE-85C0E3F75B6A} - Reboot required 
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3FE36807-69ED-45D1-B9BE-85C0E3F75B6A} - Reboot required HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3FE36807-69ED-45D1-B9BE-85C0E3F75B6A} - Reboot required HKEY_USERS\S-1-5-21-1555576864-2154702590-596957751-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{827DC836-DD9F-A602-5812EB50A834} - Reboot required HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{827DC836-DD9F-A602-5812EB50A834} - Reboot required HKEY_USERS\S-1-5-21-1555576864-2154702590-596957751-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{827DC836-DD9F-A602-5812EB50A834} - Reboot required HKEY_USERS\S-1-5-21-1555576864-2154702590-596957751-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{827DC836-DD9F-A602-5812EB50A834} - Reboot required HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{827DC836-DD9F-A602-5812EB50A834} - Reboot required HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{827DC836-DD9F-A602-5812EB50A834} - Reboot required HKEY_USERS\S-1-5-21-1555576864-2154702590-596957751-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CE70731D-F28D-4D81-9D61-C8EE60378401} - Reboot required HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CE70731D-F28D-4D81-9D61-C8EE60378401} - Reboot required HKEY_USERS\S-1-5-21-1555576864-2154702590-596957751-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CE70731D-F28D-4D81-9D61-C8EE60378401} - Reboot required HKEY_USERS\S-1-5-21-1555576864-2154702590-596957751-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CE70731D-F28D-4D81-9D61-C8EE60378401} - Reboot required HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CE70731D-F28D-4D81-9D61-C8EE60378401} - Reboot required HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CE70731D-F28D-4D81-9D61-C8EE60378401} - Reboot required 
HKEY_USERS\S-1-5-21-1555576864-2154702590-596957751-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DAD9C3A5-FB4E-45CD-93EB-2059F4EEF4D1} - Reboot required HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DAD9C3A5-FB4E-45CD-93EB-2059F4EEF4D1} - Reboot required HKEY_USERS\S-1-5-21-1555576864-2154702590-596957751-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DAD9C3A5-FB4E-45CD-93EB-2059F4EEF4D1} - Reboot required HKEY_USERS\S-1-5-21-1555576864-2154702590-596957751-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DAD9C3A5-FB4E-45CD-93EB-2059F4EEF4D1} - Reboot required HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DAD9C3A5-FB4E-45CD-93EB-2059F4EEF4D1} - Reboot required HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DAD9C3A5-FB4E-45CD-93EB-2059F4EEF4D1} - Reboot required HKEY_USERS\S-1-5-21-1555576864-2154702590-596957751-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FC148228-87E1-4D00-AC06-58DCAA52A4D1} - Reboot required HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FC148228-87E1-4D00-AC06-58DCAA52A4D1} - Reboot required HKEY_USERS\S-1-5-21-1555576864-2154702590-596957751-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FC148228-87E1-4D00-AC06-58DCAA52A4D1} - Reboot required HKEY_USERS\S-1-5-21-1555576864-2154702590-596957751-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FC148228-87E1-4D00-AC06-58DCAA52A4D1} - Reboot required HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FC148228-87E1-4D00-AC06-58DCAA52A4D1} - Reboot required HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FC148228-87E1-4D00-AC06-58DCAA52A4D1} - Reboot required HKEY_USERS\S-1-5-21-1555576864-2154702590-596957751-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18898424-E3AB-4BA9-8E8D-5434B1CECA75} - Reboot required 
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18898424-E3AB-4BA9-8E8D-5434B1CECA75} - Reboot required HKEY_USERS\S-1-5-21-1555576864-2154702590-596957751-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18898424-E3AB-4BA9-8E8D-5434B1CECA75} - Reboot required HKEY_USERS\S-1-5-21-1555576864-2154702590-596957751-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18898424-E3AB-4BA9-8E8D-5434B1CECA75} - Reboot required HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18898424-E3AB-4BA9-8E8D-5434B1CECA75} - Reboot required HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18898424-E3AB-4BA9-8E8D-5434B1CECA75} - Reboot required HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\SysUpd - Reboot required HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpd - Reboot required HKEY_USERS\S-1-5-21-1555576864-2154702590-596957751-500\Software\Microsoft\Windows\CurrentVersion\Run\SysUpd - Reboot required HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Run\SysUpd - Reboot required HKEY_USERS\S-1-5-21-1555576864-2154702590-596957751-1004\Software\Microsoft\Windows\CurrentVersion\Run\SysUpd - Reboot required HKEY_USERS\S-1-5-21-1555576864-2154702590-596957751-1007\Software\Microsoft\Windows\CurrentVersion\Run\SysUpd - Reboot required HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Run\SysUpd - Reboot required HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\SysUpd - Reboot required HKEY_USERS\S-1-5-21-1555576864-2154702590-596957751-500\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpd - Reboot required HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpd - Reboot required HKEY_USERS\S-1-5-21-1555576864-2154702590-596957751-1004\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpd - Reboot required 
HKEY_USERS\S-1-5-21-1555576864-2154702590-596957751-1007\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpd - Reboot required HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpd - Reboot required HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpd - Reboot required HKEY_USERS\S-1-5-21-1555576864-2154702590-596957751-500\Software\Microsoft\WindowsUpd - Reboot required HKEY_USERS\S-1-5-19\Software\Microsoft\WindowsUpd - Reboot required HKEY_USERS\S-1-5-21-1555576864-2154702590-596957751-1004\Software\Microsoft\WindowsUpd - Reboot required HKEY_USERS\S-1-5-21-1555576864-2154702590-596957751-1007\Software\Microsoft\WindowsUpd - Reboot required HKEY_USERS\S-1-5-20\Software\Microsoft\WindowsUpd - Reboot required HKEY_USERS\.DEFAULT\Software\Microsoft\WindowsUpd - Reboot required HKEY_USERS\S-1-5-21-1555576864-2154702590-596957751-500\Software\Microsoft\SysUpd - Reboot required HKEY_USERS\S-1-5-19\Software\Microsoft\SysUpd - Reboot required HKEY_USERS\S-1-5-21-1555576864-2154702590-596957751-1004\Software\Microsoft\SysUpd - Reboot required HKEY_USERS\S-1-5-21-1555576864-2154702590-596957751-1007\Software\Microsoft\SysUpd - Reboot required HKEY_USERS\S-1-5-20\Software\Microsoft\SysUpd - Reboot required HKEY_USERS\.DEFAULT\Software\Microsoft\SysUpd - Reboot required HKEY_CLASSES_ROOT\CLSID\{6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - Reboot required HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - Reboot required HKEY_CLASSES_ROOT\CLSID\{A6CEA0E7-6B4D-4CD9-9932-D85705CBC1A9} - Reboot required HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A6CEA0E7-6B4D-4CD9-9932-D85705CBC1A9} - Reboot required HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\jkkli - Reboot required HKEY_CLASSES_ROOT\CLSID\{9B98D3DF-405C-4F33-8D49-587DEAAAE75B} - Reboot required 
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9B98D3DF-405C-4F33-8D49-587DEAAAE75B} - Reboot required 1 Additional areas: Unknown - Deleted "
2/14/2007 5:14:47 PM,Virus scanner,Trojan.Peacomm,Repaired,File,N/A,N/A,200702140020,12.6.0.1,Kyle Hicks,KYLE,"Source: Manual Scanner,Risk category: Virus,Action taken: Repaired,Description: Affected areas: 1 Files: C:\WINDOWS\system32\wincom32.ini - Deleted 1 Registry keys: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wincom32 - No action required 1 Services: wincom32 - Reboot required "
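The Norton log above is a comma-separated export in which the last column, the description, is quoted and itself contains commas, so splitting on commas by hand gives wrong fields. What matters in it for triage is the pattern rather than any single row: the same W32.Banwarum@mm is automatically deleted from a fresh file in C:\WINDOWS\TEMP roughly every ten minutes, while the install[1].htm it came from could not be repaired ("Access denied"). Repeated deletions of new files point to something still writing them, not to leftovers. The following is an added example, my own code rather than anything from the thread or from Symantec; it parses a constructed handful of rows in the layout of that log (function names, the 12-column assumption and the "three hits inside an hour" threshold are mine) and flags threats that show that re-drop pattern.

```python
"""Triage of a Symantec/Norton AntiVirus CSV log export.

Added example for this thread; it is not code from the forum or from
Symantec.  The parser assumes the 12-column layout visible in the log
above: timestamp, component, threat name, action, object type, two N/A
columns, definition date, engine version, user, computer, and a quoted
description that itself contains commas.
"""
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample: a handful of rows in the layout of the Norton log
# posted above (timestamps, threat names and paths taken from that log).
SAMPLE_LOG = r"""
2/14/2007 5:48:08 PM,Auto-Protect,W32.Banwarum@mm,Automatically deleted,File,N/A,N/A,200702140020,12.2.0.13,SYSTEM,KYLE,"Source: C:\WINDOWS\TEMP\6C0E6B80.exe,Action taken: Automatically deleted"
2/14/2007 5:48:08 PM,Auto-Protect,W32.Banwarum@mm,Access denied,File,N/A,N/A,200702140020,12.2.0.13,SYSTEM,KYLE,"Source: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\F8TN4YOW\install[1].htm,Action taken: Repair failed,Action taken: Access denied"
2/14/2007 5:37:17 PM,Auto-Protect,W32.Banwarum@mm,Automatically deleted,File,N/A,N/A,200702140020,12.2.0.13,SYSTEM,KYLE,"Source: C:\WINDOWS\TEMP\05FDC715.exe,Action taken: Automatically deleted"
2/14/2007 5:37:17 PM,Auto-Protect,W32.Banwarum@mm,Access denied,File,N/A,N/A,200702140020,12.2.0.13,SYSTEM,KYLE,"Source: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\QWGWW3G7\install[1].htm,Action taken: Repair failed,Action taken: Access denied"
2/14/2007 5:26:06 PM,Auto-Protect,W32.Banwarum@mm,Automatically deleted,File,N/A,N/A,200702140020,12.2.0.13,SYSTEM,KYLE,"Source: C:\WINDOWS\TEMP\AA483F3E.exe,Action taken: Automatically deleted"
2/14/2007 5:14:47 PM,Virus scanner,Trojan.Peacomm,Repaired,File,N/A,N/A,200702140020,12.6.0.1,Kyle Hicks,KYLE,"Source: Manual Scanner,Risk category: Virus,Action taken: Repaired,Description: Affected areas: 1 Files: C:\WINDOWS\system32\wincom32.ini - Deleted"
"""


def parse_norton_log(text):
    """Parse the CSV export into a list of event dicts.

    csv.reader handles the quoted description column; the description is
    then split into "Key: value" pairs (first occurrence of a key wins).
    """
    events = []
    for row in csv.reader(StringIO(text)):
        if len(row) < 12:
            continue  # blank or truncated line
        desc = {}
        for part in row[11].split(","):
            key, sep, val = part.partition(": ")
            if sep:
                desc.setdefault(key.strip(), val.strip())
        events.append({
            "time": datetime.strptime(row[0], "%m/%d/%Y %I:%M:%S %p"),
            "component": row[1],
            "threat": row[2],
            "action": row[3],
            "user": row[9],
            "source": desc.get("Source", ""),
            "repair_failed": "Repair failed" in row[11],
        })
    return events


def find_redetections(events, min_hits=3, window=timedelta(hours=1)):
    """Per-threat triage.

    A threat is marked as an active dropper when Auto-Protect deleted it at
    least `min_hits` times inside `window` AND at least one source file for
    it could not be repaired: the deletions are treating symptoms while the
    source keeps producing new copies.
    """
    by_threat = defaultdict(list)
    for ev in events:
        by_threat[ev["threat"]].append(ev)
    report = {}
    for threat, evs in by_threat.items():
        deleted = sorted(e["time"] for e in evs
                         if e["action"] == "Automatically deleted")
        unrepaired = sorted({e["source"] for e in evs if e["repair_failed"]})
        burst = any(deleted[i + min_hits - 1] - deleted[i] <= window
                    for i in range(len(deleted) - min_hits + 1))
        report[threat] = {
            "auto_deleted": len(deleted),
            "unrepaired_sources": unrepaired,
            "active_dropper": burst and bool(unrepaired),
        }
    return report


if __name__ == "__main__":
    for threat, info in find_redetections(parse_norton_log(SAMPLE_LOG)).items():
        print(threat, info)
```

On the constructed rows this reports W32.Banwarum@mm as an active dropper (three automatic deletions in 22 minutes, two unrepaired sources) and Trojan.Peacomm as not one, which is the distinction a helper needs before deciding whether file deletions alone will hold.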
Old 02-19-2007, 01:01 PM   #9 (permalink)
Moderator/ Rangemaster TSF Academy; Analyst, Security Team; Oor Wullie; TSF Surgeon and Resident Comic
 
 
Join Date: Sep 2005
Location: Glasgow
Posts: 23,940
OS: Win XP Pro SP3 / Win 7 RC


Blog Entries: 10
Hi again

Please don’t post any logs unless I specifically ask for them – thanks.

You may wish to Subscribe to this thread (Thread Tools > Subscribe to this thread) so that you are notified when you receive a reply.

Please read these instructions carefully and then print out or copy this page to Notepad in order to assist you when carrying out the fix. You should not have any open browsers or live internet connections when you are following the procedures below.

Note that the fix may take several posts. Please continue to respond to my instructions until I confirm that your system is clean. Remember that although your symptoms may vanish, this does NOT mean that your system is clean.

If there is anything you don't understand, please ask BEFORE proceeding with the fixes.

Please ensure that you follow the instructions in the order I have them listed.


Show Hidden Files
Go to My Computer > Tools > Folder Options > View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System files and Folders are showing / visible. Uncheck the Hide protected operating system files option.



Downloads
Please download Cleanup! or use this Alternate Link if the main link does not work and install it. You will use this later.
*NOTE* Cleanup deletes EVERYTHING out of temporary folders and does NOT make backups. If you have any files in any TEMP directory and you need to keep them, then please MOVE THEM NOW!


Download AVG Anti Spyware

Use the link at the bottom of the page under "AVG Anti-Spyware Free for Windows"


  • Install AVG Anti Spyware
  • Double-click the icon on Desktop to launch AVG
  • On the top of the main screen click Shield
  • Click the word active to change it to inactive
  • On the top of the main screen click Update.
  • Then click on Start Update. The update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"

When you have finished updating, EXIT AVG Anti Spyware.


Please download the Brute Force Uninstaller to your desktop.
  • Right click the BFU folder on your desktop, and choose Extract All
  • Click "Next"
  • In the box to choose where to extract the files to,
  • Click "Browse"
  • Click on the + sign next to "My Computer"
  • Click on "Local Disk (C:)" or whatever your primary drive is
  • Click "Make New Folder"
  • Type in BFU
  • Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download the Alcra PLUS Remover.
Save it in the same folder you made earlier (c:\BFU).

Do not do anything with these yet!




Reboot
Reboot your system in Safe Mode.
  • Restart the computer. The computer begins processing a set of instructions known as BIOS.
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8 (dependent on your system this may be F5 or another key)
  • Instead of Windows loading as normal, a menu should appear
  • Use the arrow key to highlight Safe Mode and press Enter.




File Deletions
Delete the following Files indicated in RED if they still exist.

C:\WINDOWS\system32\ilkkj.ini2
C:\WINDOWS\system32\mszsrn32.dll




Run CleanUp!
*NOTE* Cleanup deletes EVERYTHING out of temporary folders and does NOT make backups. If you have any files in any TEMP directory and you need to keep them, then please MOVE THEM NOW!

Open Cleanup! by double-clicking the icon on your desktop (or from Start > All Programs). Set the program up as follows:

Click Options
Move the slider button down to Custom CleanUp!
Check the following:
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
  • Click on the “Temporary Files” tab and uncheck the box for “Scan drives for file matching” if it’s checked.

Click OK, Press the CleanUp! button to start the program and DO NOT REBOOT when prompted.
Note: CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these BEFORE running CleanUp! If you have a 64 bit Operating System do NOT run Cleanup and let me know as we will use another utility.




Run AVG Anti Spyware
Run AVG with its updated definitions (it's important that all windows must be closed):
  • Click Scanner
  • Click on the Scan tab
  • Click Complete System Scan to begin scanning.
  • When the scan is complete click Recommended Action and change it to Quarantine
  • Then click Apply all actions
Once finished, click the Save report button, then click Save Report As and save it to your desktop.

NOTE: AVG scan may require an hour.



Run the Brute Force Uninstaller
Then, please go to Start > My Computer and navigate to the C:\BFU folder.
  • Start the Brute Force Uninstaller by double-clicking BFU.exe
  • Behind the scriptline to execute field click the folder icon and select alcanshorty.bfu
  • Press Execute and let the program do its job. (You ought to see a progress bar if you did this correctly.)
  • Wait for the complete script execution box to pop up and press OK.
  • Press exit to terminate the BFU program.
Reboot into normal Windows.



Online Scan
Perform an online scan with Internet Explorer with Panda ActiveScan
  1. Click on located at the bottom of the page.
  2. A "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
  3. Enter your e-mail address, country, and state & click "Free Online Scan" *The download of the 8 MB Panda's ActiveX control will take place*
Begin the scan by selecting
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on then click
* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
* Turn off the real time scanner of any existing antivirus program while performing the online scan




Logs required
AVG Log
Panda Log
HijackThis Log


Please also let me know how your system is performing now and if you have any specific problems. In order to provide you with the best possible help, please ensure that HijackThis logs are produced only while in Normal Mode.
__________________
Iain - Defender of the Haggis and all things Scottish.
I don't help by PM - post in the Forums.



Ad-Aware::SpywareBlaster::SpyBot::SpywareGuard::SnoopFree::AVG Free::HOSTS File::HijackThis::Donate::Photographers Corner
Old 02-20-2007, 11:28 AM   #10 (permalink)
Registered User
 
Join Date: Feb 2007
Posts: 13
OS: Windows XP Professional


AVG LOG:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 11:05:00 AM 2/20/2007

+ Scan result:



C:\System Volume Information\_restore{0D907B9E-ABF7-488B-8D5D-666236B7BA4E}\RP2\A0004388.dll -> Worm.Banwarum.n : No action taken.


::Report end


HIJACKTHIS LOG:

Logfile of HijackThis v1.99.1
Scan saved at 1:17:57 PM, on 2/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\GENERIC\Power4 Gear\BatteryLife.exe
C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\1XConfig.exe
C:\Documents and Settings\Kyle Hicks\Desktop\hijackthis\Glasgow.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Power_Gear] C:\Program Files\GENERIC\Power4 Gear\BatteryLife.exe 1
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: McAfee Wi-FiScan - http://download.mcafee.com/molbin/is...cannerCtrl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by107w.bay107.mail.live.com/m...s/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing)
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


My computer would not let me access the pandasoftware scan. I tried in both internet explorer and Mozilla and both said the page could not be accessed. I was doing it simultaneously on a desktop and everything worked fine, so not sure why my laptop won't let me? The system seems to be performing fine, but it usually does until I restart it, so hopefully it continues! Thanks.
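Reading a HijackThis log by hand means going through each O2/O3/O4/O23 line looking for a vendor you do not recognise or a path that no longer exists. The following is an added example, my own code rather than HijackThis's or anything from the thread; it parses a constructed subset of lines in the layout of the log above and ranks the entries a reviewer would look at first. A service registered with "Unknown owner" whose binary is "(file missing)" ranks highest (an orphaned registration with no vendor behind it), a "(file missing)" entry from a known vendor ranks lowest (a stale registration), and a Run entry that names a bare executable with no directory is noted so the reviewer can confirm which file actually runs. The regular expressions, function names and severity labels are my own assumptions about the format, not part of HijackThis.

```python
"""Triage helper for HijackThis-style log lines.

Added example; not HijackThis code and not from the forum thread.  It
understands the O2/O3 (BHO, toolbar), O4 (Run key) and O23 (service)
line layouts visible in the log above.
"""
import re

# Constructed sample: a subset of lines in the layout of the HijackThis log
# posted above (names and paths taken from that log, not a complete log).
SAMPLE_HJT = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing)
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
"""

O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O2_O3_RE = re.compile(r"^O(?P<num>[23]) - (?:BHO|Toolbar): (?P<name>.+?) - \{(?P<clsid>[^}]+)\} - (?P<path>.+)$")


def parse_hjt(text):
    """Turn the supported line kinds into dicts; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = O23_RE.match(line)
        if m:
            entries.append({"section": "O23", "name": m["name"],
                            "owner": m["owner"], "target": m["path"]})
            continue
        m = O4_RE.match(line)
        if m:
            entries.append({"section": "O4", "name": m["name"],
                            "owner": "", "target": m["cmd"]})
            continue
        m = O2_O3_RE.match(line)
        if m:
            entries.append({"section": "O" + m["num"], "name": m["name"],
                            "owner": "", "target": m["path"]})
    return entries


def review_items(entries):
    """Return only the entries worth a reviewer's attention, most severe first."""
    findings = []
    for e in entries:
        flags = []
        if "(file missing)" in e["target"]:
            flags.append("file_missing")
        if e["owner"] == "Unknown owner":
            flags.append("unknown_owner")
        if e["section"] == "O4":
            # Executable part of the command: quoted path, or first token.
            exe = (e["target"].split('"')[1] if e["target"].startswith('"')
                   else e["target"].split()[0])
            if "\\" not in exe:
                flags.append("unqualified_path")  # resolved via PATH search
        if not flags:
            continue
        if "unknown_owner" in flags and "file_missing" in flags:
            severity = "high"
        elif "file_missing" in flags:
            severity = "low"
        else:
            severity = "info"
        findings.append({**e, "flags": flags, "severity": severity})
    order = ("high", "low", "info")
    return sorted(findings, key=lambda f: order.index(f["severity"]))


if __name__ == "__main__":
    for f in review_items(parse_hjt(SAMPLE_HJT)):
        print(f["severity"], f["section"], f["name"], f["flags"])
```

On the constructed lines the MsaSvc service comes out on top, the missing Norton toolbar DLL is reported as a stale entry, and the SoundMan Run value is noted only because it names SOUNDMAN.EXE without a directory; the Adobe BHO and the AVG and navapsvc entries produce no finding at all.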
Old 02-20-2007, 01:50 PM   #11 (permalink)
Moderator/ Rangemaster TSF Academy; Analyst, Security Team; Oor Wullie; TSF Surgeon and Resident Comic
 
 
Join Date: Sep 2005
Location: Glasgow
Posts: 23,940
OS: Win XP Pro SP3 / Win 7 RC


Blog Entries: 10
Hi again

Looks good. Let’s try and get at least one online scan – choose any one of these and post back with any log produced and a fresh HijackThis Log.


http://housecall.trendmicro.com/ <- - you can use Firefox for this scanner
http://www3.ca.com/virusinfo/virusscan.aspx
http://www.bitdefender.com/scan8/ie.html
http://us.mcafee.com/root/mfs/default.asp
http://security.symantec.com/sscv6/d...d=ie&venid=sym
__________________
Iain - Defender of the Haggis and all things Scottish.
I don't help by PM - post in the Forums.



Glaswegian is offline  
Old 02-21-2007, 07:10 AM   #12 (permalink)
Registered User
 
Join Date: Feb 2007
Posts: 13
OS: Windows XP Professional


BitDefender Online Scanner

Scan report generated at: Tue, Feb 20, 2007 - 20:59:06

Scan path: C:\;D:\;

Statistics
Time: 00:58:44
Files: 457456
Folders: 4305
Boot Sectors: 2
Archives: 1882
Packed Files: 66788

Results
Identified Viruses: 2
Infected Files: 4
Suspect Files: 5
Warnings: 0
Disinfected: 0
Deleted Files: 10

Engines Info
Virus Definitions: 389199
Engine build: AVCORE v1.0 (build 2397) (i386) (Feb 8 2007 14:24:08)
Scan plugins: 14
Archive plugins: 38
Unpack plugins: 6
E-mail plugins: 6
System plugins: 1

Scan Settings
First Action: Disinfect
Second Action: Delete
Heuristics: Yes
Enable Warnings: Yes
Scanned Extensions: *;
Exclude Extensions:
Scan Emails: Yes
Scan Archives: Yes
Scan Packed: Yes
Scan Files: Yes
Scan Boot: Yes

Scanned File -> Status
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\62883063.dll=>(Quarantine-2) -> Infected with: Win32.Banwarum.N@mm
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\62883063.dll=>(Quarantine-2) -> Deleted
C:\Documents and Settings\Kyle Hicks\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{13B04944-0AA4-42D3-80C7-88861BDA42AB} -> Infected with: Trojan.QHosts.AF
C:\Documents and Settings\Kyle Hicks\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{13B04944-0AA4-42D3-80C7-88861BDA42AB} -> Disinfection failed
C:\Documents and Settings\Kyle Hicks\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{13B04944-0AA4-42D3-80C7-88861BDA42AB} -> Deleted
C:\Documents and Settings\Kyle Hicks\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{15E9A894-75C2-4979-9419-16BB1310A72B} -> Suspected of: Trojan.QHosts.AF
C:\Documents and Settings\Kyle Hicks\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{15E9A894-75C2-4979-9419-16BB1310A72B} -> Disinfection failed
C:\Documents and Settings\Kyle Hicks\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{15E9A894-75C2-4979-9419-16BB1310A72B} -> Deleted
C:\Documents and Settings\Kyle Hicks\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{16B041D2-F47A-4707-805C-D08B9D445349} -> Suspected of: Trojan.QHosts.AF
C:\Documents and Settings\Kyle Hicks\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{16B041D2-F47A-4707-805C-D08B9D445349} -> Disinfection failed
C:\Documents and Settings\Kyle Hicks\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{16B041D2-F47A-4707-805C-D08B9D445349} -> Deleted
C:\Documents and Settings\Kyle Hicks\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{1E25C7C1-4FE6-4542-83A0-CD189CDE6F74} -> Infected with: Trojan.QHosts.AF
C:\Documents and Settings\Kyle Hicks\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{1E25C7C1-4FE6-4542-83A0-CD189CDE6F74} -> Disinfection failed
C:\Documents and Settings\Kyle Hicks\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{1E25C7C1-4FE6-4542-83A0-CD189CDE6F74} -> Deleted
C:\Documents and Settings\Kyle Hicks\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{74EEB8AD-C69F-4007-966B-7CA64925C257} -> Suspected of: Trojan.QHosts.AF
C:\Documents and Settings\Kyle Hicks\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{74EEB8AD-C69F-4007-966B-7CA64925C257} -> Disinfection failed
C:\Documents and Settings\Kyle Hicks\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{74EEB8AD-C69F-4007-966B-7CA64925C257} -> Deleted
C:\Documents and Settings\Kyle Hicks\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{8241BCB7-BD2B-4C9B-BE73-0AA65878ABC3} -> Infected with: Trojan.QHosts.AF
C:\Documents and Settings\Kyle Hicks\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{8241BCB7-BD2B-4C9B-BE73-0AA65878ABC3} -> Disinfection failed
C:\Documents and Settings\Kyle Hicks\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{8241BCB7-BD2B-4C9B-BE73-0AA65878ABC3} -> Deleted
C:\Documents and Settings\Kyle Hicks\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{A881266F-01B2-453C-9DF3-EAC064871219} -> Suspected of: Trojan.QHosts.AF
C:\Documents and Settings\Kyle Hicks\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{A881266F-01B2-453C-9DF3-EAC064871219} -> Disinfection failed
C:\Documents and Settings\Kyle Hicks\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{A881266F-01B2-453C-9DF3-EAC064871219} -> Deleted
C:\WINDOWS\system32\drivers\etc\hosts -> Suspected of: Trojan.QHosts.AF
C:\WINDOWS\system32\drivers\etc\hosts -> Disinfection failed
C:\WINDOWS\system32\drivers\etc\hosts -> Deleted

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 3:13:00 AM 2/21/2007

+ Scan result:



C:\Documents and Settings\Kyle Hicks\Cookies\kyle__hicks@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Kyle Hicks\Cookies\kyle__hicks@realmedia[1].txt -> TrackingCookie.Realmedia : Cleaned.
C:\Documents and Settings\Kyle Hicks\Cookies\kyle__hicks@statse.webtrendslive[2].txt -> TrackingCookie.Webtrendslive : Cleaned.
C:\Documents and Settings\Kyle Hicks\Cookies\kyle__hicks@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned.


::Report end




McAfee FreeScan has detected 3 files on your computer!
Your personal information might be vulnerable to exposure or corruption.
Your computer might transmit possible threats to friends, family, and co-workers.

Important: If you disabled your anti-virus software, please re-enable it now.
Scan Location
Drive C My Documents Windows Files
Scan Status
Files Scanned: 38692
Files Detected: 3
Information: Scanning completed!

List of Detected Files
File Name Threat Name
C:\Documents and Settings\...\Process.exe PrcViewer
C:\Documents and Settings\...\SmitfraudFix.exe PrcViewer
C:\WINDOWS\system32\Process.exe PrcViewer


Logfile of HijackThis v1.99.1
Scan saved at 9:10:26 AM, on 2/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\GENERIC\Power4 Gear\BatteryLife.exe
C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\1XConfig.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Documents and Settings\Kyle Hicks\Desktop\hijackthis\Glasgow.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Power_Gear] C:\Program Files\GENERIC\Power4 Gear\BatteryLife.exe 1
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll (file missing)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: McAfee Wi-FiScan - http://download.mcafee.com/molbin/is...cannerCtrl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by107w.bay107.mail.live.com/m...s/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - http://javadl-esd.sun.com/update/1.5...ws-i586-jc.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...67/mcfscan.cab
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing)
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
christinelydia is offline  
Old 02-21-2007, 01:08 PM   #13 (permalink)
Moderator/ Rangemaster TSF Academy; Analyst, Security Team; Oor Wullie; TSF Surgeon and Resident Comic
 
Glaswegian
Join Date: Sep 2005
Location: Glasgow
Posts: 23,940
OS: Win XP Pro SP3 / Win 7 RC

Hi again

Not as bad as it looks. McAfee calls one of our tools suspect, but I can assure you it’s not. One of the things the tool does is shut down certain applications before cleaning, and it’s the shutdown process that rings the alarm bells.


Clear Windows Defender - go to Tools > Quarantined Items and Remove All.


Other than that your log is clean. Any more problems? If not we’ll just tidy up and I’ll let you go, along with my recommendations for staying safe and secure.

You can go ahead and delete any special tools we used (SmitRem, SmitfraudFix, ComboFix, etc). They won't serve a future purpose and are replaced with updated versions frequently, so the copies you have are probably already out of date and there is therefore no need to keep them.



Reset Hidden/System Files
To reset your hidden and system files:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Deselect the Show hidden files and folders option.
  • Select the Hide file extensions for known types option.
  • Select the Hide protected operating system files option.
  • Click Yes to confirm.
  • Click OK.


System Restore
To turn off System Restore, click Start, right-click My Computer and choose Properties. Click the System Restore tab and check "Turn off System Restore" or "Turn off System Restore on all drives", then click Apply. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this, then click OK.

To turn on System Restore, click Start, right-click My Computer, and then click Properties. Click the System Restore tab. Uncheck "Turn off System Restore" or "Turn off System Restore on all drives." Click Apply, and then OK.

This will create a new Restore Point.



Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:

Spyware Blaster to help prevent spyware from installing in the first place.
Spyware Guard to catch and block spyware before it can execute.
Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis, just as you would with antivirus software. A tutorial on installing & using this product can be found here.


Ad-aware

Download and install Ad-Aware. You should use this program to scan your computer on a regular basis, just as you would with antivirus software, in conjunction with Spybot. A tutorial on installing & using this product can be found here.


IE-SPYAD
IE-Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impairs attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. A tutorial on installing this product can be found here.


SnoopFree

SnoopFree is a real time monitor that notifies you when a programme wants to record your keystrokes or read your screen. Note that SnoopFree is only for XP systems.


MVPS Hosts File

The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer. Note that if you use a company provided HOSTS file you should not use the MVPS HOSTS file.


Alternate Browsers

Try the following free alternate browsers rather than Internet Explorer
Firefox
Opera
Maxthon


Firewalls

A good firewall will monitor incoming and outgoing traffic. NOTE: Microsoft's Firewall does not monitor outgoing traffic. If you do not have a firewall, here are 3 free ones available for personal use:
Comodo Personal Firewall
Sygate Personal Firewall
ZoneAlarm


Anti Virus Software

It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. See this link for a listing of some online antivirus scanners:
Anti-Spyware Tutorial

Here are three very good free Antivirus products which are available:
BitDefender Free
Avast!
AVG

It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.


Other Protection

Winpatrol - Download and install the free version of Winpatrol. A tutorial for this product is located here:
Using Winpatrol to protect your computer.


In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles

PC Safety & Security - What Do I Need?.
Making Internet Explorer Safer.

Keep clean and safe and enjoy your computing!

Please respond to this thread one more time so we can mark this thread as resolved.
__________________
Iain - Defender of the Haggis and all things Scottish.
I don't help by PM - post in the Forums.



Glaswegian is offline  
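The BitDefender log earlier in the thread flagged C:\WINDOWS\system32\drivers\etc\hosts as Trojan.QHosts.AF, while the MVPS recommendation above uses that same file on purpose, so it is worth being able to tell a blocking entry from a hijack. The Python script below is an added example, not code from this thread, from Tech Support Forum or from any of the tools named here. It parses HOSTS file text and separates MVPS-style blocking entries (names sent to 127.0.0.1, 0.0.0.0 or ::1) from entries that send a name, and in particular an update or online-scanner domain, to a routable address. The sample file, every domain name in it and the keyword watchlist are constructed for illustration.

```python
"""Classify Windows HOSTS file entries as benign blocking or suspicious redirects.

Added example, not code from the thread or from any of the tools named in it.
The sample file, the keyword watchlist and all domain names are constructed.
"""
import ipaddress
from dataclasses import dataclass, field

# Addresses that only sink traffic. An entry pointing a name here blocks it,
# which is exactly what an MVPS-style HOSTS file does to ad servers.
BLACKHOLE = {"127.0.0.1", "0.0.0.0", "::1"}

# Names the default HOSTS file is expected to map to loopback.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Constructed watchlist (illustrative, not authoritative): substrings of names
# whose redirection would cut a machine off from updates or online scanners.
SECURITY_KEYWORDS = ("windowsupdate", "liveupdate", "symantec", "mcafee",
                     "bitdefender", "avg", "trendmicro", "housecall")


@dataclass
class HostsEntry:
    line_no: int
    address: str
    names: list = field(default_factory=list)
    verdict: str = ""   # local | blocked | redirect | redirect-security | malformed


def classify(address, names):
    """Decide what a single 'address name [name ...]' mapping means."""
    lowered = [n.lower() for n in names]
    if all(n in LOCAL_NAMES for n in lowered):
        # localhost pointed anywhere but loopback is itself a hijack
        return "local" if address in BLACKHOLE else "redirect"
    if address in BLACKHOLE:
        return "blocked"
    if any(key in name for name in lowered for key in SECURITY_KEYWORDS):
        return "redirect-security"
    return "redirect"


def parse_hosts(text):
    """Parse HOSTS file text into classified entries; comments and blanks are skipped."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        address, *names = line.split()
        try:
            ipaddress.ip_address(address)
        except ValueError:
            entries.append(HostsEntry(line_no, address, names, "malformed"))
            continue
        if not names:
            entries.append(HostsEntry(line_no, address, names, "malformed"))
            continue
        entries.append(HostsEntry(line_no, address, names, classify(address, names)))
    return entries


def suspicious(entries):
    """Entries a reviewer should look at: anything that is not plain blocking or localhost."""
    return [e for e in entries if e.verdict not in ("local", "blocked")]


# Constructed sample: a default XP-style file, two MVPS-style block entries,
# two redirect entries of the kind a QHosts-class trojan writes, one garbage line.
SAMPLE_HOSTS = """\
# constructed sample, not a real HOSTS file
127.0.0.1       localhost
127.0.0.1       ads.example-adserver.test     # blocking entry, harmless
0.0.0.0         tracker.example-metrics.test  # blocking entry, harmless
10.20.30.40     liveupdate.example-av.test    # vendor name sent to a routable address
192.0.2.7       www.example-bank.test         # ordinary name sent to a routable address
not-an-ip       www.example.test              # malformed line
"""


def report(text):
    """Return the suspicious entries as printable lines (and print them)."""
    lines = [f"line {e.line_no}: {e.verdict:18} {e.address} -> {', '.join(e.names)}"
             for e in suspicious(parse_hosts(text))]
    for line in lines:
        print(line)
    return lines


if __name__ == "__main__":
    report(SAMPLE_HOSTS)
```

To check a real machine, read C:\WINDOWS\system32\drivers\etc\hosts into a string and pass it to report(); on the sample it lists only the two redirects and the malformed line, and leaves the MVPS-style blocking entries alone. The keyword list is only a starting point, and a name sent to any routable address deserves a look whether or not it matches a keyword.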
 


All times are GMT -7.

Copyright 2001 - 2009, Tech Support Forum