Lots of Norton Trojan Alerts

[greyknight17]

You said you noticed a BHO entry but left it alone. What BHO entry was this for?

Right click on this link http://www.greyknight17.com/spy/DelO15Domains.inf and choose Save As. Save it to your desktop. Right click on that file and choose Install. It will run immediately (you won't be able to see anything happen). You may delete it afterwards.

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

O13 - WWW. Prefix: http://

Restart and post a new HijackThis log.

Download this virus checker and tool from eScan
Mwav.exe (Use Link 3)

1. Save it to a folder.
2. Reboot into safe mode
3. Double click the Mwav.exe file.(This is a stand alone tool and NOT just a virus checker......so it won't install anything)
4.Select all local drives, scan all files, press SCAN and when it is completed, anything found will be displayed in the lower pane.
5. In the Virus Log Information Pane......
Left click and Highlight all the info in the Lower pane--- Use "CTRL C" on your Keyboard to copy all found in the lower pane and save it to a notepad file

*Note* If prompted that a Virus was found and you need to purchase the product to remove the malware, just close out the prompt and let it
continue scanning.

We are not going to use this to remove anything..but to ID the bad guys.

Once you copy that to a notepad file...highlight the text and copy it here

[marley07712]

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.my.yahoo.com/
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\System32\hpbpro.exe
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\System32\hpboid.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

[greyknight17]

Try reading this site's instructions and see if they can help you remove that trojan.

Where's the mwav log?

[marley07712]

Sorry for not responding sooner but I can't figure out how to copy the lower pane mwav info (I hot ctrl c and nothing happens. If I hit view log will that provide the info you need?

[greyknight17]

It should be the same thing. Hit view log and see if that's the same information on the bottom pane. Post it here.

[marley07712]

Unfortunately the log is the entire scan. I did not see the bottom pane problems isolated.

[greyknight17]

There should be a file called scandump.txt saved somewhere on your computer. Do a search for this file. Open it up and see if those are the alarms found. Post them here if so.

[marley07712]

I could not locate a scandump file so I went thru and manually deleted all but references to infections. It's awfully long (sorry). I'm no expert (or even intermediate) but itlooks like alot of the stuff is from norton in quarantine and old HJT backups.

Mon Apr 18 11:53:52 2005 => Scanning HKLM\SYSTEM\CurrentControlSet\Services\VxD
Mon Apr 18 11:53:52 2005 => Offending value found in HKLM\Software\mysearch !!!
Mon Apr 18 11:53:52 2005 => Offending Folder C:\PROGRA~1\mysearch present...
Mon Apr 18 12:01:32 2005 => System found infected with mysearch Spyware/Adware! Action taken: No Action Taken.
Mon Apr 18 12:01:32 2005 => File System Found infected by "mysearch Spyware/Adware" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:01:32 2005 => Offending Folder C:\DOCUME~1\Jon\STARTM~1\Programs\ADDEST~1 present...
Mon Apr 18 12:01:32 2005 => System found infected with addestroyer Spyware/Adware! Action taken: No Action Taken.
Mon Apr 18 12:01:32 2005 => File System Found infected by "addestroyer Spyware/Adware" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:01:32 2005 => System found infected with ezula Spyware/Adware (vx3x.nls)! Action taken: No Action Taken.
Mon Apr 18 12:01:32 2005 => File System Found infected by "ezula Spyware/Adware" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:01:32 2005 => System found infected with ezula Spyware/Adware (vx3.nls)! Action taken: No Action Taken.
Mon Apr 18 12:01:32 2005 => File System Found infected by "ezula Spyware/Adware" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:01:32 2005 => System found infected with ezula Spyware/Adware (vx0.nls)! Action taken: No Action Taken.
Mon Apr 18 12:01:32 2005 => File System Found infected by "ezula Spyware/Adware" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:01:41 2005 => File C:\WINDOWS\bhoass.dll infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:01:43 2005 => File C:\WINDOWS\explorer32dbg.exe infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:01:45 2005 => File C:\WINDOWS\iexplore_dbg.exe infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:01:49 2005 => File C:\WINDOWS\msxmidi.exe infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:04:11 2005 => File C:\WINDOWS\System32\wldr.dll infected by "Trojan-Downloader.Win32.Agent.le" Virus. Action Taken: No Action Taken.

Mon Apr 18 1234 2005 => File C:\Documents and Settings\All Users\Application Data\AOL Downloads\setup90\comp01.000 tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.

Mon Apr 18 12:08:49 2005 => File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy1.zip infected by "Password-protected-EXE" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:14:05 2005 => File C:\Documents and Settings\Jon\Local Settings\Application Data\Wildtangent\Cdacache\00\00\09.dat infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:14:09 2005 => File C:\Documents and Settings\Jon\Local Settings\Application Data\Wildtangent\Cdacache\00\00\25.dat infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:22:52 2005 => File C:\HJT\backups\backup-20050414-065213-939.dll infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:22:52 2005 => File C:\HJT\backups\backup-20050414-065227-380.dll infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:22:52 2005 => File C:\HJT\backups\backup-20050414-200530-226.dll infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:22:52 2005 => File C:\HJT\backups\backup-20050414-202717-497.dll infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:22:52 2005 => File C:\HJT\backups\backup-20050414-202810-320.dll infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:22:53 2005 => File C:\HJT\backups\backup-20050414-210758-413.dll infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:22:53 2005 => File C:\HJT\backups\backup-20050414-210810-545.dll infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:22:53 2005 => File C:\HJT\backups\backup-20050414-212734-237.dll infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:22:53 2005 => File C:\HJT\backups\backup-20050414-224744-704.dll infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:22:53 2005 => File C:\HJT\backups\backup-20050415-071334-235.dll infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:22:53 2005 => File C:\HJT\backups\backup-20050415-090715-213.dll infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:22:54 2005 => File C:\HJT\backups\backup-20050415-100806-906.dll infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:22:54 2005 => File C:\HJT\backups\backup-20050415-101500-284.dll infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:22:54 2005 => File C:\HJT\backups\backup-20050415-123405-902.dll infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:22:55 2005 => File C:\HJT\backups\backup-20050415-124707-240.dll infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:22:55 2005 => File C:\HJT\backups\backup-20050415-124848-162.dll infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:22:57 2005 => File C:\HJT\hijackthis_199.zip infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:24:41 2005 => File C:\Program Files\America Online 9.0\Jiti\Jiti_mm.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.

Mon Apr 18 12:44:58 2005 => File C:\Program Files\MySearch\bar\1.bin\NPMYSRCH.DLL infected by "not-a-virus:AdWare.ToolBar.MyWay.j" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:44:58 2005 => File C:\Program Files\MySearch\bar\1.bin\S42NS.EXE infected by "not-a-virus:AdWare.ToolBar.MyWay.j" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:44:58 2005 => File C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL infected by "not-a-virus:AdWare.ToolBar.MyWay.j" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:45:06 2005 => File C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\00EB0A32.php infected by "Exploit.HTML.Mht" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:45:06 2005 => File C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\02661091.php infected by "Exploit.HTML.Mht" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:45:06 2005 => File C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\030F17D6.php infected by "Exploit.HTML.Mht" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:45:06 2005 => File C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\046B4F4E infected by "not-virus:Joke.Win32.Sojfuse" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:45:06 2005 => File C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\077D00F7.php infected by "Exploit.HTML.Mht" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:45:06 2005 => File C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\07FD70AD.class infected by "Trojan.Java.ClassLoader.d" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:45:06 2005 => File C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\0A510E5D infected by "Trojan.Win32.Delf.cf" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:45:06 2005 => File C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\0A553859 infected by "Trojan.Win32.Delf.cf" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:45:07 2005 => File C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\0BB748BF infected by "not-a-virus:AdWare.VirtualBouncer.c" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:45:07 2005 => File C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\0BBB72BB infected by "Trojan.Win32.Delf.cf" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:45:08 2005 => File C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\0BBE1CB8 infected by "Trojan.Win32.Delf.cf" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:45:08 2005 => File C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\0BC146B4 infected by "Trojan.Win32.Delf.cf" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:45:08 2005 => File C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\0D41229F.php infected by "Exploit.HTML.Mht" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:45:08 2005 => File C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\0E3F6D87.php infected by "Exploit.HTML.Mht" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:45:08 2005 => File C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\0F612FB9.exe infected by "Trojan-Downloader.Win32.Delf.jk" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:45:09 2005 => File C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\0FFF53CE infected by "Trojan-Downloader.Win32.Small.id" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:45:09 2005 => File C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\13C9087A.exe infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:45:09 2005 => File C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\161A672F.htm infected by "Trojan-Downloader.VBS.Psyme.ap" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:45:09 2005 => File C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\16246525.class infected by "Exploit.Java.Bytverify" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:45:09 2005 => File C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\165130F2.htm infected by "Trojan-Downloader.VBS.Psyme.ap" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:45:10 2005 => File C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\220A4A46 infected by "Trojan.Win32.Delf.cf" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:45:10 2005 => File C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\25FB207F.exe infected by "Trojan-Downloader.Win32.Delf.jj" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:45:10 2005 => File C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\285772EF infected by "Trojan.Win32.Delf.cf" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:45:10 2005 => File C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\2B7240F8.class infected by "Trojan.Java.ClassLoader.Dummy.a" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:45:10 2005 => File C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\2C4042FF.dll infected by "Trojan-Downloader.Win32.Agent.hz" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:45:10 2005 => File C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\2C4B0838.exe infected by "Trojan-Downloader.Win32.Small.yx" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:45:10 2005 => File C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\2F172039.class infected by "Trojan.Java.Femad" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:45:12 2005 => File C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\391C5FEA infected by "not-a-virus:AdWare.BetterInternet" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:45:13 2005 => File C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\3E2E39DE infected by "Trojan.Win32.Delf.cf" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:45:13 2005 => File C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\3E3163DB infected by "Trojan.Win32.Delf.cf" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:45:13 2005 => File C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\47B40546.class infected by "Exploit.Java.Bytverify" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:45:13 2005 => File C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\484824BF.htm infected by "Trojan-Clicker.JS.Linker.k" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:45:13 2005 => File C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\484E78B8.class infected by "Trojan.Java.ClassLoader.c" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:45:13 2005 => File C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\485222B5.class infected by "Trojan-Downloader.Java.OpenConnection.v" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:45:13 2005 => File C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\49676AA7.class infected by "Trojan.Java.ClassLoader.d" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:45:13 2005 => File C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\49FF67E0 infected by "not-a-virus:AdWare.VirtualBouncer.j" Virus. Action Taken: No Action Taken.s

Mon Apr 18 12:45:13 2005 => File C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\4ACB448D.class infected by "Exploit.Java.Bytverify" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:45:13 2005 => File C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\4DFA3244.exe infected by "Trojan-Dropper.Win32.Agent.az" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:45:13 2005 => File C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\4EDF4F92.class infected by "Trojan-Downloader.Java.OpenConnection.v" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:45:13 2005 => File C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\505A1813.exe infected by "Trojan-Downloader.Win32.Small.wj" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:45:13 2005 => File C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\50FE52CE.class infected by "Exploit.Java.Bytverify" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:45:13 2005 => File C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\520426BB.class infected by "Trojan.Java.Femad" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:45:14 2005 => File C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\5EFC40F1 infected by "Trojan.Win32.Delf.cf" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:45:14 2005 => File C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\639E3619 infected by "Trojan.Win32.Delf.cf" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:45:15 2005 => File C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\63A26015 infected by "Trojan.Win32.Delf.cf" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:45:15 2005 => File C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\653D24A8.php infected by "Exploit.HTML.Mht" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:45:15 2005 => File C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\654378A1.class infected by "Trojan.Java.ClassLoader.h" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:45:15 2005 => File C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\6546229D.exe infected by "Trojan-Downloader.Win32.Small.yx" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:45:15 2005 => File C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\654A4C9A.exe infected by "Trojan-Downloader.Win32.Small.yx" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:45:15 2005 => File C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\6751605E.exe infected by "Trojan-Downloader.Win32.Small.yx" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:45:15 2005 => File C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\6751605E.php infected by "Exploit.HTML.Mht" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:45:15 2005 => File C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\6B0A3C90.exe infected by "Trojan-Dropper.Win32.Agent.az" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:45:15 2005 => File C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\6D140A11.class infected by "Trojan.Java.ClassLoader.Dummy.a" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:45:15 2005 => File C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\71624C0B.class infected by "Trojan.Java.ClassLoader.c" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:45:15 2005 => File C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\735401EB infected by "Trojan.Win32.Delf.cf" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:45:16 2005 => File C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\778D0316 infected by "Trojan.Win32.Delf.cf" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:45:16 2005 => File C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\781A35E5.php infected by "Exploit.HTML.Mht" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:45:16 2005 => File C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\782E31CF.class infected by "Trojan.Java.ClassLoader.h" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:45:16 2005 => File C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\78315BCC.exe infected by "Trojan-Downloader.Win32.Small.yx" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:45:16 2005 => File C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\783405C8.exe infected by "Trojan-Downloader.Win32.Small.yx" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:45:16 2005 => File C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\78E90FC3.php infected by "Exploit.HTML.Mht" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:45:17 2005 => File C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\79C03AF0 infected by "Trojan.Win32.Delf.cf" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:45:17 2005 => File C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\7BA64DFE.php infected by "Exploit.HTML.Mht" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:45:17 2005 => File C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\7BA977FA.exe infected by "Trojan-Downloader.Win32.Small.yx" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:45:17 2005 => File C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\7BAD21F7.exe infected by "Trojan-Downloader.Win32.Small.yx" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:45:17 2005 => File C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\7CCF3AB7.php infected by "Exploit.HTML.Mht" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:45:17 2005 => File C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\7DCB5BA2.php infected by "Exploit.HTML.Mht" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:45:17 2005 => File C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\7ED94CC1.htm infected by "Exploit.VBS.Phel.a" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:45:17 2005 => File C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\7EE43DE9 infected by "Trojan.Win32.Delf.cf" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:45:18 2005 => File C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\7FC87172.php infected by "Exploit.HTML.Mht" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:53:54 2005 => File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP112\A0087263.exe infected by "Trojan-Downloader.Win32.Delf.jj" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:53:55 2005 => File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP112\A0087274.exe infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:53:55 2005 => File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP112\A0087275.EXE infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:53:55 2005 => File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP112\A0087276.EXE infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:53:55 2005 => File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP112\A0087292.exe infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:53:56 2005 => File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP112\A0088274.exe infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:53:56 2005 => File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP112\A0088275.EXE infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:53:56 2005 => File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP112\A0088276.EXE infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:53:56 2005 => File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP112\A0088280.exe infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:54:05 2005 => File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP112\A0089274.exe infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:54:05 2005 => File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP112\A0089275.EXE infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:54:05 2005 => File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP112\A0089276.EXE infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:54:05 2005 => File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP112\A0089277.exe infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:54:09 2005 => File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP112\A0089297.exe infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:54:09 2005 => File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP112\A0089298.EXE infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:54:09 2005 => File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP112\A0089299.EXE infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:54:10 2005 => File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP112\A0089303.dll infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:54:11 2005 => File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP112\A0089310.exe infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:54:17 2005 => File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP112\A0089343.EXE infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:54:17 2005 => File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP112\A0089344.EXE infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:54:17 2005 => File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP112\A0089345.dll infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:54:17 2005 => File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP112\A0089349.dll infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:54:17 2005 => File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP112\A0089350.dll infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:54:18 2005 => File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP112\A0089351.dll infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:54:18 2005 => File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP112\A0089356.exe infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:54:18 2005 => File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP112\A0089357.EXE infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:54:18 2005 => File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP112\A0089358.EXE infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:54:18 2005 => File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP112\A0089361.exe infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:54:18 2005 => File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP112\A0089362.EXE infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:54:18 2005 => File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP112\A0089363.EXE infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:54:18 2005 => File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP112\A0089364.dll infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:54:19 2005 => File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP112\A0089366.dll infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:54:19 2005 => File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP112\A0089368.EXE infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:54:19 2005 => File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP112\A0089369.EXE infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:54:19 2005 => File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP112\A0089374.exe infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:54:19 2005 => File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP112\A0089375.exe infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:54:19 2005 => File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP112\A0089377.EXE infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:54:19 2005 => File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP112\A0089378.EXE infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:54:22 2005 => File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP112\A0089400.dll infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:54:25 2005 => File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP113\A0089403.EXE infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:54:25 2005 => File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP113\A0089404.EXE infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:54:27 2005 => File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP114\A0089406.EXE infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:54:27 2005 => File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP114\A0089407.EXE infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:54:27 2005 => File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP114\A0089409.dll infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:54:28 2005 => File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP114\A0089412.dll infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:54:29 2005 => File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP114\A0089431.dll infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:54:29 2005 => File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP114\A0089434.dll infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:54:29 2005 => File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP114\A0089435.dll infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:54:30 2005 => File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP114\A0089437.exe infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:54:30 2005 => File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP114\A0089442.exe infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:54:30 2005 => File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP114\A0089443.EXE infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:54:30 2005 => File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP114\A0089444.EXE infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:54:30 2005 => File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP114\A0089446.dll infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:54:31 2005 => File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP114\A0089451.exe infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:54:31 2005 => Scanning File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP114\A0089452.dllMon Apr 18 12:54:31 2005 => File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP114\A0089452.dll infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:54:31 2005 => File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP114\A0089453.dll infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:54:31 2005 => File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP114\A0089454.dll infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:54:31 2005 => File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP114\A0089455.dll infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:54:31 2005 => File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP114\A0089457.dll infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:54:31 2005 => File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP114\A0089458.dll infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:54:32 2005 => File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP114\A0089464.exe infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:54:32 2005 => File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP114\A0089465.EXE infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:54:32 2005 => File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP114\A0089466.EXE infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:54:32 2005 => File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP114\A0089467.exe infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:54:32 2005 => File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP114\A0089469.dll infected by "not-a-virus:AdWare.ToolBar.ToolBand.a" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:54:32 2005 => File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP114\A0089472.dll infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:54:33 2005 => File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP114\A0089487.exe infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:54:34 2005 => File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP114\A0089488.EXE infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:54:34 2005 => File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP114\A0089489.EXE infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:54:34 2005 => File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP114\A0089490.exe infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:54:36 2005 => File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP114\A0089511.exe infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:54:36 2005 => File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP114\A0089512.EXE infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:54:36 2005 => File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP114\A0089513.EXE infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:54:36 2005 => File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP114\A0089515.exe infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:54:36 2005 => File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP114\A0089519.exe infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:54:36 2005 => File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP114\A0089520.EXE infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:54:36 2005 => File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP114\A0089521.EXE infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:54:36 2005 => File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP114\A0089522.dll infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:54:38 2005 => File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP114\A0089525.EXE infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:54:38 2005 => File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP114\A0089526.EXE infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:54:38 2005 => File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP114\A0089532.exe infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:54:38 2005 => File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP114\A0089533.exe infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:54:38 2005 => File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP114\A0089538.dll infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:54:43 2005 => File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP114\A0089580.dll infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:54:44 2005 => File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP114\A0089585.dll infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:54:57 2005 => File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP114\A0089670.exe infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:54:57 2005 => File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP114\A0089671.EXE infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:54:57 2005 => File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP114\A0089672.EXE infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:54:59 2005 => File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP114\A0089685.dll infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:54:59 2005 => File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP114\A0089690.exe infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:54:59 2005 => File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP114\A0089694.exe infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:54:59 2005 => File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP114\A0089695.exe infected by "Trojan.Win32.Agent.ct" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:54:59 2005 => File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP114\A0089696.EXE infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:54:59 2005 => File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP114\A0089697.EXE infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:54:59 2005 => File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP114\A0089699.dll infected by "not-a-virus:AdWare.ToolBar.ToolBand.a" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:55:00 2005 => File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP114\A0089701.dll infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:55:00 2005 => File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP114\A0089703.dll infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:55:00 2005 => File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP114\A0089707.EXE infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:55:00 2005 => File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP114\A0089708.EXE infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:55:00 2005 => File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP114\A0089712.exe infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:55:01 2005 => File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP114\A0089719.EXE infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:55:01 2005 => File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP114\A0089723.exe infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:55:01 2005 => File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP114\A0089724.EXE infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:55:01 2005 => File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP114\A0089727.exe infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:55:06 2005 => File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP114\A0092726.EXE infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:55:06 2005 => File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP114\A0092727.EXE infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:55:48 2005 => File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP115\A0095879.dll infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:57:47 2005 => File C:\WINDOWS\bhoass.dll infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.

Mon Apr 18 12:57:50 2005 => File C:\WINDOWS\bundles\bs5-tsrkqn.exe infected by "not-a-virus:AdWare.BookedSpace.c" Virus. Action Taken: No Action Taken.

Mon Apr 18 13:00:37 2005 => File C:\WINDOWS\explorer32dbg.exe infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.

Mon Apr 18 13:02:57 2005 => File C:\WINDOWS\iexplore_dbg.exe infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.

Mon Apr 18 1306 2005 => File C:\WINDOWS\msxmidi.exe infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.

Mon Apr 18 13:21:28 2005 => File C:\WINDOWS\system32\drivers\etc\1.hosts infected by "Trojan.Win32.Qhost.bd" Virus. Action Taken: No Action Taken.

Mon Apr 18 13:25:07 2005 => File C:\WINDOWS\wt\wtvh.dll infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No Action Taken.

[greyknight17]

Uninstall WildTangent and MySearch from the Add/Remove panel.

Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore. Click Apply and then OK. Restart your computer and uncheck that same box to enable system restore.

Download KillBox http://www.greyknight17.com/spy/KillBox.exe. Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. For each of the following files below, check the box that says 'Unregister .dll Before Deleting' if it's not grayed out. Copy and paste each of the following into KillBox (hitting the X button for each file - choose NO when it asks if you want to reboot):

C:\DOCUME~1\Jon\STARTM~1\Programs\ADDEST~1\ - unless you know what this is for, delete it
C:\WINDOWS\System32\wldr.dll
C:\Documents and Settings\Jon\Local Settings\Application Data\Wildtangent\
C:\Program Files\MySearch\
C:\WINDOWS\bhoass.dll
C:\WINDOWS\bundles\
C:\WINDOWS\explorer32dbg.exe
C:\WINDOWS\iexplore_dbg.exe
C:\WINDOWS\msxmidi.exe
C:\WINDOWS\system32\drivers\etc\1.hosts
C:\WINDOWS\wt\

Go to C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ and delete all the recovery files in there.

Then go to C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\ and delete all the quarantined files in there.

Delete all the backups in C:\HJT\backups\.

The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! (Alternate Link if main link don't work) and install it. Run CleanUp! and click on CleanUp! button. When it asks you if you want to logoff, click on Yes.

Restart and run a new scan for mwav. Post the log here along with a new HijackThis log.

[marley07712]

Thanks again for your help and patience.

MWAV log:

File System Found infected by "mysearch Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "ezula Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "ezula Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "ezula Spyware/Adware" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\All Users\Application Data\AOL Downloads\setup90\comp01.000 tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Documents and Settings\Jon\Local Settings\Application Data\Wildtangent\Cdacache\00\00\09.dat infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Jon\Local Settings\Application Data\Wildtangent\Cdacache\00\00\25.dat infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No Action Taken.
File C:\HJT\hijackthis_199.zip infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.
File C:\Program Files\America Online 9.0\Jiti\Jiti_mm.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\MySearch\bar\1.bin\NPMYSRCH.DLL infected by "not-a-virus:AdWare.ToolBar.MyWay.j" Virus. Action Taken: No Action Taken.
File C:\Program Files\MySearch\bar\1.bin\S42NS.EXE infected by "not-a-virus:AdWare.ToolBar.MyWay.j" Virus. Action Taken: No Action Taken.
File C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL infected by "not-a-virus:AdWare.ToolBar.MyWay.j" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP1\A0000105.exe infected by "Trojan-Downloader.Win32.Delf.jk" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP1\A0000106.exe infected by "Trojan-Downloader.Win32.Small.yx" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP1\A0000107.dll infected by "Trojan-Downloader.Win32.Agent.hz" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP1\A0000108.exe infected by "Trojan-Dropper.Win32.Agent.az" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP1\A0000109.exe infected by "Trojan-Dropper.Win32.Agent.az" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP1\A0000110.exe infected by "Trojan-Downloader.Win32.Small.yx" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP1\A0000111.exe infected by "Trojan-Downloader.Win32.Small.yx" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP1\A0000112.exe infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP1\A0000113.exe infected by "Trojan-Downloader.Win32.Delf.jj" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP1\A0000114.exe infected by "Trojan-Downloader.Win32.Small.wj" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP1\A0000115.exe infected by "Trojan-Downloader.Win32.Small.yx" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP1\A0000116.exe infected by "Trojan-Downloader.Win32.Small.yx" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP1\A0000117.exe infected by "Trojan-Downloader.Win32.Small.yx" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP1\A0000118.exe infected by "Trojan-Downloader.Win32.Small.yx" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP1\A0000119.exe infected by "Trojan-Downloader.Win32.Small.yx" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP1\A0000120.dll infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP1\A0000121.dll infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP1\A0000122.dll infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP1\A0000123.dll infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP1\A0000124.dll infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP1\A0000125.dll infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP1\A0000126.dll infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP1\A0000127.dll infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP1\A0000128.dll infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP1\A0000129.dll infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP1\A0000130.dll infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP1\A0000131.dll infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP1\A0000132.dll infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP1\A0000133.dll infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP1\A0000135.dll infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP1\A0000136.dll infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP1\A0000163.dll infected by "Trojan-Downloader.Win32.Agent.le" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP1\A0000164.exe infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP1\A0000165.exe infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP1\A0000166.exe infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{93D2B55F-D7EA-4DE4-87E6-E3F3AB89201B}\RP1\A0000167.dll infected by "Trojan.Win32.Agent.cx" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\bundles\bs5-tsrkqn.exe infected by "not-a-virus:AdWare.BookedSpace.c" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\wt\wtvh.dll infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No Action Taken.


Logfile of HijackThis v1.99.1
Scan saved at 10:10:49 PM, on 4/20/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Valve\Steam\Steam.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\DOCUME~1\Jon\LOCALS~1\Temp\mwavscan.com
C:\DOCUME~1\Jon\LOCALS~1\Temp\kavss.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.my.yahoo.com/
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\\Steam.exe -silent
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\System32\hpbpro.exe
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\System32\hpboid.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

I wanted to mention that on re-boot the system did a disk check. (file verify, verifyindicies and security descriptions). Also, Wild tangent and MySearch did not appear in add/remove prograqms.

[MicroBell]

Download and install CleanUp http://cleanup.stevengould.org/
(If you don't have it already)

Reboot into safe mode and Delete the following folders......

C:\Documents and Settings\Jon\Local Settings\Application Data\Wildtangent
C:\Program Files\MySearch
C:\WINDOWS\bundles
C:\WINDOWS\wt

Now run the cleanup utility and reboot/logoff when prompted. If everything seams fine...disable system restore...then re-enable it and create a restore point. This will remove the adware and virus still located in your restore points folder.

Run another mwav.exe scan...and post it's log along with another hijackthis log.

[marley07712]

MWAV Log

File System Found infected by "mysearch Spyware/Adware" Virus. Action Taken: No Action Taken.


File System Found infected by "ezula Spyware/Adware" Virus. Action Taken: No Action Taken.


File System Found infected by "ezula Spyware/Adware" Virus. Action Taken: No Action Taken.


File System Found infected by "ezula Spyware/Adware" Virus. Action Taken: No Action Taken.


File C:\!Submit\Cdacache\00\00\09.dat infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No Action Taken.


File C:\!Submit\Cdacache\00\00\25.dat infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No Action Taken.


File C:\Documents and Settings\All Users\Application Data\AOL Downloads\setup90\comp01.000 tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.


File C:\Program Files\America Online 9.0\Jiti\Jiti_mm.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.


Logfile of HijackThis v1.99.1
Scan saved at 1:05:45 PM, on 4/22/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.my.yahoo.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\System32\hpbpro.exe
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\System32\hpboid.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

[marley07712]

Forgot to mention I still have an error text message in the middle of my desktop:

"critical error in IE has ocurred at 0028:C0011E36 in VXD VMM (01) + 00010E36. Error was caused by Trojan-Spy.HTML.smitfraud.c.

System cannot function in normal mode. Please check your security settings.

Scan your PC with any available antivirus/spyware remover program to fix the problem"

[MicroBell]

C:\!Submit <-- delete that folder.

Both your logs show clean. This message....does it look like a legit Windows XP message? Does it open once windows loads or when you open INternet Explorer? Is windows displaying that message or another program? (Like your antivirus) I'm thinking this is leftover Security iGuard junk.

Also check and see if you have the following files in these locations...

C:\wp.exe
C:\wp.bmp

Delete them if found...

Download the attachment I posted here DANGER: SPYWARE...Smart Security 59.95$ called fixsec.txt. Save it to your desktop. Now rename it to fixsec.reg

Double click on the file to merge it into your registry and reboot. If the screen comes back up...Click start...run..type in regedit. Navigate to the following key....

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\
System]

Set the following value to this entry:

"NoDispBackgroundPage"=dword:0x00000000(0)

Then remove this other entry if listed:

"Wallpaper"=reg_sz:"c:\wp.bmp"

Let me know the outcome..


Post another silentrunners log...

Download Silent runners.Vbs http://www.silentrunners.org/
1. Make sure you have any script blocking software disabled
2. Run the program. It will take a few minutes to complete.
3. Once complete it will produce a log named “StartupPrograms” with Your user and date in the filename. Open that txt file and posts it contents in your next post.

[marley07712]

"Silent Runners.vbs", revision 35, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"NeroCheck" = "C:\WINDOWS\System32\NeroCheck.exe" ["Ahead Software Gmbh"]
"AOLDialer" = "C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" ["America Online, Inc"]
"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\Office\OLKFSTUB.DLL" [MS]
"{acb4a560-3606-11d3-aef4-00104bd0f92d}" = "KodakShellExtension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\KODAK\IFSCore\kodakshx.dll" ["Eastman Kodak Company"]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvcpl.dll" ["NVIDIA Corporation"]
"{81559C35-8464-49F7-BB0E-07A383BEF910}" = "SpywareGuard"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\SpywareGuard\spywareguard.dll" [null data]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{81559C35-8464-49F7-BB0E-07A383BEF910}" = "SpywareGuard"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\SpywareGuard\spywareguard.dll" [null data]


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\sspipes.scr" [MS]


Enabled Wallpaper and Active Desktop:
-------------------------------------

Active Desktop is disabled.

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Jon\Application Data\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp"


Enabled Scheduled Tasks:
------------------------

"Norton AntiVirus - Scan my computer" -> launches: "C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exe /task:"C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Tasks\mycomp.sca"" ["Symantec Corporation"]
"Norton SystemWorks One Button Checkup" -> launches: "C:\Program Files\Norton SystemWorks\OBC.exe /CUSTOM /SCHEDULE" ["Symantec Corporation"]
"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "%SystemRoot%\System32\nwprovau.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 28
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}"
-> {CLSID}\(Default) = "Norton AntiVirus"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll" ["Symantec Corporation"]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\
-> {CLSID}\(Default) = "Real.com"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Shdocvw.dll" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{AC9E2541-2814-11D5-BC6D-00B0D0A1DE45}\
"ButtonText" = "AIM"
"Exec" = "C:\Program Files\AIM\aim.exe" ["America Online, Inc."]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AOL Connectivity Service, AOL ACS, "C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe" ["America Online, Inc."]
Kodak Camera Connection Software, KodakCCS, "C:\WINDOWS\system32\drivers\KodakCCS.exe" ["Eastman Kodak Company"]
Norton AntiVirus Auto Protect Service, navapsvc, ""C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe"" ["Symantec Corporation"]
Norton Unerase Protection, NProtectService, "C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE" ["Symantec Corporation"]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\System32\nvsvc32.exe" ["NVIDIA Corporation"]
SAVScan, SAVScan, "C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe" ["Symantec Corporation"]
Speed Disk service, Speed Disk service, "C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE" ["Symantec Corporation"]
Symantec Core LC, Symantec Core LC, "C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe" ["Symantec Corporation"]
Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]


----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------



The trojan message is gone but now all the display options in control panel appear as kodak easy share files, and the toolbar is not a windows xp toolbar (it looks like '98 all over again).

[MicroBell]

Which reg fix worked? You'll have to set your desktop back up..as the reg fix sets the settings back to XP defaults. So choose XP in your desktop and make sure you have XP checked on the toolbar properties tab.

As to the Kodak icons...is that for all icons? The fix we did should not have changed those. It just removes the registry entrys the hijacker changed.

[marley07712]

I followed your instructions and downloaded this: fixsec.reg.

I also changed the registry value for this entry: "NoDispBackgroundPage"=dword:0x00000000(0)

(I changed the value in parens from 1 to 0).

And I deleted Wallpaper"=reg_sz:"c:\wp.bmp" in the registry.

AS to the Kodak icons, before these fixes I couldn't even get to the background options in display.

[marley07712]

When I go to display properties I've got some wierd things happening. There is no theme and appearance tab, only only desktop, screen saver and settings.

Also, when I go to desktob, there is no web tab, just general.

Should I post this in the XP forum?

[greyknight17]

Yes, try posting this problem in the Windows forum. See if any of the experts there know anything about these missing tabs.

[marley07712]

Will do. Thanks to everyone for all your help.