08-09-2005, 01:01 AM   #1 (permalink)
D-Day (Registered User)

My pc has gone berserk, HJT analyst log included

Hi, I'm using Windows ME, I have no idea what the exact problem might be. First off, MSN Messenger, though it works fine otherwise, will not remember my settings; it will always open the main window and automatically sign in even though I disabled this before I restart the computer. But the really annoying thing is that Windows freezes when I do certain simple tasks like double-clicking on a pic or opening a preview in Adobe Photoshop Elements or printing a Word document. Also I'm getting emails where the subject line is the title of a song I have on my hard drive. I've run Ad-aware but found nothing unusual, and I've run the latest HJT and KRC HijackThis analyzer. I don't know what else to do! Here's the log:

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 8/4/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 2:31:13 AM, on 08/09/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\IEXPLORE32.EXE
C:\PROGRAM FILES\ABBYY FINEREADER 5.0 SPRINT\CAGENT.EXE
C:\PROGRAM FILES\SONY\SONICSTAGE\SSAAD.EXE
C:\PROGRAM FILES\ASHAMPOO\ASHAMPOO WINOPTIMIZER PLATINUM SUITE\POPUPKILLER.EXE
C:\LOTUS\SMARTCTR\SMARTCTR.EXE
C:\PROGRAM FILES\LEXMARK X125\LEX125SU.EXE
C:\WINDOWS\VOLUME\LUNIN11.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\MEDIA PLAYER.EXE
C:\WINDOWS\SYSTEM\EMM386M.EXE
C:\PROGRAM FILES\SHAREAZA\DOWNLOADS\HIJACKTHIS\HIJACKTHIS 2\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://super-spider.com/main/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://C:\WINDOWS\SYSTEM\SHDOCLC.DLL/dnserror.htm
O1 - Hosts: 216.40.230.4 desktop.kazaa.com
O1 - Hosts: 216.40.230.4 alpha.kazaa.com
O1 - Hosts: 216.40.230.4 shop.kazaa.com
O2 - BHO: BabeIE - {A6475E6B-3C2E-4B1F-82FD-8F1C0B1D8AD0} - C:\PROGRAM FILES\COMMONNAME\TOOLBAR\BABEIE.DLL
O2 - BHO: Activater - {1E1B2879-88FF-11D2-8D96-D7ACAC95951F} - C:\PROGRAM FILES\COMMONNAME\TOOLBAR\CNBARIE.DLL
O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\PROGRAM FILES\DAP\DAPBHO.DLL
O2 - BHO: brdg Class - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\SYSTEM\BRIDGE.DLL
O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - (no file)
O2 - BHO: (no name) - Alignment - (no file)
O2 - BHO: (no name) - Overrun - (no file)
O2 - BHO: (no name) - Framing - (no file)
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\PROGRAM FILES\YAHOO!\COMMON\YIETAGBM.DLL
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRAM FILES\YAHOO!\COMMON\YIESRVC.DLL
O3 - Toolbar: CommonName - {A3E3F04C-F98C-4295-95EF-41C57425B077} - C:\PROGRAM FILES\COMMONNAME\TOOLBAR\CNBARIE.DLL
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\PROGRAM FILES\DAP\DAPIEBAR.DLL
O4 - HKLM\..\Run: [GDRIVE] C:\IBMTOOLS\IBMBOOT\GDRIVE.EXE -N
O4 - HKLM\..\Run: [ZIBMACC] c:\windows\rundll.exe setupx.dll,InstallHinfSection DefaultInstall 128 C:\WINDOWS\INF\ZIBMACC.INF
O4 - HKLM\..\Run: [Config32 Loader] iexplore32.exe
O4 - HKLM\..\Run: [systray] C:\WINDOWS\SYSTEM\A.EXE
O4 - HKLM\..\Run: [ABBYY Community Agent] C:\PROGRAM FILES\ABBYY FINEREADER 5.0 SPRINT\CAGENT.EXE
O4 - HKLM\..\Run: [OmgStartup] C:\Program Files\Common Files\Sony Shared\OpenMG\OmgStartup.exe
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\SONY\SONICS~1\SSAAD.EXE
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [] C:\WINDOWS\VOLUME\LUNIN11.EXE
O4 - HKLM\..\RunServices: [Config32 Loader] iexplore32.exe
O4 - HKCU\..\Run: [Config32 Loader] iexplore32.exe
O4 - HKCU\..\Run: [Ashampoo PopUpBlocker] C:\PROGRAM FILES\ASHAMPOO\ASHAMPOO WINOPTIMIZER PLATINUM SUITE\PopUpKiller.exe
O4 - HKCU\..\Run: [LUNIN11.EXE] C:\WINDOWS\VOLUME\LUNIN11.EXE
O4 - Startup: Lotus SmartCenter.lnk = C:\lotus\smartctr\smartctr.exe
O4 - Startup: Lexmark X125 Settings Utility.lnk = C:\Program Files\Lexmark X125\LEX125SU.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O8 - Extra context menu item: &Translate English Word - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmwordtrans.html
O8 - Extra context menu item: Translate Page into English - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRAM FILES\YAHOO!\COMMON\YIESRVC.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O11 - Options group: [CommonName] CommonName
O16 - DPF: {D22AC3EF-B7D8-11D5-A281-005056BF0101} (plug Class) - http://dist02.chargitdial.com/chargitplug.dll
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai.net/7/840/5805/...ditControl.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {0C3F7D74-ADA5-4976-8908-A8189590DAFA} (3DGreetings.com Player 2.0) - http://expressit.broderbund.com/Plug...ings/vroom.CAB
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...tatsClient.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {F5820AD3-9B20-423E-B2AA-7AF2B4055746} (CRegistryDownload Class) - http://download.paltalk.com/download/0.x/regdload.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...reShowdown.cab
O16 - DPF: {FA9740A2-5802-42E2-B509-81186EEB3C42} (WABControl Class) - http://images.hi5.com/cab/wabctrl.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_fi...47d5280e4704df
77179
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IncrediMail) - http://www2.incredimail.com/contents...r/imloader.cab


End of KRC HijackThis Analyzer Log.
====================================================================

08-09-2005, 12:19 PM   #2 (permalink)
POADB (Moderator, Microsoft Support)

Hi and Welcome to TSF!

Please subscribe to this thread to be notified of fixes as soon as they are posted by our Team. To do this, please click the "Thread Tools" button located in the original thread line and select "Subscribe to this Thread".

Save the next instructions in notepad, because you also have to work in safe mode without networking support, so this page wouldn't be available then. You should not have any browsers on.

If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are carrying out the procedures below.

It is also important you don't miss a step and perform everything in the right order!


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Please download these additional files/programs. Do not run them unless instructed to do so.
Unless otherwise stated, they should be stored in same directory as the HiJackThis program.

Download LSPFix.exe

Instructions for using LSPFix
  1. Double click on LSPFix.exe to run it.
  2. Once running, you will be required to tick the disclaimer - "I know what I'm doing".
  3. You'll find a window with 2 columns. In the left column, which is labeled 'Keep', click once to select the entry:
    • newdotnet6_38.dll (or something with newdotnet)
  4. Then click on the arrow pointing to the right, >>.
    This will move the entry to the right column labeled 'Remove'
  5. Click the Finish button to complete the fix.

Download KazaaBegone http://www.greyknight17.com/spy/KazaaBegone.zip. This uninstaller will remove all elements from all Kazaa versions, as well as all of the bundled software that comes with it. Warning: This version has a bug that can cause your Internet connection to be broken when removing New.Net, WebHancer or CommonName. Before using KazaaBegone, download WinsockFix http://www.greyknight17.com/spy/WinsockFix.zip just in case you need it (if it breaks your internet connection, run it).

Download Hoster http://www.greyknight17.com/spy/Hoster.exe and run it. Choose the 'Restore Original Hosts' button and press OK.

Unplug your computer from the Internet when you have finished downloading.


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


REBOOT TO SAFE MODE
  1. Restart the computer. The computer begins processing a set of instructions known as BIOS.
  2. As soon as the BIOS has finished loading, begin tapping the F8 key on your keyboard.
  3. Continue to do so until the 'Windows Advanced Options' menu appears.
  4. Using the arrow keys on the keyboard, scroll to and select the menu item - Safe Mode.


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Enable the viewing of Hidden files
  1. From Windows Explorer, go to Tools>Folder Options>View tab.
  2. Enable the option for 'Show hidden files and folders'
  3. Disable the option for 'Hide file extensions for known types'
  4. Disable the option for 'Hide protected operating system files'
  5. Click Yes to confirm & then click OK

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Start HiJackThis & go to Config>Misc Tools> Open process manager
Select the following and click Kill process one at a time. * Some entries may not be present
  • C:\WINDOWS\SYSTEM\EMM386M.EXE


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Uninstall the following programs, if present, using Control Panel > Add/Remove Programs:
  • COMMONNAME
  • DAP
  • Win Favourites
  • SideFind

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Run a scan with HiJackThis & select(tick) the following & click [Fix checked] :

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://super-spider.com/main/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://C:\WINDOWS\SYSTEM\SHDOCLC.DLL/dnserror.htm
O1 - Hosts: 216.40.230.4 desktop.kazaa.com
O1 - Hosts: 216.40.230.4 alpha.kazaa.com
O1 - Hosts: 216.40.230.4 shop.kazaa.com
O2 - BHO: BabeIE - {A6475E6B-3C2E-4B1F-82FD-8F1C0B1D8AD0} - C:\PROGRAM FILES\COMMONNAME\TOOLBAR\BABEIE.DLL
O2 - BHO: Activater - {1E1B2879-88FF-11D2-8D96-D7ACAC95951F} - C:\PROGRAM FILES\COMMONNAME\TOOLBAR\CNBARIE.DLL
O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\PROGRAM FILES\DAP\DAPBHO.DLL
O2 - BHO: brdg Class - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\SYSTEM\BRIDGE.DLL
O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - (no file)
O2 - BHO: (no name) - Alignment - (no file)
O2 - BHO: (no name) - Overrun - (no file)
O2 - BHO: (no name) - Framing - (no file)
O3 - Toolbar: CommonName - {A3E3F04C-F98C-4295-95EF-41C57425B077} - C:\PROGRAM FILES\COMMONNAME\TOOLBAR\CNBARIE.DLL
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\PROGRAM FILES\DAP\DAPIEBAR.DLL
O4 - HKLM\..\Run: [ZIBMACC] c:\windows\rundll.exe setupx.dll,InstallHinfSection DefaultInstall 128 C:\WINDOWS\INF\ZIBMACC.INF
O4 - HKLM\..\Run: [Config32 Loader] iexplore32.exe
O4 - HKLM\..\Run: [systray] C:\WINDOWS\SYSTEM\A.EXE
O4 - HKLM\..\Run: [] C:\WINDOWS\VOLUME\LUNIN11.EXE
O4 - HKLM\..\RunServices: [Config32 Loader] iexplore32.exe
O4 - HKCU\..\Run: [Config32 Loader] iexplore32.exe
O4 - HKCU\..\Run: [LUNIN11.EXE] C:\WINDOWS\VOLUME\LUNIN11.EXE
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O11 - Options group: [CommonName] CommonName
O16 - DPF: {D22AC3EF-B7D8-11D5-A281-005056BF0101} (plug Class) - http://dist02.chargitdial.com/chargitplug.dll
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai.net/7/840/5805...uditControl.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...7d5280e47 04df
77179



= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Locate and delete the following folder(s), if present:
  • C:\PROGRAM FILES\COMMONNAME\
  • C:\PROGRAM FILES\DAP\
Locate and delete the following file(s), if present:
  • C:\WINDOWS\SYSTEM\BRIDGE.DLL
  • C:\WINDOWS\INF\ZIBMACC.INF
  • C:\Windows\System\iexplore32.exe
  • C:\WINDOWS\SYSTEM\A.EXE


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


REBOOT TO NORMAL MODE

Do an online scan at one of the following sites:
Take note of the names and locations of any file it detects but fails to clean.
* Turn off the real time scanner of any existing antivirus program while performing the online scan


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

In your next post, please include fresh logs from:
  1. HiJackThis
  2. Online scan
Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now

08-10-2005, 07:55 PM   #3 (permalink)
D-Day (Registered User)

Thanks

Thank you so much, POADB. I followed all your instructions and my computer seems to be back to normal. The issues with performing simple tasks and MSN messenger have all cleared up, and I haven't gotten any strange emails either. One correction to your solution though, in Windows ME, you get to the 'Windows Advanced Options' by holding down the Ctrl button after the BIOS has finished loading. Also, the Kazaabegone bug showed up and I couldn't reboot to normal mode until I used the Winsockfix. My biggest problem was that the virus scans were taking way too long so I had to stop them before they were complete but they didn't seem to be finding any more infected files anyway. Here are the logs:

HJT log analyzed with KRC Hijackthis Analyzer
====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 8/4/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 9:15:42 PM, on 08/10/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\PROGRAM FILES\ABBYY FINEREADER 5.0 SPRINT\CAGENT.EXE
C:\PROGRAM FILES\SONY\SONICSTAGE\SSAAD.EXE
C:\PROGRAM FILES\ASHAMPOO\ASHAMPOO WINOPTIMIZER PLATINUM SUITE\POPUPKILLER.EXE
C:\LOTUS\SMARTCTR\SMARTCTR.EXE
C:\PROGRAM FILES\LEXMARK X125\LEX125SU.EXE
C:\PROGRAM FILES\SHAREAZA\DOWNLOADS\HIJACKTHIS\HIJACKTHIS 2\HIJACKTHIS\HIJACKTHIS.EXE

O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\PROGRAM FILES\YAHOO!\COMMON\YIETAGBM.DLL
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRAM FILES\YAHOO!\COMMON\YIESRVC.DLL
O3 - Toolbar: (no name) - {A3E3F04C-F98C-4295-95EF-41C57425B077} - (no file)
O4 - HKLM\..\Run: [GDRIVE] C:\IBMTOOLS\IBMBOOT\GDRIVE.EXE -N
O4 - HKLM\..\Run: [ABBYY Community Agent] C:\PROGRAM FILES\ABBYY FINEREADER 5.0 SPRINT\CAGENT.EXE
O4 - HKLM\..\Run: [OmgStartup] C:\Program Files\Common Files\Sony Shared\OpenMG\OmgStartup.exe
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\SONY\SONICS~1\SSAAD.EXE
O4 - HKCU\..\Run: [Ashampoo PopUpBlocker] C:\PROGRAM FILES\ASHAMPOO\ASHAMPOO WINOPTIMIZER PLATINUM SUITE\PopUpKiller.exe
O4 - Startup: Lotus SmartCenter.lnk = C:\lotus\smartctr\smartctr.exe
O4 - Startup: Lexmark X125 Settings Utility.lnk = C:\Program Files\Lexmark X125\LEX125SU.exe
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O8 - Extra context menu item: &Translate English Word - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmwordtrans.html
O8 - Extra context menu item: Translate Page into English - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRAM FILES\YAHOO!\COMMON\YIESRVC.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {0C3F7D74-ADA5-4976-8908-A8189590DAFA} (3DGreetings.com Player 2.0) - http://expressit.broderbund.com/Plug...ings/vroom.CAB
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...tatsClient.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {F5820AD3-9B20-423E-B2AA-7AF2B4055746} (CRegistryDownload Class) - http://download.paltalk.com/download/0.x/regdload.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...reShowdown.cab
O16 - DPF: {FA9740A2-5802-42E2-B509-81186EEB3C42} (WABControl Class) - http://images.hi5.com/cab/wabctrl.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IncrediMail) - http://www2.incredimail.com/contents...r/imloader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...bscan_ansi.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab


End of KRC HijackThis Analyzer Log.
====================================================================
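
One way to check the fresh log against the "Fix checked" list from the earlier reply, as an added example that is not part of the original thread or of HijackThis. It parses HijackThis-style lines, reports ticked entries that survive or leave a CLSID behind, lists entries that point at missing files, and shows a command registered under several autorun keys; the sample lines are a subset copied from the logs above, and the function names are this example's own.

```python
import re
from collections import defaultdict, namedtuple

# Example code added for illustration; not part of HijackThis or the thread.
Entry = namedtuple("Entry", "code text key clsid")

# Section code, " - ", then the entry body (R0-R3, F0-F3, N1-N4, O1..Onn).
LINE_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# O4 registry autoruns look like: HKLM\..\Run: [value name] command
AUTORUN_RE = re.compile(r"^(\S+): \[(.*?)\] (.+)$")
DANGLING_MARKS = ("(no file)", "(file missing)")


def parse_hjt(log):
    """Return the entry lines of a HijackThis log, skipping everything else."""
    entries = []
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # header, process list, or a wrapped URL fragment
        code, text = m.groups()
        # Case and spacing vary between scans, so compare on a folded key.
        key = code + " " + " ".join(text.split()).casefold()
        found = CLSID_RE.search(text)
        entries.append(Entry(code, text, key, found.group(0).upper() if found else None))
    return entries


def verify_fix(fix_list, after_log):
    """Classify each entry that was ticked for fixing against the fresh log."""
    after = parse_hjt(after_log)
    after_keys = {e.key for e in after}
    after_clsids = {e.clsid for e in after if e.clsid}
    report = {"removed": [], "still_present": [], "residual_clsid": []}
    for e in parse_hjt(fix_list):
        if e.key in after_keys:
            report["still_present"].append(e.text)
        elif e.clsid and e.clsid in after_clsids:
            # Same COM class is still registered, e.g. file gone but key left.
            report["residual_clsid"].append(e.text)
        else:
            report["removed"].append(e.text)
    return report


def dangling_entries(log):
    """Entries whose target file no longer exists (leftover registry data)."""
    return [e.text for e in parse_hjt(log) if e.text.endswith(DANGLING_MARKS)]


def shared_autoruns(log):
    """Map each O4 command registered under more than one key to its keys."""
    by_command = defaultdict(list)
    for e in parse_hjt(log):
        m = AUTORUN_RE.match(e.text) if e.code == "O4" else None
        if m:
            location, _name, command = m.groups()
            by_command[command.casefold()].append(location)
    return {cmd: locs for cmd, locs in by_command.items() if len(locs) > 1}


# Sample input: lines copied from the first log in this thread (subset).
BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://super-spider.com/main/sp.php
O2 - BHO: brdg Class - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\SYSTEM\BRIDGE.DLL
O3 - Toolbar: CommonName - {A3E3F04C-F98C-4295-95EF-41C57425B077} - C:\PROGRAM FILES\COMMONNAME\TOOLBAR\CNBARIE.DLL
O4 - HKLM\..\Run: [GDRIVE] C:\IBMTOOLS\IBMBOOT\GDRIVE.EXE -N
O4 - HKLM\..\Run: [Config32 Loader] iexplore32.exe
O4 - HKLM\..\RunServices: [Config32 Loader] iexplore32.exe
O4 - HKCU\..\Run: [Config32 Loader] iexplore32.exe
"""
# Entries ticked for "Fix checked": everything above except GDRIVE.
FIX = "\n".join(line for line in BEFORE.splitlines() if "GDRIVE" not in line)
# Lines copied from the follow-up log (subset).
AFTER = r"""
O3 - Toolbar: (no name) - {A3E3F04C-F98C-4295-95EF-41C57425B077} - (no file)
O4 - HKLM\..\Run: [GDRIVE] C:\IBMTOOLS\IBMBOOT\GDRIVE.EXE -N
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
"""

if __name__ == "__main__":
    for status, items in verify_fix(FIX, AFTER).items():
        print(status, len(items))
    print("dangling:", dangling_entries(AFTER))
    print("shared autoruns:", shared_autoruns(BEFORE))
```
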

08-10-2005, 08:02 PM   #4 (permalink)
D-Day (Registered User)

panda active scan and BitDefender logs

This is the panda active scan log. The scan was not completed.

Incident Status Location

Adware:adware/wupd No disinfected C:\WINDOWS\SYSTEM\ide21201.vxd
Adware:adware/exactsearch No disinfected C:\WINDOWS\SYSTEM\EXDL.EXE
Spyware:spyware/bargainbuddy No disinfected C:\WINDOWS\SYSTEM\exul.exe
Adware:adware/gator No disinfected C:\WINDOWS\TEMP\bundle.inf
Spyware:spyware/betterinet No disinfected C:\WINDOWS\INF\BIINI.INF
Adware:adware/ipinsight No disinfected C:\WINDOWS\INF\ALCHEM.INF
Adware:adware/twain-tech No disinfected C:\WINDOWS\PREINSTT.EXE
Spyware:spyware/new.net No disinfected C:\WINDOWS\NDNuninstall6_22.exe
Adware:adware/blazefind No disinfected C:\WINDOWS\Key2.txt
Adware:adware/wintools No disinfected C:\WINDOWS\2_0_1browserhelper2.dll
Dialer:dialer generic No disinfected C:\PROGRAM FILES\GIB
Spyware:spyware/istbar No disinfected C:\PROGRAM FILES\COMMON FILES\Totem Shared
Adware:adware/cws No disinfected Windows Registry
Virus:W32/Mywife.D.worm Disinfected C:\_RESTORE\TEMP\A0000018.CPY

I deleted the rest of the log because it was too long, 1266 infected files that were disinfected, all from the C:\RESTORE\TEMP\ folder
=========================================================

08-10-2005, 08:03 PM   #5 (permalink)
D-Day (Registered User)

panda active scan and BitDefender logs

BitDefender Online Scanner

Scan report generated at: Wed, Aug 10, 2005 - 02:50:00
Scan path: A:\;C:\;G:\;H:\;

Statistics
Time: 02:41:19
Files: 16542
Folders: 2326
Boot Sectors: 3
Archives: 150
Packed Files: 18

Results
Identified Viruses: 1
Infected Files: 1
Suspect Files: 0
Warnings: 0
Disinfected: 0
Deleted Files: 1

Engines Info
Virus Definitions: 20860
Engine build: AVCORE v1.0 (build 2292) (i386) (Mar 3 2005 11:57:29)
Scan plugins: 2
Archive plugins: 9
Unpack plugins: 1
E-mail plugins: 1
System plugins: 1

Scan Settings
First Action: Disinfect
Second Action: Delete
Heuristics: Yes
Enable Warnings: Yes
Scanned Extensions: exe;com;dll;ocx;scr;bin;dat;386;vxd;sys;wdm;cla;class;ovl;ole;hlp;doc;dot;xls;ppt;wbk;wiz;pot;ppa;xla;xlt;vbs;vbe;mdb;rtf;htm;hta;html;xml;xtp;php;asp;js;shs;chm;lnk;pif;prc;url;smm;pfd;msi;ini;csc;cmd;bas;
Exclude Extensions:
Scan Emails: Yes
Scan Archives: Yes
Scan Packed: Yes
Scan Files: Yes
Scan Boot: Yes

Scanned File - Status
C:\Program Files\Norton AntiVirus\Quarantine\73B47BCF.EXE - Infected with: Trojan.Win95.Flashkiller
C:\Program Files\Norton AntiVirus\Quarantine\73B47BCF.EXE - Disinfection failed
C:\Program Files\Norton AntiVirus\Quarantine\73B47BCF.EXE - Deleted

08-11-2005, 01:32 AM   #6 (permalink)
POADB (Moderator, Microsoft Support)

C:\Program Files\Norton AntiVirus\Quarantine\

Empty this folder. You can do this within Norton, or you can navigate to the folder and manually delete everything inside of it.

Unfortunately, you're still infected. We need to have a COMPLETED virus scan. If you're stuck for time, you can leave the virus scan running while you're asleep or at work. We'll work on what Panda found now, this should reduce what Panda finds:

The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Please download CleanUp! (Alternate Link if main link doesn't work - http://www.greyknight17.com/spy/CleanUp.exe ) and install it. Do not run it yet!

Please download Trend Micro™ Anti-Spyware for the Web Utility (by clicking the "Scan and Clean your PC" button).
  • Save it to your desktop.
  • Double-click the new icon on your desktop (tmas-web-scan.exe)
  • It will say "Loading TrendMicro definitions".
  • Once the definitions are loaded, the program will appear to close then re-open.
  • Click "Start Scan"
  • After it's done scanning, click "Scan Results"
  • Make sure all items found have a check next to them, then click "Clean Threats Now".
  • Click Exit.
Reboot your computer and Re-run Trend Micro™ Anti-Spyware. In place of the TrendMicro icon will be a text file called "Antispyware.log", please double-click that log and copy the entire contents and paste them in your next post.

Download KillBox http://www.greyknight17.com/spy/KillBox.exe.

Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. For each of the following files below, check the box that says 'Unregister .dll Before Deleting' if it's not grayed out. Copy and paste each of the following into KillBox (hitting the X button for each file - Choose YES when it informs you the file will be deleted on Reboot. Choose NO when it asks if you want to reboot):

C:\WINDOWS\SYSTEM\ide21201.vxd
C:\WINDOWS\SYSTEM\EXDL.EXE
C:\WINDOWS\SYSTEM\exul.exe
C:\WINDOWS\TEMP\bundle.inf
C:\WINDOWS\INF\BIINI.INF
C:\WINDOWS\INF\ALCHEM.INF
C:\WINDOWS\PREINSTT.EXE
C:\WINDOWS\NDNuninstall6_22.exe
C:\WINDOWS\Key2.txt
C:\WINDOWS\2_0_1browserhelper2.dll


Manually Delete these folders:

C:\PROGRAM FILES\GIB
C:\PROGRAM FILES\COMMON FILES\Totem Shared


Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
    [X]Scan local drives for temporary files (Please uncheck this option)
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program. Reboot/logoff when prompted.

WARNING - CleanUp! will delete all files and folders contained within Temporary Directories. If you knowingly have items you would like to keep stored in these locations, Move them now!!!

Reboot back to Windows and run a Panda ActiveScan. Do this at a time convenient for you as you will need to let it complete!! When it's done, save the results and post them in your next post.

08-12-2005, 08:49 PM   #7 (permalink)
D-Day (Registered User)

Trend Micro™ Antispyware log

I did everything you said, didn't have any problems. I had to keep the panda activescan running for the entire night, but it got completed. I'll put it in my next post.

Activescan.log
Old 08-13-2005, 02:25 AM   #8 (permalink)
Moderator, Microsoft Support
 
POADB's Avatar
 
Join Date: Jul 2004
Location: United Kingdom
Posts: 6,482
OS: XP SP2


I'll need the Panda results, D-Day.

Also, did you download and run KazaaBeGone?
Old 08-14-2005, 04:40 PM   #9 (permalink)
Registered User
 
Join Date: Aug 2005
Location: Barbados
Posts: 29
OS: Windows Vista Home Premium

D-Day
Yes

Sorry about the long wait. Yes, I did run KazaaBeGone, like I mentioned in an earlier post. I also had to use Winsock fix because of the bug, so I don't know what's going on there. Also, when I try to post the Panda log, I get an error from the website saying the operation lasted more than 30 seconds. I'm guessing the log might be too long, so I've cut out the repetitive parts. Here's the Panda log:
==========================================================

Incident Status Location

Adware:adware/wintools No disinfected C:\WINDOWS\UnstSA2.exe
Adware:adware/cws No disinfected Windows Registry
Adware:Adware/ExactSearch No disinfected C:\_RESTORE\TEMP\A0029532.CPY
Spyware:Spyware/BargainBuddy No disinfected C:\_RESTORE\TEMP\A0029534.CPY
Spyware:Spyware/BargainBuddy No disinfected C:\_RESTORE\TEMP\A0029535.CPY
Adware:Adware/ExactSearch No disinfected C:\_RESTORE\TEMP\A0029536.CPY
Spyware:Spyware/BargainBuddy No disinfected C:\_RESTORE\TEMP\A0029537.CPY
Spyware:Spyware/BetterInet No disinfected C:\_RESTORE\TEMP\A0029539.CPY
Adware:Adware/IPInsight No disinfected C:\_RESTORE\TEMP\A0029541.CPY
Adware:Adware/Twain-Tech No disinfected C:\_RESTORE\TEMP\A0029543.CPY
Spyware:Spyware/New.net No disinfected C:\_RESTORE\TEMP\A0029544.CPY
Spyware:Spyware/New.net No disinfected C:\_RESTORE\TEMP\A0029545.CPY
Spyware:Spyware/New.net No disinfected C:\_RESTORE\TEMP\A0029546.CPY
Spyware:Spyware/New.net No disinfected C:\_RESTORE\TEMP\A0029547.CPY
Spyware:Spyware/New.net No disinfected C:\_RESTORE\TEMP\A0029548.CPY
Spyware:Spyware/New.net No disinfected C:\_RESTORE\TEMP\A0029549.CPY
Adware:Adware/WinTools No disinfected C:\_RESTORE\TEMP\A0029553.CPY
Spyware:Spyware/New.net No disinfected C:\_RESTORE\TEMP\A0029554.CPY
Spyware:Spyware/New.net No disinfected C:\_RESTORE\TEMP\A0029555.CPY
Adware:Adware/WinTools No disinfected C:\_RESTORE\TEMP\A0029557.CPY
Spyware:Spyware/Bridge No disinfected C:\_RESTORE\TEMP\A0029558.CPY
Dialer:Dialer.BCA No disinfected C:\_RESTORE\TEMP\A0029637.CPY
Adware:Adware/ExactSearch No disinfected C:\_RESTORE\TEMP\EXUL.0
Virus:W32/Mywife.D.worm Disinfected C:\_RESTORE\TEMP\A0006194.CPY

Then there's a whole list of entries all Virus:W32/Mywife.D.worm Disinfected C:\_RESTORE\TEMP\A<some number>.CPY
They go from A0006194.CPY to A0027689.CPY

Virus:W32/Mywife.D.worm No disinfected C:\_RESTORE\ARCHIVE\FS10.CAB[A0001115.CPY]
This entry is repeated for FS1.CAB[AOOO0018.CPY] to FS55.CAB[A0006193.CPY]

Adware:Adware/ExactSearch No disinfected C:\WINDOWS\TEMP\pavE386.TMP
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\TEMP\pavE3A1.TMP
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\TEMP\pavE3A6.TMP
Adware:Adware/ExactSearch No disinfected C:\WINDOWS\TEMP\pavE3B2.TMP
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\TEMP\pavE3B4.TMP
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\TEMP\pavF002.TMP
Adware:Adware/IPInsight No disinfected C:\WINDOWS\TEMP\pavF004.TMP
Adware:Adware/Twain-Tech No disinfected C:\WINDOWS\TEMP\pavF006.TMP
Spyware:Spyware/New.net No disinfected C:\WINDOWS\TEMP\pavF011.TMP
Spyware:Spyware/New.net No disinfected C:\WINDOWS\TEMP\pavF013.TMP
Spyware:Spyware/New.net No disinfected C:\WINDOWS\TEMP\pavF015.TMP
Spyware:Spyware/New.net No disinfected C:\WINDOWS\TEMP\pavF021.TMP
Spyware:Spyware/New.net No disinfected C:\WINDOWS\TEMP\pavF023.TMP
Spyware:Spyware/New.net No disinfected C:\WINDOWS\TEMP\pavF024.TMP
Adware:Adware/WinTools No disinfected C:\WINDOWS\TEMP\pavF054.TMP
Spyware:Spyware/New.net No disinfected C:\WINDOWS\TEMP\pavF063.TMP
Spyware:Spyware/New.net No disinfected C:\WINDOWS\TEMP\pavF065.TMP
Adware:Adware/WinTools No disinfected C:\WINDOWS\TEMP\pavF073.TMP
Spyware:Spyware/Bridge No disinfected C:\WINDOWS\TEMP\pavF074.TMP
Dialer:Dialer.BCA No disinfected C:\WINDOWS\TEMP\pavF1D5.TMP
Adware:Adware/ExactSearch No disinfected C:\WINDOWS\TEMP\pav0153.TMP
Virus:W32/Mywife.D.worm Disinfected C:\WINDOWS\TEMP\pav270.TMP
Then a lot of entries similar to the last one above where the smallest file no. is pav012E.TMP and the largest file no. is pavF40A.TMP
This takes up the majority of the log.


Virus:W32/Mywife.D.worm No disinfected C:\WINDOWS\TEMP\pav12ED.TMP[A0001115.CPY]
There's a list of entries similar to the last one above running from pav12ED.TMP[A0001115.CPY] to pav8136.TMP[A0001934.CPY]

Possible Virus. No disinfected C:\WINDOWS\Downloaded Program Files\RegDload.dll
Adware:Adware/BlazeFind No disinfected C:\WINDOWS\UnstSA2.exe
Virus:W32/Mywife.D.worm Disinfected C:\WINDOWS\Task.exe
Spyware:Spyware/Dyfuca No disinfected C:\WINDOWS\wsem300.dll
Spyware:Spyware/Dyfuca No disinfected C:\WINDOWS\wsem301.dll
Virus:W32/Mywife.D.worm Disinfected C:\Program Files\Internet Explorer\Media Player.exe
Adware:Adware/GXB No disinfected C:\Program Files\Shareaza\Downloads\hijackthis\hijackthis 2\hijackthis\backups\backup-20050809-201423-554.dll
Adware:Adware/WUpd No disinfected C:\Program Files\Shareaza\Downloads\hijackthis\hijackthis 2\hijackthis\backups\backup-20050809-201423-617.inf
Adware:Adware/BrilliantDigitalNo disinfected C:\Program Files\KaZaA Lite\bdcore.dll.updpnd
==========================================================
That's it, I hope I gave you enough info to go on, the log won't go on any other way.
Old 08-15-2005, 02:55 AM   #10 (permalink)
Moderator, Microsoft Support
 
POADB
 
Join Date: Jul 2004
Location: United Kingdom
Posts: 6,482
OS: XP SP2


Download KillBox http://www.greyknight17.com/spy/KillBox.exe.

The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Please download CleanUp! (Alternate Link if main link doesn't work - http://www.greyknight17.com/spy/CleanUp.exe ) and install it. Do not run it yet!

Reboot your computer into Safe Mode.

Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. For each of the following files below, check the box that says 'Unregister .dll Before Deleting' if it's not grayed out. Copy and paste each of the following into KillBox (hitting the X button for each file - Choose YES when it informs you the file will be deleted on Reboot. Choose NO when it asks if you want to reboot):

C:\WINDOWS\Downloaded Program Files\RegDload.dll
C:\WINDOWS\UnstSA2.exe
C:\WINDOWS\Task.exe
C:\WINDOWS\wsem300.dll
C:\WINDOWS\wsem301.dll
C:\Program Files\Internet Explorer\Media Player.exe
C:\Program Files\Shareaza\Downloads\hijackthis\hijackthis 2\hijackthis\backups\backup-20050809-201423-554.dll
C:\Program Files\Shareaza\Downloads\hijackthis\hijackthis 2\hijackthis\backups\backup-20050809-201423-617.inf
C:\Program Files\KaZaA Lite


Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
    [X]Scan local drives for temporary files (Please uncheck this option)
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program. Reboot/logoff when prompted.

WARNING - CleanUp! will delete all files and folders contained within Temporary Directories. If you knowingly have items you would like to keep stored in these locations, Move them now!!!

Locate the following folders and make sure they are empty!!

C:\WINDOWS\TEMP\
C:\_RESTORE\


If you are unsure how to empty a folder, open up Windows Explorer. In the left column, click the C drive and then click on the relevant folder down the list. For example, the Windows folder. The contents should display in the right window. Double click the TEMP folder and its contents should now show. Go to Edit > Select All and then press Delete on your keyboard. Do the same in the _RESTORE folder.


Reboot your computer. Re-run Panda - the log should now be significantly shorter!
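A small triage of the Panda log rows posted in this thread, added here as an example (it is not part of any post and not a Panda or forum tool): it separates detections under C:\_RESTORE and C:\WINDOWS\TEMP, which the thread clears by emptying those folders, from files in live locations that have to be handled one by one. The function names and bucket names are assumptions made for the example.

```python
import re
from collections import defaultdict

# Incident, status and location are separated only by spaces in the pasted log,
# and one row has its first two columns run together, so anchor on the status
# keyword instead of splitting on whitespace.
LINE_RE = re.compile(
    r"^(?P<incident>.+?)\s*(?P<status>No disinfected|Disinfected)\s+(?P<location>.+)$"
)
# Assumed bucket names (not Panda terminology); prefixes are compared
# case-insensitively because Windows paths are.
BUCKETS = [
    ("c:\\_restore\\", "system_restore"),
    ("c:\\windows\\temp\\", "temp"),
    ("windows registry", "registry"),
]

def parse_line(line):
    """Return a dict for one log row, or None for headers and commentary."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    row = m.groupdict()
    # "FS10.CAB[A0001115.CPY]" means member A0001115.CPY inside FS10.CAB.
    container = re.match(r"^(.*?)\[(.+)\]$", row["location"])
    row["path"], row["member"] = container.groups() if container else (row["location"], None)
    lowered = row["path"].lower()
    row["bucket"] = next((b for p, b in BUCKETS if lowered.startswith(p)), "live_file")
    return row

def triage(log_text):
    """Group unique paths by bucket, keeping first-seen order."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        row = parse_line(line)
        if row and row["path"] not in groups[row["bucket"]]:
            groups[row["bucket"]].append(row["path"])
    return dict(groups)

# Rows copied from the Panda log posted earlier in the thread.
SAMPLE = r"""Incident Status Location
Adware:adware/wintools No disinfected C:\WINDOWS\UnstSA2.exe
Adware:adware/cws No disinfected Windows Registry
Spyware:Spyware/New.net No disinfected C:\_RESTORE\TEMP\A0029544.CPY
Virus:W32/Mywife.D.worm No disinfected C:\_RESTORE\ARCHIVE\FS10.CAB[A0001115.CPY]
Virus:W32/Mywife.D.worm Disinfected C:\WINDOWS\TEMP\pav270.TMP
Adware:Adware/BlazeFind No disinfected C:\WINDOWS\UnstSA2.exe
Virus:W32/Mywife.D.worm Disinfected C:\WINDOWS\Task.exe
Adware:Adware/BrilliantDigitalNo disinfected C:\Program Files\KaZaA Lite\bdcore.dll.updpnd"""
```

Calling `triage(SAMPLE)` returns the `live_file` paths separately from the `system_restore`, `temp` and `registry` entries, with a file flagged under two detection names listed once.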
Old 08-17-2005, 06:27 PM   #11 (permalink)
Registered User
 
Join Date: Aug 2005
Location: Barbados
Posts: 29
OS: Windows Vista Home Premium

D-Day
Let it be known that I did exactly everything that you said in your earlier posts. I realize that the problem was that I had Windows Restore enabled and the files could only be if it was disabled. For the sake of people reading who don't know how to do this: while in Control Panel, double click System then click Performance>File System>Troubleshooting then put a check next to "Disable System Restore", restart the computer when prompted. But anyways, both the _RESTORE and WINDOWS\TEMP folders are now empty. I'll put the panda scan log in my next post.
Old 08-18-2005, 04:16 AM   #12 (permalink)
Registered User
 
Join Date: Aug 2005
Location: Barbados
Posts: 29
OS: Windows Vista Home Premium

D-Day
Hey you were right, the panda scan is significantly shorter! Only one entry.

Incident Status Location

Adware:adware/cws No disinfected Windows Registry
Old 08-18-2005, 04:34 AM   #13 (permalink)
Moderator, Microsoft Support
 
POADB
 
Join Date: Jul 2004
Location: United Kingdom
Posts: 6,482
OS: XP SP2


Hello again D-Day.

Your log is clean. Well done.
Do you have any more problems with your computer? If not, you should be set to go.

However, there still remain a few bits of housekeeping ...

Reset hidden/system files and folders
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Deselect the Show hidden files and folders option.
  • Select the Hide file extensions for known types option.
  • Select the Hide protected operating system files option.
  • Click Yes to confirm.
  • Click OK.

Clear Java Cache
  1. Click Start > Settings > Control Panel
  2. Click the Java Plugin Icon
  3. Click the Cache tab
  4. Click the Clear button and click OK to confirm
Note: Please repeat this procedure for each "Java Plugin" button in your Control Panel

Follow the instructions outlined here to clear Sun Java's cache.


Create a new System Restore point
  • click Start >> Run - type SYSDM.CPL & press Enter
  • select the System Restore Tab
  • tick on the checkbox - "Turn off System Restore on all drives"
  • click Apply
  • then untick the same checkbox & click OK

Enable Windows Auto Update
  • Go to Start>Run - type wuaucpl.cpl
  • tick on the checkbox - "Keep my computer up to date"
  • Under settings, choose "Automatically download the updates, and install them on the schedule that I specify".
  • Click on "OK".

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:
  • SpywareBlaster to help prevent spyware from installing in the first place.
  • SpywareGuard to catch and block spyware before it can execute.
  • IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.

If you do not have a firewall, here are 3 free ones available for personal use:
In light of your recent hiccup, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles
Have a safe & happy computing day.

Please respond to this thread one more time so we can mark this thread as resolved.
Old 08-18-2005, 09:11 PM   #14 (permalink)
Registered User
 
Join Date: Aug 2005
Location: Barbados
Posts: 29
OS: Windows Vista Home Premium

D-Day
Thanks

Thanks a million POADB, everything's working smoothly. From now on I'll be a lot more careful. Thanks again.

All times are GMT -7. The time now is 08:29 AM.



Copyright 2001 - 2009, Tech Support Forum