Old 01-09-2006, 03:34 PM   #1 (permalink)
Registered User
 
Join Date: Jan 2006
Posts: 10
OS: Windows XP SP2


smsse.exe not found, RPC Error and Continual Pop Ups

These things are going on and I cannot get rid of them with Spybot Search and Destroy, Spyware Blaster or Norton's. I ran the HJThis program and posted the log below in the hopes that some of you gentlemen or ladies may be able to assist me with my problems.

Logfile of HijackThis v1.99.1
Scan saved at 5:19:38 PM, on 1/9/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\IA\command.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\alg.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\S3apphk.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\WINDOWS\elitemediapop.exe
C:\WINDOWS\system32\sms_msn.exe
C:\WINDOWS\system32\wuauclt.exe
C:\temp\salm.exe
C:\WINDOWS\wdskctl.exe
C:\Program Files\snss\snss.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\newfrn.exe
C:\WINDOWS\system32\msxct.exe
C:\WINDOWS\z00098.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\WINDOWS\System32\APD123.exe
C:\WINDOWS\vezod.exe
C:\Program Files\Network\network.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\apsi\wtta.exe
C:\WINDOWS\System32\l?gonui.exe
C:\Program Files\sf\sf.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\COMMON~1\orwf\orwfm.exe
C:\WINDOWS\nwf.exe
C:\PROGRA~1\COMMON~1\orwf\orwfa.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\System Files\System.exe
C:\Program Files\America Online 7.0\aoltray.exe
C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
C:\Program Files\Common Files\Windows\services32.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe
C:\Documents and Settings\Owner\Desktop\hijackthis\HijackThis.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\PROGRA~1\COMMON~1\orwf\orwfl.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us5.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us5.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.iglide.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us5.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us5.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us5.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - {DB4D32DD-ED6D-22D6-25D2-D3C84203C374} - C:\WINDOWS\ghbosuyv.dll
R3 - URLSearchHook: (no name) - {DA55BCA6-7763-089E-1647-2850A65762C2} - C:\WINDOWS\System32\zkcqfqaq.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - {DA55BCDD-7760-72EE-1646-2B50D65062C6} - C:\WINDOWS\System32\zkcqfqaq.dll
F2 - REG:system.ini: Shell=Explorer.exe smsse.exe
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\bxxs5.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {279A1B41-6CAC-4ABF-B39C-72C8E489F685} - (no file)
O2 - BHO: (no name) - {2B8DFA48-CA00-3CE6-1565-ED0A5B7BBB5D} - C:\WINDOWS\ghbosuyv.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: wb - {55BE9F0D-6CAF-4c3e-B125-5A13A8C9D0EC} - C:\WINDOWS\System32\nsk29.dll
O2 - BHO: (no name) - {6001CDF7-6F45-471b-A203-0225615E35A7} - C:\WINDOWS\DH.dll
O2 - BHO: Related Page - {9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\System32\WinNB57.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {DA55BCA6-7763-089E-1647-2850A65762C2} - C:\WINDOWS\System32\zkcqfqaq.dll
O2 - BHO: (no name) - {DA55BCDD-7760-72EE-1646-2B50D65062C6} - C:\WINDOWS\System32\zkcqfqaq.dll
O2 - BHO: (no name) - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - (no file)
O3 - Toolbar: &hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Search - {EF7AC596-721D-2D17-0A4D-354348C9EA68} - C:\WINDOWS\ghbosuyv.dll
O3 - Toolbar: Related Page - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\System32\WinNB57.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [elitemedia] C:\WINDOWS\elitemediapop.exe
O4 - HKLM\..\Run: [sms_msn] C:\WINDOWS\system32\sms_msn.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\l4dsds.exe reg_run
O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
O4 - HKLM\..\Run: [wdskctl] C:\WINDOWS\wdskctl.exe
O4 - HKLM\..\Run: [VBundleOuterDL] C:\Program Files\VBouncer\BundleOuter.EXE
O4 - HKLM\..\Run: [snss Launcher] "C:\Program Files\snss\snss.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [OSS] C:\windows\rlvknlg.exe -boot
O4 - HKLM\..\Run: [NewFrn] C:\WINDOWS\newfrn.exe
O4 - HKLM\..\Run: [msxct] msxct.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [DDCM] "C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe" -Background
O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot
O4 - HKLM\..\Run: [Contextual Tool] C:\WINDOWS\z00098.exe
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\bxxs5.dll,DllRun
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [APD123] C:\WINDOWS\System32\APD123.exe
O4 - HKLM\..\Run: [vezod] C:\WINDOWS\vezod.exe
O4 - HKLM\..\Run: [Network] C:\Program Files\Network\network.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Microsoft Update Machine] wuamgrd.exe
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [Notn] "C:\Program Files\apsi\wtta.exe" -vt yazr
O4 - HKCU\..\Run: [Tgtubun] C:\WINDOWS\System32\l?gonui.exe
O4 - HKCU\..\Run: [Zero Knowledge Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
O4 - HKCU\..\Run: [sf] C:\Program Files\sf\sf.exe
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-110-12-0000122.exe
O4 - HKCU\..\Run: [orwf] C:\PROGRA~1\COMMON~1\orwf\orwfm.exe
O4 - HKCU\..\Run: [nwf] C:\WINDOWS\nwf.exe
O4 - HKCU\..\Run: [CAS2] "C:\Program Files\System Files\System.exe"
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: HPAiODevice(hp officejet v series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - C:\WINDOWS\System32\wuauclt.dll
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - C:\WINDOWS\System32\wuauclt.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {26098EA2-C95D-48EA-89B4-63C5A63BD42F} - http://www.pacimedia.com/install/pcs_0003.exe
O16 - DPF: {444B911E-6E55-4A11-B3E9-0D3E21AE0437} - http://www.exfol.com/v/1/i/eins009.exe
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} (Mirar_Dummy_ATS1 Class) - http://awbeta.net-nucleus.com/FIX/WinATS.cab
O16 - DPF: {99410CDE-6F16-42ce-9D49-3807F78F0287} (ClientInstaller Class) - http://www.180searchassistant.com/180saax.cab
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} (elitectl.DemoCtl) - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spyspotter.com/spysp...CabInstall.cab
O18 - Filter: text/html - {8253D547-38DD-4325-B35A-F1817EDFA5F5} - C:\Program Files\System Files\plugin.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\IA\command.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
TomWescott is offline  
Old 01-09-2006, 08:20 PM   #2 (permalink)
Registered User
 
rikkker's Avatar
 
Join Date: Jul 2005
Location: Canada
Posts: 213
OS: xp-pro


Hi and Welcome to TSF

I am currently reviewing your log. Please note that this is under the supervision of an expert analyst. I will be back with a fix for your problem as soon as possible.

You may wish to Subscribe to this thread (Thread Tools) so that you are notified when you receive a reply.

Please be patient with me during this time.
rikkker is offline  
Old 01-10-2006, 09:13 PM   #3 (permalink)
Registered User
 
rikkker's Avatar
 
Join Date: Jul 2005
Location: Canada
Posts: 213
OS: xp-pro


Thanks for being so patient


Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

==========================================================

Go to My Computer >Tools >Folder Options >View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing / visible. Uncheck the Hide protected operating system files option.

==========================================================

WildTangent - This is an online gaming package that is installed by a number of third party applications and even OEMs, ISPs and AIM. The games aspect of this is really rather cool. The being installed without you asking for it isn't good at all. They collect information about you and your usage. We recommend uninstalling it.

==========================================================

Additional Downloads


Please ensure that Windows is patched against the WMF exploit. This is a dangerous vulnerability that opens the door to multiple infections. Visit Windows Update to get the KB912919 patch.

--------------------

Right click on this link DelO15Domains.inf and choose Save As. Save it to
your desktop.

-------------------

Please download Cleanup! and install it. Do NOT run it yet.

*NOTE* Cleanup deletes EVERYTHING out of temporary folders and does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp! If you have a 64 bit Operating System do NOT run Cleanup and let me know as we will use another utility.

-------------------

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!

-------------------

Download this removal tool for Adware.IEPlugin and save it to your desktop.

------------------

Download and install Ewido Security Suite

When installing, under "Additional Options":
  • Uncheck "Install background guard"
  • Uncheck "Install scan via context menu"

Double-click the icon on Desktop to launch Ewido
You will need to update Ewido to the latest definition files.
On the left hand side of the main screen click update.
Then click on Start Update.
When you have finished updating, EXIT Ewido

If you are having problems with the updater, you can use this link to manually update Ewido

------------------

Download and unzip BFUzip from http://www.merijn.org/files/bfu.zip
Run the program and click the Web button as shown here:


Use this URL to copy into the address bar of the Download script window:
http://metallica.geekstogo.com/alcanshorty.bfu

Execute the script by clicking the Execute button.

If you have any questions about the use of BFU please read here:
http://metallica.geekstogo.com/BFUinstructions.html


==========================================================

Download KillBox (it's important that you get version v2.0.0.175)

Launch KillBox.exe & select the following options:
delete on Reboot
Select all the filenames listed below & then right-click & select Copy


C:\WINDOWS\IA\command.exe
C:\WINDOWS\elitemediapop.exe
C:\WINDOWS\system32\sms_msn.exe
C:\temp\salm.exe
C:\WINDOWS\wdskctl.exe
C:\Program Files\snss\snss.exe
C:\WINDOWS\newfrn.exe
C:\WINDOWS\system32\msxct.exe
C:\WINDOWS\z00098.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\WINDOWS\System32\APD123.exe
C:\WINDOWS\vezod.exe
C:\Program Files\Network\network.exe
C:\Program Files\apsi\wtta.exe
C:\WINDOWS\System32\l?gonui.exe
C:\Program Files\sf\sf.exe
C:\PROGRA~1\COMMON~1\orwf\orwfm.exe
C:\WINDOWS\nwf.exe
C:\PROGRA~1\COMMON~1\orwf\orwfa.exe
C:\Program Files\System Files\System.exe
C:\PROGRA~1\COMMON~1\orwf\orwfl.exe
C:\windows\rlvknlg.exe
C:\WINDOWS\system32\l4dsds.exe
C:\WINDOWS\ghbosuyv.dll
C:\WINDOWS\System32\zkcqfqaq.dll
C:\WINDOWS\bxxs5.dll
C:\WINDOWS\ghbosuyv.dll
C:\WINDOWS\System32\nsk29.dll
C:\WINDOWS\DH.dll
C:\WINDOWS\System32\WinNB57.dll
C:\WINDOWS\System32\wuauclt.dll



* Go to the File menu, and choose Paste from Clipboard
* Click the unregister .dll Before Deleting (if not greyed out)
* Click the RED X button.
* Click Yes at the Delete on Reboot prompt.
* Click Yes at the 'Pending Operations prompt'.


Quote:
If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, download and run missingfilesetup.exe Then try Killbox again.
==========================================================


Next, please reboot your computer in SafeMode by doing the following:
  1. Restart your computer
  2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  3. Instead of Windows loading as normal, a menu should appear
  4. Select the first option, to run Windows in Safe Mode.

==========================================================

Click Start->Run - type SERVICES.MSC & then click on the OK button
  • Locate the service - cmdService. Double-click on it to open the Properties dialog.
  • Change the Startup type to Disabled & then click on the OK button
  • Then start HiJackThis & go to Config>Misc.Tools...> Delete an NT service...
  • In the popup box that appears, type in "cmdService" & then click on the OK button

Answer No when prompted to reboot

==========================================================

Click > Start > Control Panel > Add / Remove Programs and uninstall the following programs:

AutoUpdate
VBouncer
Media Access
WildTangent
BullsEye Network
MarketBrowser


==========================================================

Open HijackThis and click on Scan. Check the following entries (make sure you do not miss any)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us5.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us5.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R3 - URLSearchHook: (no name) - {DB4D32DD-ED6D-22D6-25D2-D3C84203C374} - C:\WINDOWS\ghbosuyv.dll
R3 - URLSearchHook: (no name) - {DA55BCA6-7763-089E-1647-2850A65762C2} - C:\WINDOWS\System32\zkcqfqaq.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - {DA55BCDD-7760-72EE-1646-2B50D65062C6} - C:\WINDOWS\System32\zkcqfqaq.dll
F2 - REG:system.ini: Shell=Explorer.exe smsse.exe
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\bxxs5.dll
O2 - BHO: (no name) - {279A1B41-6CAC-4ABF-B39C-72C8E489F685} - (no file)
O2 - BHO: (no name) - {2B8DFA48-CA00-3CE6-1565-ED0A5B7BBB5D} - C:\WINDOWS\ghbosuyv.dll
O2 - BHO: wb - {55BE9F0D-6CAF-4c3e-B125-5A13A8C9D0EC} - C:\WINDOWS\System32\nsk29.dll
O2 - BHO: (no name) - {6001CDF7-6F45-471b-A203-0225615E35A7} - C:\WINDOWS\DH.dll
O2 - BHO: Related Page - {9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\System32\WinNB57.dll
O2 - BHO: (no name) - {DA55BCA6-7763-089E-1647-2850A65762C2} - C:\WINDOWS\System32\zkcqfqaq.dll
O2 - BHO: (no name) - {DA55BCDD-7760-72EE-1646-2B50D65062C6} - C:\WINDOWS\System32\zkcqfqaq.dll
O2 - BHO: (no name) - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - (no file)
O3 - Toolbar: Search - {EF7AC596-721D-2D17-0A4D-354348C9EA68} - C:\WINDOWS\ghbosuyv.dll
O3 - Toolbar: Related Page - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\System32\WinNB57.dll
O4 - HKLM\..\Run: [elitemedia] C:\WINDOWS\elitemediapop.exe
O4 - HKLM\..\Run: [sms_msn] C:\WINDOWS\system32\sms_msn.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\l4dsds.exe reg_run
O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
O4 - HKLM\..\Run: [wdskctl] C:\WINDOWS\wdskctl.exe
O4 - HKLM\..\Run: [VBundleOuterDL] C:\Program Files\VBouncer\BundleOuter.EXE
O4 - HKLM\..\Run: [snss Launcher] "C:\Program Files\snss\snss.exe"
O4 - HKLM\..\Run: [OSS] C:\windows\rlvknlg.exe
O4 - HKLM\..\Run: [NewFrn] C:\WINDOWS\newfrn.exe
O4 - HKLM\..\Run: [msxct] msxct.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [DDCM] "C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe" -Background
O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe " -boot
O4 - HKLM\..\Run: [Contextual Tool] C:\WINDOWS\z00098.exe
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\bxxs5.dll,DllRun
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [APD123] C:\WINDOWS\System32\APD123.exe
O4 - HKLM\..\Run: [vezod] C:\WINDOWS\vezod.exe
O4 - HKLM\..\Run: [Network] C:\Program Files\Network\network.exe
O4 - HKCU\..\Run: [Microsoft Update Machine] wuamgrd.exe
O4 - HKCU\..\Run: [Notn] "C:\Program Files\apsi\wtta.exe" -vt yazr
O4 - HKCU\..\Run: [Tgtubun] C:\WINDOWS\System32\l?gonui.exe
O4 - HKCU\..\Run: [sf] C:\Program Files\sf\sf.exe
O4 - HKCU\..\Run: [orwf] C:\PROGRA~1\COMMON~1\orwf\orwfm.exe
O4 - HKCU\..\Run: [nwf] C:\WINDOWS\nwf.exe
O4 - HKCU\..\Run: [CAS2] "C:\Program Files\System Files\System.exe"
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: PowerReg Scheduler.exe
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - C:\WINDOWS\System32\wuauclt.dll
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - C:\WINDOWS\System32\wuauclt.dll
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {26098EA2-C95D-48EA-89B4-63C5A63BD42F} - http://www.pacimedia.com/install/pcs_0003.exe
O16 - DPF: {444B911E-6E55-4A11-B3E9-0D3E21AE0437} - http://www.exfol.com/v/1/i/eins009.exe
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} (Mirar_Dummy_ATS1 Class) - http://awbeta.net-nucleus.com/FIX/WinATS.cab
O16 - DPF: {99410CDE-6F16-42ce-9D49-3807F78F0287} (ClientInstaller Class) - http://www.180searchassistant.com/180saax.cab
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} (elitectl.DemoCtl) - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spyspotter.com/spysp...CabInstall.cab
O18 - Filter: text/html - {8253D547-38DD-4325-B35A-F1817EDFA5F5} - C:\Program Files\System Files\plugin.dll


Please remember to close all other windows, including browsers then click Fix checked.


==========================================================

Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.

C:\WINDOWS\IA
C:\Program Files\snss
C:\Program Files\AutoUpdate
C:\Program Files\Network
C:\Program Files\apsi
C:\Program Files\sf
C:\PROGRA~1\COMMON~1\orwf
smsse.exe <<<= you will have to search for this one.
msxct.exe <<<= you will have to search for this one.
C:\Program Files\Media Access
C:\Program Files\WildTangent
C:\Program Files\BullsEye Network
wuamgrd.exe <<<= you will have to search for this one.
PowerReg Scheduler V3.exe <<<= you will have to search for this one.
PowerReg Scheduler.exe <<<= you will have to search for this one.
C:\Program Files\MarketBrowser


==========================================================

Right click on DelO15Domains.inf and choose Install. It will run immediately (you won't be able to see anything happen). You may delete the file afterwards.

==========================================================


Open Ad-aware and do a full scan. Remove all it finds.

==========================================================

Run Cleanup! using the following configuration:
  1. Click Options...
  2. Set the slider to Standard CleanUp!
  3. Uncheck the following:
    • Delete Newsgroup cache
    • Delete Newsgroup Subscriptions
    • Scan local drives for temporary files
  4. Click OK
  5. Press the CleanUp! button to start the program.
  6. Do NOT Reboot/logoff when prompted.

* CleanUp! will not create any backups!!

==========================================================

Run Ewido with its updated definitions: (...it's important that all windows must be closed)
  • Click Scanner
  • Click Complete System Scan to begin scanning.
  • Click OK when prompted to clean files
With the first file it prompts to clean, select the option:
  • "Perform action on all infections"
  • Choose clean and click OK.
Once finished, click the Save report button & save the report to your desktop

** This scan may take over an hour, after choosing the action for the first item you do not need to stay at the PC

==========================================================

Reboot your system in Normal Mode.

==========================================================

Do a HijackThis scan & place a check next to these items if they still exist.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us5.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
O4 - HKCU\..\Run: [Microsoft Update Machine] wuamgrd.exe
O4 - HKCU\..\Run: [Notn] "C:\Program Files\apsi\wtta.exe" -vt yazr
O4 - HKCU\..\Run: [Tgtubun] C:\WINDOWS\System32\l?gonui.exe
O4 - HKCU\..\Run: [sf] C:\Program Files\sf\sf.exe
O4 - HKCU\..\Run: [orwf] C:\PROGRA~1\COMMON~1\orwf\orwfm.exe
O4 - HKCU\..\Run: [nwf] C:\WINDOWS\nwf.exe
O4 - HKCU\..\Run: [CAS2] "C:\Program Files\System Files\System.exe"


Close hijackthis.

==========================================================

Perform an online scan with Internet Explorer with

Kaspersky WebScanner

Next Click on Launch Kaspersky Anti-Virus Web Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    • Standard
    • Scan Options:
    • Scan Archives
    • Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
    • Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Take note of the names and locations of any file it detects but fails to clean.


==========================================================

In your next post I will need fresh logs from:

1)HijackThis
2)Ewido log
3)Kaspersky scan
rikkker is offline  
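Added example (the editor's, not the helper's or the original poster's code): a small Python triage script for the R1/O4 lines the helper asked the poster to check. It parses the lines as HijackThis prints them and flags the structural tells an analyst looks for: a '?' in a file name (HijackThis prints a character it cannot display as '?', so l?gonui.exe is a look-alike of logonui.exe), a bare file name with no directory (found through the PATH search order rather than a fixed location), an executable dropped straight into C:\WINDOWS, a Windows component name used outside System32, and an Internet Explorer search setting that is blanked out or points at a third-party host. The sample lines are the ones from the post above plus one constructed benign control (ccApp.exe, a Norton component); the MIMICKED name list, the host allowlist and the heuristics themselves are the editor's assumptions, not anything HijackThis does on its own.

```python
from __future__ import annotations

import re
from urllib.parse import urlparse

# Constructed sample input: the R1/O4 lines the helper listed above, plus one
# benign control line (ccApp.exe, a Norton component) that is the editor's
# addition, not a line from the thread.
HJT_SAMPLE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us5.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
O4 - HKCU\..\Run: [Microsoft Update Machine] wuamgrd.exe
O4 - HKCU\..\Run: [Notn] "C:\Program Files\apsi\wtta.exe" -vt yazr
O4 - HKCU\..\Run: [Tgtubun] C:\WINDOWS\System32\l?gonui.exe
O4 - HKCU\..\Run: [sf] C:\Program Files\sf\sf.exe
O4 - HKCU\..\Run: [orwf] C:\PROGRA~1\COMMON~1\orwf\orwfm.exe
O4 - HKCU\..\Run: [nwf] C:\WINDOWS\nwf.exe
O4 - HKCU\..\Run: [CAS2] "C:\Program Files\System Files\System.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
"""

# HijackThis line shapes: "O4 - HKxx\..\Run: [value name] command line"
# and "R1 - <registry key>,<value name> = <data>".
O4_RUN = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
R1_LINE = re.compile(r"^R1 - (?P<key>[^,]+),(?P<value>.+?) = (?P<data>.*)$")
# Shortest leading run of an unquoted command line that ends in an executable
# extension; this is how an unquoted path containing spaces is recovered.
EXE_PREFIX = re.compile(r"^(.*?\.(?:exe|com|pif|scr|bat|cmd|dll))(?=\s|$)", re.IGNORECASE)

# Windows component names that malware commonly imitates (editor's list).
MIMICKED = {"csrss", "explorer", "logonui", "lsass", "services", "smss",
            "spoolsv", "svchost", "system", "winlogon", "wuauclt"}
# Hosts a stock IE search setting may legitimately point at (editor's assumption).
MICROSOFT_SEARCH_HOSTS = ("microsoft.com", "msn.com", "live.com")


def program_path(cmd: str) -> str:
    """Extract the program from a Run value: a quoted path, or an unquoted prefix ending in .exe etc."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXE_PREFIX.match(cmd)
    return m.group(1) if m else cmd.split()[0]


def check_run_entry(exe: str) -> list[str]:
    """Structural tells in an O4 autostart path; returns human-readable reasons."""
    reasons: list[str] = []
    directory, _, filename = exe.replace("/", "\\").rpartition("\\")
    stem = filename.lower().rsplit(".", 1)[0]
    if "?" in filename:
        # HijackThis prints a character it cannot display as '?', so the real
        # name contains a look-alike (non-ASCII) character.
        reasons.append("file name contains a character HijackThis cannot display ('?')")
    if not directory:
        reasons.append("bare file name: located via the PATH search order, not a fixed path")
    elif directory.lower() in ("c:\\windows", "c:\\winnt"):
        reasons.append("executable dropped directly into the Windows directory")
    # Treat each '?' as a wildcard so l?gonui still matches logonui.
    lookalike = re.compile(re.escape(stem).replace(r"\?", ".") + "$")
    for name in sorted(MIMICKED):
        if lookalike.fullmatch(name):
            if stem != name or not directory.lower().endswith("\\system32"):
                reasons.append(f"name imitates the Windows component '{name}'")
            break
    return reasons


def check_search_value(data: str) -> list[str]:
    """Hijacked IE search settings: blanked out, or pointed at a third-party host."""
    data = data.strip()
    if data.lower() == "about:blank":
        return ["search setting blanked out (typical hijacker residue)"]
    host = urlparse(data).hostname or ""
    if host and not host.endswith(MICROSOFT_SEARCH_HOSTS):
        return [f"search URL points at third-party host {host}"]
    return []


def triage(log: str) -> list[tuple[str, list[str]]]:
    """Return (line, reasons) for every R1/O4 line that trips at least one heuristic."""
    flagged: list[tuple[str, list[str]]] = []
    for raw in log.splitlines():
        line = raw.strip()
        reasons: list[str] = []
        m = O4_RUN.match(line)
        if m:
            reasons = check_run_entry(program_path(m["cmd"]))
        else:
            m = R1_LINE.match(line)
            if m:
                reasons = check_search_value(m["data"])
        if reasons:
            flagged.append((line, reasons))
    return flagged


if __name__ == "__main__":
    for line, reasons in triage(HJT_SAMPLE):
        print(line)
        for reason in reasons:
            print("    ->", reason)
```

Note what the heuristics do not catch: wtta.exe, sf.exe and orwfm.exe sit in ordinary Program Files directories with plausible quoting, so they pass, even though the helper's list (and, later in the thread, the Kaspersky report for wtta.exe) identifies them as malware. Structural tells narrow the list of entries to look at; the files that pass still need an AV verdict or a hash lookup before they are trusted.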
Old 01-14-2006, 06:49 AM   #4 (permalink)
Registered User
 
Join Date: Jan 2006
Posts: 10
OS: Windows XP SP2


Not sure if I got the Kaspersky right or not, as it only offered an online virus scanner and nothing on that scanner said if it fixed the problems or not.

Sorry it took so long. And I want to say thanks for the help you are giving.

Kaspersky Log
-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Saturday, January 14, 2006 08:36:10
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 14/01/2006
Kaspersky Anti-Virus database records: 161292
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\

Scan Statistics:
Total number of scanned objects: 111918
Number of viruses found: 42
Number of infected objects: 213
Number of suspicious objects: 1
Duration of the scan process: 7453 sec

Infected Object Name - Virus Name
C:\Documents and Settings\Administrator\Local Settings\Temp\temp.fr52C8 Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\xgij.exe Infected: Trojan-Downloader.Win32.Qoologic.be
C:\Documents and Settings\Owner\Local Settings\Temp\!update.exe Infected: Trojan-Downloader.Win32.PurityScan.be
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\GHIJKLMN\!update-3195[1].0000 Infected: Trojan-Downloader.Win32.PurityScan.be
C:\Program Files\apsi\wtta.exe Infected: Trojan-Downloader.Win32.PurityScan.be
C:\Program Files\Norton AntiVirus\Quarantine\014D0C44.exe Infected: Net-Worm.Win32.Sasser.d
C:\Program Files\Norton AntiVirus\Quarantine\02EF60A9.exe Infected: Backdoor.Win32.IRCBot.az
C:\Program Files\Norton AntiVirus\Quarantine\03EF0554.exe Infected: Trojan-Downloader.Win32.Apropo.u
C:\Program Files\Norton AntiVirus\Quarantine\05953A81.pif Infected: Trojan-Downloader.BAT.Ftp.z
C:\Program Files\Norton AntiVirus\Quarantine\0598647E.exe Infected: Net-Worm.Win32.Sasser.d
C:\Program Files\Norton AntiVirus\Quarantine\059B0E7A.exe Infected: Net-Worm.Win32.Sasser.d
C:\Program Files\Norton AntiVirus\Quarantine\059F3876.exe Infected: Net-Worm.Win32.Sasser.d
C:\Program Files\Norton AntiVirus\Quarantine\05A26273.exe Infected: Net-Worm.Win32.Sasser.d
C:\Program Files\Norton AntiVirus\Quarantine\05A50C6F.exe Infected: Net-Worm.Win32.Sasser.d
C:\Program Files\Norton AntiVirus\Quarantine\05A8366C.exe Infected: Net-Worm.Win32.Sasser.d
C:\Program Files\Norton AntiVirus\Quarantine\05AC6068.exe Infected: Net-Worm.Win32.Sasser.d
C:\Program Files\Norton AntiVirus\Quarantine\05AF0A64.exe Infected: Net-Worm.Win32.Sasser.d
C:\Program Files\Norton AntiVirus\Quarantine\080E0BC8.exe Infected: Backdoor.Win32.Rbot.gen
C:\Program Files\Norton AntiVirus\Quarantine\08562779 Infected: Trojan-Downloader.BAT.Ftp.c
C:\Program Files\Norton AntiVirus\Quarantine\090358BB.exe Infected: Backdoor.Win32.Rbot.gen
C:\Program Files\Norton AntiVirus\Quarantine\095F04C3.exe Infected: Trojan-Downloader.Win32.Apropo.ai
C:\Program Files\Norton AntiVirus\Quarantine\0A993FAA.exe Infected: Net-Worm.Win32.Sasser.d
C:\Program Files\Norton AntiVirus\Quarantine\0B980FA2.exe Infected: Net-Worm.Win32.Sasser.d
C:\Program Files\Norton AntiVirus\Quarantine\0D7600D5.exe Infected: Net-Worm.Win32.Sasser.d
C:\Program Files\Norton AntiVirus\Quarantine\0E7645EB.exe Infected: Net-Worm.Win32.Sasser.d
C:\Program Files\Norton AntiVirus\Quarantine\128168AA.dll Infected: Trojan-Downloader.Win32.Dyfuca.gen
C:\Program Files\Norton AntiVirus\Quarantine\128168AA.exe Infected: Trojan-Downloader.Win32.Dyfuca.ei
C:\Program Files\Norton AntiVirus\Quarantine\14D146D5.exe Infected: Net-Worm.Win32.Sasser.d
C:\Program Files\Norton AntiVirus\Quarantine\15674996.exe Infected: Backdoor.Win32.Rbot.gen
C:\Program Files\Norton AntiVirus\Quarantine\15841A47.exe Infected: Net-Worm.Win32.Sasser.d
C:\Program Files\Norton AntiVirus\Quarantine\168D4651.exe Infected: Net-Worm.Win32.Sasser.d
C:\Program Files\Norton AntiVirus\Quarantine\18BB17EC.exe Infected: Backdoor.Win32.Rbot.gen
C:\Program Files\Norton AntiVirus\Quarantine\1A0601E9.exe Infected: Net-Worm.Win32.Sasser.d
C:\Program Files\Norton AntiVirus\Quarantine\1CA46C43.exe Infected: Net-Worm.Win32.Sasser.d
C:\Program Files\Norton AntiVirus\Quarantine\23C43E3E.exe Infected: Net-Worm.Win32.Sasser.d
C:\Program Files\Norton AntiVirus\Quarantine\24D76F8D.tmp Infected: Trojan-Downloader.VBS.Psyme.x
C:\Program Files\Norton AntiVirus\Quarantine\25963DE8.exe Infected: Net-Worm.Win32.Sasser.d
C:\Program Files\Norton AntiVirus\Quarantine\2790251C.exe Infected: Backdoor.Win32.Rbot.gen
C:\Program Files\Norton AntiVirus\Quarantine\312779E7.exe Infected: Net-Worm.Win32.Sasser.d
C:\Program Files\Norton AntiVirus\Quarantine\3179040A.exe Infected: Net-Worm.Win32.Sasser.d
C:\Program Files\Norton AntiVirus\Quarantine\399F6004.exe Infected: Backdoor.Win32.Rbot.gen
C:\Program Files\Norton AntiVirus\Quarantine\39ED4FAE.dll Infected: Trojan-Downloader.Win32.Apropo.ah
C:\Program Files\Norton AntiVirus\Quarantine\39ED4FAE.exe Infected: Trojan-Downloader.Win32.Apropo.ab
C:\Program Files\Norton AntiVirus\Quarantine\39F423A6.exe Infected: Trojan-Dropper.Win32.Agent.hv
C:\Program Files\Norton AntiVirus\Quarantine\3A014B98.exe Infected: Trojan-Downloader.Win32.Dyfuca.du
C:\Program Files\Norton AntiVirus\Quarantine\402703D2.exe Infected: Backdoor.Win32.IRCBot.az
C:\Program Files\Norton AntiVirus\Quarantine\44EE7B99.exe Infected: Net-Worm.Win32.Sasser.d
C:\Program Files\Norton AntiVirus\Quarantine\47E41349.exe Infected: Trojan-Downloader.Win32.Adload.k
C:\Program Files\Norton AntiVirus\Quarantine\482C2EFA.exe Infected: Trojan-Downloader.Win32.Small.cdo
C:\Program Files\Norton AntiVirus\Quarantine\4A1957AE.exe Infected: Net-Worm.Win32.Sasser.d
C:\Program Files\Norton AntiVirus\Quarantine\4B1827A6.exe Infected: Net-Worm.Win32.Sasser.d
C:\Program Files\Norton AntiVirus\Quarantine\4C0F4D95.exe Infected: Net-Worm.Win32.Sasser.d
C:\Program Files\Norton AntiVirus\Quarantine\4C18779E.exe Infected: Net-Worm.Win32.Sasser.d
C:\Program Files\Norton AntiVirus\Quarantine\50AB3A01.exe Infected: Net-Worm.Win32.Sasser.d
C:\Program Files\Norton AntiVirus\Quarantine\5258398D.exe Infected: Trojan-Downloader.Win32.Adload.k
C:\Program Files\Norton AntiVirus\Quarantine\52D45175.exe Infected: Trojan-Downloader.Win32.Adload.a
C:\Program Files\Norton AntiVirus\Quarantine\543E23EA.exe Infected: Net-Worm.Win32.Sasser.d
C:\Program Files\Norton AntiVirus\Quarantine\5CD42E92.exe Infected: Net-Worm.Win32.Sasser.d
C:\Program Files\Norton AntiVirus\Quarantine\5FCE5FE9.exe Infected: Net-Worm.Win32.Sasser.d
C:\Program Files\Norton AntiVirus\Quarantine\68FC2323.exe Infected: Net-Worm.Win32.Sasser.d
C:\Program Files\Norton AntiVirus\Quarantine\6B5F1BE7.exe Infected: Net-Worm.Win32.Sasser.d
C:\Program Files\Norton AntiVirus\Quarantine\6D390AF0.exe Infected: Net-Worm.Win32.Sasser.d
C:\Program Files\Norton AntiVirus\Quarantine\74595CEC.exe Infected: Net-Worm.Win32.Sasser.d
C:\Program Files\Norton AntiVirus\Quarantine\752517B3.exe Infected: Net-Worm.Win32.Sasser.d
C:\Program Files\Norton AntiVirus\Quarantine\7B6A1A57.exe Infected: Backdoor.Win32.Rbot.gen
C:\Program Files\Norton AntiVirus\Quarantine\7E62172F.exe Infected: Trojan-Downloader.Win32.Adload.k
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP47\A0046906.dll Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP47\A0046907.exe Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP47\A0046908.exe Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP47\A0046909.dll Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP47\A0046910.exe Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP47\A0046911.sys Suspicious: Rootkit.Win32.Agent.ao
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP47\A0046958.exe Infected: Trojan-Downloader.Win32.PurityScan.au
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP49\A0048112.exe Infected: Trojan-Downloader.Win32.Small.cdo
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP49\A0048116.exe Infected: Trojan-Dropper.Win32.Agent.abb
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP49\A0048119.exe Infected: Trojan-Downloader.Win32.Small.cdo
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP49\A0048124.exe Infected: Trojan-Downloader.Win32.Small.cdo
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP71\A0051134.exe Infected: Trojan-Downloader.Win32.PurityScan.bb
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP71\A0052136.exe Infected: Trojan-Downloader.Win32.Qoologic.al
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP71\A0052143.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP71\A0052144.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP71\A0052146.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP71\A0052148.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP72\A0052188.exe Infected: Trojan-Downloader.Win32.Adload.k
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP72\A0052311.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP72\A0052312.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP72\A0052313.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP72\A0052328.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP72\A0052331.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP72\A0052333.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP72\A0052334.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP72\A0052350.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP72\A0052351.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP72\A0052352.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP72\A0052367.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP72\A0052368.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP72\A0052370.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP72\A0052384.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP72\A0052385.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP72\A0052387.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP72\A0052403.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP72\A0052404.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP72\A0052405.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP74\A0052432.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP74\A0052434.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP74\A0052435.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP74\A0052457.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP74\A0052459.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP74\A0052460.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP74\A0052462.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP75\A0052475.exe Infected: Trojan-Downloader.Win32.Dyfuca.ei
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP75\A0052689.exe Infected: Trojan-Downloader.Win32.Adload.k
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP75\A0052690.exe Infected: Trojan-Downloader.Win32.Adload.k
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP75\A0052694.exe Infected: Trojan-Downloader.Win32.Small.cdo
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP76\A0052699.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP76\A0052700.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP76\A0052701.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP76\A0052702.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP77\A0052718.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP77\A0052719.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP77\A0052721.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP77\A0052722.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP77\A0052733.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP77\A0052735.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP77\A0052736.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP77\A0052737.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP77\A0052761.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP77\A0052762.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP77\A0052763.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP77\A0052764.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP77\A0052783.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP77\A0052784.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP77\A0052785.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP77\A0052786.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP77\A0052797.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP77\A0052798.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP77\A0052799.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP77\A0052800.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP78\A0052884.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP78\A0052885.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP78\A0052887.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP78\A0052890.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP90\A0053419.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP90\A0053422.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP90\A0053424.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP92\A0056681.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP92\A0056683.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP92\A0056684.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP92\A0056685.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP92\A0056776.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP92\A0056777.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP92\A0056778.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP92\A0056779.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP93\A0056809.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP93\A0056810.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP93\A0056811.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP93\A0056812.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP94\A0056854.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP94\A0056855.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP94\A0056856.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP94\A0056857.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP95\A0056917.exe Infected: Trojan.Win32.LowZones.am
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP95\A0056928.exe Infected: Trojan-Downloader.Win32.PurityScan.ax
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP95\A0056931.exe Infected: Trojan.Win32.Favadd.o
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP95\A0056936.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP95\A0056941.dll Infected: Trojan-Clicker.Win32.Small.jf
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP95\A0056943.dll Infected: Trojan-Downloader.Win32.Qoologic.ae
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP95\A0056956.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP95\A0056957.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP95\A0056958.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP95\A0056982.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP95\A0056983.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP95\A0056984.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP95\A0056998.exe Infected: Trojan-Dropper.Win32.Agent.aac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP95\A0057000.exe Infected: Trojan-Dropper.Win32.Agent.aac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP95\A0057009.exe Infected: Trojan-Downloader.Win32.Small.buy
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP95\A0057011.exe Infected: Trojan-Downloader.Win32.Dyfuca.ei
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP95\A0057014.exe Infected: Trojan-Dropper.Win32.Agent.afl
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP95\A0057026.exe Infected: Trojan-Dropper.Win32.Small.qn
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP95\A0057030.exe/data0002 Infected: Trojan-Clicker.Win32.Small.jf
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP95\A0057030.exe Infected: Trojan-Clicker.Win32.Small.jf
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP95\A0057032.cpl Infected: Trojan-Downloader.Win32.Qoologic.ad
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP95\A0057126.exe Infected: Trojan-Downloader.Win32.Adload.k
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP95\A0057128.exe Infected: Trojan-Downloader.Win32.Agent.aaf
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP95\A0057129.exe Infected: Trojan-Downloader.Win32.Small.buy
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP95\A0057138.exe Infected: Trojan-Dropper.Win32.VB.kk
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP95\A0057145.exe Infected: Trojan-Downloader.Win32.Agent.aaf
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP95\A0057147.exe Infected: Trojan-Dropper.Win32.Juntador.c
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP95\A0057150.exe Infected: Trojan-Downloader.Win32.IstBar.gen
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP95\A0057151.exe Infected: Trojan-Downloader.Win32.TSUpdate.o
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP95\A0057153.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP95\A0057154.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP95\A0057162.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP95\A0057163.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP96\A0057258.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP96\A0057259.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP96\A0057260.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP96\A0057343.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP96\A0057344.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP96\A0057373.exe Infected: Trojan-Downloader.Win32.Qoologic.be
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP96\A0057375.exe Infected: Trojan-Downloader.Win32.Qoologic.be
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP96\A0057376.dll Infected: Trojan-Downloader.Win32.Qoologic.be
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP96\A0057377.dll Infected: Trojan-Downloader.Win32.Qoologic.be
C:\WINDOWS\system32\cmd.ftp Infected: Trojan-Downloader.BAT.Ftp.u
C:\WINDOWS\system32\crtpes15.dll Infected: Trojan.Win32.Crypt.t
C:\WINDOWS\system32\epanuii.dll Infected: Trojan-Downloader.Win32.Qoologic.be
C:\WINDOWS\system32\fdcdbjj.exe Infected: Trojan-Downloader.Win32.Qoologic.be
C:\WINDOWS\system32\frlwk.dll Infected: Trojan-Downloader.Win32.Qoologic.be
C:\WINDOWS\system32\GS_SilentSudokuInstaller.exe/data0002/data0006 Infected: Trojan-Dropper.Win32.VB.kk
C:\WINDOWS\system32\GS_SilentSudokuInstaller.exe/data0002 Infected: Trojan-Dropper.Win32.VB.kk
C:\WINDOWS\system32\GS_SilentSudokuInstaller.exe Infected: Trojan-Dropper.Win32.VB.kk
C:\WINDOWS\system32\pbvky.dat Infected: Trojan-Downloader.Win32.Qoologic.be
C:\WINDOWS\system32\queecsvc.dll Infected: Trojan.Win32.Crypt.t
C:\WINDOWS\system32\wrkcop.exe Infected: Trojan-Downloader.Win32.Qoologic.be

Scan process completed.

##############################################################

Ewido Log

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 6:36:52 PM, 1/13/2006
+ Report-Checksum: 3AD97EBF

+ Scan result:

HKLM\SOFTWARE\Classes\drs.n -> Adware.Searchforit : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{8A0DCBDA-6E20-489C-9041-C1E8A0352E75} -> Spyware.NetNucleus : Cleaned with backup
HKU\.DEFAULT\Software\Effective-i -> Spyware.EffectiveBrandToolbar : Cleaned with backup
HKU\.DEFAULT\Software\Effective-i\TheSearchAccelerator -> Spyware.EffectiveBrandToolbar : Cleaned with backup
HKU\.DEFAULT\Software\Effective-i\TheSearchAccelerator\IE5 -> Spyware.EffectiveBrandToolbar : Cleaned with backup
HKU\.DEFAULT\Software\intexp -> Spyware.IEPlugin : Cleaned with backup
HKU\.DEFAULT\Software\intexp\Config -> Spyware.IEPlugin : Cleaned with backup
HKU\S-1-5-18\Software\Effective-i -> Spyware.EffectiveBrandToolbar : Cleaned with backup
HKU\S-1-5-18\Software\Effective-i\TheSearchAccelerator -> Spyware.EffectiveBrandToolbar : Cleaned with backup
HKU\S-1-5-18\Software\Effective-i\TheSearchAccelerator\IE5 -> Spyware.EffectiveBrandToolbar : Cleaned with backup
HKU\S-1-5-18\Software\intexp -> Spyware.IEPlugin : Cleaned with backup
HKU\S-1-5-18\Software\intexp\Config -> Spyware.IEPlugin : Cleaned with backup
[2036] C:\WINDOWS\system32\skgsdff.dll -> Downloader.Qoologic.ac : Cleaned with backup
[844] C:\WINDOWS\system32\skgsdff.dll -> Downloader.Qoologic.ac : Error during cleaning
C:\Documents and Settings\Owner\Desktop\eins005.exe -> Downloader.Adload.k : Cleaned with backup
C:\freecontentz.exe -> Spyware.CrazyWin : Cleaned with backup
C:\Program Files\Cas2Stub\cas2stub.exe -> Downloader.Agent.aaf : Cleaned with backup
C:\Program Files\InetGet2\MTE3MTk6ODoxNg.exe -> Downloader.Small.buy : Cleaned with backup
C:\Program Files\System Files\plugin.dll -> Adware.CASClient : Cleaned with backup
C:\Program Files\whInstall -> Adware.Webhancer : Cleaned with backup
C:\Program Files\whInstall\license.txt -> Adware.Webhancer : Cleaned with backup
C:\Program Files\whInstall\readme.txt -> Adware.Webhancer : Cleaned with backup
C:\Program Files\whInstall\Sporder.dll -> Adware.Webhancer : Cleaned with backup
C:\Program Files\whInstall\webhdll.dll -> Adware.Webhancer : Cleaned with backup
C:\Program Files\whInstall\whAgent.exe -> Adware.Webhancer : Cleaned with backup
C:\Program Files\whInstall\whAgent.ini -> Adware.Webhancer : Cleaned with backup
C:\Program Files\whInstall\whiehlpr.dll -> Adware.Webhancer : Cleaned with backup
C:\Program Files\whInstall\whInstaller.exe -> Adware.Webhancer : Cleaned with backup
C:\Program Files\whInstall\whSurvey.exe -> Adware.Webhancer : Cleaned with backup
C:\Program Files\Windows Media Player\wmplayer.exe.tmp -> Downloader.Small.cdo : Cleaned with backup
C:\Program Files\Yazzle Sudoku\Sudoku.exe -> Dropper.VB.kk : Cleaned with backup
C:\WINDOWS\dikwkyfe.dll -> Adware.BookedSpace : Cleaned with backup
C:\WINDOWS\dlgb.exe -> Trojan.Imiserv.c : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UWFX5_0001_N57M2811NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.b : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\UWFX5_0001_N57M2811NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.b : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.3\UWFX5_0001_N57M2811NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.b : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\UWFX5_0001_N57M2112NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.b : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\UWFX5_0001_N57M2811NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.b : Cleaned with backup
C:\WINDOWS\hfogqipf.exe -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\justin.exe -> Adware.EZula : Cleaned with backup
C:\WINDOWS\mynexus.exe -> Trojan.Imiserv.c : Cleaned with backup
C:\WINDOWS\system\sngsh35.dll -> Spyware.AdBlaster : Cleaned with backup
C:\WINDOWS\system32\dist001.exe -> Downloader.Agent.aaf : Cleaned with backup
C:\WINDOWS\system32\mdie.exe -> Backdoor.Rbot : Cleaned with backup
C:\WINDOWS\system32\mpsetup.exe -> Backdoor.Pest.31 : Cleaned with backup
C:\WINDOWS\system32\ngsh35.dll -> Spyware.AdBlaster : Cleaned with backup
C:\WINDOWS\system32\nsz18.dll -> Adware.EZula : Cleaned with backup
C:\WINDOWS\system32\pbvky.dat -> Downloader.Qoologic.ac : Cleaned with backup
C:\WINDOWS\system32\rk.bin -> Spyware.RK : Cleaned with backup
C:\WINDOWS\system32\sate.exe -> Downloader.IstBar : Cleaned with backup
C:\WINDOWS\system32\wuauclt.dll -> Downloader.Small : Cleaned with backup
C:\WINDOWS\ts.exe -> Downloader.TSUpdate.o : Cleaned with backup
C:\WINDOWS\wh.exe/whAgent.exe -> Spyware.WebHancer : Cleaned with backup


::Report End

##############################################################

HiJack This Log

Logfile of HijackThis v1.99.1
Scan saved at 6:47:37 PM, on 1/13/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\S3apphk.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\System32\l?gonui.exe
C:\Program Files\America Online 7.0\aoltray.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe
C:\PROGRA~1\HPCENT~1\137903\Program\BACKWE~1.EXE
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\SoftwareDistribution\Download\dca9d8a1ecbaf4bd0e18d083156f30c9\update\update.exe
G:\Sherilyn's Computer\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.iglide.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - {DB4D32DD-ED6D-22D6-25D2-D3C84203C374} - C:\WINDOWS\ghbosuyv.dll (file missing)
R3 - URLSearchHook: (no name) - {DA55BCA6-7763-089E-1647-2850A65762C2} - (no file)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - {DA55BCDD-7760-72EE-1646-2B50D65062C6} - (no file)
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\l4dsds.exe reg_run
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [Zero Knowledge Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-110-12-0000122.exe
O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: HPAiODevice(hp officejet v series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.elitemediagroup.net
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
TomWescott is offline  
Old 01-15-2006, 11:50 AM   #5 (permalink)
Registered User
 
 
Join Date: Jul 2005
Location: Canada
Posts: 213
OS: xp-pro


Hi Tom, you got Kaspersky right. All it does is ID the bad guys for us.

Also it is important that you run BFU and Ewido again in the order that I have listed, as your computer was badly infected and we want to make sure they get what they missed on the first pass.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

====================Additional Downloads=================


Please download Cleanup! and install it. <<<=Skip this step if you still have it installed. Do NOT run it yet.


* CleanUp! will not create any backups!!

If you have a 64 bit Operating System do NOT run Cleanup and let me know as we will use another utility.

----------------------

Double-click the icon on Desktop to launch Ewido
You will need to update Ewido to the latest definition files.
On the left hand side of the main screen click update.
Then click on Start Update.
When you have finished updating, EXIT Ewido

If you are having problems with the updater, you can use this link to manually update Ewido

--------------------

Download WinPFind http://www.bleepingcomputer.com/file...r/WinPFind.zip and extract it to your C:\ folder. This will create a folder called WinPFind in the C:\ folder.

--------------------

Download Track qoo (TQ.zip) http://www.geekstogo.com/downloads/Trackqoo.zip
Save it somewhere you will remember like the Desktop. Unzip the Track qoo.vbs inside to your desktop. DO NOT run it yet!

----------------------

Download and unzip BFUzip from http://www.merijn.org/files/bfu.zip <<<=if you still have it installed skip this step.
Run the program and click the Web button as shown here:


Use this URL to copy into the address bar of the Download script window:
http://metallica.geekstogo.com/alcanshorty.bfu

Checkmark the following boxes:
  • Use settings specified in script for the above option
  • Show log after script ends


Execute the script by clicking the Execute button.

When it finishes running, click the Save button for a copy of the log
Post the log created by the script when you have completed the fix


If you have any questions about the use of BFU please read here:
http://metallica.geekstogo.com/BFUinstructions.html


----------------------

Download KillBox (it's important that you get version v2.0.0.175) <<<=skip this step if you still have it installed.

Launch KillBox.exe & select the following options:
delete on Reboot
Select all the filenames listed below & then right-click & select Copy


C:\WINDOWS\system32\cmd.ftp
C:\WINDOWS\system32\crtpes15.dll
C:\WINDOWS\system32\epanuii.dll
C:\WINDOWS\system32\fdcdbjj.exe
C:\WINDOWS\system32\frlwk.dll
C:\WINDOWS\system32\GS_SilentSudokuInstaller.exe
C:\WINDOWS\system32\pbvky.dat
C:\WINDOWS\system32\queecsvc.dll
C:\WINDOWS\system32\skgsdff.dll
C:\WINDOWS\system32\wrkcop.exe
C:\WINDOWS\ghbosuyv.dll
C:\WINDOWS\system32\l4dsds.exe
C:\Program Files\Common Files\Windows\mc-110-12-0000122.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\temp.fr52C8
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\xgij.exe
C:\Documents and Settings\Owner\Local Settings\Temp\!update.exe
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\GHIJKLMN\!update-3195[1].0000


* Go to the File menu, and choose Paste from Clipboard
* Click the unregister .dll Before Deleting (if not greyed out)
* Click the RED X button.
* Click Yes at the Delete on Reboot prompt.
* Click Yes at the 'Pending Operations prompt'.


Quote:
If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, download and run missingfilesetup.exe Then try Killbox again.

====================Reboot to Safe Mode=================

Next, please reboot your computer in SafeMode by doing the following:
  1. Restart your computer
  2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  3. Instead of Windows loading as normal, a menu should appear
  4. Select the first option, to run Windows in Safe Mode.

========================Hjt Fixes======================

Open HijackThis and click on Scan. Check the following entries (make sure you do not miss any)

R3 - URLSearchHook: (no name) - {DB4D32DD-ED6D-22D6-25D2-D3C84203C374} - C:\WINDOWS\ghbosuyv.dll (file missing)
R3 - URLSearchHook: (no name) - {DA55BCA6-7763-089E-1647-2850A65762C2} - (no file)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - {DA55BCDD-7760-72EE-1646-2B50D65062C6} - (no file)
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\l4dsds.exe reg_run
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-110-12-0000122.exe
O15 - Trusted Zone: *.elitemediagroup.net


Please remember to close all other windows, including browsers then click Fix checked.


===================File and Folder Deletions================

Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.

C:\Program Files\ apsi
C:\WINDOWS\System32\ l?gonui.exe <<<=if you find 2 logonui.exe in the system32 folder, the legit one is less than 100 KB, and the bad one is usually 400+ KB.

=======================Tools==========================

Run Cleanup! using the following configuration:
  1. Click Options...
  2. Set the slider to Standard CleanUp!
  3. Uncheck the following:
    • Delete Newsgroup cache
    • Delete Newsgroup Subscriptions
    • Scan local drives for temporary files
  4. Click OK
  5. Press the CleanUp! button to start the program.
  6. Do NOT Reboot/logoff when prompted.

* CleanUp! will not create any backups!!

==========================================================

Run Ewido with its updated definitions (it's important that all windows are closed):
  • Click Scanner
  • Click Complete System Scan to begin scanning.
  • Click OK when prompted to clean files
With the first file it prompts to clean, select the option:
  • "Perform action on all infections"
  • Choose clean and click OK.

Once finished, click the Save report button & save the report to your desktop

==========================================================

Inside C:\WinPFind is a file called WinPFind.exe. Double-click on this file to launch the program. Once it is launched, click on the Start Scan button and wait for it to finish. This program will scan large amounts of files on your computer for known patterns, so please be patient while it works, as it can take a while, upwards of 30 minutes or more. Once the scan is complete it will make a txt file (log) of what was found.

1. Go to the WinPFind folder
2. Locate WinPFind.txt
3. Please post those results in your next post!

-----------------

==========================================================

Reboot your system in Normal Mode.

==========================================================

Double Click on "Track qoo.vbs"

Note - If your antivirus has Script Blocking, you will get a pop-up window asking you what to do. Allow this entire script to run, it's harmless!

Wait a few seconds and a notepad page will pop up, Copy & Paste those results and place them in the next post along with the results of WinPFind!

==========================================================

Empty your Norton quarantine folder.

*If you do not know how to do this,please go Here

==========================================================

Perform an online scan with Internet Explorer with Panda ActiveScan

Click on the "Free To Use ActiveScan" located on the top right hand corner
  1. Click Check Now and a "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
  2. Enter your e-mail address, country, and state & click Scan Now * The download of the 8 MB Panda's ActiveX control will take place *
Begin the scan by selecting My Computer
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on See report then click Save report
*You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
*Turn off the real time scanner of any existing antivirus program while performing the online scan


Paste the Panda Scan report here together with a new HiJack This log.


==========================================================

In your next post I will need logs from:

1)HijackThis log
2)Bfu log
3)Ewido log
4)WinPFind.txt log
5)Track qoo.vbs log
6)Panda ActiveScan log


==========================================================

I resubscribed to the thread again.

Last edited by rikkker; 01-15-2006 at 11:52 AM.
rikkker is offline  
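The HijackThis fix list above is built by reading the log line by line and picking out three kinds of entry: URLSearchHooks whose DLL is gone, Run keys that launch the files scheduled for deletion, and a domain dropped into IE's Trusted Zone. The script below is an added example (my own code, not HijackThis, BFU or anything the forum ships) that applies exactly that triage to HJT-format lines. It assumes the entry formats shown in the thread and takes its known-bad file list from the KillBox list in post #5; the sample log is constructed from lines quoted in the thread.

```python
"""Triage helper for HijackThis-style log lines (added example, not the
forum's or HijackThis's own tooling).  It parses the R3/O4/O15 entry
formats seen in the thread and applies the helper's reasoning: flag
URLSearchHooks whose DLL is missing, Run entries that launch files the
helper listed for removal, and domains placed in IE's Trusted Zone."""
import re
from typing import List, Optional, Tuple

# Entry formats as they appear in HJT v1.99.1 logs quoted in this thread.
R3_RE = re.compile(
    r"^R3 - URLSearchHook: \((?P<name>[^)]*)\) - _?(?P<clsid>\{[0-9A-F-]+\}) - (?P<target>.*)$",
    re.I,
)
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<label>[^\]]+)\] (?P<cmd>.*)$")
O15_RE = re.compile(r"^O15 - Trusted Zone: (?P<domain>\S+)$")

# Images the helper scheduled for deletion in post #5 (taken from the thread).
KNOWN_BAD_IMAGES = {
    r"c:\windows\system32\l4dsds.exe",
    r"c:\program files\common files\windows\mc-110-12-0000122.exe",
}


def image_path(cmd: str) -> str:
    """Return the executable path from a Run-key command line.

    A quoted path is taken verbatim; otherwise the command is cut after the
    first .exe/.dll/.com token, which covers every O4 entry in the thread."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    m = re.match(r"(.+?\.(?:exe|dll|com))(?:\s|$)", cmd, re.I)
    return m.group(1) if m else cmd


def triage_line(line: str) -> Optional[str]:
    """Return a reason when a log line deserves a look, otherwise None."""
    m = R3_RE.match(line)
    if m:
        target = m.group("target")
        if "(no file)" in target or "(file missing)" in target:
            return f"URLSearchHook {m.group('clsid')} points at a missing file"
        return None
    m = O4_RE.match(line)
    if m:
        img = image_path(m.group("cmd")).lower()
        if img in KNOWN_BAD_IMAGES:
            return f"Run entry [{m.group('label')}] launches known-bad image {img}"
        return None
    m = O15_RE.match(line)
    if m:
        return f"Trusted Zone entry for {m.group('domain')} relaxes IE security for that domain"
    return None


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (line, reason) pairs for every flagged line in an HJT log."""
    findings = []
    for line in log_text.splitlines():
        reason = triage_line(line.rstrip())
        if reason:
            findings.append((line, reason))
    return findings


# Constructed sample: a handful of lines copied from the logs in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.iglide.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - {DB4D32DD-ED6D-22D6-25D2-D3C84203C374} - C:\WINDOWS\ghbosuyv.dll (file missing)
R3 - URLSearchHook: (no name) - {DA55BCA6-7763-089E-1647-2850A65762C2} - (no file)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - {DA55BCDD-7760-72EE-1646-2B50D65062C6} - (no file)
F2 - REG:system.ini: UserInit=userinit.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\l4dsds.exe reg_run
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-110-12-0000122.exe
O15 - Trusted Zone: *.elitemediagroup.net
"""

if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```

Run against the sample log it reports the same seven entries the helper told Tom to check and leaves the legitimate Symantec, Adobe and userinit lines alone. The known-bad list is the part a practitioner has to maintain; the hook and Trusted Zone rules are structural and apply to any HJT log.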
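The WinPFind step in the post above describes a scan "for known patterns", and the WinPFind log later in the thread tags each hit with the packer marker it found (UPX!, PEC2, PECompact2) before the date, size and path. The following is an added example, written for this page and not WinPFind's own code, of that packer-signature scan: it walks a directory, checks only files with a PE 'MZ' header, and prints hits in the same TAG DATE SIZE PATH layout. The marker byte strings are assumed to be the tag names themselves as they appear in packed binaries; the sample files it creates are constructed, not real executables.

```python
"""Packer-signature scan in the style of WinPFind's output (added example,
not WinPFind's code).  A handful of byte markers identify common packers;
any PE file containing one is reported with the packer tag, as in the
WinPFind log quoted in this thread."""
import os
import tempfile
import time
from pathlib import Path
from typing import List, Tuple

# Marker bytes for the packers seen in the WinPFind log above.  Assumption:
# the tag WinPFind prints is the literal string it matched in the file.
PACKER_SIGNATURES = {
    b"UPX!": "UPX!",
    b"PEC2": "PEC2",
    b"PECompact2": "PECompact2",
}

SCAN_SUFFIXES = {".exe", ".dll", ".scr", ".sys"}


def classify(data: bytes) -> List[str]:
    """Return the packer tags whose marker appears in a PE image.

    Non-PE data (no 'MZ' DOS header) yields [] even if a marker string is
    present, so a text file mentioning UPX! is not reported."""
    if not data.startswith(b"MZ"):
        return []
    return [tag for marker, tag in PACKER_SIGNATURES.items() if marker in data]


def scan_dir(root: str) -> List[Tuple[str, float, int, str]]:
    """Walk root and return (tag, mtime, size, path) for each flagged file."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.suffix.lower() not in SCAN_SUFFIXES:
                continue
            try:
                data = p.read_bytes()
                st = p.stat()
            except OSError:
                continue  # unreadable or vanished between listing and read
            for tag in classify(data):
                hits.append((tag, st.st_mtime, st.st_size, str(p)))
    return sorted(hits, key=lambda h: h[3])


def format_hit(hit: Tuple[str, float, int, str]) -> str:
    """Render a hit in WinPFind's 'TAG M/D/YYYY H:MM:SS AM SIZE PATH' layout."""
    tag, mtime, size, path = hit
    stamp = time.strftime("%m/%d/%Y %I:%M:%S %p", time.localtime(mtime))
    return f"{tag} {stamp} {size} {path}"


def build_sample_dir() -> str:
    """Create constructed sample files (not real binaries) for a demo run."""
    root = tempfile.mkdtemp(prefix="winpfind_demo_")
    samples = {
        "packed.exe": b"MZ" + b"\x00" * 60 + b"UPX!" + b"\x00" * 100,
        "plain.exe": b"MZ" + b"\x00" * 200,
        "notes.txt": b"UPX! appears in text but this is not a PE file",
        "compact.dll": b"MZ" + b"\x00" * 40 + b"PECompact2" + b"\x00" * 50,
    }
    for name, data in samples.items():
        (Path(root) / name).write_bytes(data)
    return root


if __name__ == "__main__":
    for hit in scan_dir(build_sample_dir()):
        print(format_hit(hit))
```

As the WinPFind warning in the log says, a packer tag by itself does not make a file malicious; legitimate vendors ship UPX-packed binaries too. The value of the output is that it narrows a full disk to a short list worth checking by hand.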
Old 01-16-2006, 06:52 PM   #6 (permalink)
Registered User
 
Join Date: Jan 2006
Posts: 10
OS: Windows XP SP2


Alrighty. With you so far.

HiJack This Log:
Logfile of HijackThis v1.99.1
Scan saved at 8:42:28 PM, on 1/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\S3apphk.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\America Online 7.0\aoltray.exe
C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\Program Files\Messenger\msmsgs.exe
G:\Sherilyn's Computer\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.iglide.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\wrkcop.exe reg_run
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: HPAiODevice(hp officejet v series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

#####################################################################################################

BFU Log:
BFU v1.00.9
Windows XP SP2 (WinNT 5.01.2600 SP2)
Script started at 7:08:32 AM, on 1/16/2006

Failed: RegDelValue HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System|DisableRegistryTools (key not found)
Failed: RegDelValue HKCU\System\CurrentControlSet\Control\Lsa|p2pnetwork (key not found)
Failed: RegDelValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Associations|LowRiskFileTypes (key not found)
Option pause between commands: 300 ms
Option pause between commands: 50 ms
Failed: FileDelete C:\Program Files\Common Files\Windows\mc-*-*.exe (operation failed)
Failed: FileDelete C:\Program Files\Common Files\Download\mc-*-*.exe (operation failed)
Failed: FileDelete C:\DOCUME~1\Owner\LOCALS~1\Temp\IadHide3.dll (operation failed)
Failed: FileDelete C:\DOCUME~1\Owner\LOCALS~1\Temp\~DF519.tmp (operation failed)
Failed: FolderDelete C:\Program Files\Maxifiles (folder not found)
Failed: FolderDelete C:\Program Files\DNS (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\FreeProd1 (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\FreeProd2 (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\InetGet (folder not found)
Failed: FolderDelete C:\Program Files\MsConfigs (folder not found)
Failed: FolderDelete C:\Program Files\winupdates (folder not found)
Failed: FolderDelete C:\Program Files\winupdate (folder not found)
Failed: FolderDelete C:\Program Files\winsupdater (folder not found)
Failed: FolderDelete C:\Program Files\MsUpdate (folder not found)
Failed: FolderDelete C:\Program Files\MsMovies (folder not found)
Script completed.

######################################################################################################

Ewido Log:
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 5:25:50 PM, 1/16/2006
+ Report-Checksum: DF039B26

+ Scan result:

HKU\S-1-5-21-359561344-2212233655-927890586-1003\Software\DR_S -> Adware.Searchforit : Cleaned with backup
HKU\S-1-5-21-359561344-2212233655-927890586-1003\Software\DR_S\dp -> Adware.Searchforit : Cleaned with backup
HKU\S-1-5-21-359561344-2212233655-927890586-1003\Software\DR_S\dp\adsh -> Adware.Searchforit : Cleaned with backup
HKU\S-1-5-21-359561344-2212233655-927890586-1003\Software\DR_S\dp\sfitb -> Adware.Searchforit : Cleaned with backup
HKU\S-1-5-21-359561344-2212233655-927890586-1003\Software\DR_S\dp\sfitb\145 -> Adware.Searchforit : Cleaned with backup
HKU\S-1-5-21-359561344-2212233655-927890586-1003\Software\DR_S\dp\sfitb\150 -> Adware.Searchforit : Cleaned with backup
HKU\S-1-5-21-359561344-2212233655-927890586-1003\Software\DR_S\dp\sfitb\154 -> Adware.Searchforit : Cleaned with backup
HKU\S-1-5-21-359561344-2212233655-927890586-1003\Software\DR_S\dp\sfitb\156 -> Adware.Searchforit : Cleaned with backup
HKU\S-1-5-21-359561344-2212233655-927890586-1003\Software\DR_S\dp\sfitb\161 -> Adware.Searchforit : Cleaned with backup
HKU\S-1-5-21-359561344-2212233655-927890586-1003\Software\DR_S\dp\sfitb\163 -> Adware.Searchforit : Cleaned with backup
HKU\S-1-5-21-359561344-2212233655-927890586-1003\Software\DR_S\dp\sfitb\74 -> Adware.Searchforit : Cleaned with backup
HKU\S-1-5-21-359561344-2212233655-927890586-1003\Software\DR_S\dp\sfitb\76 -> Adware.Searchforit : Cleaned with backup
HKU\S-1-5-21-359561344-2212233655-927890586-1003\Software\DR_S\dp\ts -> Adware.Searchforit : Cleaned with backup
HKU\S-1-5-21-359561344-2212233655-927890586-1003\Software\dsktb -> Spyware.IEPlugin : Cleaned with backup
HKU\S-1-5-21-359561344-2212233655-927890586-1003\Software\dsktb\DesktopToolbar -> Spyware.IEPlugin : Cleaned with backup
HKU\S-1-5-21-359561344-2212233655-927890586-1003\Software\intexp -> Spyware.IEPlugin : Cleaned with backup
HKU\S-1-5-21-359561344-2212233655-927890586-1003\Software\intexp\Config -> Spyware.IEPlugin : Cleaned with backup
HKU\S-1-5-21-359561344-2212233655-927890586-1003\Software\intexp\MyFileSystem2 -> Spyware.IEPlugin : Cleaned with backup
HKU\S-1-5-21-359561344-2212233655-927890586-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0019C3E2-DD48-4A6D-ABCD-8D32436323D9} -> Spyware.BookedSpace : Cleaned with backup
HKU\S-1-5-21-359561344-2212233655-927890586-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} -> Spyware.Mirar : Cleaned with backup
HKU\S-1-5-21-359561344-2212233655-927890586-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} -> Spyware.NetNucleus : Cleaned with backup
HKU\S-1-5-21-359561344-2212233655-927890586-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F4E04583-354E-4076-BE7D-ED6A80FD66DA} -> Spyware.BargainBuddy : Cleaned with backup
HKU\S-1-5-21-359561344-2212233655-927890586-1003\Software\Microsoft\Windows\CurrentVersion\Policies\AMeOpt -> Spyware.InternetOptimizer : Cleaned with backup
HKU\S-1-5-21-359561344-2212233655-927890586-1003\Software\Policies\Avenue Media -> Spyware.InternetOptimizer : Cleaned with backup
HKU\S-1-5-21-359561344-2212233655-927890586-1003\Software\salm -> Spyware.180Solutions : Cleaned with backup


::Report End

#####################################################################################################

WinPFind Log:
WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...
UPX! 3/4/2005 8:28:06 PM 14336 C:\MSBackgrd.exe
UPX! 3/6/2005 9:09:54 PM 11634 C:\NAVscanAP.exe
UPX! 3/6/2005 9:10:04 PM 19794 C:\W32mon.exe

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
UPX! 5/25/2005 6:49:18 PM 188935 C:\WINDOWS\filename.exe

Checking %System% folder...
PEC2 8/18/2001 6:00:00 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
PEC2 2/14/1997 10:24:14 PM 197171 C:\WINDOWS\SYSTEM32\Dwapilib.tlb
PECompact2 1/4/2006 9:41:02 PM 2827616 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 1/4/2006 9:41:02 PM 2827616 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 8/4/2004 1:56:36 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor 8/4/2004 1:56:44 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
UPX! 10/24/2001 9:44:12 PM 253440 C:\WINDOWS\SYSTEM32\RDBios32.DLL
winsync 8/18/2001 6:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...
PTech 8/3/2004 11:41:38 PM 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
1/16/2006 12:57:08 PM S 2048 C:\WINDOWS\bootstat.dat
1/16/2006 12:51:12 PM H 24 C:\WINDOWS\puJtf
1/8/2006 10:37:26 PM RHS 286777 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_10.cab
12/23/2005 7:12:18 AM RHS 405504 C:\WINDOWS\system32\l?gonui.exe
11/30/2005 10:17:10 PM S 21633 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB905915.cat
12/1/2005 6:12:48 PM S 10925 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB910437.cat
1/2/2006 5:09:36 PM S 11223 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB912919.cat
1/16/2006 12:56:56 PM H 8192 C:\WINDOWS\system32\config\default.LOG
1/16/2006 12:58:20 PM H 1024 C:\WINDOWS\system32\config\SAM.LOG
1/16/2006 12:57:10 PM H 16384 C:\WINDOWS\system32\config\SECURITY.LOG
1/16/2006 1:09:52 PM H 94208 C:\WINDOWS\system32\config\software.LOG
1/16/2006 1:08:50 PM H 1052672 C:\WINDOWS\system32\config\system.LOG
1/13/2006 6:51:22 PM H 1024 C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT.LOG
1/8/2006 10:37:26 PM S 558 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\E6024EAC88E6B6165D49FE3C95ADD735
1/8/2006 10:37:26 PM S 144 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\E6024EAC88E6B6165D49FE3C95ADD735
1/8/2006 5:24:16 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\6a101796-14f6-4ba6-a49d-a94487432566
1/8/2006 5:24:16 PM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
1/16/2006 12:51:34 PM H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 8/4/2004 1:56:58 AM 68608 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Intel Corporation 8/8/2001 1:00:08 AM 94208 C:\WINDOWS\SYSTEM32\igfxcpl.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Microsoft Corporation 8/18/2001 6:00:00 AM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 8/18/2001 6:00:00 AM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
NVIDIA Corporation 3/26/2002 12:29:00 AM 106496 C:\WINDOWS\SYSTEM32\nvtuicpl.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
RealNetworks, Inc. 2/22/2003 4:07:18 PM 24576 C:\WINDOWS\SYSTEM32\prefscpl.cpl
Apple Computer, Inc. 8/26/1996 1:12:00 AM R 341504 C:\WINDOWS\SYSTEM32\QTW32.CPL
Apple Computer, Inc. 6/3/1998 9:08:36 AM 202240 C:\WINDOWS\SYSTEM32\QuickTime.cpl
Microsoft 3/3/1999 1:10:02 AM 49152 C:\WINDOWS\SYSTEM32\speech.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/18/2001 6:00:00 AM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 5/26/2005 3:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 8/18/2001 6:00:00 AM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 8/18/2001 6:00:00 AM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 8/18/2001 6:00:00 AM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Intel Corporation 3/12/2002 4:23:58 AM 94208 C:\WINDOWS\SYSTEM32\ReinstallBackups\0000\DriverFiles\igfxcpl.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
2/22/2003 4:07:42 PM 842 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 7.0 Tray Icon.lnk
4/19/2002 10:16:46 PM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
10/30/2005 7:41:08 AM 869 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp center UI.lnk
1/8/2006 3:04:58 PM 1811 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp center.lnk
9/15/2002 1:18:18 PM 1212 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HPAiODevice(hp officejet v series) - 1.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
4/19/2002 3:08:38 PM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini

Checking files in %USERPROFILE%\Startup folder...
4/19/2002 10:16:46 PM HS 84 C:\Documents and Settings\Owner\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
4/19/2002 3:08:38 PM HS 62 C:\Documents and Settings\Owner\Application Data\desktop.ini

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ftqxkmmg
{c9ba7733-def9-4c08-a536-6252d51444ab} = C:\WINDOWS\system32\frlwk.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton AntiVirus\NavShExt.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Yahoo! Mail
{5464D816-CF16-4784-B9F3-75C0DB52B499} = C:\PROGRA~1\Yahoo!\Common\ymmapi.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton AntiVirus\NavShExt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
= C:\PROGRA~1\SPYBOT~1\SDHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}
CNavExtBho Class = C:\Program Files\Norton AntiVirus\NavShExt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
&Yahoo! Messenger = C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{8F4902B6-6C04-4ade-8052-AA58578A21BD}
hp toolkit = C:\WINDOWS\System32\Shdocvw.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{FE54FA40-D68C-11d2-98FA-00C0F0318AFE}
Real.com = C:\WINDOWS\System32\Shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} = &hp toolkit : C:\HP\EXPLOREBAR\HPTOOLKT.DLL
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = &Yahoo! Companion : C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = Norton AntiVirus : C:\Program Files\Norton AntiVirus\NavShExt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
ButtonText = Messenger :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
ButtonText = Real.com :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{E023F504-0C5A-4750-A1E7-A9046DEA8A21}
ButtonText = MoneySide :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{30D02401-6A81-11D0-8274-00C04FD5AE38}
Search Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
=
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
&Yahoo! Messenger = C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{9404901D-06DA-4B23-A0EE-3EA4F64EC9B3}
MoneySide = c:\Program Files\Microsoft Money\System\mnyviewer.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
History Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} = &hp toolkit : C:\HP\EXPLOREBAR\HPTOOLKT.DLL
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = Norton AntiVirus : C:\Program Files\Norton AntiVirus\NavShExt.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = &Yahoo! Companion : C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
{77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} = :
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = Norton AntiVirus : C:\Program Files\Norton AntiVirus\NavShExt.dll
{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} = :
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
hpsysdrv c:\windows\system\hpsysdrv.exe
PreloadApp c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
KBD C:\HP\KBD\KBD.EXE
Recguard C:\WINDOWS\SMINST\RECGUARD.EXE
dla C:\WINDOWS\system32\dla\tfswctrl.exe
IgfxTray C:\WINDOWS\System32\igfxtray.exe
HotKeysCmds C:\WINDOWS\System32\hkcmd.exe
NvCplDaemon RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
nwiz nwiz.exe /install
S3apphk S3apphk.exe
PS2 C:\WINDOWS\system32\ps2.exe
Share-to-Web Namespace Daemon C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
ccApp "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
Symantec NetDriver Monitor C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
RealTray C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
winsync C:\WINDOWS\system32\wrkcop.exe reg_run
KernelFaultCheck %systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
MSMSGS "C:\Program Files\Messenger\msmsgs.exe" /background
Microsoft Works Update Detection c:\Program Files\Microsoft Works\WkDetect.exe
Yahoo! Pager "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
Creative Detector C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
Zero Knowledge Freedom C:\Program Files\Zero Knowledge\Freedom\Freedom.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 0
bootini 0
services 0
startup 0


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = userinit.exe
Shell = explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui
= igfxsrvc.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 1/16/2006 5:34:13 PM

#####################################################################################################

Track Qoo Log:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\\windows\\system\\hpsysdrv.exe"
"PreloadApp"="c:\\hp\\drivers\\printers\\photosmart\\hphprld.exe c:\\hp\\drivers\\printers\\photosmart\\setup.exe -d"
"KBD"="C:\\HP\\KBD\\KBD.EXE"
"Recguard"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE"
"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"IgfxTray"="C:\\WINDOWS\\System32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"NvCplDaemon"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize"
"nwiz"="nwiz.exe /install"
"S3apphk"="S3apphk.exe"
"PS2"="C:\\WINDOWS\\system32\\ps2.exe"
"Share-to-Web Namespace Daemon"="C:\\Program Files\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnd.exe"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"
"RealTray"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"winsync"="C:\\WINDOWS\\system32\\wrkcop.exe reg_run"
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00

-----------------
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers


Subkey --- ftqxkmmg
{c9ba7733-def9-4c08-a536-6252d51444ab}
C:\WINDOWS\system32\frlwk.dll

Subkey --- Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03}
C:\WINDOWS\System32\cscui.dll

Subkey --- Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}
C:\Program Files\Norton AntiVirus\NavShExt.dll

Subkey --- Yahoo! Mail
{5464D816-CF16-4784-B9F3-75C0DB52B499}
C:\PROGRA~1\Yahoo!\Common\ymmapi.dll

Subkey --- {a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin
C:\WINDOWS\system32\SHELL32.dll

=====================

HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers


Subkey --- {0D2E74C4-3C34-11d2-A27E-00C04FC30871}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {24F14F01-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {24F14F02-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {66742402-F9B9-11D1-A202-0000F81FEDEE}
C:\WINDOWS\system32\SHELL32.dll

==============================
C:\Documents and Settings\All Users\Start Menu\Programs\Startup

America Online 7.0 Tray Icon.lnk
desktop.ini
hp center UI.lnk
hp center.lnk
HPAiODevice(hp officejet v series) - 1.lnk
==============================
C:\Documents and Settings\Owner\Start Menu\Programs\Startup

America Online 7.0 Tray Icon.lnk
desktop.ini
hp center UI.lnk
hp center.lnk
HPAiODevice(hp officejet v series) - 1.lnk
desktop.ini
==============================
C:\WINDOWS\system32 cpl files


access.cpl Microsoft Corporation
appwiz.cpl Microsoft Corporation
bthprops.cpl Microsoft Corporation
desk.cpl Microsoft Corporation
firewall.cpl Microsoft Corporation
hdwwiz.cpl Microsoft Corporation
igfxcpl.cpl Intel Corporation
inetcpl.cpl Microsoft Corporation
intl.cpl Microsoft Corporation
irprops.cpl Microsoft Corporation
joy.cpl Microsoft Corporation
main.cpl Microsoft Corporation
mmsys.cpl Microsoft Corporation
ncpa.cpl Microsoft Corporation
netsetup.cpl Microsoft Corporation
nusrmgr.cpl Microsoft Corporation
nvtuicpl.cpl NVIDIA Corporation
odbccp32.cpl Microsoft Corporation
powercfg.cpl Microsoft Corporation
prefscpl.cpl RealNetworks, Inc.
QTW32.CPL Apple Computer, Inc.
QuickTime.cpl Apple Computer, Inc.
speech.cpl Microsoft
sysdm.cpl Microsoft Corporation
telephon.cpl Microsoft Corporation
timedate.cpl Microsoft Corporation
wscui.cpl Microsoft Corporation
wuaucpl.cpl Microsoft Corporation

######################################################################################################

Panda Log:

Incident Status Location

Adware:adware/ieplugin Not disinfected C:\Documents and Settings\Owner\Desktop\Desktop Toolbar
Adware:adware/consumeralertsystem Not disinfected C:\PROGRAM FILES\Cas2Stub
Adware:adware/maxifiles Not disinfected Windows Registry
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Owner\Cookies\owner@stats1.reliablestats[2].txt
Potentially unwanted tool:Application/HideWindow.A Not disinfected C:\hp\bin\FondleWindow.exe
Potentially unwanted tool:Application/KillApp.B Not disinfected C:\hp\bin\KillIt.exe
Potentially unwanted tool:Application/KillApp.A Not disinfected C:\hp\bin\Terminator.exe
Adware:Adware/PurityScan Not disinfected C:\Program Files\Yazzle Sudoku\uninstaller.exe
Virus:Trj/Zapchast.D Disinfected C:\WINDOWS\system32\c.bat
Adware:Adware/PurityScan Not disinfected C:\WINDOWS\system32\l?gonui.exe
Potentially unwanted tool:Application/Zango Not disinfected G:\Sherilyn's Computer\hijackthis\backups\backup-20060112-202955-923.inf
TomWescott is offline  
Old 01-17-2006, 04:17 PM   #7 (permalink)
Registered User
Join Date: Jul 2005
Location: Canada
Posts: 213
OS: xp-pro


Hi Tom

Could you please zip up these files and attach them to your next post.

C:\MSBackgrd.exe
C:\NAVscanAP.exe
C:\W32mon.exe



Let me know if you have any problems.
rikkker is offline  
Old 01-17-2006, 04:49 PM   #8 (permalink)
Registered User
 
Join Date: Jan 2006
Posts: 10
OS: Windows XP SP2


Here they are. I have to say thanks again, because this is wayyyyyyy over my head for trying to go this deep to get rid of these things.



edit: attachment taken/received

Last edited by sUBs; 01-18-2006 at 10:09 AM.
TomWescott is offline  
Old 01-18-2006, 03:53 PM   #9 (permalink)
Registered User
Join Date: Jul 2005
Location: Canada
Posts: 213
OS: xp-pro


Hi Tom


Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

====================Additional Downloads=================

Host.zip - From within Host.zip, double click on MVPS.bat & allow it to run.


Right click on this & select "Save As": DNSManual.bat
Double-click on DNSManual.bat & allow it to run.

---------------

Please download the attached file (rikkker.zip) at the bottom of this post and save it to your desktop.

---------------

Please download Cleanup! and install it. <<<= Skip this step if you still have it installed. Do NOT run it yet.


====================Reboot to Safe Mode=================

Next, please reboot your computer in SafeMode by doing the following:
  1. Restart your computer
  2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  3. Instead of Windows loading as normal, a menu should appear
  4. Select the first option, to run Windows in Safe Mode.

==================Show Hidden Files and Folders=================

Go to My Computer >Tools >Folder Options >View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing / visible. Uncheck the Hide protected operating system files option.


===================File and Folder Deletions================

Delete the following in bold

C:\MSBackgrd.exe
C:\NAVscanAP.exe
C:\W32mon.exe
C:\WINDOWS\filename.exe
C:\WINDOWS\system32\frlwk.dll
C:\WINDOWS\system32\wrkcop.exe
C:\WINDOWS\system32\c.bat
C:\Documents and Settings\Owner\Desktop\Desktop Toolbar
C:\PROGRAM FILES\Cas2Stub
C:\Program Files\Yazzle Sudoku


=======================Tools==========================

Run Cleanup! using the following configuration:
  1. Click Options...
  2. Set the slider to Standard CleanUp!
  3. Uncheck the following:
    • Delete Newsgroup cache
    • Delete Newsgroup Subscriptions
    • Scan local drives for temporary files
  4. Click OK
  5. Press the CleanUp! button to start the program.
  6. Do NOT Reboot/logoff when prompted.

* CleanUp! will not create any backups!!

----------------------

Open rikkker.zip and double click on rikkker.bat and allow it to run. It will produce a log C:\G_Purity.txt
I will need this log in your next post.

==========================================================

Reboot your system in Normal Mode.

==========================================================

In your next post I will need fresh logs from:
1) HijackThis
2) G_Purity.txt
rikkker is offline  
Old 01-18-2006, 04:04 PM   #10 (permalink)
Registered User
Join Date: Jul 2005
Location: Canada
Posts: 213
OS: xp-pro


Hi Tom. Click on this, rikkker.zip, if the file is not at the bottom of my previous post.
rikkker is offline  
Old 01-18-2006, 06:15 PM   #11 (permalink)
Registered User
 
Join Date: Jan 2006
Posts: 10
OS: Windows XP SP2


Quote:
Originally Posted by rikkker
Hi Tom. Click on this, rikkker.zip, if the file is not at the bottom of my previous post.
When I click on the rikkker.zip, it tells me that I do not have access to it.
TomWescott is offline  
Old 01-18-2006, 09:41 PM   #12 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 32,559
OS: 2000 Pro; XP Pro; XP Home


TomWescott

Try this one..... follow Rikkker's instructions for its use.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006


Please do not ask for help via Private Message.

Last edited by tetonbob; 09-19-2006 at 12:56 PM.
tetonbob is offline  
Old 01-19-2006, 11:20 AM   #13 (permalink)
Registered User
 
Join Date: Jan 2006
Posts: 10
OS: Windows XP SP2


This part has me a little confused:

Quote:
Host.zip - From within Host.zip, double click on MVPS.bat & allow it to run.

Right click on this & select "Save As": DNSManual.bat
Double-click on DNSManual.bat & allow it to run.
I click on the file while it is still zipped, tell it to run. A DOS window pops up and disappears in a second or two. Am I then supposed to rename MVPS.bat as DNSManual and select it again to run?
TomWescott is offline  
Old 01-19-2006, 11:32 AM   #14 (permalink)
Registered User
Join Date: Jul 2005
Location: Canada
Posts: 213
OS: xp-pro


Quote:
Originally Posted by TomWescott
This part has me a little confused:
I click on the file while it is still zipped, tell it to run. A dos window pops up and disappears in a second or two. Am I then supposed to rename MVPS.bat as DNSManual and select it again to run?

Hi Tom, sorry for the confusion.

Just right click on the link and then click save as DNSManual.bat

Then doubleclick on DNSManual.bat & allow it to run.
rikkker

01-19-2006, 03:20 PM   #15
Registered User
Join Date: Jan 2006
Posts: 10
OS: Windows XP SP2

Quote:
Originally Posted by rikkker
Hi Tom, sorry for the confusion.

Just right click on the link and then click save as DNSManual.bat

Then doubleclick on DNSManual.bat & allow it to run.
Sorry about that. Did not realize it was a link.

Here are the logs:

G-Purity:
--- EXISTING FILES ---

Volume in drive C is HP_PAVILION
Volume Serial Number is 5C42-0F7A

--- POST RUN FILES ---

Volume in drive C is HP_PAVILION
Volume Serial Number is 5C42-0F7A

Directory of C:\WINDOWS\system32


--- Additional Info ---

######################################

HiJack This:
Logfile of HijackThis v1.99.1
Scan saved at 5:17:33 PM, on 1/19/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\S3apphk.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\America Online 7.0\aoltray.exe
C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\Program Files\Messenger\msmsgs.exe
G:\Sherilyn's Computer\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.iglide.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\wrkcop.exe reg_run
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: HPAiODevice(hp officejet v series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
TomWescott

01-19-2006, 09:10 PM   #16
Registered User
Join Date: Jul 2005
Location: Canada
Posts: 213
OS: xp-pro

Hi Tom

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

==========================================================

Do a HijackThis scan & place a check next to these items

O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\wrkcop.exe reg_run

Close HijackThis

==========================================================

Launch KillBox.exe & select the following options:
delete on Reboot
Select all the filenames listed below & then right-click & select Copy

C:\WINDOWS\system32\wrkcop.exe

* Go to the File menu, and choose Paste from Clipboard
* Click the RED X button.
* Click Yes at the Delete on Reboot prompt.
* Click Yes at the 'Pending Operations prompt'.


==========================================================

Perform an online scan with Internet Explorer with

Kaspersky WebScanner

Next Click on Launch Kaspersky Anti-Virus Web Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    • Extended
    • Scan Options:
    • Scan Archives
    • Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
    • Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Take note of the names and locations of any file it detects but fails to clean.

* Turn off the real time scanner of any existing antivirus program while performing the online scan


==========================================================

In your next post I will need fresh logs from:

1) HijackThis
2) Kaspersky Scan
rikkker
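What rikkker's procedure does by hand, as an added example that is not code from the forum, from HijackThis or from Kaspersky: a small Python triage helper that parses the O4 Run-key lines of a HijackThis log and extracts the executable each entry launches (so the path handed to KillBox can be checked against the O4 line being fixed), and parses the `Infected:` / `Suspicious:` lines of a Kaspersky on-line scanner report into counts per verdict family, separating objects that are System Restore copies (`_restore{...}\RPnn`) from live files. The sample lines are constructed from the logs quoted in this thread; the single `C:\CONSTRUCTED\...` report line and the assumption that `%systemroot%` is `C:\WINDOWS` are mine, not the page's.

```python
"""Triage helpers for two log formats posted in this thread: HijackThis O4
autorun entries and Kaspersky on-line scanner report lines.

Added example; not code from the forum, HijackThis or Kaspersky.  Sample
lines are constructed from the logs quoted in the thread, plus one clearly
labelled constructed non-restore-point detection."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# "O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\wrkcop.exe reg_run"
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# "<object> Infected: <verdict>"  or  "<object> Suspicious: <verdict>"
KAV_RE = re.compile(r"^(?P<obj>.+?) (?P<status>Infected|Suspicious): (?P<verdict>\S+)$")
# Objects held inside a System Restore snapshot: ...\_restore{GUID}\RPnn\...
RESTORE_RE = re.compile(r"\\_restore\{[^}]+\}\\(?P<rp>RP\d+)\\", re.I)


@dataclass(frozen=True)
class Autorun:
    hive: str      # HKLM or HKCU
    name: str      # value name inside the Run key
    command: str   # full command line as logged
    exe: str       # executable the command launches


@dataclass(frozen=True)
class Detection:
    obj: str
    status: str                    # Infected or Suspicious
    verdict: str                   # e.g. Trojan-Downloader.Win32.Qoologic.ac
    restore_point: Optional[str]   # "RP47" when the object is a System Restore copy


def _executable(cmd: str) -> str:
    """First token of a Run-key command line: honours a double-quoted path and
    expands %systemroot% (assumed here to be C:\\WINDOWS).  Bare names such as
    nwiz.exe are left as-is; their resolution depends on the search path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        exe = cmd[1:end] if end > 0 else cmd[1:]
    else:
        exe = cmd.split(" ", 1)[0]
    return re.sub(r"%systemroot%", r"C:\\WINDOWS", exe, flags=re.I)


def parse_autoruns(log: str) -> list[Autorun]:
    """All O4 Run-key entries in a HijackThis log.  'Global Startup' .lnk lines
    have a different shape and are deliberately not matched."""
    entries = []
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries.append(Autorun(m["hive"], m["name"], m["cmd"], _executable(m["cmd"])))
    return entries


def autoruns_for_path(log: str, path: str) -> list[Autorun]:
    """Run entries that launch `path` (compared case-insensitively, as NTFS
    does).  Lets you confirm the file queued for KillBox is the one behind the
    O4 line being fixed, and see whether any other entry launches it too."""
    want = path.lower()
    return [a for a in parse_autoruns(log) if a.exe.lower() == want]


def parse_kav_report(report: str) -> list[Detection]:
    """Detection lines of a Kaspersky on-line scanner report; header and
    statistics lines do not match and are skipped."""
    found = []
    for line in report.splitlines():
        m = KAV_RE.match(line.strip())
        if not m:
            continue
        rp = RESTORE_RE.search(m["obj"])
        found.append(Detection(m["obj"], m["status"], m["verdict"], rp["rp"] if rp else None))
    return found


def summarize(detections: list[Detection]) -> dict:
    """Counts by verdict family, and live files versus System Restore copies."""
    families = Counter(d.verdict.split(".")[0] for d in detections)
    in_rp = [d for d in detections if d.restore_point]
    return {
        "total": len(detections),
        "in_restore_points": len(in_rp),
        "live": len(detections) - len(in_rp),
        "restore_points": sorted({d.restore_point for d in in_rp}, key=lambda s: int(s[2:])),
        "by_family": dict(families),
    }


# Constructed samples taken from the logs quoted in this thread.
HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\wrkcop.exe reg_run
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
"""

# The last detection line is a constructed placeholder (not from the thread)
# so that the live-versus-restore-point split is exercised.
KAV_SAMPLE = r"""
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP47\A0046906.dll Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP47\A0046911.sys Suspicious: Rootkit.Win32.Agent.ao
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP49\A0048110.exe Infected: not-a-virus:AdWare.Win32.VB.n
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP77\A0052746.exe/stream Infected: not-a-virus:AdWare.Win32.BargainBuddy.y
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP92\A0056681.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\CONSTRUCTED\sample.exe Infected: Constructed.Placeholder.verdict
Number of infected objects: 288
"""

if __name__ == "__main__":
    for hit in autoruns_for_path(HJT_SAMPLE, r"C:\WINDOWS\system32\wrkcop.exe"):
        print(f"{hit.hive} Run [{hit.name}] -> {hit.exe}")
    print(summarize(parse_kav_report(KAV_SAMPLE)))
```

Run it against a full pasted HijackThis log and report and it prints every Run entry that launches the file you are about to delete, then the report summary; a high `in_restore_points` count with `live` at zero tells you the remaining detections are snapshot copies rather than files on the running system.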

01-20-2006, 05:25 PM   #17
Registered User
Join Date: Jan 2006
Posts: 10
OS: Windows XP SP2

Here are the logs you requested.

Kaspersky:
-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Friday, January 20, 2006 19:21:11
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 20/01/2006
Kaspersky Anti-Virus database records: 172166
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\

Scan Statistics:
Total number of scanned objects: 109660
Number of viruses found: 75
Number of infected objects: 288
Number of suspicious objects: 1
Duration of the scan process: 6391 sec

Infected Object Name - Virus Name
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP47\A0046906.dll Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP47\A0046907.exe Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP47\A0046908.exe Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP47\A0046909.dll Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP47\A0046910.exe Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP47\A0046911.sys Suspicious: Rootkit.Win32.Agent.ao
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP47\A0046958.exe Infected: Trojan-Downloader.Win32.PurityScan.au
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP47\A0046960.dll Infected: not-a-virus:AdWare.Win32.BookedSpace.g
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP47\A0046962.dll Infected: not-a-virus:AdWare.Win32.BookedSpace.g
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP49\A0048110.exe Infected: not-a-virus:AdWare.Win32.VB.n
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP49\A0048112.exe Infected: Trojan-Downloader.Win32.Small.cdo
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP49\A0048116.exe Infected: Trojan-Dropper.Win32.Agent.abb
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP49\A0048119.exe Infected: Trojan-Downloader.Win32.Small.cdo
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP49\A0048124.exe Infected: Trojan-Downloader.Win32.Small.cdo
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP71\A0051134.exe Infected: Trojan-Downloader.Win32.PurityScan.bb
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP71\A0052136.exe Infected: Trojan-Downloader.Win32.Qoologic.al
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP71\A0052143.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP71\A0052144.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP71\A0052146.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP71\A0052148.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP72\A0052188.exe Infected: Trojan-Downloader.Win32.Adload.k
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP72\A0052311.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP72\A0052312.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP72\A0052313.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP72\A0052328.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP72\A0052331.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP72\A0052333.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP72\A0052334.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP72\A0052350.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP72\A0052351.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP72\A0052352.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP72\A0052367.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP72\A0052368.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP72\A0052370.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP72\A0052384.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP72\A0052385.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP72\A0052387.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP72\A0052403.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP72\A0052404.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP72\A0052405.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP74\A0052432.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP74\A0052434.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP74\A0052435.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP74\A0052457.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP74\A0052459.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP74\A0052460.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP74\A0052462.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP75\A0052475.exe Infected: Trojan-Downloader.Win32.Dyfuca.ei
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP75\A0052689.exe Infected: Trojan-Downloader.Win32.Adload.k
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP75\A0052690.exe Infected: Trojan-Downloader.Win32.Adload.k
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP75\A0052694.exe Infected: Trojan-Downloader.Win32.Small.cdo
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP76\A0052699.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP76\A0052700.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP76\A0052701.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP76\A0052702.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP77\A0052718.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP77\A0052719.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP77\A0052721.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP77\A0052722.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP77\A0052733.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP77\A0052735.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP77\A0052736.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP77\A0052737.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP77\A0052746.exe/stream/data0005 Infected: not-a-virus:AdWare.Win32.BargainBuddy.y
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP77\A0052746.exe/stream Infected: not-a-virus:AdWare.Win32.BargainBuddy.y
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP77\A0052746.exe Infected: not-a-virus:AdWare.Win32.BargainBuddy.y
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP77\A0052761.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP77\A0052762.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP77\A0052763.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP77\A0052764.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP77\A0052783.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP77\A0052784.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP77\A0052785.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP77\A0052786.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP77\A0052797.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP77\A0052798.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP77\A0052799.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP77\A0052800.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP78\A0052872.exe Infected: not-a-virus:AdWare.Win32.WinAD.am
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP78\A0052873.exe Infected: not-a-virus:AdWare.Win32.WinAD.am
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP78\A0052875.dll Infected: not-a-virus:AdWare.Win32.RK.d
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP78\A0052884.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP78\A0052885.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP78\A0052887.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP78\A0052890.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP90\A0053419.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP90\A0053422.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP90\A0053424.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP92\A0056681.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP92\A0056683.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP92\A0056684.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP92\A0056685.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP92\A0056776.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP92\A0056777.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP92\A0056778.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP92\A0056779.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP93\A0056809.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP93\A0056810.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP93\A0056811.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP93\A0056812.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP94\A0056854.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP94\A0056855.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP94\A0056856.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP94\A0056857.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP95\A0056917.exe Infected: Trojan.Win32.LowZones.am
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP95\A0056918.exe Infected: not-a-virus:AdWare.Win32.AdBlaster.d
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP95\A0056928.exe Infected: Trojan-Downloader.Win32.PurityScan.ax
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP95\A0056931.exe Infected: Trojan.Win32.Favadd.o
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP95\A0056933.exe Infected: not-a-virus:AdWare.Win32.CASClient.d
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP95\A0056935.exe Infected: not-a-virus:Server-Proxy.Win32.MarketScore.p
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP95\A0056936.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP95\A0056937.dll Infected: not-a-virus:AdWare.Win32.BookedSpace.g
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP95\A0056938.dll Infected: not-a-virus:AdWare.Win32.PurityScan.ak
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP95\A0056941.dll Infected: Trojan-Clicker.Win32.Small.jf
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP95\A0056942.dll Infected: not-a-virus:AdWare.Win32.Mirar.b
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP95\A0056943.dll Infected: Trojan-Downloader.Win32.Qoologic.ae
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP95\A0056956.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP95\A0056957.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP95\A0056958.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP95\A0056982.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP95\A0056983.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\WINDOWS\876056.exe Infected: not-a-virus:AdWare.Win32.Mirar.d

Scan process completed.



HiJack This:
Logfile of HijackThis v1.99.1
Scan saved at 7:22:29 PM, on 1/20/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\S3apphk.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\Program Files\Messenger\msmsgs.exe
G:\Sherilyn's Computer\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.iglide.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: HPAiODevice(hp officejet v series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
TomWescott is offline  
Old 01-21-2006, 09:43 AM   #18 (permalink)
Registered User
 
 
Join Date: Jul 2005
Location: Canada
Posts: 213
OS: xp-pro


Hi Tom


Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

=========================================================


Delete this file

C:\WINDOWS\876056.exe

=========================================================


Create a new System Restore point
  • click Start >> Run - type SYSDM.CPL & press Enter
  • select the System Restore Tab
  • tick on the checkbox - "Turn off System Restore on all drives"
  • click Apply
  • then untick the same checkbox & click OK


==========================================================

In your next post I will need fresh logs from:

1) HijackThis
rikkker is offline  
Old 01-21-2006, 10:15 AM   #19 (permalink)
Registered User
 
Join Date: Jan 2006
Posts: 10
OS: Windows XP SP2


Here it is.

Logfile of HijackThis v1.99.1
Scan saved at 12:13:36 PM, on 1/21/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\S3apphk.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\Program Files\Messenger\msmsgs.exe
G:\Sherilyn's Computer\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.iglide.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: HPAiODevice(hp officejet v series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
TomWescott is offline  
Old 01-23-2006, 09:21 PM   #20 (permalink)
Registered User
 
rikkker's Avatar
 
Join Date: Jul 2005
Location: Canada
Posts: 213
OS: xp-pro


Well done Tom. Your log is clean. Any more problems? If not you should be good to go. We still have a few items to address.


Reset hidden/system files and folders
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Deselect the Show hidden files and folders option.
  • Select the Hide file extensions for known types option.
  • Select the Hide protected operating system files option.
  • Click Yes to confirm.
  • Click OK.


SECURING INTERNET EXPLORER
From within Internet Explorer click on the Tools menu and then click on Internet Options.
  • Select the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Select Custom Level .
    • Change 'Download signed ActiveX controls' to Prompt
    • Change 'Download unsigned ActiveX controls' to Disable
    • Change 'Initialize and script ActiveX controls not marked as safe' to Disable
    • Change 'Installation of desktop items' to Prompt
    • Change 'Launching programs and files in an IFRAME' to Prompt
    • Change 'Navigate sub-frames across different domains' to Prompt
    • When all these changes have been made, click on the OK button.
    • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Select OK to exit the Internet Properties page.


Microsoft Windows Update
Visit windowsupdate.com regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:

ANTIVIRUS SOFTWARE
It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

See this link for a listing of some online & their stand-alone antivirus programs:

Virus, Spyware, and Malware Protection and Removal Resources

Here are two very good free Antivirus products which are available:

Avast!

AVG

It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. Make sure that you only install one antivirus program as they can conflict with each other.

FIREWALL
Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. A tutorial on Firewalls and a listing of some available ones can be found here

SpywareBlaster to help prevent spyware from installing in the first place.

SpywareGuard to catch and block spyware before it can execute.

SPYBOT - SEARCH & DESTROY
Download and install Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software. A tutorial on installing & using this product can be found here

AD-AWARE
Download and install Ad-Aware. You should use this program to scan your computer on a regular basis just as you would an antivirus software in conjunction with Spybot. A tutorial on installing & using this product can be found here

IE-SPYAD
IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impairs attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. A tutorial on installing this product can be found here

MVPS HOST FILE
The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer. It can be downloaded here - MVPS Hosts file

Winpatrol - Download and install the free version of Winpatrol.
A tutorial for this product is located here:
Using Winpatrol to protect your computer from malicious software

Update all these programs regularly. Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein

Have a Safe and Happy computing day

Please respond to this thread one more time so we can mark this thread as resolved.
rikkker is offline  
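The HOSTS-file mechanism rikkker describes (mapping known ad hosts to 127.0.0.1 so the browser's request never leaves the machine) is the same one hijackers abuse in the other direction, by mapping update or antivirus sites to loopback or to a foreign address. The script below is an added example, not code from the forum post or from the MVPS project: it parses HOSTS syntax, mimics the resolver's first-match lookup, and separates legitimate sinkhole entries from redirects that deserve a look. The sample HOSTS text and the list of "protected" vendor domains are constructed for illustration.

```python
"""Audit a Windows HOSTS file: keep MVPS-style sinkhole entries, flag redirects.

Added example for illustration; not part of the forum post or the MVPS Hosts
project. SAMPLE_HOSTS and PROTECTED_DOMAINS are constructed, not real data.
"""
import ipaddress
from dataclasses import dataclass

# Constructed sample: two MVPS-style sinkhole entries, two hijack-style
# entries, one malformed line and a comment, to exercise every branch.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1  ads.example-adnetwork.test   # [MVPS-style sinkhole]
0.0.0.0    tracker.example-tracker.test
127.0.0.1  windowsupdate.com            # hijack: update site sent to loopback
203.0.113.9  www.symantec.com           # hijack: AV site sent elsewhere
   bad line without address
"""

# Constructed list of domains that should never be overridden locally; in
# practice this is the host names of your update and antivirus vendors.
PROTECTED_DOMAINS = {"windowsupdate.com", "symantec.com", "microsoft.com"}


@dataclass
class HostsEntry:
    address: str
    hostname: str
    line_no: int


def parse_hosts(text: str) -> list[HostsEntry]:
    """Parse HOSTS syntax: '<address> <host> [<host>...]', '#' starts a comment.
    Malformed lines are skipped silently, as the OS resolver does."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # first token is not an IP address: ignore the line
        for host in parts[1:]:
            entries.append(HostsEntry(parts[0], host.lower(), line_no))
    return entries


def is_sinkhole(address: str) -> bool:
    """127.0.0.1 (any loopback) or 0.0.0.0 means the request goes nowhere."""
    ip = ipaddress.ip_address(address)
    return ip.is_loopback or ip.is_unspecified


def resolve(entries: list[HostsEntry], hostname: str):
    """Mimic the resolver: first matching HOSTS entry wins; None if absent."""
    for entry in entries:
        if entry.hostname == hostname.lower():
            return entry.address
    return None


def is_protected(hostname: str) -> bool:
    """True if the host is a protected domain or a subdomain of one."""
    labels = hostname.lower().split(".")
    return any(".".join(labels[i:]) in PROTECTED_DOMAINS for i in range(len(labels)))


def audit(entries: list[HostsEntry]):
    """Return (blocked, suspicious). A protected domain mapped anywhere, even
    to loopback, is suspicious because it silently breaks updates or signature
    downloads; any other host sent to a non-sinkhole address is suspicious too."""
    blocked, suspicious = [], []
    for entry in entries:
        if entry.hostname == "localhost":
            continue
        if is_protected(entry.hostname) or not is_sinkhole(entry.address):
            suspicious.append(entry)
        else:
            blocked.append(entry)
    return blocked, suspicious


if __name__ == "__main__":
    parsed = parse_hosts(SAMPLE_HOSTS)
    ok, bad = audit(parsed)
    for e in ok:
        print(f"line {e.line_no}: {e.hostname} -> {e.address} (sinkhole, fine)")
    for e in bad:
        print(f"line {e.line_no}: {e.hostname} -> {e.address} (SUSPICIOUS)")
```

To run it against a real machine, replace SAMPLE_HOSTS with the contents of `%SystemRoot%\System32\drivers\etc\hosts` and fill PROTECTED_DOMAINS with your own vendors; anything reported as SUSPICIOUS after installing the MVPS file is not part of that list and is worth checking.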
Copyright 2001 - 2009, Tech Support Forum