Old 01-10-2006, 01:38 PM   #1 (permalink)
Registered User
 
Join Date: Aug 2005
Posts: 115
OS: Windows XP


Multiple pop-ups on multiple user system

Greetings all! You guys helped me solve my "specific911" problem during the summer.

This post is about my children's computer:
A Dell Dimension 2400
WindowsXP,
it has multiple users,
DIALUP MODEM,

getting pop-ups from the following which I recognized so far:

the-best-promos.com
security-updater.com
static.egwn.net
products-news.com

maybe more that I did not see yet!!!

I followed directions in the HijackThis do this first thread by MicroBell (thanks for the previous help), what I did not do:

Did not get AVG yet, I know it scans good, but I thought I should try to get these things out first. If I should download it now I will.

Computer came with McAfee, but for some reason, I cannot update it, getting a loop of enter info here, as if it is not registered, and I am not sure yet, working on that. (The computer is legal and its software)

Getting Application Errors for:
pshwr.exe
EGACCESS_1068.dll

after start up.

Downloaded recent HijackThis, can only operate it in safe mode, maybe McAfee thinks it's a virus, does not show correct icon for program in normal users, only in safe mode. If I log on a different user, it just appears as an exe box, and when I click it, McAfee is giving a message that there is a virus on the computer. I admit that I am having trouble with using McAfee and updating it.

Kids play "Runescape" online, and one of them runs "Warcraft"

I did some fixes with HijackThis yesterday, after that I had some trouble with the AOL settings, it is working now after investigating. A few entries in HIJACK I was afraid to fix even though they smelled real bad.

OK ran Lavasoft Adaware updated and VX addon, that fixed something, ran SpybotS&D fixed a lot but for two Carpie Diem Vars and another AD something I forget. Said it would run on start up again but I think it is not fixing those two. Installed latest Spywareblaster yesterday too. Tried the Panda scan but I think it was not working because this computer USES DIAL UP MODEM.

Here is the latest log:

Logfile of HijackThis v1.99.1
Scan saved at 2:12:55 PM, on 1/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: PicShow Class - {4487598C-2EC7-43A2-870E-6D8D720FDD9F} - C:\WINDOWS\system32\pkshicop.dll
O2 - BHO: X1IEHook Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\x1IEBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: TalMgr Class - {70230839-555C-4862-8D42-BB1E2352502C} - C:\WINDOWS\system32\italozgs.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {CA356D79-679B-4b4c-8E49-5AF97014F4C1} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O20 - AppInit_DLLs: ghbjcbjd.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


OK thanking you in advance again!

Stretched
Old 01-10-2006, 05:30 PM   #2 (permalink)
Registered User
 
Join Date: Aug 2005
Posts: 115
OS: Windows XP


Running Pandascan now

I will post another log from HJT and Panda.

I disabled the Windows and McAfee Firewalls and Pandascan is working now (I am on line on my other computer).

I also ran McAfee in Safemode and it "Fixed" Hijackthis.exe which it said was a version of W32 worm, it fixed it without my approval!

So I will have to download it again after the Panda scan is finished.

I will run Hijack this in the user mode if it works this time after I install it, I hope it will work if I can keep McAfee turned off. Otherwise I will run Hijack this in safe mode again and post the log from it and Panda.
Old 01-10-2006, 06:32 PM   #3 (permalink)
Registered User
 
Join Date: Aug 2005
Posts: 115
OS: Windows XP


New HJT And Panda Logs

Alright, I could not run Hijack this in user mode, only safe mode, McAfee still thinks it's a virus.

Here are the logs, and I'll wait for a response before doing anything else.


Logfile of HijackThis v1.99.1
Scan saved at 7:21:47 PM, on 1/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: PicShow Class - {4487598C-2EC7-43A2-870E-6D8D720FDD9F} - C:\WINDOWS\system32\pkshicop.dll
O2 - BHO: X1IEHook Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\x1IEBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: TalMgr Class - {70230839-555C-4862-8D42-BB1E2352502C} - C:\WINDOWS\system32\italozgs.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {CA356D79-679B-4b4c-8E49-5AF97014F4C1} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O20 - AppInit_DLLs: ghbjcbjd.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Looks bad man...
Old 01-11-2006, 05:20 PM   #4 (permalink)
Registered User
 
Join Date: Aug 2005
Posts: 115
OS: Windows XP


Just bumping up the post thanx
Old 01-12-2006, 01:40 PM   #5 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,443
OS: 2000 Pro; XP Pro; XP Home


You have to disable McAfee to run HJT in normal mode. It mistakenly thinks HJT is a virus. We need a normal mode log.

Since you're thinking of getting rid of McAfee, just uninstall it. A good free AV program, AVG is available. Download, install, update and run a full scan.

In the meantime, do this as well, to help get you started:

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Before attacking an adware/spyware problem with hijackthis make sure you have already run the following tools. Download and update the databases on each program before running.
Download Ewido Security Suite
  • Install Ewido Security Suite
  • When installing, under "Additional Options" uncheck..
    • Install background guard
    • Install scan via context menu
  • Double-click the icon on Desktop to launch Ewido
You will need to update Ewido to the latest definition files.
  • On the left hand side of the main screen click update.
  • Then click on Start Update.
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update Ewido
When you have finished updating, EXIT Ewido.

The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! (Alternate Link if main link doesn't work) and install it.

*NOTE* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp! If you have a 64 bit Operating System do NOT run Cleanup and let me know as we will use another utility.


Run Cleanup! using the following configuration:

1. Click Options...
2. Set the slider to Standard CleanUp!
3. Uncheck the following:
  • Delete Newsgroup cache
  • Delete Newsgroup Subscriptions
  • Scan local drives for temporary files
4. Click OK
5. Press the CleanUp! button to start the program. Reboot/logoff when prompted.
* CleanUp! will not create any backups!!

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work.

Run Ewido with its updated definitions: (...it's important that all windows must be closed)
  • Click Scanner
  • Click Complete System Scan to begin scanning.
  • Click OK when prompted to clean files
With the first file it prompts to clean, select the option:
  • "Perform action on all infections"
  • Choose clean and click OK.
Once finished, click the Save report button & save the report to your desktop

** Ewido scan would require at least an hour.

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

O2 - BHO: PicShow Class - {4487598C-2EC7-43A2-870E-6D8D720FDD9F} - C:\WINDOWS\system32\pkshicop.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: TalMgr Class - {70230839-555C-4862-8D42-BB1E2352502C} - C:\WINDOWS\system32\italozgs.dll
O2 - BHO: (no name) - {CA356D79-679B-4b4c-8E49-5AF97014F4C1} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O20 - AppInit_DLLs: ghbjcbjd.dll



Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm and then click OK.


Delete the following Files/Folders if they exist:

C:\WINDOWS\system32\pkshicop.dll
C:\WINDOWS\system32\italozgs.dll
ghbjcbjd.dll <<< Find via Start > Search


Restart in normal mode.

Perform an online scan with Internet Explorer with Panda ActiveScan

Click on the "Free To Use ActiveScan" located on the top right hand corner
  1. Click Check Now and a "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
  2. Enter your e-mail address, country, and state & click Scan Now * The download of the 8 MB Panda's ActiveX control will take place *
Begin the scan by selecting My Computer
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on See report then click Save report
*Turn off the real time scanner of any existing antivirus program while performing the online scan

Run a new HijackThis scan. Save the log file and post it here.

Create an uninstall list:
  • Open HiJackThis
  • Click on the configure button on the bottom right
  • Click on the tab "Misc Tools"
  • Click on the Box that says "Open Uninstall Manager"
  • Click on the button "Save list"
  • Copy and paste the List from the notebook onto your post

Please return with logs from:

Ewido
Panda
HJT
Uninstall list
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009

Last edited by tetonbob; 01-12-2006 at 01:41 PM.
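
The kind of entries singled out in the reply above can be pre-sorted mechanically before a human looks at the log. The following is an added example, not part of the original thread and not HijackThis's own logic: it parses HijackThis v1.99.1 log lines and applies three illustrative triage rules chosen for this example. The function names and rule wording are assumptions; the sample lines are copied from the log posted in this thread, and a flagged line is a prompt for review, not a verdict.

```python
import ntpath  # Windows path handling that works on any host OS
import re
from typing import List, NamedTuple, Optional, Tuple

# Constructed sample: a subset of lines from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\Explorer.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: PicShow Class - {4487598C-2EC7-43A2-870E-6D8D720FDD9F} - C:\WINDOWS\system32\pkshicop.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: TalMgr Class - {70230839-555C-4862-8D42-BB1E2352502C} - C:\WINDOWS\system32\italozgs.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O20 - AppInit_DLLs: ghbjcbjd.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
"""

# Hypothetical rule labels used only by this example.
REASON_NO_FILE = "BHO is registered but its file is missing"
REASON_SYSTEM32 = "BHO DLL sits directly in a system32 directory"
REASON_APPINIT = "AppInit_DLLs is set (loaded into every process that loads user32.dll)"
REASON_UNPARSED = "O2 entry does not match the expected layout"

# An entry line is "<section code> - <body>", e.g. "O2 - BHO: ...".
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.+)$")
# Anchor on the CLSID so a " - " inside the path (as in
# "Spybot - Search & Destroy") is not mistaken for a field separator.
BHO_RE = re.compile(
    r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<target>.+)$"
)


class Finding(NamedTuple):
    code: str
    reason: str
    line: str


def parse_bho(body: str) -> Optional[Tuple[str, str, str]]:
    """Split an O2 body into (name, clsid, target); None if it does not fit."""
    m = BHO_RE.match(body)
    return (m["name"], m["clsid"], m["target"]) if m else None


def triage(log_text: str) -> List[Finding]:
    """Return the entries that the three example rules flag for review."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        entry = ENTRY_RE.match(line)
        if not entry:
            continue  # header, blank line, or running-process path
        code, body = entry["code"], entry["body"]
        if code == "O2":
            bho = parse_bho(body)
            if bho is None:
                findings.append(Finding(code, REASON_UNPARSED, line))
                continue
            target = bho[2]
            if target == "(no file)":
                findings.append(Finding(code, REASON_NO_FILE, line))
            elif ntpath.basename(ntpath.dirname(target)).lower() == "system32":
                findings.append(Finding(code, REASON_SYSTEM32, line))
        elif code == "O20" and body.startswith("AppInit_DLLs:"):
            value = body.split(":", 1)[1].strip()
            if value:  # an empty value is the normal state
                findings.append(Finding(code, REASON_APPINIT, line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.code}] {f.reason}\n    {f.line}")
```
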
Old 01-12-2006, 07:52 PM   #6 (permalink)
Registered User
 
Join Date: Aug 2005
Posts: 115
OS: Windows XP


OK, problems I had:

Removed McAfee, downloaded AVG, could not install it, during the install process it gave an error on a file, not sure what the trouble was.


After running everything you said to run in safe mode, you told me to search for some programs, computer froze on search.

Had to reboot in safemode again, ran hijack this again and verified that the items previously removed by it in safemode were still not there. Then I searched for the dll files, and that other one, were not found, and I still have show hidden files checked and hide protected operating system files unchecked.

Then I started in normal and did the rest as you said. So those were the only problems.

And the answer to: "How is it now" is got a couple of popups from the same as usual during all of this, and when getting on again now, after everything, so far one popup.

But I just came here did not surf for encounters. All the logs below:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 7:16:11 PM, 1/12/2006
+ Report-Checksum: 5C9C9D21

+ Scan result:

HKLM\SOFTWARE\Classes\Common.Buttons -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\PROTOCOLS\Name-Space Handler\res -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Toolbar -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Toolbar\Downloads -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Toolbar\Files -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Toolbar\Install -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Toolbar\PlugIns -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Toolbar\Server -> Spyware.WebSearch : Error during cleaning
HKU\.DEFAULT\Software\toolbar -> Spyware.WebSearch : Cleaned with backup
HKU\S-1-5-18\Software\toolbar -> Spyware.WebSearch : Cleaned with backup
C:\HJT\backups\backup-20060110-014730-776.dll -> Spyware.Hijacker.Generic : Cleaned with backup
C:\HJT\backups\backup-20060110-014730-824.dll -> Spyware.ActivShopper : Cleaned with backup
C:\HJT\backups\backup-20060110-014733-325.dll -> Dialer.Generic : Cleaned with backup
C:\HJT\backups\backup-20060110-014733-998.dll -> Spyware.Comet : Cleaned with backup
C:\HJT\backups\backup-20060110-014734-117.dll -> Dialer.Generic : Cleaned with backup
C:\HJT\backups\backup-20060110-014734-344.dll -> Spyware.WinAD : Cleaned with backup
C:\Program Files\CMAPP\Client\cmappclient.exe -> Spyware.CASClient : Cleaned with backup
C:\Program Files\Zango Programs\Zango Toolbar\ZangoTB.dll -> Adware.Agent : Cleaned with backup
C:\Program Files\Zango Programs\Zango Toolbar\ZangoTBUninstaller.exe -> Adware.180Solutions : Cleaned with backup
C:\WINDOWS\AuroraHandler.dll_tobedeleted -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\dinst.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\dsr.exe -> Trojan.Imiserv.c : Cleaned with backup
C:\WINDOWS\rjbherd.exe -> Dropper.Agent.vl : Cleaned with backup
C:\WINDOWS\SYSTEM32\70tovmto.ini -> Adware.SAHA : Cleaned with backup
C:\WINDOWS\SYSTEM32\f3PSSavr.scr -> Spyware.MyWebSearch : Cleaned with backup
C:\WINDOWS\SYSTEM32\msplock32.dll -> Adware.NaviPromo : Cleaned with backup
C:\WINDOWS\SYSTEM32\nsd253.dll -> Spyware.HotSearchBar : Cleaned with backup
C:\WINDOWS\SYSTEM32\nsd2CB.dll -> Spyware.HotSearchBar : Cleaned with backup
C:\WINDOWS\SYSTEM32\nse256.dll -> Spyware.HotSearchBar : Cleaned with backup
C:\WINDOWS\SYSTEM32\nsg250.dll -> Spyware.HotSearchBar : Cleaned with backup
C:\WINDOWS\SYSTEM32\nshAE0.dll -> Adware.EZula : Cleaned with backup
C:\WINDOWS\SYSTEM32\nsn28F.dll -> Spyware.HotSearchBar : Cleaned with backup
C:\WINDOWS\SYSTEM32\nsu249.dll -> Spyware.HotSearchBar : Cleaned with backup
C:\WINDOWS\SYSTEM32\nsu2A2.dll -> Spyware.HotSearchBar : Cleaned with backup
C:\WINDOWS\SYSTEM32\nsxB91.dll -> Spyware.HotSearchBar : Cleaned with backup
C:\WINDOWS\SYSTEM32\nsy2C5.dll -> Spyware.HotSearchBar : Cleaned with backup
C:\WINDOWS\SYSTEM32\nsz2C8.dll -> Spyware.HotSearchBar : Cleaned with backup
C:\WINDOWS\SYSTEM32\sysnetsvc32.dll -> Dialer.Generic : Cleaned with backup
C:\WINDOWS\SYSTEM32\wirelanb.dll -> Spyware.SafeSurfing : Cleaned with backup


::Report End

ACTIVESCAN

Incident Status Location

Spyware:Spyware/SafeSurf Not disinfected C:\WINDOWS\SYSTEM32\PSHWR.EXE
Adware:Adware/NaviPromo Not disinfected C:\Program Files\MailSkinner\OESkinner.dll
Adware:adware/bigtrafficnet Not disinfected c:\documents and settings\mommy\favorites\1111\1111.url
Spyware:spyware/safesurf Not disinfected C:\WINDOWS\SYSTEM32\InstallerV3.exe
Adware:adware/navipromo Not disinfected C:\WINDOWS\SYSTEM32\kagtolwq_nav.dat
Adware:adware/ieplugin Not disinfected C:\WINDOWS\kwv2.dat
Dialer:dialer.bny Not disinfected C:\WINDOWS\pcconfig.dat
Dialer:dialer generic Not disinfected C:\PROGRAM FILES\dialers
Adware:adware/pacimedia Not disinfected c:\documents and settings\mommy\favorites\1111
Adware:adware/comet Not disinfected C:\Documents and Settings\Mommy\Application Data\Starware
Adware:adware/dyfuca Not disinfected C:\WINDOWS\STWSI
Adware:adware/wupd Not disinfected Windows Registry
Potentially unwanted tool:application/zango Not disinfected HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\ZANGO TOOLBAR
Potentially unwanted tool:application/mywebsearch Not disinfected HKEY_CURRENT_USER\SOFTWARE\TOOLBAR
Adware:adware/activshopper Not disinfected Windows Registry
Potentially unwanted tool:application/funweb Not disinfected HKEY_CLASSES_ROOT\CLSID\{00A6FAF6-072E-44CF-8957-5838F569A31D}
Potentially unwanted tool:application/myway Not disinfected HKEY_CLASSES_ROOT\CLSID\{9AFB8248-617F-460D-9366-D71CDEDA3179}
Dialer:dialer.b Not disinfected HKEY_CLASSES_ROOT\CLSID\{C6760A07-A574-4705-B113-7856315922C3}
Adware:adware/transponder Not disinfected Windows Registry
Adware:Adware/FCHelp Not disinfected C:\Program Files\FCHelp\FCHelp.dll
Adware:Adware/FCHelp Not disinfected C:\Program Files\FCHelp\FCHelp.exe
Adware:Adware/FCHelp Not disinfected C:\Program Files\FCHelp\Uninstall.exe
Adware:Adware/WinTools Not disinfected C:\Program Files\knights_shiryu1\insthlp.dat
Adware:Adware/NaviPromo Not disinfected C:\Program Files\MailSkinner\OESkinner.dll
Adware:Adware/ActivShopper Not disinfected C:\Program Files\TBONAS\TBONcomp.dll
Spyware:Spyware/SafeSurf Not disinfected C:\WINDOWS\SYSTEM32\InstallerV3.exe
Spyware:Spyware/SafeSurf Not disinfected C:\WINDOWS\SYSTEM32\InstallerV4.exe
Adware:Adware/NaviPromo Not disinfected C:\WINDOWS\SYSTEM32\kagtolwq.exe
Spyware:Spyware/SafeSurf Not disinfected C:\WINDOWS\SYSTEM32\lanbruns.exe
Adware:Adware/NaviPromo Not disinfected C:\WINDOWS\SYSTEM32\lyzfmgqu.exe
Spyware:Spyware/SafeSurf Not disinfected C:\WINDOWS\SYSTEM32\pshwr.exe
Adware:Adware/NaviPromo Not disinfected C:\WINDOWS\SYSTEM32\vuwaqtf.exe
Adware:Adware/NaviPromo Not disinfected C:\WINDOWS\SYSTEM32\zbvugea.exe
Logfile of HijackThis v1.99.1
Scan saved at 8:26:33 PM, on 1/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\program files\mailskinner\mailskinner.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: X1IEHook Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\x1IEBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGDACCESS_1068.dll,InstantAccess
O4 - HKCU\..\Run: [pshower] C:\WINDOWS\system32\pshwr.exe
O4 - HKCU\..\Run: [MailSkinner] c:\program files\mailskinner\mailskinner.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-image.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


UNINSTALL LIST

Ad-Aware SE Personal
Adobe Acrobat - Reader 6.0.2 Update
Adobe Reader 6.0.1
America Online (Choose which version to remove)
AOL Coach Version 1.0(Build:20030807.3)
Banctec Service Agreement
BloodRayne Screen Saver Screen Saver
Broadcom Management Programs
CleanUp!
Dell Digital Jukebox Driver
Dell Driver Reset Tool
Dell Media Experience
Dell Support 5.0.0 (734)
EarthLink Setup Files
ewido anti-malware
FileZilla (remove only)
FlatOut Demo
GameSpy 3D
GameSpy Arcade
Get High Speed Internet!
Google Toolbar for Internet Explorer
HijackThis 1.99.1
Intel(R) 537EP V9x DF PCI Modem
Intel(R) Extreme Graphics Driver
Internet Explorer Default Page
IrfanView (remove only)
ItalMgr
Jasc Paint Shop Photo Album
Jasc Paint Shop Pro 8 Dell Edition
Java 2 Runtime Environment, SE v1.4.2_03
JumpStart 1st Grade 2000
JumpStart 3rd Grade v1.0
JumpStart 3rd Grade v1.2
JumpStart 4th Grade v1.3
Jumpstart 5th Grade v1.2
JumpStart Kindergarten 98 v2.5
JumpStart Parent Resource Center
JumpStart Typing v1.1
kagtolwq
kjecuy
knights_shiryu1
LANBridge
Lavasoft VX2 Cleaner
Learn2 Player (Uninstall Only)
Lernout & Hauspie TruVoice for Microsoft Agent
lyzfmgqu
Macromedia Flash Player 8
MailSkinner
Math Blaster Ages 9-12
MCR_screensaver
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft Money 2004
Microsoft Money 2004 System Pack
Microsoft Office 2000 Premium
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
mm_saver ScreenSaver
Modem Event Monitor
Modem Helper
Modem On Hold
MSN
Musicmatch for Windows Media Player
Musicmatch® Jukebox
Napster
Napster Burn Engine
Net Checkers 5
NetZero
NetZeroInstallers
Panda ActiveScan
PShow
QuickTime
QuickTime 3.0
Screensavers Installer
Search Assistant
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB912919)
SpellForce
Spybot - Search & Destroy 1.4
SpywareBlaster v3.5.1
Sysnet
The Best Offers
The Spider-Man 2 Demo
TicTacToe
TotalAccess Smart Installer
Traitors Gate
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB910437)
Viewpoint Media Player
WebSearch Tools
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player 10
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
WinZip
WordPerfect Office 12
Zango Toolbar
zbvugea


end of the uninstall list.

I did run cleanup also it removed like, over a thousand files. I had run the windows disk clean recently...

Alright really appreciate your help again, thank you for taking the time.

(still) Stretched
stretched is offline  
Old 01-12-2006, 08:37 PM   #7 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,443
OS: 2000 Pro; XP Pro; XP Home


This is something of a mess, and will take some time to clean. Since this is a multi-user system, be sure each log is from the same user, and the fix is run on only that user for now. We'll want to get logs from all users before we're done. *sigh*

What exact error message did AVG give, please?

You could try Avast! I use it, and like it.

Please print out these instructions.

Download Brute Force Uninstaller.
Unzip it to its own folder (c:\BFU)

RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download EGDACCESS Remover. Save it in the folder you made earlier (c:\BFU)

Start the Brute Force Uninstaller by double-clicking BFU.exe

In the scriptline to execute copy and paste c:\bfu\EGDACCESS.bfu
Press execute and let it do its job.

Wait for the complete script execution box to popup and press OK.
Press exit to terminate the BFU program.


Please download dsrfix.zip from Atribune and save it to your desktop.
  • Double-Click on dsrfix.zip and extract it to your desktop.
  • This will create a new folder on your desktop named dsrfix.
  • Do Not open that folder yet.

I have attached a file to this post - regdel.zip Download this file to your desktop. Double click on the zip folder, then double click on the reg file within. Click yes to allow it to merge into your registry.

Now reboot your system into safe mode.

Now open the folder dsrfix on your desktop.
  • Double-Click on dsrfix.bat
  • A window will pop up briefly then close, this is normal.

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if found:

The Best Offers
kagtolwq
kjecuy
knights_shiryu1
lyzfmgqu
MailSkinner
Viewpoint Media Player
WebSearch Tools
Zango Toolbar
zbvugea


Run a scan in HijackThis. Check each of the following if they still exist and hit 'Fix Checked' after you check the last one:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKCU\..\Run: [pshower] C:\WINDOWS\system32\pshwr.exe
O4 - HKCU\..\Run: [MailSkinner] c:\program files\mailskinner\mailskinner.exe


Delete these files/folders if they exist:

C:\Program Files\Toolbar
C:\Program Files\Common Files\WinTools
C:\Program Files\Best Offers
C:\Program Files\Viewpoint
C:\Program Files\Zango
C:\WINDOWS\SYSTEM32\PSHWR.EXE
C:\Program Files\MailSkinner\
C:\WINDOWS\SYSTEM32\InstallerV3.exe
C:\WINDOWS\SYSTEM32\kagtolwq_nav.dat
C:\WINDOWS\kwv2.dat
C:\WINDOWS\pcconfig.dat
C:\PROGRAM FILES\dialers
c:\documents and settings\mommy\favorites\1111
C:\Documents and Settings\Mommy\Application Data\Starware
C:\WINDOWS\STWSI
C:\Program Files\FCHelp
C:\Program Files\knights_shiryu1\insthlp.dat
C:\Program Files\TBONAS\TBONcomp.dll
C:\WINDOWS\SYSTEM32\InstallerV3.exe
C:\WINDOWS\SYSTEM32\InstallerV4.exe
C:\WINDOWS\SYSTEM32\kagtolwq.exe
C:\WINDOWS\SYSTEM32\lanbruns.exe
C:\WINDOWS\SYSTEM32\lyzfmgqu.exe
C:\WINDOWS\SYSTEM32\pshwr.exe
C:\WINDOWS\SYSTEM32\vuwaqtf.exe
C:\WINDOWS\SYSTEM32\zbvugea.exe


Reboot into normal mode now.

Download Trend Micro™ Anti-Spyware (by clicking the "Scan and Clean your PC" button).
  • Follow the prompts to install the ActiveX controls
  • It will say "Loading TrendMicro definitions".
  • Click "Start Scan"
After it's done scanning, click "Scan Results"
  • Make sure all items found have a check next to them, then click "Clean Threats Now".
  • Click Exit.
Reboot your computer. I then need you to repeat the same procedure above again... using the TrendMicro tool. I need the log from the second scan/clean...NOT the first...as this will contain what’s left in the system.

If it offers a way to save results, please do, and post them here.

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan

Last edited by tetonbob; 01-18-2006 at 08:19 PM.
tetonbob is offline  
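The delete list in the post above largely mirrors the "Not disinfected" rows of the Panda ActiveScan report posted earlier in the thread. As an added example (not part of the thread and not code from Panda or HijackThis), this Python sketch parses rows in that flattened "Incident Status Location" layout and builds a de-duplicated file list, comparing Windows paths case-insensitively and dropping entries already covered by a listed parent folder. The function names are hypothetical, and only the one status string seen in the thread is handled.

```python
"""Build a de-duplicated file list from a pasted Panda ActiveScan report."""
import ntpath
import re
from collections import namedtuple

Finding = namedtuple("Finding", "category name status location")

# Row layout as pasted in the thread: "<Category>:<name> <status> <location>".
# Only the status string that appears in the thread's report is recognised.
ROW = re.compile(
    r"^(?P<category>[^:]+):(?P<name>.+?) "
    r"(?P<status>Not disinfected) (?P<location>.+)$"
)

# Sample rows copied from the ActiveScan report posted in the thread.
SAMPLE_REPORT = r"""
Incident Status Location

Spyware:Spyware/SafeSurf Not disinfected C:\WINDOWS\SYSTEM32\PSHWR.EXE
Adware:adware/bigtrafficnet Not disinfected c:\documents and settings\mommy\favorites\1111\1111.url
Dialer:dialer generic Not disinfected C:\PROGRAM FILES\dialers
Adware:adware/pacimedia Not disinfected c:\documents and settings\mommy\favorites\1111
Adware:adware/wupd Not disinfected Windows Registry
Potentially unwanted tool:application/mywebsearch Not disinfected HKEY_CURRENT_USER\SOFTWARE\TOOLBAR
Spyware:Spyware/SafeSurf Not disinfected C:\WINDOWS\SYSTEM32\pshwr.exe
Adware:Adware/FCHelp Not disinfected C:\Program Files\FCHelp\FCHelp.dll
"""


def parse_rows(text):
    """Return a Finding for every line that matches the row layout."""
    findings = []
    for line in text.splitlines():
        match = ROW.match(line.strip())
        if match:  # header and blank lines do not match and are skipped
            findings.append(Finding(**match.groupdict()))
    return findings


def classify(location):
    """Sort a Location column value into file, registry key, or unspecified."""
    if re.match(r"^[A-Za-z]:\\", location):
        return "file"
    if location.upper().startswith("HKEY_"):
        return "registry_key"
    if location == "Windows Registry":
        return "registry_unspecified"  # report gives no key to act on
    return "other"


def path_key(path):
    """Comparison key: Windows paths are case-insensitive."""
    return ntpath.normcase(ntpath.normpath(path))


def removal_candidates(findings):
    """File locations in first-seen order, without duplicates or children
    of a folder that is itself listed."""
    seen = {}
    for finding in findings:
        if classify(finding.location) == "file":
            seen.setdefault(path_key(finding.location), finding.location)
    keys = list(seen)
    result = []
    for key in keys:
        covered = any(
            key.startswith(other + "\\") for other in keys if other != key
        )
        if not covered:
            result.append(seen[key])
    return result


def registry_findings(findings):
    """Registry rows need a different tool than file deletion; list them apart."""
    return [
        (f.name, f.location)
        for f in findings
        if classify(f.location).startswith("registry")
    ]


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_REPORT)
    print("Files/folders to review:")
    for path in removal_candidates(rows):
        print("  " + path)
    print("Registry findings:")
    for name, location in registry_findings(rows):
        print("  %s -> %s" % (name, location))
```
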
Old 01-13-2006, 01:57 PM   #8 (permalink)
Registered User
 
Join Date: Aug 2005
Posts: 115
OS: Windows XP


I have been doing everything you said, but right now I am having the "darndest" time with the trend micro site. At first, for some reason I noticed the windows firewall was on again, so I shut it off, but still after an hour there is nothing more than the page that comes up after clicking the bar on the top to ok the active x.

I will try to reboot, turn off the windows firewall if it's on, and go on line and go to the link again, etc....

If I can not get it to work I will go to the second scan link you listed.....
stretched is offline  
Old 01-13-2006, 02:21 PM   #9 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,443
OS: 2000 Pro; XP Pro; XP Home


Please leave your firewall on!

If you cannot perform that scan, it is likely due to an ActiveX install setting in IE, NOT a firewall setting. I've noticed on my systems that it can take a long time to actually load the controls and begin the scan sometimes.

If it gives you that much trouble, ignore it for now, and move on to the Kaspersky scan.
tetonbob is offline  
Old 01-13-2006, 04:38 PM   #10 (permalink)
Registered User
 
Join Date: Aug 2005
Posts: 115
OS: Windows XP


Ok Mr. Bob. Let me start with the bonehead maneuver:

I did what I said I was going to do, (!!!#@?) and when I saw your last message about 99% through the Kaspersky scan I turned the firewall back on....(DA)

Now, you had asked about what message I was getting when installing AVG (I will get Avast too) here we go and it came while copying the files:

Local Machine: Installation failed
Installation:
Error: Action failed for registry key
HKLM\software\mircosoft\windows\currentversion\run\creating registry key....
Access is denied (5)

Alright, I had to hand write that and type it here, so it was "like" that.

I followed all of the directions with the exception of the bonehead maneuver I mentioned above, and was not able to get Trend to work.

Many of the items were present that you told me to look for.

Regarding the command to look for and delete THE BEST OFFERS\
when selecting delete it opened an IE window whose address was c:\windows\boncpar.htm
and on the "page" it included:
"If you want to uninstall ...it can be removed by going to www.bestoffersnetworks.com/uninstall to get uninstall tool"

Now, I may be a bonehead, but...so I just ignored that and uttered some choice words.

When removing Zango from the Uninstall feature it gave a message that an error occurred and it could be that it has already been uninstalled do you want to remove it from the uninstall list. I ignored that too, and said cancel.

In the HJT fix these were the only three that were found:

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

O4 - HKCU\..\Run: [pshower] C:\WINDOWS\system32\pshwr.exe

Regarding the files to delete:


C:\Program Files\Zango
C:\WINDOWS\SYSTEM32\PSHWR.EXE
C:\Program Files\MailSkinner\
C:\WINDOWS\SYSTEM32\InstallerV3.exe
I also deleted Installerv4 and Installerv5
C:\WINDOWS\kwv2.dat
c:\documents and settings\mommy\favorites\1111
C:\WINDOWS\STWSI
C:\Program Files\FCHelp
C:\Program Files\knights_shiryu1\insthlp.dat
C:\Program Files\TBONAS\TBONcomp.dll
C:\WINDOWS\SYSTEM32\InstallerV3.exe
C:\WINDOWS\SYSTEM32\InstallerV4.exe
C:\WINDOWS\SYSTEM32\kagtolwq.exe
C:\WINDOWS\SYSTEM32\zbvugea.exe
also saw three dat files for the last one, did not delete them though (maybe another bonehead maneuver)
I saw this:
C:\WINDOWS\SYSTEM32\kill all spyware
and it smells funny but I left it...
you said to look for lanbruns.exe did not see it but I saw lanbrup.exe and left it
I also discovered "virushunter4.exe" smelled funny too but I left it
this one too left it but:
zseyqgxmad.exe also with three dat files too.

Alright I think I wrote down everything I found and removed, but it could be that I removed one you ordered while not writing it.

Kaspersky scan log to follow (post too long)
stretched is offline  
Old 01-13-2006, 04:40 PM   #11 (permalink)
Registered User
 
Join Date: Aug 2005
Posts: 115
OS: Windows XP


Here is the Kaspersky scan log:

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Friday, January 13, 2006 17:03:00
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 13/01/2006
Kaspersky Anti-Virus database records: 171008
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 96659
Number of viruses found: 50
Number of infected objects: 701
Number of suspicious objects: 0
Duration of the scan process: 3897 sec

Infected Object Name - Virus Name
C:\Documents and Settings\Guest\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\omfg.class-40baf3a5-412e74cc.class Infected: Trojan-Downloader.Java.OpenStream.y
C:\Program Files\CMAPP\Client\cmappupdate.exe/data0002 Infected: not-a-virus:AdWare.Win32.CASClient.a
C:\Program Files\CMAPP\Client\cmappupdate.exe/data0003 Infected: not-a-virus:AdWare.Win32.CASClient.e
C:\Program Files\CMAPP\Client\cmappupdate.exe Infected: not-a-virus:AdWare.Win32.CASClient.e
C:\RECYCLER\S-1-5-21-2034715575-3859179852-3284876818-1006\Dc12\TBONcomp.dll Infected: not-a-virus:AdWare.Win32.ActivShopper.c
C:\RECYCLER\S-1-5-21-2034715575-3859179852-3284876818-1006\Dc13.exe Infected: not-a-virus:AdWare.Win32.NaviPromo.m
C:\RECYCLER\S-1-5-21-2034715575-3859179852-3284876818-1006\Dc2.exe Infected: not-a-virus:AdWare.Win32.SafeSurfing.s
C:\RECYCLER\S-1-5-21-2034715575-3859179852-3284876818-1006\Dc5.exe/data0001 Infected: not-a-virus:AdWare.Win32.SafeSurfing.o
C:\RECYCLER\S-1-5-21-2034715575-3859179852-3284876818-1006\Dc5.exe Infected: not-a-virus:AdWare.Win32.SafeSurfing.o
C:\RECYCLER\S-1-5-21-2034715575-3859179852-3284876818-1006\Dc6.exe/data0006 Infected: Backdoor.Win32.HacDef.bo
C:\RECYCLER\S-1-5-21-2034715575-3859179852-3284876818-1006\Dc6.exe Infected: Backdoor.Win32.HacDef.bo
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP291\A0313805.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP291\A0313806.dll Infected: not-a-virus:AdWare.Win32.NaviPromo.k
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP291\A0313833.dll Infected: not-a-virus:Porn-Dialer.Win32.InstantAccess.f
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP291\A0313868.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP292\A0313949.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP292\A0313954.dll Infected: not-a-virus:AdWare.Win32.NaviPromo.k
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP292\A0313971.dll Infected: not-a-virus:Porn-Dialer.Win32.InstantAccess.f
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP292\A0313973.dll Infected: not-a-virus:AdWare.Win32.NaviPromo.k
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP293\A0314078.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP293\A0314080.dll Infected: not-a-virus:AdWare.Win32.NaviPromo.k
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP293\A0314105.dll Infected: not-a-virus:Porn-Dialer.Win32.InstantAccess.f
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP293\A0314648.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP293\A0314650.dll Infected: not-a-virus:AdWare.Win32.NaviPromo.k
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP293\A0314724.dll Infected: not-a-virus:Porn-Dialer.Win32.InstantAccess.f
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP294\A0314727.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP328\A0358257.dll Infected: not-a-virus:AdWare.Win32.NaviPromo.k
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP328\A0358275.dll Infected: not-a-virus:Porn-Dialer.Win32.InstantAccess.f
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP328\A0359255.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP328\A0359257.dll Infected: not-a-virus:AdWare.Win32.NaviPromo.k
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP328\A0359259.dll Infected: not-a-virus:AdWare.Win32.NaviPromo.k
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP331\A0359388.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP331\A0359417.dll Infected: not-a-virus:AdWare.Win32.NaviPromo.k
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP331\A0360255.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP331\A0360257.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP331\A0360258.dll Infected: not-a-virus:AdWare.Win32.NaviPromo.k
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP332\A0360297.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP332\A0360300.dll Infected: not-a-virus:AdWare.Win32.NaviPromo.k
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP332\A0360337.exe Infected: not-a-virus:AdWare.Win32.BetterInternet.ai
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP333\A0360395.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP333\A0360396.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP333\A0360399.dll Infected: not-a-virus:AdWare.Win32.NaviPromo.k
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP333\A0360441.exe/data0002 Infected: not-a-virus:AdWare.Win32.CASClient.a
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP333\A0360441.exe/data0003 Infected: not-a-virus:AdWare.Win32.CASClient.e
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP333\A0360441.exe Infected: not-a-virus:AdWare.Win32.CASClient.e
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP333\A0360442.exe Infected: not-a-virus:AdWare.Win32.CASClient.e
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP337\A0360465.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP337\A0360466.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP337\A0360467.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP337\A0360469.dll Infected: not-a-virus:AdWare.Win32.NaviPromo.k
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP339\A0360587.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP339\A0360589.dll Infected: not-a-virus:AdWare.Win32.NaviPromo.k
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP340\A0360593.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP340\A0360598.dll Infected: not-a-virus:AdWare.Win32.NaviPromo.k
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP340\A0360600.dll Infected: not-a-virus:AdWare.Win32.NaviPromo.k
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP340\A0365395.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP340\A0365397.dll Infected: not-a-virus:AdWare.Win32.NaviPromo.k
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP340\A0365405.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP340\A0365408.dll Infected: not-a-virus:AdWare.Win32.NaviPromo.k
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP341\A0365436.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP341\A0365437.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP341\A0365438.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP341\A0365441.dll Infected: not-a-virus:AdWare.Win32.NaviPromo.k
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP341\A0366476.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP341\A0366478.dll Infected: not-a-virus:AdWare.Win32.NaviPromo.k
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP341\A0366481.dll Infected: not-a-virus:Porn-Dialer.Win32.InstantAccess.f
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP342\A0366524.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP342\A0366527.dll Infected: not-a-virus:AdWare.Win32.NaviPromo.k
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP342\A0367436.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP342\A0367437.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP342\A0367440.dll Infected: not-a-virus:AdWare.Win32.NaviPromo.k
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP342\A0367463.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP342\A0367465.dll Infected: not-a-virus:AdWare.Win32.NaviPromo.k
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP342\A0367474.dll Infected: not-a-virus:AdWare.Win32.NaviPromo.k
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP343\A0368452.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP343\A0368453.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP343\A0368458.dll Infected: not-a-virus:AdWare.Win32.NaviPromo.k
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP344\A0368501.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP344\A0369459.dll Infected: not-a-virus:AdWare.Win32.NaviPromo.k
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP344\A0369484.dll Infected: not-a-virus:AdWare.Win32.NaviPromo.k
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP345\A0369486.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP345\A0369487.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP345\A0369490.dll Infected: not-a-virus:AdWare.Win32.NaviPromo.k
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP345\A0371452.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP345\A0371455.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP345\A0371456.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP345\A0371457.dll Infected: not-a-virus:AdWare.Win32.NaviPromo.k
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP345\A0371473.dll Infected: not-a-virus:AdWare.Win32.NaviPromo.k
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP346\A0371509.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP346\A0371511.dll Infected: not-a-virus:AdWare.Win32.NaviPromo.k
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP346\A0372452.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP346\A0372454.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP346\A0372455.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP346\A0372458.dll Infected: not-a-virus:AdWare.Win32.NaviPromo.k
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP346\A0372493.dll Infected: not-a-virus:AdWare.Win32.NaviPromo.k
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP347\A0372528.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP347\A0372529.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP347\A0372530.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP347\A0372532.dll Infected: not-a-virus:AdWare.Win32.NaviPromo.k
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP347\A0372567.dll Infected: not-a-virus:AdWare.Win32.NaviPromo.k
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP347\A0372568.dll Infected: not-a-virus:Porn-Dialer.Win32.InstantAccess.f
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP347\A0372569.exe Infected: Trojan.Win32.LowZones.df
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP347\A0372570.exe Infected: Trojan.Win32.LowZones.df
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP348\A0372600.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP348\A0372601.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP348\A0372602.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP348\A0372604.dll Infected: not-a-virus:AdWare.Win32.NaviPromo.k
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP348\A0372625.dll Infected: not-a-virus:AdWare.Win32.NaviPromo.k
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP348\A0372658.dll Infected: not-a-virus:Porn-Dialer.Win32.InstantAccess.f
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP349\A0372677.dll Infected: not-a-virus:AdWare.Win32.NaviPromo.k
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP349\A0372711.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP349\A0372712.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP349\A0372713.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP349\A0372714.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP349\A0372743.dll Infected: not-a-virus:AdWare.Win32.NaviPromo.k
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP349\A0372748.exe/data0002 Infected: not-a-virus:AdWare.Win32.CASClient.a
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP349\A0372748.exe/data0003 Infected: not-a-virus:AdWare.Win32.CASClient.e
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP349\A0372748.exe Infected: not-a-virus:AdWare.Win32.CASClient.e
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP350\A0372760.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP350\A0372762.dll Infected: not-a-virus:AdWare.Win32.NaviPromo.k
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP350\A0372862.exe Infected: not-a-virus:AdWare.Win32.CASClient.e
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP351\A0372876.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP351\A0372878.dll Infected: not-a-virus:AdWare.Win32.NaviPromo.k
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP351\A0372880.dll Infected: not-a-virus:AdWare.Win32.NaviPromo.k
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP351\A0372988.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP351\A0372989.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP351\A0372990.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP351\A0372991.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP351\A0372993.dll Infected: not-a-virus:AdWare.Win32.NaviPromo.k
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP352\A0372998.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP352\A0372999.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP352\A0373032.dll Infected: not-a-virus:AdWare.Win32.NaviPromo.k
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP352\A0373991.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP352\A0373993.dll Infected: not-a-virus:AdWare.Win32.NaviPromo.k
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP353\A0374000.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP353\A0374002.dll Infected: not-a-virus:AdWare.Win32.NaviPromo.k
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP353\A0374967.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP353\A0374972.dll Infected: not-a-virus:AdWare.Win32.NaviPromo.k
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP354\A0375000.dll Infected: not-a-virus:AdWare.Win32.NaviPromo.k
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP354\A0375017.exe/data0002 Infected: not-a-virus:AdWare.Win32.CASClient.a
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP354\A0375017.exe/data0003 Infected: not-a-virus:AdWare.Win32.CASClient.e
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP354\A0375017.exe Infected: not-a-virus:AdWare.Win32.CASClient.e
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP354\A0375018.exe Infected: not-a-virus:AdWare.Win32.CASClient.e
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP354\A0375044.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP354\A0375046.dll Infected: not-a-virus:AdWare.Win32.NaviPromo.k
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP355\A0375078.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP355\A0375079.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP355\A0375081.dll Infected: not-a-virus:AdWare.Win32.NaviPromo.k
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP355\A0375105.dll Infected: not-a-virus:AdWare.Win32.NaviPromo.k
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP355\A0375112.exe Infected: not-a-virus:AdWare.Win32.NaviPromo.k
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP355\A0375123.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP355\A0375142.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP355\A0375143.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP355\A0375144.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP355\A0375170.dll Infected: not-a-virus:AdWare.Win32.NaviPromo.k
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP356\A0375186.dll Infected: not-a-virus:AdWare.Win32.NaviPromo.k
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP356\A0375190.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP356\A0375209.exe Infected: not-a-virus:AdWare.Win32.NaviPromo.k
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP356\A0375210.dll Infected: not-a-virus:AdWare.Win32.NaviPromo.k
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP356\A0375233.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP356\A0375235.dll Infected: not-a-virus:AdWare.Win32.NaviPromo.m
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP357\A0375239.dll Infected: not-a-virus:AdWare.Win32.NaviPromo.m
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP357\A0376231.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP357\A0376232.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP357\A0376233.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP357\A0376235.dll Infected: not-a-virus:AdWare.Win32.NaviPromo.k
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP357\A0376253.exe Infected: not-a-virus:AdWare.Win32.NaviPromo.k
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP357\A0376254.dll Infected: not-a-virus:AdWare.Win32.NaviPromo.m
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP358\A0376297.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP358\A0376302.dll Infected: not-a-virus:AdWare.Win32.NaviPromo.k
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP360\A0376386.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP360\A0376388.dll Infected: not-a-virus:AdWare.Win32.NaviPromo.m
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP360\A0377422.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP360\A0377425.dll Infected: not-a-virus:AdWare.Win32.NaviPromo.m
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP361\A0379449.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP361\A0379451.dll Infected: not-a-virus:AdWare.Win32.NaviPromo.m
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP361\A0379465.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP361\A0379482.dll Infected: not-a-virus:AdWare.Win32.NaviPromo.m
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP361\A0379511.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP361\A0380511.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP361\A0380549.dll Infected: not-a-virus:AdWare.Win32.NaviPromo.m
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP361\A0380557.exe/data0002 Infected: not-a-virus:AdWare.Win32.CASClient.a
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP361\A0380557.exe/data0003 Infected: not-a-virus:AdWare.Win32.CASClient.e
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP361\A0380557.exe Infected: not-a-virus:AdWare.Win32.CASClient.e
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP361\A0380558.exe Infected: not-a-virus:AdWare.Win32.CASClient.e
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP361\A0380559.dll Infected: not-a-virus:AdWare.Win32.CASClient.a
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP362\A0380565.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP362\A0380567.dll Infected: not-a-virus:AdWare.Win32.NaviPromo.m
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP364\A0380586.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP364\A0380589.dll Infected: not-a-virus:AdWare.Win32.NaviPromo.m
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP364\A0380611.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP364\A0380642.dll Infected: not-a-virus:AdWare.Win32.NaviPromo.m
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP364\A0381511.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP364\A0381512.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP364\A0381513.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP364\A0381515.dll Infected: not-a-virus:AdWare.Win32.NaviPromo.m
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP364\A0381531.exe/data0002 Infected: not-a-virus:AdWare.Win32.CASClient.a
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP364\A0381531.exe/data0003 Infected: not-a-virus:AdWare.Win32.CASClient.e
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP364\A0381531.exe Infected: not-a-virus:AdWare.Win32.CASClient.e
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP364\A0381532.exe Infected: not-a-virus:AdWare.Win32.CASClient.e
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP369\A0381644.dll Infected: not-a-virus:AdWare.Win32.NaviPromo.m
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP369\A0382511.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP369\A0382512.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP369\A0382514.dll Infected: not-a-virus:AdWare.Win32.NaviPromo.m
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP369\A0382524.dll Infected: not-a-virus:AdWare.Win32.NaviPromo.m
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP369\A0382550.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP369\A0382568.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP369\A0382600.dll Infected: not-a-virus:AdWare.Win32.NaviPromo.m
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP369\A0382604.dll Infected: not-a-virus:AdWare.Win32.NaviPromo.m
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP369\A0383568.dll Infected: not-a-virus:AdWare.Win32.NaviPromo.m
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP369\A0383571.dll Infected: not-a-virus:AdWare.Win32.NaviPromo.m
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP370\A0383632.dll Infected: not-a-virus:AdWare.Win32.NaviPromo.m
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP370\A0383636.dll Infected: not-a-virus:AdWare.Win32.NaviPromo.m
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP370\A0384637.dll Infected: not-a-virus:AdWare.Win32.NaviPromo.m
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP370\A0385651.dll Infected: not-a-virus:AdWare.Win32.NaviPromo.m
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP370\A0385655.dll Infected: not-a-virus:AdWare.Win32.NaviPromo.k
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP370\A0385658.exe Infected: not-a-virus:AdWare.Win32.NaviPromo.l
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP370\A0385669.exe/data0002 Infected: not-a-virus:AdWare.Win32.CASClient.a
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP370\A0385669.exe/data0003 Infected: not-a-virus:AdWare.Win32.CASClient.e
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP370\A0385669.exe Infected: not-a-virus:AdWare.Win32.CASClient.e
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP370\A0385670.exe Infected: not-a-virus:AdWare.Win32.CASClient.e
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP370\A0385672.exe Infected: not-a-virus:AdWare.Win32.NaviPromo.k
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP371\A0385723.exe Infected: not-a-virus:AdWare.Win32.NaviPromo.l
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP371\A0386649.dll Infected: not-a-virus:AdWare.Win32.NaviPromo.m
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP371\A0386651.exe Infected: not-a-virus:AdWare.Win32.NaviPromo.k
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP371\A0386652.dll Infected: not-a-virus:AdWare.Win32.NaviPromo.m
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP371\A0386669.exe/data0002 Infected: not-a-virus:AdWare.Win32.CASClient.a
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP371\A0386669.exe/data0003 Infected: not-a-virus:AdWare.Win32.CASClient.e
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP371\A0386669.exe Infected: not-a-virus:AdWare.Win32.CASClient.e
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP371\A0386670.exe Infected: not-a-virus:AdWare.Win32.CASClient.e
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP372\A0387667.dll Infected: not-a-virus:AdWare.Win32.NaviPromo.m
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP372\A0387684.dll Infected: not-a-virus:AdWare.Win32.NaviPromo.m
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP372\A0388626.dll Infected: not-a-virus:AdWare.Win32.NaviPromo.m
C:\WINDOWS\Downloaded Program Files\installer_MARKETING48x.exe/stream/data0001 Infected: Trojan-Downloader.Win32.Adload.a
C:\WINDOWS\Downloaded Program Files\installer_MARKETING48x.exe/stream Infected: Trojan-Downloader.Win32.Adload.a
C:\WINDOWS\Downloaded Program Files\installer_MARKETING48x.exe Infected: Trojan-Downloader.Win32.Adload.a
C:\WINDOWS\SYSTEM32\bwklcfan.exe Infected: not-a-virus:AdWare.Win32.NaviPromo.d
C:\WINDOWS\SYSTEM32\lanbruns.exe/data0001 Infected: Trojan-Downloader.NSIS.Agent.i
C:\WINDOWS\SYSTEM32\lanbruns.exe Infected: Trojan-Downloader.NSIS.Agent.i
C:\WINDOWS\SYSTEM32\vuwaqtf.exe Infected: not-a-virus:AdWare.Win32.NaviPromo.c

Scan process completed.

Well I can see that some of them are still there.....

(And again thank you for all of your assistance)
Old 01-13-2006, 06:44 PM   #12 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,443
OS: 2000 Pro; XP Pro; XP Home


Somehow in all that, I failed to ask for a new HJT log. Please follow these instructions, and at the end, post a new HJT log, and a new Uninstall List.

Those questionable files you found are junk, and can be deleted, as can the Kaspersky finds. Do it in safe mode, as part of this fix.

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Be sure to protect this system against the WMF exploit. No sense in trying to clean if this patch is not applied. See the link in my signature.

See this page for instructions on how to clear Java's cache.

CLEAR & RESET SYSTEM RESTORE'S CACHE

Go to Start >> Run - type control sysdm.cpl,,4 & press Enter

* Tick on the checkbox - Turn off System Restore on all drives
* Click Apply

Turn it back 'On' by unticking the same checkbox & click Apply, and then OK

Please download AproposFix from here:
http://swandog46.geekstogo.com/aproposfix.exe

Save it to your desktop but do NOT run it yet.

Then please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

Delete these files/folders

C:\Program Files\CMAPP
C:\WINDOWS\SYSTEM32\bwklcfan.exe
C:\WINDOWS\SYSTEM32\lanbruns.exe
C:\WINDOWS\SYSTEM32\vuwaqtf.exe


Next, please double-click aproposfix.exe and unzip it to the desktop. Open the aproposfix folder on your desktop and run RunThis.bat. Follow the prompts.

When the tool is finished, please reboot back into normal mode, and post a new HijackThis log, along with the entire contents of the log.txt file in the aproposfix folder.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
Old 01-13-2006, 08:46 PM   #13 (permalink)
Registered User
 
Join Date: Aug 2005
Posts: 115
OS: Windows XP


I downloaded and installed the patch (thanx)

Did the clear and reset system restore cache...and the rest, however, when I tried to remove the hits in the Kaspersky scan log - in safe mode after the other fixes you said, these would not delete:

C:\RECYCLER\S-1-5-21-2034715575-3859179852-3284876818-1006\Dc12\TBONcomp.dll Infected: not-a-virus:AdWare.Win32.ActivShopper.c
C:\RECYCLER\S-1-5-21-2034715575-3859179852-3284876818-1006\Dc13.exe Infected: not-a-virus:AdWare.Win32.NaviPromo.m
C:\RECYCLER\S-1-5-21-2034715575-3859179852-3284876818-1006\Dc2.exe Infected: not-a-virus:AdWare.Win32.SafeSurfing.s
C:\RECYCLER\S-1-5-21-2034715575-3859179852-3284876818-1006\Dc5.exe/data0001 Infected: not-a-virus:AdWare.Win32.SafeSurfing.o
C:\RECYCLER\S-1-5-21-2034715575-3859179852-3284876818-1006\Dc5.exe Infected: not-a-virus:AdWare.Win32.SafeSurfing.o
C:\RECYCLER\S-1-5-21-2034715575-3859179852-3284876818-1006\Dc6.exe/data0006 Infected: Backdoor.Win32.HacDef.bo
C:\RECYCLER\S-1-5-21-2034715575-3859179852-3284876818-1006\Dc6.exe Infected: Backdoor.Win32.HacDef.bo

I clicked select all delete and it acted like it was tossing them, then beep and a message can not delete (one of them) access denied may be in use by another user or program.....

Now, should I be trying to delete those files in \Recycler\ or the entire \RECYCLER\ file? That is not clear, but in any case could not delete the files.

Here are the logs: (thanx)

Logfile of HijackThis v1.99.1
Scan saved at 9:33:49 PM, on 1/13/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: X1IEHook Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\x1IEBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGDACCESS_1068.dll,InstantAccess
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [zseyqgxmad] c:\windows\system32\zseyqgxmad.exe zseyqgxmad
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-image.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

****************************

Log of AproposFix v1

************

Running from directory:
C:\Documents and Settings\Mommy\Desktop\aproposfix

************

Registry entries found:


************

No service found!

Removing hidden folder:
No folder found!

Deleting files:


Backing up files:
Done!

Removing registry entries:

REGEDIT4


Done!

Finished!
stretched is offline  
Old 01-13-2006, 09:20 PM   #14 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,443
OS: 2000 Pro; XP Pro; XP Home


That's looking much better....you need to get an AV on that system, as you're currently unprotected. Here's a link to Avast!

Empty your Recycle bin to rid yourself of those Kaspersky entries.

Run CleanUp again.

Download Brute Force Uninstaller.
Unzip it to its own folder (c:\BFU)

RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download EGDACCESS Remover. Save it in the folder you made earlier (c:\BFU)

Start the Brute Force Uninstaller by doubleclicking BFU.exe

In the scriptline to execute copy and paste c:\bfu\EGDACCESS.bfu
Press execute and let it do its job.

Wait for the complete script execution box to popup and press OK.
Press exit to terminate the BFU program.

Run a scan in HijackThis. Check each of the following if they still exist and hit 'Fix Checked' after you check the last one:

O4 - HKCU\..\Run: [zseyqgxmad] c:\windows\system32\zseyqgxmad.exe zseyqgxmad

Delete this file if present:

c:\windows\system32\zseyqgxmad.exe

If it resists deletion, boot to safe mode and delete it from there.

Post a new hijackthis log from normal mode when finished.

Post a new Uninstall List, using the previous instructions.

Run Kaspersky again, save the results, and post them here.

So, I need logs from:

HJT
Uninstall List
Kaspersky online Scan
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Old 01-14-2006, 10:41 AM   #15 (permalink)


I got avast and used it.
And I did the other things.

zseyqgxmad.exe was in the HJT so I checked to fix.

When manually looking, after making sure that show hidden files, etc. was still in effect, I could not see zseyqgxmad.exe, I also used the start/search method and made sure to select search hidden, etc.

Here are the logs, and those last two are still on the uninstall list, and getting the same message that they may have been removed, do you want to remove them from the uninstall list, and still I did not, so if I should please let me know. I see Zango now when looking at the list, I did not click on that one...

Logfile of HijackThis v1.99.1
Scan saved at 11:22:48 AM, on 1/14/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\HJT\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: X1IEHook Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\x1IEBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGDACCESS_1068.dll,InstantAccess
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-image.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


UNINSTALL LIST

Ad-Aware SE Personal
Adobe Acrobat - Reader 6.0.2 Update
Adobe Reader 6.0.1
America Online (Choose which version to remove)
AOL Coach Version 1.0(Build:20030807.3)
avast! Antivirus
Banctec Service Agreement
BloodRayne Screen Saver Screen Saver
Broadcom Management Programs
CleanUp!
Dell Digital Jukebox Driver
Dell Driver Reset Tool
Dell Media Experience
Dell Support 5.0.0 (734)
EarthLink Setup Files
ewido anti-malware
FileZilla (remove only)
FlatOut Demo
GameSpy 3D
GameSpy Arcade
Get High Speed Internet!
Google Toolbar for Internet Explorer
HijackThis 1.99.1
Intel(R) 537EP V9x DF PCI Modem
Intel(R) Extreme Graphics Driver
Internet Explorer Default Page
IrfanView (remove only)
ItalMgr
Jasc Paint Shop Photo Album
Jasc Paint Shop Pro 8 Dell Edition
Java 2 Runtime Environment, SE v1.4.2_03
JumpStart 1st Grade 2000
JumpStart 3rd Grade v1.0
JumpStart 3rd Grade v1.2
JumpStart 4th Grade v1.3
Jumpstart 5th Grade v1.2
JumpStart Kindergarten 98 v2.5
JumpStart Parent Resource Center
JumpStart Typing v1.1
Kaspersky On-line Scanner
LANBridge
Lavasoft VX2 Cleaner
Learn2 Player (Uninstall Only)
Lernout & Hauspie TruVoice for Microsoft Agent
Macromedia Flash Player 8
Math Blaster Ages 9-12
MCR_screensaver
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft Money 2004
Microsoft Money 2004 System Pack
Microsoft Office 2000 Premium
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
mm_saver ScreenSaver
Modem Event Monitor
Modem Helper
Modem On Hold
MSN
Musicmatch for Windows Media Player
Musicmatch® Jukebox
Napster
Napster Burn Engine
Net Checkers 5
NetZero
NetZeroInstallers
Panda ActiveScan
PShow
QuickTime
QuickTime 3.0
Screensavers Installer
Search Assistant
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB912919)
SpellForce
Spybot - Search & Destroy 1.4
SpywareBlaster v3.5.1
Sysnet
The Best Offers
The Spider-Man 2 Demo
TicTacToe
TotalAccess Smart Installer
Traitors Gate
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB910437)
Viewpoint Media Player
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player 10
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
WinZip
WordPerfect Office 12
Zango Toolbar
zbvugea
zseyqgxmad

END

Going to Kaspersky now....will post log after
stretched is offline  
Old 01-14-2006, 11:50 AM   #16 (permalink)


Note: No pop ups yet today.

Here is the Kaspersky scan log:

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Saturday, January 14, 2006 12:47:36
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 14/01/2006
Kaspersky Anti-Virus database records: 171797
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 79286
Number of viruses found: 11
Number of infected objects: 19
Number of suspicious objects: 0
Duration of the scan process: 3550 sec

Infected Object Name - Virus Name
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP395\A0422654.exe Infected: not-a-virus:AdWare.Win32.NaviPromo.m
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP395\A0422655.exe Infected: not-a-virus:AdWare.Win32.NaviPromo.d
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP395\A0422657.exe/data0001 Infected: Trojan-Downloader.NSIS.Agent.i
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP395\A0422657.exe Infected: Trojan-Downloader.NSIS.Agent.i
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP395\A0422660.exe Infected: not-a-virus:AdWare.Win32.SafeSurfing.s
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP395\A0422661.exe Infected: not-a-virus:AdWare.Win32.NaviPromo.c
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP395\A0422662.exe Infected: not-a-virus:AdWare.Win32.NaviPromo.m
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP395\A0422664.exe/data0001 Infected: not-a-virus:AdWare.Win32.SafeSurfing.o
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP395\A0422664.exe Infected: not-a-virus:AdWare.Win32.SafeSurfing.o
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP395\A0422665.exe/data0006 Infected: Backdoor.Win32.HacDef.bo
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP395\A0422665.exe Infected: Backdoor.Win32.HacDef.bo
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP395\A0422671.exe/data0002 Infected: not-a-virus:AdWare.Win32.CASClient.a
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP395\A0422671.exe/data0003 Infected: not-a-virus:AdWare.Win32.CASClient.e
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP395\A0422671.exe Infected: not-a-virus:AdWare.Win32.CASClient.e
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP395\A0422674.dll Infected: not-a-virus:AdWare.Win32.ActivShopper.c
C:\WINDOWS\Downloaded Program Files\installer_MARKETING48x.exe/stream/data0001 Infected: Trojan-Downloader.Win32.Adload.a
C:\WINDOWS\Downloaded Program Files\installer_MARKETING48x.exe/stream Infected: Trojan-Downloader.Win32.Adload.a
C:\WINDOWS\Downloaded Program Files\installer_MARKETING48x.exe Infected: Trojan-Downloader.Win32.Adload.a
C:\WINDOWS\SYSTEM32\msclock32.dll Infected: not-a-virus:AdWare.Win32.NaviPromo.m

Scan process completed.
stretched is offline  
Old 01-14-2006, 02:51 PM   #17 (permalink)


Grrr.....this is what Trend's AntiSpyware was good for...cleaning all these extras. You still can't run it? This will take a bit more time, but we're getting there.

Please download WebRoot SpySweeper from HERE (It's a 2 week trial):
  • Click the Free Trial link on the right - next to "SpySweeper for Home Computers" to download the program.
  • Double-click the file to install it as follows:
    • Click "Next", read the agreement, Click "Next"
    • Choose "Custom" click "Next".
    • Leave the default installation directory as it is, then click "Next".
    • UNcheck "Run SpySweeper at Windows Startup" and "Add Sweep for Spyware to Windows Explorer Context Menu". Click "Next".
    • On the following screen you can leave the e-mail address field blank, if you wish. Click "Next".
    • Finally, click "Install"
  • Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
  • Once the definitions are installed, click Options on the left side.
  • Click the Sweep Options tab.
  • Under What to Sweep please put a check next to the following:
    • Sweep Memory
    • Sweep Registry
    • Sweep Cookies
    • Sweep All User Accounts
    • Enable Direct Disk Sweeping
    • Sweep Contents of Compressed Files
    • Sweep for Rootkits
    • Please UNCHECK Do not Sweep System Restore Folder.
  • Click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply.

Run a scan with HJT. Fix this entry if present:

O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGDACCESS_1068.dll,InstantAccess


Boot to safe mode.

Try to Uninstall these programs from Add/Remove if present...if you get the same message that they may have been removed, do you want to remove them from the uninstall list, then tell it Yes.

The Best Offers
Zango Toolbar
zbvugea
zseyqgxmad


If any resist, or remain, do this with them:
  • Open HiJackThis
  • Click on the configure button on the bottom right
  • Click on the tab "Misc Tools"
  • Click on the Box that says "Open Uninstall Manager"
  • Highlight the desired entries if present, then click "Delete"
  • When it asks if you are sure, click "Yes"


Go to Start>Run then copy and paste, or type the following, then press Enter:

regsvr32 /u occache.dll

Delete these files if present:

C:\WINDOWS\Downloaded Program Files\installer_MARKETING48x.exe
C:\WINDOWS\SYSTEM32\msclock32.dll


Go to Start>Run then copy and paste, or type the following, then press Enter:

regsvr32 occache.dll


Boot to normal mode.

CLEAR & RESET SYSTEM RESTORE'S CACHE

Go to Start >> Run - type control sysdm.cpl,,4 & press Enter

* Tick on the checkbox - Turn off System Restore on all drives
* Click Apply

Turn it back 'On' by unticking the same checkbox & click Apply, and then OK

Perform an online scan with Internet Explorer with Panda ActiveScan

Click on the "Free To Use ActiveScan" located on the top right hand corner
  1. Click Check Now and a "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
  2. Enter your e-mail address, country, and state & click Scan Now * The download of the 8 MB Panda's ActiveX control will take place *
Begin the scan by selecting My Computer
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on See report then click Save report
*Turn off the real time scanner of any existing antivirus program while performing the online scan

Run a new scan with HJT. Save the log, and post it here.

Please return with logs from:

SpySweeper
HJT
Panda online scan
tetonbob is offline  
Old 01-14-2006, 03:27 PM   #18 (permalink)


maybe after I adjusted settings trendmicro is working, it is acting different, I also followed the housecall link this time.

I will do that first if it works and post back if there is a log I will post that too....
stretched is offline  
Old 01-14-2006, 05:10 PM   #19 (permalink)


OK, finally done that. I do not know what is supposed to happen when Trend Micro is done with the scan, but the results came up and this is all that it said:

Detected vulnerabilities

+MS00-34
An error ocurred while trying to retieve more information about this vulnerability...

+MS01-028
An error ocurred while trying to retieve more information about this vulnerability...

That is all I got from it. So I did another HJT in case you would want that to see what happened:

Logfile of HijackThis v1.99.1
Scan saved at 605 PM, on 1/14/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\AMERIC~1.0\waol.exe
C:\PROGRA~1\AMERIC~1.0\shellmon.exe
C:\PROGRA~1\AMERIC~1.0\aolwbspd.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: X1IEHook Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\x1IEBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGDACCESS_1068.dll,InstantAccess
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-image.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{56218849-857B-4B5B-9C85-8FDFB8882AD5}: NameServer = 205.188.146.145
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Now I will begin working on the other things, and my cable connected computer is on the forum so if you post to tell me to do something else or not I can see that...
stretched is offline  
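Progress in this thread is judged by comparing successive HijackThis logs against the entries the helper asked to fix. The sketch below is an added example, not part of any post and not HijackThis's own code: it parses log lines into entries, diffs two scans, and lists requested fixes that a later scan still reports. The function names are hypothetical, and the two sample logs are short excerpts constructed from the 1/13 log and the last 1/14 log posted above.

```python
import re

# A HijackThis result line is "<section> - <detail>", where the section is an
# R, F, N or O code followed by a number. Header and running-process lines
# do not match and are skipped.
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.+)$")
# HijackThis's own markers for an entry whose target file is gone.
MISSING_RE = re.compile(r"\((?:no file|file missing)\)\s*$", re.IGNORECASE)

# Constructed samples: excerpts of two logs from this thread.
LOG_BEFORE = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\Explorer.EXE
O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGDACCESS_1068.dll,InstantAccess
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [zseyqgxmad] c:\windows\system32\zseyqgxmad.exe zseyqgxmad
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
"""

LOG_AFTER = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\Explorer.EXE
O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGDACCESS_1068.dll,InstantAccess
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O17 - HKLM\System\CCS\Services\Tcpip\..\{56218849-857B-4B5B-9C85-8FDFB8882AD5}: NameServer = 205.188.146.145
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
"""

# The two entries the helper asked to fix in posts #14 and #17.
FIX_REQUESTED = [
    r"O4 - HKCU\..\Run: [zseyqgxmad] c:\windows\system32\zseyqgxmad.exe zseyqgxmad",
    r"O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGDACCESS_1068.dll,InstantAccess",
]


def parse_hjt(log_text):
    """Map a normalised (section, detail) key to the original log line."""
    entries = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            # Windows paths and registry names are case-insensitive, so compare
            # on a case-folded, whitespace-collapsed form of the detail.
            key = (m.group(1), " ".join(m.group(2).split()).casefold())
            entries[key] = line
    return entries


def diff_logs(before, after):
    """Return (removed, added): lines that disappeared and lines that are new."""
    removed = sorted(before[k] for k in before.keys() - after.keys())
    added = sorted(after[k] for k in after.keys() - before.keys())
    return removed, added


def unresolved(fix_lines, after):
    """Lines the helper asked to fix that the later scan still reports."""
    wanted = parse_hjt("\n".join(fix_lines))
    return sorted(after[k] for k in wanted.keys() & after.keys())


def orphaned(entries):
    """Entries HijackThis itself marks as pointing at a missing file."""
    return sorted(line for line in entries.values() if MISSING_RE.search(line))


if __name__ == "__main__":
    before, after = parse_hjt(LOG_BEFORE), parse_hjt(LOG_AFTER)
    removed, added = diff_logs(before, after)
    report = (("removed since first scan", removed),
              ("new since first scan", added),
              ("requested fix still present", unresolved(FIX_REQUESTED, after)),
              ("target file missing", orphaned(after)))
    for label, lines in report:
        print(f"== {label}")
        for line in lines:
            print("   " + line)
```

New entries are not necessarily bad: in these excerpts they come from the antivirus installed between the two scans and from the dial-up connection's name server.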
Old 01-14-2006, 06:20 PM   #20 (permalink)


Hey, stretched -

I just realized my info about SpySweeper is out of date. There is no longer a free trial that cleans, it will only scan and then ask you to subscribe. If you've gotten that far already, see if you can bring back what it finds....you'll have to do it manually, I think. I just downloaded and ran it, and there's no option to save a report that I can see without getting a subscription.

If you haven't gotten that far, we'll keep pecking away with other means....your HJT appears clean, but there are adware/spyware files remaining, it seems.

Sorry for the misinformation.
tetonbob is offline  
 

