Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads
Resolved HJT Threads: resolved spyware and popup issues.
#1, 04-14-2006, 05:48 AM
babbs, Registered User (Join Date: Jun 2005; Posts: 34; OS: xp)

popups, worms, and system problems ...pls help !!!

I tried all the scans before posting. I can't seem to stop the popups, and my system likes to shut down if I don't shut the popups quickly enough. So I am posting my HJT log.. pls help !!!


Logfile of HijackThis v1.99.1
Scan saved at 8:44:32 AM, on 4/14/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Brendas%20blank.HTM
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\blank1.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\blank1.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://red.clientapps.yahoo.com/cust...//my.yahoo.com
F3 - REG:win.ini: load=??? ??? ??? ? ?
F2 - REG:system.ini: UserInit=userinit.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Ulead Quick-Drop] "C:\utilities\movie factory\Ulead Quick-Drop 1.0\Quick-Drop.exe" WINDOWCALL
O4 - HKLM\..\Run: [mousepad] C:\windows\mousepad9.exe
O4 - HKLM\..\Run: [w008ec8b.dll] RUNDLL32.EXE w008ec8b.dll,I2 000284cc0008ec8b
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
O4 - HKCU\..\Run: [Voswxaa] C:\WINDOWS\system32\s?stem32\regedit.exe
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-110-12-0000137.exe
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll (file missing)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll (file missing)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {94EB57FE-2720-496C-B33F-D9353C6E23F7} (F-Secure Online Scanner 2.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10...o.cab34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/def...ploader_v6.cab
O20 - Winlogon Notify: SMDEn - C:\WINDOWS\system32\dn8801lue.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
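A triage pass over the HJT log above, added here as an example: it is not part of HijackThis or of the fix Glaswegian posts, and its rules are heuristics written for this example, run over a constructed excerpt of babbs's log. It flags the entries a helper reads first: an external search page (R1), a populated win.ini load= (F3), a Run entry that has rundll32 load a bare-name DLL, a path containing a character HijackThis prints as '?', random-looking file names, and a random-named Winlogon Notify DLL (O20).

```python
# HJT log triage written for this thread as an example; the rules are
# heuristics that mark entries for human review, not a verdict.
import re
from typing import Callable, Dict, List, Tuple

Finding = Tuple[str, str, str]  # (section, reason, original log line)

# Constructed sample: a subset of the lines from babbs's log in post #1, so
# the script runs offline. Backslashes are doubled for the Python literal.
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Default_Search_URL = about:blank
R1 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
F3 - REG:win.ini: load=??? ??? ??? ? ?
F2 - REG:system.ini: UserInit=userinit.exe
O4 - HKLM\\..\\Run: [QuickTime Task] "C:\\Program Files\\QuickTime\\qttask.exe" -atboottime
O4 - HKLM\\..\\Run: [w008ec8b.dll] RUNDLL32.EXE w008ec8b.dll,I2 000284cc0008ec8b
O4 - HKCU\\..\\Run: [Voswxaa] C:\\WINDOWS\\system32\\s?stem32\\regedit.exe
O4 - HKCU\\..\\Run: [services32] C:\\Program Files\\Common Files\\Windows\\mc-110-12-0000137.exe
O20 - Winlogon Notify: SMDEn - C:\\WINDOWS\\system32\\dn8801lue.dll
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\\WINDOWS\\system32\\LEXBCES.EXE
"""

LINE_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^HK\w+\\\.\.\\Run: \[[^\]]*\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^Winlogon Notify: \S+ - (?P<path>.*)$")
FILE_RE = re.compile(r'([^\\"\s]+)\.(?:exe|dll)\b', re.IGNORECASE)  # stems of .exe/.dll tokens

def looks_random(stem: str) -> bool:
    """Letter/digit runs: dn8801lue, w008ec8b and mc-110-12-0000137 have 3+
    runs and 3+ digits; qttask, mousepad9 and Ati2evxx do not."""
    runs = re.findall(r"[a-z]+|\d+", stem.lower())
    digits = sum(len(r) for r in runs if r.isdigit())
    return len(runs) >= 3 and digits >= 3

def check_r(body: str) -> List[str]:
    """R0/R1: IE start/search pages. about:blank and local files are left
    alone; an external URL is what the search hijack in post #1 looks like."""
    value = body.split(" = ", 1)[1] if " = " in body else ""
    if re.match(r"https?://", value):
        return ["start/search page points to an external URL: " + value]
    return []

def check_f(body: str) -> List[str]:
    """F2/F3: win.ini / system.ini. load= should be empty on XP, and '?'
    means HijackThis could not render the characters in the value."""
    if "?" in body:
        return ["value contains characters HijackThis could not render"]
    m = re.search(r"load=(\S.*)$", body)
    return ["win.ini load= is populated: " + m.group(1)] if m else []

def check_o4(body: str) -> List[str]:
    """O4: autostart (Run key) entries."""
    m = O4_RE.match(body)
    if not m:
        return []
    cmd = m.group("cmd")
    reasons: List[str] = []
    if "?" in cmd:
        reasons.append("path contains a character HijackThis could not "
                       "render (a folder named to look like system32)")
    names = FILE_RE.findall(cmd)
    tokens = cmd.split()
    target = names[0] if names else ""
    if tokens and tokens[0].lower().endswith("rundll32.exe") and len(tokens) > 1:
        # DLL given without a directory: resolved via the search path.
        if "\\" not in tokens[1]:
            reasons.append("rundll32 loads a DLL by bare name: " + tokens[1])
        target = names[1] if len(names) > 1 else target
    if looks_random(target):
        reasons.append("random-looking executable name: " + target)
    return reasons

def check_o20(body: str) -> List[str]:
    """O20: Winlogon Notify DLLs load into winlogon.exe at logon; a random
    name here is the Look2Me pattern the fix in post #2 is aimed at."""
    m = O20_RE.match(body)
    if not m:
        return []
    names = FILE_RE.findall(m.group("path"))
    if names and looks_random(names[-1]):
        return ["Winlogon Notify DLL with a random-looking name: " + names[-1]]
    return []

RULES: Dict[str, Callable[[str], List[str]]] = {
    "R0": check_r, "R1": check_r, "F2": check_f, "F3": check_f,
    "O4": check_o4, "O20": check_o20,
}

def triage(log_text: str) -> List[Finding]:
    """Run each section's rule and collect (section, reason, line)."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # process list, headers and blank lines
        section, body = m.group("section"), m.group("body")
        for reason in RULES.get(section, lambda _: [])(body):
            findings.append((section, reason, line))
    return findings
```

Running `triage(SAMPLE_LOG)` returns seven findings on the sample, with the QuickTime, UserInit and Lexmark lines left unflagged.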
#2, 04-14-2006, 07:36 AM
Glaswegian, Moderator / Rangemaster TSF Academy; Analyst, Security Team; Oor Wullie; TSF Surgeon and Resident Comic (Join Date: Sep 2005; Location: Glasgow; Posts: 23,940; OS: Win XP Pro SP3 / Win 7 RC; Blog Entries: 10)

Hi babbs and welcome to TSF.

You may wish to Subscribe to this thread (Thread Tools) so that you are notified when you receive a reply.


Please read these instructions carefully and then print out or copy this page to Notepad in order to assist you when carrying out the fix.


If there is anything you don't understand, please ask BEFORE proceeding with the fixes.


You have a few things so let’s try and get rid of the pop ups first.


Please Download Look2Me-Destroyer and save the file to your desktop.

* Print out these instructions and close ALL windows before continuing.
* Double-click Look2Me-Destroyer.exe to run it.
* Put a check next to "Run this program as a task".
* You will receive a message saying "Look2Me-Destroyer will close and re-open in approximately 10 seconds". Click OK.
* When Look2Me-Destroyer re-opens, click the "Scan for L2M" button; your desktop icons will disappear, this is normal.
* Once it's done scanning, click the "Remove L2M" button.
* You will receive a "Done Scanning" message; click OK.
* When completed, you will receive this message: "Done removing infected files! Look2Me-Destroyer will now shutdown your computer"; click OK.
* Your computer will then shut down.
* Turn your computer back on.
* Please post the contents of C:\Look2Me-Destroyer.txt at the end of this fix.

If you receive a message from your firewall about this program accessing the internet please allow it.

If you receive a runtime error '339' please download MSWINSCK.OCX and place it in your C:\Windows\System32 Directory.



Download and unzip BFU.zip from http://www.merijn.org/files/bfu.zip
Run the program and click the Web button as shown here:


Use this URL to copy into the address bar of the Download script window:
http://metallica.geekstogo.com/alcanshorty.bfu
* Execute the script by clicking the Execute button.
* When it finishes running, click the Save button for a copy of the log.
* Post the log created by the script when you have completed the fix.

If you have any questions about the use of BFU please read here:
http://metallica.geekstogo.com/BFUinstructions.html



Rescan with HijackThis and post a fresh log.
__________________
Iain - Defender of the Haggis and all things Scottish.
I don't help by PM - post in the Forums.

Last edited by Glaswegian; 04-14-2006 at 07:38 AM.
#3, 04-14-2006, 10:51 AM
babbs, Registered User (Join Date: Jun 2005; Posts: 34; OS: xp)

popup cont'd...

Here are the contents of my scans:


Look2Me-Destroyer V1.0.12

Scanning for infected files.....
Scan started at 4/14/2006 1:05:12 PM

Infected! C:\WINDOWS\system32\k408ledu1h08.dll
Infected! C:\System Volume Information\_restore{3D7A16A6-E25D-4F0A-AD55-2D68795D5B33}\RP510\A0161613.dll
Infected! C:\System Volume Information\_restore{3D7A16A6-E25D-4F0A-AD55-2D68795D5B33}\RP510\A0161623.dll
Infected! C:\System Volume Information\_restore{3D7A16A6-E25D-4F0A-AD55-2D68795D5B33}\RP510\A0161659.dll
Infected! C:\System Volume Information\_restore{3D7A16A6-E25D-4F0A-AD55-2D68795D5B33}\RP510\A0161661.dll
Infected! C:\System Volume Information\_restore{3D7A16A6-E25D-4F0A-AD55-2D68795D5B33}\RP510\A0162664.dll
Infected! C:\System Volume Information\_restore{3D7A16A6-E25D-4F0A-AD55-2D68795D5B33}\RP511\A0165668.dll
Infected! C:\System Volume Information\_restore{3D7A16A6-E25D-4F0A-AD55-2D68795D5B33}\RP511\A0165685.dll
Infected! C:\System Volume Information\_restore{3D7A16A6-E25D-4F0A-AD55-2D68795D5B33}\RP511\A0165689.dll
Infected! C:\System Volume Information\_restore{3D7A16A6-E25D-4F0A-AD55-2D68795D5B33}\RP511\A0166688.dll
Infected! C:\System Volume Information\_restore{3D7A16A6-E25D-4F0A-AD55-2D68795D5B33}\RP511\A0167688.dll
Infected! C:\System Volume Information\_restore{3D7A16A6-E25D-4F0A-AD55-2D68795D5B33}\RP511\A0167718.dll
Infected! C:\System Volume Information\_restore{3D7A16A6-E25D-4F0A-AD55-2D68795D5B33}\RP511\A0167726.dll
Infected! C:\System Volume Information\_restore{3D7A16A6-E25D-4F0A-AD55-2D68795D5B33}\RP511\A0167736.dll
Infected! C:\System Volume Information\_restore{3D7A16A6-E25D-4F0A-AD55-2D68795D5B33}\RP511\A0167737.dll
Infected! C:\System Volume Information\_restore{3D7A16A6-E25D-4F0A-AD55-2D68795D5B33}\RP511\A0167748.dll
Infected! C:\System Volume Information\_restore{3D7A16A6-E25D-4F0A-AD55-2D68795D5B33}\RP516\A0168382.dll
Infected! C:\System Volume Information\_restore{3D7A16A6-E25D-4F0A-AD55-2D68795D5B33}\RP517\A0168547.dll
Infected! C:\System Volume Information\_restore{3D7A16A6-E25D-4F0A-AD55-2D68795D5B33}\RP518\A0168758.dll
Infected! C:\System Volume Information\_restore{3D7A16A6-E25D-4F0A-AD55-2D68795D5B33}\RP518\A0169548.dll
Infected! C:\System Volume Information\_restore{3D7A16A6-E25D-4F0A-AD55-2D68795D5B33}\RP518\A0170545.dll
Infected! C:\System Volume Information\_restore{3D7A16A6-E25D-4F0A-AD55-2D68795D5B33}\RP518\A0170555.dll
Infected! C:\System Volume Information\_restore{3D7A16A6-E25D-4F0A-AD55-2D68795D5B33}\RP518\A0170570.dll
Infected! C:\System Volume Information\_restore{3D7A16A6-E25D-4F0A-AD55-2D68795D5B33}\RP518\A0170576.dll
Infected! C:\System Volume Information\_restore{3D7A16A6-E25D-4F0A-AD55-2D68795D5B33}\RP518\A0171576.dll
Infected! C:\System Volume Information\_restore{3D7A16A6-E25D-4F0A-AD55-2D68795D5B33}\RP518\A0171586.dll
Infected! C:\System Volume Information\_restore{3D7A16A6-E25D-4F0A-AD55-2D68795D5B33}\RP518\A0171590.dll
Infected! C:\System Volume Information\_restore{3D7A16A6-E25D-4F0A-AD55-2D68795D5B33}\RP518\A0171593.dll
Infected! C:\System Volume Information\_restore{3D7A16A6-E25D-4F0A-AD55-2D68795D5B33}\RP519\A0171596.dll
Infected! C:\System Volume Information\_restore{3D7A16A6-E25D-4F0A-AD55-2D68795D5B33}\RP519\A0171597.dll
Infected! C:\System Volume Information\_restore{3D7A16A6-E25D-4F0A-AD55-2D68795D5B33}\RP519\A0171635.dll
Infected! C:\System Volume Information\_restore{3D7A16A6-E25D-4F0A-AD55-2D68795D5B33}\RP519\A0171674.dll
Infected! C:\System Volume Information\_restore{3D7A16A6-E25D-4F0A-AD55-2D68795D5B33}\RP519\A0171684.dll
Infected! C:\System Volume Information\_restore{3D7A16A6-E25D-4F0A-AD55-2D68795D5B33}\RP519\A0171758.dll
Infected! C:\System Volume Information\_restore{3D7A16A6-E25D-4F0A-AD55-2D68795D5B33}\RP519\A0171763.dll
Infected! C:\System Volume Information\_restore{3D7A16A6-E25D-4F0A-AD55-2D68795D5B33}\RP519\A0171778.dll
Infected! C:\System Volume Information\_restore{3D7A16A6-E25D-4F0A-AD55-2D68795D5B33}\RP519\A0171781.dll
Infected! C:\System Volume Information\_restore{3D7A16A6-E25D-4F0A-AD55-2D68795D5B33}\RP519\A0171791.dll
Infected! C:\System Volume Information\_restore{3D7A16A6-E25D-4F0A-AD55-2D68795D5B33}\RP519\A0171810.dll
Infected! C:\System Volume Information\_restore{3D7A16A6-E25D-4F0A-AD55-2D68795D5B33}\RP519\A0171816.dll
Infected! C:\System Volume Information\_restore{3D7A16A6-E25D-4F0A-AD55-2D68795D5B33}\RP519\A0171819.dll
Infected! C:\System Volume Information\_restore{3D7A16A6-E25D-4F0A-AD55-2D68795D5B33}\RP519\A0171820.dll
Infected! C:\System Volume Information\_restore{3D7A16A6-E25D-4F0A-AD55-2D68795D5B33}\RP519\A0171824.dll
Infected! C:\System Volume Information\_restore{3D7A16A6-E25D-4F0A-AD55-2D68795D5B33}\RP519\A0171826.dll
Infected! C:\System Volume Information\_restore{3D7A16A6-E25D-4F0A-AD55-2D68795D5B33}\RP519\A0171830.dll
Infected! C:\System Volume Information\_restore{3D7A16A6-E25D-4F0A-AD55-2D68795D5B33}\RP519\A0171895.dll
Infected! C:\System Volume Information\_restore{3D7A16A6-E25D-4F0A-AD55-2D68795D5B33}\RP519\A0171899.dll
Infected! C:\System Volume Information\_restore{3D7A16A6-E25D-4F0A-AD55-2D68795D5B33}\RP519\A0171901.dll
Infected! C:\System Volume Information\_restore{3D7A16A6-E25D-4F0A-AD55-2D68795D5B33}\RP519\A0171905.dll
Infected! C:\System Volume Information\_restore{3D7A16A6-E25D-4F0A-AD55-2D68795D5B33}\RP519\A0172904.dll
Infected! C:\System Volume Information\_restore{3D7A16A6-E25D-4F0A-AD55-2D68795D5B33}\RP520\A0173904.dll
Infected! C:\System Volume Information\_restore{3D7A16A6-E25D-4F0A-AD55-2D68795D5B33}\RP520\A0173916.dll
Infected! C:\System Volume Information\_restore{3D7A16A6-E25D-4F0A-AD55-2D68795D5B33}\RP520\A0173925.dll
Infected! C:\System Volume Information\_restore{3D7A16A6-E25D-4F0A-AD55-2D68795D5B33}\RP520\A0174925.dll
Infected! C:\System Volume Information\_restore{3D7A16A6-E25D-4F0A-AD55-2D68795D5B33}\RP520\A0175916.dll
Infected! C:\System Volume Information\_restore{3D7A16A6-E25D-4F0A-AD55-2D68795D5B33}\RP520\A0175921.dll
Infected! C:\System Volume Information\_restore{3D7A16A6-E25D-4F0A-AD55-2D68795D5B33}\RP520\A0175922.dll
Infected! C:\System Volume Information\_restore{3D7A16A6-E25D-4F0A-AD55-2D68795D5B33}\RP522\A0176014.dll
Infected! C:\System Volume Information\_restore{3D7A16A6-E25D-4F0A-AD55-2D68795D5B33}\RP522\A0176015.dll
Infected! C:\System Volume Information\_restore{3D7A16A6-E25D-4F0A-AD55-2D68795D5B33}\RP522\A0177014.dll
Infected! C:\System Volume Information\_restore{3D7A16A6-E25D-4F0A-AD55-2D68795D5B33}\RP522\A0177051.dll
Infected! C:\System Volume Information\_restore{3D7A16A6-E25D-4F0A-AD55-2D68795D5B33}\RP522\A0177059.dll
Infected! C:\System Volume Information\_restore{3D7A16A6-E25D-4F0A-AD55-2D68795D5B33}\RP522\A0177060.dll
Infected! C:\WINDOWS\system32\dn4s01h7e.dll
Infected! C:\WINDOWS\system32\dnl0013me.dll
Infected! C:\WINDOWS\system32\dRdxof.dll
Infected! C:\WINDOWS\system32\en2ql1f51.dll
Infected! C:\WINDOWS\system32\fpjs0317e.dll
Infected! C:\WINDOWS\system32\g240lchm1f4a.dll
Infected! C:\WINDOWS\system32\h82o0if3e82.dll
Infected! C:\WINDOWS\system32\hazsnt12.dll
Infected! C:\WINDOWS\system32\hr0u05d9e.dll
Infected! C:\WINDOWS\system32\hr8605lse.dll
Infected! C:\WINDOWS\system32\hr8s05l7e.dll
Infected! C:\WINDOWS\system32\irjml5111.dll
Infected! C:\WINDOWS\system32\jt4207hoe.dll
Infected! C:\WINDOWS\system32\jt6607jse.dll
Infected! C:\WINDOWS\system32\k408ledu1h08.dll
Infected! C:\WINDOWS\system32\k8lq0i35e8.dll
Infected! C:\WINDOWS\system32\ktdus.dll
Infected! C:\WINDOWS\system32\ktjml7111.dll
Infected! C:\WINDOWS\system32\lv6o09j3e.dll
Infected! C:\WINDOWS\system32\mHg_hook.dll
Infected! C:\WINDOWS\system32\mjdtcprx.dll
Infected! C:\WINDOWS\system32\o884lilq18qe.dll
Infected! C:\WINDOWS\system32\s288lclu1fq8.dll
Infected! C:\WINDOWS\System32\guard.tmp


Attempting to delete: C:\WINDOWS\system32\o884lilq18qe.dll
C:\WINDOWS\system32\o884lilq18qe.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\s288lclu1fq8.dll
C:\WINDOWS\system32\s288lclu1fq8.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\System32\guard.tmp
C:\WINDOWS\System32\guard.tmp Deleted successfully!

Making registry repairs.

Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Reinstall

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{1D144333-A75A-4CAB-B419-E2D56C762B9F}"
HKCR\Clsid\{1D144333-A75A-4CAB-B419-E2D56C762B9F}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{936F9E4C-637D-4EAC-9816-4ACA5F7A4F7A}"
HKCR\Clsid\{936F9E4C-637D-4EAC-9816-4ACA5F7A4F7A}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{089F0804-9A4C-4432-803C-9294CF313D4C}"
HKCR\Clsid\{089F0804-9A4C-4432-803C-9294CF313D4C}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{134E99F5-D0C8-41F0-8D53-9D808B19BB5F}"
HKCR\Clsid\{134E99F5-D0C8-41F0-8D53-9D808B19BB5F}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{B7E554BE-D491-4EC8-B375-9D4C340AD0E0}"
HKCR\Clsid\{B7E554BE-D491-4EC8-B375-9D4C340AD0E0}

Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administrators - Succeeded

======================================================

BFU v1.00.9
Windows XP SP1 (WinNT 5.01.2600 SP1)
Script started at 1:41:38 PM, on 4/14/2006

Failed: DllUnregister C:\WINDOWS\DH.dll|1 (file not found)
Failed: ServiceStop Network Monitor (service not found)
Failed: ServiceStop cmdService (service not found)
Failed: ServiceDisable Network Monitor (service not found)
Failed: ServiceDisable cmdService (service not found)
Failed: ServiceDelete Network Monitor (service not found)
Failed: ServiceDelete cmdService (service not found)
Failed: RegDelValue HKCU\System\CurrentControlSet\Control\Lsa|p2pnetwork (key not found)
Failed: RegDelValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Associations|LowRiskFileTypes (key not found)
Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler|{4F141CBA-1457-6CCA-03A7-7AA21B61EA0F} (key not found)
Option pause between commands: 300 ms
Option pause between commands: 50 ms
Failed: FolderDelete C:\Program Files\MsConfigs (folder not found)
Failed: FolderDelete C:\Program Files\winupdates (folder not found)
Failed: FolderDelete C:\Program Files\winupdate (folder not found)
Failed: FolderDelete C:\Program Files\winsupdater (folder not found)
Failed: FolderDelete C:\Program Files\MsUpdate (folder not found)
Failed: FolderDelete C:\Program Files\MsMovies (folder not found)
Failed: FolderDelete C:\Program Files\wmplayer (folder not found)
Failed: FolderDelete C:\Program Files\outlook (folder not found)
Failed: FileDelete C:\Program Files\Common Files\Download\mc-*-*.exe (operation failed)
Failed: FileDelete C:\DOCUME~1\BRENDA~1\LOCALS~1\Temp\Perflib_Perfdata_11c.dat (operation failed)
Failed: FileDelete C:\DOCUME~1\BRENDA~1\LOCALS~1\Temp\Perflib_Perfdata_d3c.dat (operation failed)
Failed: FileDelete C:\DOCUME~1\BRENDA~1\LOCALS~1\Temp\~DF5343.tmp (operation failed)
Failed: FileDelete C:\DOCUME~1\BRENDA~1\LOCALS~1\Temp\~DF5428.tmp (operation failed)
Failed: FileDelete C:\DOCUME~1\BRENDA~1\LOCALS~1\Temp\~DF8FE9.tmp (operation failed)
Failed: FolderDelete C:\Program Files\Maxifiles (folder not found)
Failed: FolderDelete C:\Program Files\DNS (folder not found)
Failed: FolderDelete C:\Program Files\EQAdvice (folder not found)
Failed: FolderDelete C:\Program Files\FCAdvice (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\FreeProd1 (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\FreeProd2 (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\InetGet2 (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\VCClient (folder not found)
Failed: FolderDelete C:\Program Files\Network Monitor (folder not found)
Failed: FolderDelete C:\WINDOWS\inet20001 (folder not found)
Failed: FolderDelete C:\Program Files\Update06 (folder not found)
Failed: FileMove C:\WINDOWS\win*-*.exe|C:\bintheredunthat (source file not found)
Script completed.

===========================================


Logfile of HijackThis v1.99.1
Scan saved at 1:47:26 PM, on 4/14/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\NaviSearch\bin\nls.exe
C:\WINDOWS\system32\s?stem32\regedit.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Brendas%20blank.HTM
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\blank1.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://red.clientapps.yahoo.com/cust...//my.yahoo.com
F3 - REG:win.ini: load=??? ??? ??? ? ?
F2 - REG:system.ini: UserInit=userinit.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Ulead Quick-Drop] "C:\utilities\movie factory\Ulead Quick-Drop 1.0\Quick-Drop.exe" WINDOWCALL
O4 - HKLM\..\Run: [w008ec8b.dll] RUNDLL32.EXE w008ec8b.dll,I2 000284cc0008ec8b
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
O4 - HKCU\..\Run: [Voswxaa] C:\WINDOWS\system32\s?stem32\regedit.exe
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll (file missing)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll (file missing)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {94EB57FE-2720-496C-B33F-D9353C6E23F7} (F-Secure Online Scanner 2.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10...o.cab34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/def...ploader_v6.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

Thanks for the help... so far I didn't get that many pop-ups.
Old 04-14-2006, 12:43 PM   #4
Moderator/ Rangemaster TSF Academy; Analyst, Security Team; Oor Wullie; TSF Surgeon and Resident Comic
Glaswegian's Avatar
Join Date: Sep 2005
Location: Glasgow
Posts: 23,940
OS: Win XP Pro SP3 / Win 7 RC

Well done so far – a bit more work now though.


Please read these instructions carefully and then print out or copy this page to Notepad in order to assist you when carrying out the fix.


If there is anything you don't understand, please ask BEFORE proceeding with the fixes.


Please ensure that you follow the instructions in the order I have them listed.


Show Hidden Files
Go to My Computer > Tools > Folder Options > View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System files and Folders are showing / visible. Uncheck the Hide protected operating system files option.



Downloads
Please download Cleanup! or use this Alternate Link if the main link does not work and install it. You will use this later.


Download Ewido Anti-Malware
  • Install Ewido Anti-Malware
  • When installing, under "Additional Options" uncheck..
    • Install background guard
    • Install scan via context menu
  • Double-click the icon on Desktop to launch Ewido

You will need to update Ewido to the latest definition files.
  • On the left hand side of the main screen click update.
  • Then click on Start Update.
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update Ewido.
When you have finished updating, EXIT Ewido.



Download WinPFind and extract it to your C:\ folder. This will create a folder called WinPFind in the C:\ folder. DO NOT run it yet!


Download Track qoo (TQ.zip)
Save it somewhere you will remember like the Desktop. Unzip the Track qoo.vbs inside to your desktop. DO NOT run it yet!



Run CleanUp!
*NOTE* Cleanup deletes EVERYTHING out of temporary folders and does NOT make backups. If you have any files in any TEMP directory and you need to keep them, then please MOVE THEM NOW!

Open Cleanup! by double-clicking the icon on your desktop (or from Start > All Programs). Set the program up as follows:

Click Options
Move the slider button down to Custom CleanUp!
Check the following:
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
Uncheck the following :
  • Scan local drives for temporary files
Click OK, Press the CleanUp! button to start the program and reboot when prompted.
Note: CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these BEFORE running CleanUp! If you have a 64 bit Operating System do NOT run Cleanup and let me know as we will use another utility.



Reboot
Reboot your system in Safe Mode.
  • Restart the computer. The computer begins processing a set of instructions known as BIOS.
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8 (dependent on your system this may be F5 or another key)
  • Instead of Windows loading as normal, a menu should appear
  • Use the arrow key to highlight Safe Mode and press Enter.



Uninstall Programmes
Click > Start > Control Panel > Add / Remove Programs and uninstall the following programs (if present):

Navisearch



HijackThis Entries
Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Brendas%20blank.HTM
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\blank1.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://red.clientapps.yahoo.com/cust...//my.yahoo.com
F3 - REG:win.ini: load=?????? ?????
O4 - HKLM\..\Run: [w008ec8b.dll] RUNDLL32.EXE w008ec8b.dll,I2 000284cc0008ec8b
O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
O4 - HKCU\..\Run: [Voswxaa] C:\WINDOWS\system32\s?stem32\regedit.exe
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll (file missing)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll (file missing)


Please remember to close all other windows, including browsers then click Fix checked.



File Deletions
Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.

C:\Program Files\NaviSearch
C:\WINDOWS\system32\s?stem32 <- - Look for this folder in your existing system32 folder
w008ec8b.dll <- - Go to Start > Search to find this file



Run WinPFind
Inside C:\WinPFind is a file called WinPFind.exe. Double-click on this file to launch the program. Once it is launched, click on the Start Scan button and wait for it to finish. This program will scan a large number of files on your computer for known patterns, so please be patient while it works, as it can take a while, upwards of 30 minutes or more. Once the scan is complete it will make a txt file (log) of what was found.

1. Go to the WinPFind folder
2. Locate WinPFind.txt
3. Please post those results in your next post.



Run Ewido
Run Ewido with its updated definitions (it's important that all windows are closed)
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • NOTE: During some scans with Ewido it is finding cases of false positives.
  • You will need to step through the process of cleaning files one-by-one.
  • If Ewido detects a file you KNOW to be legitimate, select none as the action.
  • DO NOT select "Perform action on all infections"
  • If you are unsure of any entry found select none for now.
  • When the scan is finished, click the Save Report button at the bottom of the screen.
  • Save the report to your desktop
Close Ewido

NOTE: Ewido scan will require at least an hour.



Reboot
Reboot your system in Normal Mode.



Run TrackQoo
Double Click on "Track qoo.vbs"

Note - If your antivirus has Script Blocking, you will get a pop-up window asking you what to do. Allow this entire script to run, it's harmless!

Wait a few seconds and a notepad page will pop up, Copy & Paste those results and place them in the next post along with the results of WinPFind.



Online Scan

Perform an online scan with Internet Explorer with Panda ActiveScan

Click on the "Free To Use ActiveScan" located on the top right hand corner.

1. Click Check Now and a "pop up" window will appear. *Please ensure that your pop up blocker doesn't block it *
2. Enter your e-mail address, country, and state & click Scan Now * The download of the 8 MB Panda's ActiveX control will take place *

Begin the scan by selecting My Computer
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on See report then click Save report

*You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
*Turn off the real time scanner of any existing antivirus program while performing the online scan




Logs required
Ewido Log
Panda Log
WinPFind.txt
TrackQoo file
HijackThis Log


Please also advise how your system is performing now.
__________________
Iain - Defender of the Haggis and all things Scottish.
I don't help by PM - post in the Forums.



Ad-Aware::SpywareBlaster::SpyBot::SpywareGuard::SnoopFree::AVG Free::HOSTS File::HijackThis::Donate::Photographers Corner
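A small defender's check for the entry shapes the fix above singles out: the look-alike s?stem32 folder, the rundll32 Run entry, the O9 entry pointing at a missing file and the hijacked search page. This is an added example, not part of the thread, of HijackThis or of any tool named in it; the sample lines are copied from the log posted above plus one constructed line, and the heuristics are illustrative, not a signature set.

```python
"""Flag HijackThis-style log entries of the kinds the fix above singles out.

Added example for this thread; the heuristics are illustrative only.
"""
import re

# Constructed sample: entries copied from the log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [w008ec8b.dll] RUNDLL32.EXE w008ec8b.dll,I2 000284cc0008ec8b
O4 - HKCU\..\Run: [Voswxaa] C:\WINDOWS\system32\s?stem32\regedit.exe
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
"""
# One constructed line using a real Cyrillic letter (U+0443) in "system32":
# the look-alike-folder trick that the forum page rendered as "s?stem32".
SAMPLE_LOG += ("O4 - HKCU\\..\\Run: [Constructed] C:\\WINDOWS\\system32\\s"
               + chr(0x0443) + "stem32\\regedit.exe\n")

# "O4 - HKLM\..\Run: [name] command" -> kind "O4", body is the rest
ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")


def parse_entry(line):
    """Split one log line into (kind, body); None for non-entry lines."""
    m = ENTRY_RE.match(line.strip())
    return (m.group("kind"), m.group("body")) if m else None


def suspicious_components(path):
    """Path components containing a non-ASCII character or a '?'.

    A '?' is what a web page shows for a character it could not render, so
    both cases point at a folder name that only looks like a system folder.
    """
    return [c for c in path.split("\\")
            if "?" in c or any(ord(ch) > 127 for ch in c)]


def command_path(cmd):
    """First token of a Run command: the quoted path, or up to the first space."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def flag_entry(line):
    """Return the reasons this entry deserves a look (empty list if none)."""
    parsed = parse_entry(line)
    if parsed is None:
        return []
    kind, body = parsed
    reasons = []
    if kind == "O4":
        m = RUN_RE.search(body)
        if m:
            exe = command_path(m.group("cmd"))
            bad = suspicious_components(exe)
            if bad:
                reasons.append("look-alike folder name(s): " + ", ".join(bad))
            if exe.lower() == "rundll32.exe":
                # A Run entry loading a DLL by bare name through rundll32 is
                # the shape of the w008ec8b.dll entry in this thread.
                reasons.append("rundll32 loading a DLL from a Run key")
    elif kind in ("O2", "O3", "O9"):
        if "(file missing)" in body:
            reasons.append("browser extension points at a missing file")
    elif kind in ("R0", "R1"):
        value = body.split("=", 1)[1].strip() if "=" in body else ""
        if value.startswith(("http://", "https://")):
            host = value.split("//", 1)[1].split("/", 1)[0]
            reasons.append("IE start/search setting points at " + host)
    return reasons


def scan_log(text):
    """Map each flagged entry line to its list of reasons."""
    findings = {}
    for line in text.splitlines():
        reasons = flag_entry(line)
        if reasons:
            findings[line.strip()] = reasons
    return findings


if __name__ == "__main__":
    for entry, why in scan_log(SAMPLE_LOG).items():
        print(entry)
        for reason in why:
            print("    ->", reason)
```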
Old 04-15-2006, 05:53 AM   #5
Registered User
babbs's Avatar

Having a problem

I've been trying to go through the process that you gave me, but when I get to WinPFind, I keep getting a Windows alert stating:

Windows - Virtual Memory Minimum too low: your system is low on virtual memory, Windows is increasing the size of your virtual memory paging file. Some applications may be denied...

That being said, I let WinPFind just keep running since yesterday but it won't finish; it ran for about 8 hours straight and it still won't finish... any other suggestions?
Old 04-15-2006, 06:35 AM   #6
Moderator/ Rangemaster TSF Academy; Analyst, Security Team; Oor Wullie; TSF Surgeon and Resident Comic
Glaswegian's Avatar
Hi babbs

Are you running it from Safe Mode - with no other applications open? Did you follow the instructions in the exact order I listed them? CleanUp! should have cleared out your temp files etc and regained some hard disc space. In safe mode there will only be minimal drivers etc running so you should be OK on memory. It might be worth trying the download again, in case the first one was corrupt in some way. Please try again and let me know what happens.
Old 04-15-2006, 07:51 AM   #7
Registered User
babbs's Avatar

Retried

I was in Safe Mode with nothing else running and I did follow the directions in the exact order. I did try to redownload WinPFind and run it again, but I'm still getting the same alert about the virtual memory, so I tried to go back to the beginning of the instructions and ran CleanUp! again. It keeps deleting a few files, so what I did was restart, and it still picks up files to delete. I'm not sure if this has anything to do with it, but there are 2 files it says it's deleting but it doesn't seem to delete, because every time I reboot or shut my PC down these 2 files say they have to be shut down:
C:\WINDOWS\Prefetch\MSJIDQ.EXE-213F3563.pf - deleted
C:\WINDOWS\Prefetch\WEBVCDEX.EXE-2D54BE5C.pf - deleted

Here is a log of my CleanUp!, but if I wasn't going on the internet, should I have been getting temp internet files?


C:\Documents and Settings\Brenda G\Local Settings\Temporary Internet Files\Content.IE5\index.dat currently in use. Will be deleted when Windows is restarted.
C:\Documents and Settings\Brenda G\Local Settings\Temporary Internet Files\Content.IE5\index.dat currently in use. Will be deleted when Windows is restarted.
C:\Documents and Settings\Brenda G\Local Settings\History\History.IE5\index.dat currently in use. Will be deleted when Windows is restarted.
C:\Documents and Settings\Brenda G\Local Settings\History\History.IE5\index.dat currently in use. Will be deleted when Windows is restarted.
'Typed URLs' (Internet Explorer) - removed from the registry.
C:\Documents and Settings\Brenda G\Cookies\index.dat currently in use. Will be deleted when Windows is restarted.
C:\DOCUME~1\BRENDA~1\LOCALS~1\Temp\Perflib_Perfdata_e58.dat currently in use. Will be deleted when Windows is restarted.
C:\DOCUME~1\BRENDA~1\LOCALS~1\Temp\~DF8D94.tmp currently in use. Will be deleted when Windows is restarted.
C:\DOCUME~1\BRENDA~1\LOCALS~1\Temp\~DF9FD5.tmp currently in use. Will be deleted when Windows is restarted.
C:\DOCUME~1\BRENDA~1\LOCALS~1\Temp\Perflib_Perfdata_e58.dat currently in use. Will be deleted when Windows is restarted.
C:\DOCUME~1\BRENDA~1\LOCALS~1\Temp\~DF8D94.tmp currently in use. Will be deleted when Windows is restarted.
C:\DOCUME~1\BRENDA~1\LOCALS~1\Temp\~DF9FD5.tmp currently in use. Will be deleted when Windows is restarted.
C:\Documents and Settings\LocalService.NT AUTHORITY.000\Cookies\index.dat currently in use. Will be deleted when Windows is restarted.
C:\Documents and Settings\LocalService.NT AUTHORITY.000\locals~1\tempor~1\Content.IE5\index.dat currently in use. Will be deleted when Windows is restarted.
C:\Documents and Settings\LocalService.NT AUTHORITY.000\Cookies\index.dat currently in use. Will be deleted when Windows is restarted.
C:\Documents and Settings\LocalService.NT AUTHORITY.000\Local Settings\History\History.IE5\index.dat currently in use. Will be deleted when Windows is restarted.
C:\Documents and Settings\LocalService.NT AUTHORITY.000\Local Settings\Temporary Internet Files\Content.IE5\index.dat currently in use. Will be deleted when Windows is restarted.
C:\Documents and Settings\Brenda G\Cookies\index.dat currently in use. Will be deleted when Windows is restarted.
C:\Documents and Settings\Brenda G\locals~1\tempor~1\Content.IE5\index.dat currently in use. Will be deleted when Windows is restarted.
C:\Documents and Settings\Brenda G\Cookies\index.dat currently in use. Will be deleted when Windows is restarted.
C:\Documents and Settings\Brenda G\Local Settings\History\History.IE5\index.dat currently in use. Will be deleted when Windows is restarted.
C:\Documents and Settings\Brenda G\Local Settings\Temp\Perflib_Perfdata_e58.dat currently in use. Will be deleted when Windows is restarted.
C:\Documents and Settings\Brenda G\Local Settings\Temp\~DF8D94.tmp currently in use. Will be deleted when Windows is restarted.
C:\Documents and Settings\Brenda G\Local Settings\Temp\~DF9FD5.tmp currently in use. Will be deleted when Windows is restarted.
C:\Documents and Settings\Brenda G\Local Settings\Temporary Internet Files\Content.IE5\index.dat currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\Prefetch\CLI.EXE-20D5A08B.pf - deleted
C:\WINDOWS\Prefetch\MSJIDQ.EXE-213F3563.pf - deleted
C:\WINDOWS\Prefetch\WEBVCDEX.EXE-2D54BE5C.pf - deleted
'Run MRU' list - removed from the registry.
WordPad Recent File List - removed from the registry.
Telnet's MRU list - removed from the registry.
CleanUp! 4.0 recovered 79.9 KB of disk space from 3 files.
CleanUp! finished on 04/15/06 10:40:16.
Old 04-15-2006, 08:17 AM   #8
Moderator/ Rangemaster TSF Academy; Analyst, Security Team; Oor Wullie; TSF Surgeon and Resident Comic
Glaswegian's Avatar
Many of those files are created and then deleted by Windows, so don't worry.

Ignore WinPFind just now and proceed with the rest of the fix.
Old 04-15-2006, 03:50 PM   #9
Registered User
babbs's Avatar

Still Having Problems

I tried to skip to the Ewido scan and have so many infected files that it runs for about an hour and a half to two hours, and comes up with the same Windows alert about virtual memory. And again I'm running in Safe Mode with nothing else running. Any new suggestions? There are like 13000 infected files. Can I just check "perform action with all infections" to remove all infected files?
Old 04-16-2006, 03:12 AM   #10
Moderator/ Rangemaster TSF Academy; Analyst, Security Team; Oor Wullie; TSF Surgeon and Resident Comic
Glaswegian's Avatar
Yes remove the infected files. If the log Ewido produces is too long to post, copy and paste it into a Notepad file and attach the file to your next post. There is a button 'Manage Attachments' beneath the 'Post Reply' box. Let me know if you need any help with that.
Old 04-18-2006, 05:27 AM   #11
Registered User
babbs's Avatar

I'm still having problems with Ewido. I check the box to remove all, but when it finished finding 13166 infected objects, it came up with a yes/no box because all the infected files were embedded, so I have my Enter button taped down, because after about 1 1/2 hours it came up with the virtual memory problem again, but it cleaned 6737 objects so far. Should I just keep it how it is with the tape on the Enter key and wait for the files to finish?
Thanks again, I know I'm being a pain but I don't know what else to do.
Old 04-18-2006, 01:13 PM   #12
Moderator/ Rangemaster TSF Academy; Analyst, Security Team; Oor Wullie; TSF Surgeon and Resident Comic
Glaswegian's Avatar
Hi again

As you can see Ewido is very efficient. And you are not being a pain - better to ask a question - always. No matter what we do, those files will need cleaned in some way, so I'm afraid you need to keep going. You are doing a great job - don't give up now! Once Ewido has finished, the online scan will be quicker.

Remember to save the Ewido logs, even if it's bit by bit.

Post back if you need any more help.
Old 05-01-2006, 06:42 PM   #13
Registered User
babbs's Avatar

Ran into another problem...

I finally got Ewido to scan the one directory that had the 13000+ infected objects and I got the log for that part, but I didn't get to finish a complete scan. I tried to reboot so it would speed up my PC, but when I rebooted in Safe Mode again and tried to run Ewido it first came up with "protection expired", so I hit OK, and I got 2 more files deleted, but it wouldn't save that log, it just hung up on me. So I tried to reboot and Ewido just hangs. Should I just try and shut my PC down overnight and see what happens? Or should I just try and proceed with the rest of the instructions that you gave me?

Thanks again
Old 05-02-2006, 05:42 AM   #14
Moderator/ Rangemaster TSF Academy; Analyst, Security Team; Oor Wullie; TSF Surgeon and Resident Comic
Glaswegian's Avatar
Hi babbs

Time to move on - go with the rest of the fix and post any logs you have. That will give us somewhere to start and we can perhaps try Ewido again later.
Glaswegian is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 05-04-2006, 02:56 AM   #15 (permalink)
babbs
Registered User
Join Date: Jun 2005
Posts: 34
OS: xp


some logs

I have most of the logs ...

ewido log dated 4/15

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 9:14:56 PM, 4/15/2006
+ Report-Checksum: 140755FA

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{073C7FC6-8137-7BA8-FC4D-8518F53DD1BA} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{09042C0B-ADA3-569D-410C-F824C588F805} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{0B1EE411-AA39-3697-5178-CE2DA69880D8} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{0DC9678A-0260-8CEB-0563-594D9FB02903} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{12F72849-7A03-E428-0E12-0915087880FF} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{1DCBFC66-4990-8A75-0B4D-74D7B850CC29} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{29CAABAC-A010-A9C2-B119-3F6044E0AF6D} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{322FB8F1-4225-C16E-7E8B-C92AF7A198BD} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{36E15370-5FD0-D1EC-3368-C6A73C8F506F} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{39652FC9-57E8-9F1F-F728-8F55D9E5F49F} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{45735144-763F-14AF-585D-A8C411A2567D} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{4BBEC0FD-DA38-B544-F1BF-7C2CC424B596} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{52BF7431-38AF-F288-81A9-E5DD23CF1ECF} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{538D316B-A3A2-1200-EE47-1BEF8BCDD755} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{57C0C13E-E95C-411D-BCD9-A537E6B2AA24} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{5E880ABF-397E-7169-9342-D26277AB758A} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{6824A711-0D9B-543C-AEA6-1F3DD4847F3E} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{6982F8EB-30D8-8961-789D-1F285B499CAE} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{6A3BB01D-5411-3AF3-1EF2-EC21C6B41EAD} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{6C3402C2-3A3A-A516-2790-602FF5091C3B} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{6F61BA9A-5EA1-7903-5454-DCA081431490} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{70A958A9-264F-9AC5-C44F-6C683E36E06F} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{75F61DED-E153-F229-9AB9-8E94124F8BCC} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{7FDF80D6-8DD1-87AC-455C-99F26D3210FB} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{80E8CD34-35DC-961E-EADE-11A17381D170} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{825929FA-938D-0933-A4AB-393513D1CAF5} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{8D4FBE2D-404E-877D-0359-34F79402CC75} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{90BABD6B-DA3D-2814-4B15-345BCAAC2F67} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{90BB89A8-5B4A-68E8-7401-A7595938B8F3} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{9819E734-ABC7-8536-E943-A461C8EBAC8C} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{9D392CE1-0E98-05C3-BB34-7FC5B9D8D07E} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{9DDAA18F-013F-A1BB-68F3-A676F7B91F7A} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{A2E2EDE4-E2D3-F3DF-1F23-8C3BEE10E0AA} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{A4881825-4CC9-B4CE-6290-C430E5E901F8} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{A9B63F00-46F6-794A-3935-C204BC7E0785} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{B1318C42-3375-85F2-0B8B-DD594A7686D3} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{BEC227BD-6A8F-E5C9-B843-3F5517456552} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{BFB065A2-4F3C-61BB-4A5B-FA6D452D3EAC} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{CB61DEDF-E312-A962-E41A-8D231515AAF0} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{CDEF49C0-C459-D011-A77F-C683BBFBF72B} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{D1B77085-930D-7845-2B1E-10B33DE519D9} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{D2ABAA1C-3D1A-AA15-B41E-6D61C89C2341} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{D4B62290-D1BC-E419-EF26-71766EF1A30E} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{D6F7942A-2903-FD22-A0E5-7716B284A428} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{DAD64CB5-6A52-35C2-38BD-73771485436C} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{E0AB80CE-D9B6-AA3C-04B0-CAB826F2291F} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{E68315F1-B546-67BA-D301-A1A15F225655} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{EAB86C94-75BA-4E15-5B61-F49CC5FF8606} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{EDCEAC15-AF3E-C5F1-8804-D0FCA512F9C1} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{F1A4571F-46C9-C368-C70C-9911C42A8A18} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{F97F2532-4324-0DA9-21C3-64C1650A6515} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{FB2B91F2-20FB-CDCE-D34A-E50E5910E44F} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{FE91C2E0-AC39-4A6A-04FE-D8C6B10B23F3} -> Adware.CoolWebSearch : Cleaned with backup


::Report End


ewido log dated 5/2:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 7:15:34 AM, 5/2/2006
+ Report-Checksum: 70ABD760

+ Scan result:

C:\brenda\crochet\PizzaFrenzySetup-dm.exe -> Adware.Trymedia : Cleaned with backup
C:\Documents and Settings\Brenda G\rar.exe -> Dropper.VB.mn : Cleaned with backup
C:\iexplore.exe -> Dropper.VB.mn : Cleaned with backup
C:\Program Files\BE Network\bin\slidev.exe -> Adware.BargainBuddy : Cleaned with backup
C:\Program Files\BE Network\bin\slidex.exe -> Adware.BargainBuddy : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\1FF540FC-E952-435D-883B-C0005D\ADFFB5C2-B952-43BE-8CA9-088C80 -> Adware.Look2Me : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\3A982B05-0923-405F-9EC8-F3CA15\78B287C0-F42F-439B-8C86-B990BF -> Adware.CommAd : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\3A982B05-0923-405F-9EC8-F3CA15\AFA74898-ECAB-4118-BDCA-E7A404 -> Adware.CommAd : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\3E82D19C-DD2D-4368-933D-D29430\7924128E-EA59-490B-90A6-BFD6E2 -> Adware.Look2Me : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\5CB524FD-645F-4554-862A-34F452\0F981CF3-281D-4A47-A948-29DA40 -> Adware.Softomate : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\7181CF25-927F-485F-A63E-360036\34F9896B-7ADC-4798-B3C7-57528D -> Adware.NewDotNet : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\AAB7C906-348F-42B1-8528-DCB734\3889462A-02A5-4EEB-B8CE-91B6DF -> Adware.CommAd : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\AAB7C906-348F-42B1-8528-DCB734\DABBD61C-CFD2-4621-AF84-DD30CE -> Adware.CommAd : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\C2CABE17-4C9B-4D24-AC6A-E6C7EA\D3410847-EB82-4B25-BE14-E689FD -> Adware.Look2Me : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\C385264B-14BE-4E72-8AAE-831304\FD03DA2D-3372-477C-9769-A7A843 -> Hijacker.Small.jf : Cleaned with backup
C:\Program Files\Toolbar888\ToolBar888.dll -> Adware.Softomate : Cleaned with backup
C:\Program Files\Viehp\Cache\000041da_43d3e510_0007a120 -> Not-A-Virus.Exploit.HTML.Mht : Cleaned with backup
C:\Program Files\Viehp\Cache\00005772_43d16fb5_000aba95 -> Downloader.IstBar.j : Cleaned with backup
C:\Program Files\Viehp\Cache\00005d24_43c93fa4_00000000 -> Downloader.IstBar.j : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\imloader.exe -> Not-A-Virus.Downloader.Win32.ImLoader.c : Cleaned with backup
C:\WINDOWS\icont.exe -> Adware.AdURL : Cleaned with backup
C:\WINDOWS\iconu.exe -> Adware.Zestyfind : Cleaned with backup
C:\WINDOWS\inst_adperform.exe -> Adware.BargainBuddy : Cleaned with backup
C:\WINDOWS\NDNuninstall6_98.exe -> Adware.NewDotNet : Cleaned with backup
C:\WINDOWS\setup.exe -> Downloader.VB.abh : Cleaned with backup
C:\WINDOWS\system32\pwha.exe -> Not-A-Virus.PSWTool.Win32.PassView.162 : Cleaned with backup
C:\WINDOWS\system32\wsvdmod.dll -> Adware.Look2Me : Cleaned with backup


::Report End


panda log


Incident Status Location

Adware:adware/ideskbar Not disinfected c:\windows\system32\close.bmp
Adware:adware/exact.bargainbuddy Not disinfected c:\windows\system32\exclean.exe
Potentially unwanted tool:application/funweb Not disinfected c:\windows\downloaded program files\f3initialsetup1.0.0.5.inf
Potentially unwanted tool:application/winfixer2005 Not disinfected c:\windows\downloaded program files\UERS_0001_N68M1801NetInstaller.exe
Adware:adware/secure32 Not disinfected c:\secure32.html
Spyware:application/bestoffer Not disinfected c:\windows\smdat32m.sys
Adware:adware/cws.searchmeup Not disinfected c:\windows\uniq
Adware:adware/maxifiles Not disinfected c:\program files\common files\Windows
Adware:adware/yazzlesudoku Not disinfected Windows Registry
Adware:adware/searchaid Not disinfected Windows Registry
Potentially unwanted tool:application/mywebsearch Not disinfected hkey_classes_root\clsid\{147A976E-EEE1-4377-8EA7-4716E4CDD239}
Adware:adware/powerscan Not disinfected Windows Registry
Potentially unwanted tool:application/altnet Not disinfected HKEY_CLASSES_ROOT\Interface\{CE9B37EC-D243-47A2-83DB-3A8350175193}
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Brenda G\Cookies\brenda g@ad.yieldmanager[1].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Brenda G\Cookies\brenda g@ads.pointroll[2].txt
Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\Brenda G\Cookies\brenda g@errorsafe[2].txt
Spyware:Cookie/Linksynergy Not disinfected C:\Documents and Settings\Brenda G\Cookies\brenda g@linksynergy[2].txt
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Brenda G\Cookies\brenda g@maxserving[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Brenda G\Cookies\brenda g@tribalfusion[1].txt
Spyware:Cookie/WinFixer Not disinfected C:\Documents and Settings\Brenda G\Cookies\brenda g@winfixer[2].txt
Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\Brenda G\Cookies\brenda g@www.errorsafe[1].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Brenda G\Desktop\l2mfix\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Brenda G\Desktop\l2mfix.exe[l2mfix/Process.exe]
Potentially unwanted tool:Application/ErrorSafe Not disinfected C:\Documents and Settings\Brenda G\Local Settings\Temp\ICD4.tmp\UERS_0001_N68M1801NetInstaller.exe
Potentially unwanted tool:Application/ErrorSafe Not disinfected C:\Documents and Settings\Brenda G\Local Settings\Temporary Internet Files\Content.IE5\Z86R5Y5M\ErrorSafeFreeInstall[1].cab[UERS_0001_N68M1801NetInstaller.exe]
Adware:Adware/Exact.BargainBuddy Not disinfected C:\Program Files\BE Network\bin\context.exe
Potentially unwanted tool:Application/P2PNetworking Not disinfected C:\WINDOWS\system32\P2P Networking v126.cpl
Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\system32\Process.exe
trackqoo file

' trackqoo.vbs - gathers a few common persistence and shell-hijack locations into
' Report.txt: the HKLM Run key, the context-menu and column-handler shell
' extensions (resolved to the DLL each CLSID loads), both Startup folders and the
' .cpl files in System32 with their manufacturer, then opens the report in Notepad.
Option Explicit

Dim Def, Wshshell, FN, fso, Report
Dim strComputer, oReg, strKeyPath, arrSubKeys, subkey, Msg, Mess
Dim SU, f, f1, fc, Q, cpl, Sys, Maker, pad

Const HKEY_CLASSES_ROOT = &H80000000

Set fso = WScript.CreateObject("Scripting.FileSystemObject")
Set Wshshell = WScript.CreateObject("WScript.Shell")

' Export the HKLM Run key (/e = export, /a = ANSI text) and wait for regedit to
' finish, then reopen the export for appending (8) so the rest follows it.
Wshshell.Run "regedit /e /a Report.txt HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", , True
Set Report = fso.OpenTextFile("Report.txt", 8, True)

Report.WriteLine "-----------------"

' RegRead raises an error for a missing value, so errors are ignored from here on
' and Err is cleared at each step instead.
On Error Resume Next

strComputer = "."
Set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & _
    strComputer & "\root\default:StdRegProv")

' Context-menu handlers registered for every file type (*). A subkey is either
' the CLSID itself or a name whose default value holds the CLSID; either way the
' InprocServer32 default value is the DLL that Explorer will load.
Msg = ""
strKeyPath = "*\shellex\ContextMenuHandlers"
oReg.EnumKey HKEY_CLASSES_ROOT, strKeyPath, arrSubKeys
If IsArray(arrSubKeys) Then
    For Each subkey In arrSubKeys
        Err.Clear
        Def = ""
        FN = ""
        Def = Wshshell.RegRead("HKCR\" & strKeyPath & "\" & subkey & "\")
        If Def <> "" Then FN = Wshshell.RegRead("HKCR\CLSID\" & Def & "\InprocServer32\")
        If FN = "" Then FN = Wshshell.RegRead("HKCR\CLSID\" & subkey & "\InprocServer32\")
        FN = Wshshell.ExpandEnvironmentStrings(FN)
        Msg = Msg & vbCrLf & "Subkey --- " & subkey & vbCrLf & Def & vbCrLf & FN & vbCrLf
        Err.Clear
    Next
End If

Report.WriteLine "HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers"
Report.WriteLine
Report.Write Msg

'---------------------
Report.WriteLine
Report.WriteLine "====================="
Report.WriteLine

' Column handlers are keyed directly by CLSID (Look2Me-style hijacks register here).
Mess = ""
strKeyPath = "Folder\shellex\ColumnHandlers"
oReg.EnumKey HKEY_CLASSES_ROOT, strKeyPath, arrSubKeys
If IsArray(arrSubKeys) Then
    For Each subkey In arrSubKeys
        Err.Clear
        FN = ""
        FN = Wshshell.RegRead("HKCR\CLSID\" & subkey & "\InprocServer32\")
        FN = Wshshell.ExpandEnvironmentStrings(FN)
        Mess = Mess & vbCrLf & "Subkey --- " & subkey & vbCrLf & FN & vbCrLf
        Err.Clear
    Next
End If

Report.WriteLine "HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers"
Report.WriteLine
Report.Write Mess

Report.WriteLine
Report.WriteLine "=============================="

' Both Startup folders: anything here runs at logon. The listing is rebuilt for
' each folder (the original let the first folder's names leak into the second).
SU = Wshshell.SpecialFolders("AllUsersStartup")
WriteFolderListing SU

'-----------------------------
Report.WriteLine "=============================="

SU = Wshshell.SpecialFolders("Startup")
WriteFolderListing SU

'-----------------------------
Report.WriteLine "=============================="

' Control Panel applets in System32 with the manufacturer from their version
' resource; rogue .cpl files usually carry none.
Sys = fso.GetSpecialFolder(1)   ' 1 = SystemFolder

Report.WriteLine Sys & " cpl files"
Report.WriteLine

Set f = fso.GetFolder(Sys)
Set fc = f.Files
For Each f1 In fc
    If LCase(Right(f1.Name, 4)) = ".cpl" Then
        Err.Clear
        Q = Replace(f1.Path, "\", "\\")   ' WMI object paths need escaped backslashes
        Maker = ""
        Set cpl = GetObject("winmgmts:root\cimv2").Get("CIM_DataFile.Name=""" & Q & """")
        Maker = cpl.Manufacturer
        pad = 30 - Len(f1.Name)
        If pad < 1 Then pad = 1   ' Space() rejects a negative count
        Report.Write vbCrLf & f1.Name & Space(pad) & Maker
        Err.Clear
    End If
Next

Report.Close
Wshshell.Run "Notepad Report.txt"

Set fso = Nothing
Set Report = Nothing
Set cpl = Nothing
Set f = Nothing
Set fc = Nothing
Set oReg = Nothing
Set Wshshell = Nothing

' Writes the folder path followed by the name of every file in it.
Sub WriteFolderListing(folderPath)
    Dim folder, file, names
    names = ""
    Report.WriteLine folderPath
    Set folder = fso.GetFolder(folderPath)
    For Each file In folder.Files
        names = names & file.Name & vbCrLf
    Next
    Report.WriteLine
    Report.Write names
End Sub


hijack this log dated 4/14

Logfile of HijackThis v1.99.1
Scan saved at 10:39:53 PM, on 4/14/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\HJT\HijackThis.exe

F2 - REG:system.ini: UserInit=userinit.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Ulead Quick-Drop] "C:\utilities\movie factory\Ulead Quick-Drop 1.0\Quick-Drop.exe" WINDOWCALL
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {94EB57FE-2720-496C-B33F-D9353C6E23F7} (F-Secure Online Scanner 2.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10...o.cab34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/def...ploader_v6.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe



This response is huge, sorry about that. I did end up getting ewido to scan; there were 1 or 2 logs that I didn't get to save because of having to shut down my PC....
I couldn't get WinPFind to work for some reason.
And to your question about how my PC is running: it's slower now than it's been, but I don't get as many pop-ups. But I don't have a pop-up stopper, so I'm guessing that's why I'm getting a few pop-ups.
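The post above pastes two report formats: ewido's "location -> family : status" lines and Panda's "Category:name status location" lines. Reading a few hundred of these by eye is where the real items get missed, so here is a small triage parser that puts both into one record shape and separates what still needs a hand (live files and registry entries a scanner could not clean) from what is already contained (items sitting inside another product's Quarantine folder, tracking cookies). This is an added example written for this page, not a script from the thread or from either vendor; the location classes and the assumption that Panda can also report "Disinfected" are mine, and the sample lines are copied from the logs in the post.

```python
import re
from collections import Counter

# ewido line:  "<location> -> <family> : <status>"
EWIDO_RE = re.compile(r"^(?P<loc>.+?) -> (?P<family>\S+) : (?P<status>.+)$")
# Panda line:  "<Category>:<name> <status> <location>". The category can contain
# spaces ("Potentially unwanted tool:..."), so the family is everything up to the
# first "<word>:" token. Only "Not disinfected" occurs on this page; "Disinfected"
# is an assumed alternative.
PANDA_RE = re.compile(
    r"^(?P<family>.+?:\S+) (?P<status>Not disinfected|Disinfected) (?P<loc>.+)$"
)

REGISTRY_PREFIXES = ("hkey_", "hklm\\", "hkcu\\", "hkcr\\", "hku\\")


def location_kind(loc: str) -> str:
    """Classify where a detection lives; that decides how urgent it is."""
    low = loc.lower()
    if "\\quarantine\\" in low:
        return "quarantine"   # already contained by another product's quarantine
    if "\\cookies\\" in low:
        return "cookie"       # tracking cookie: no code runs from it
    if low == "windows registry" or low.startswith(REGISTRY_PREFIXES):
        return "registry"
    return "file"


def parse_line(line: str):
    """Normalise one ewido or Panda result line; return None for anything else."""
    line = line.rstrip()
    m = EWIDO_RE.match(line) or PANDA_RE.match(line)
    if not m:
        return None
    loc, status = m.group("loc"), m.group("status")
    return {
        "scanner": "ewido" if m.re is EWIDO_RE else "panda",
        "family": m.group("family"),
        "location": loc,
        "status": status,
        "kind": location_kind(loc),
        # ewido's "Cleaned with backup" counts as handled; Panda's "Not disinfected"
        # does not ("disinfected" is the assumed positive form).
        "remediated": status.lower().startswith(("cleaned", "disinfected")),
    }


def triage(report_text: str) -> list:
    """Parse a pasted report (any mix of the two formats) into records."""
    return [r for r in map(parse_line, report_text.splitlines()) if r]


def pending(records: list) -> list:
    """(family, location) of every file or registry item no scanner has cleaned."""
    return [(r["family"], r["location"]) for r in records
            if r["kind"] in ("file", "registry") and not r["remediated"]]


def summarize(records: list) -> Counter:
    """Count records by (kind, remediated) to see how much real work remains."""
    return Counter((r["kind"], r["remediated"]) for r in records)


# Sample input: lines copied from the ewido and Panda logs in the post above,
# plus one header line that the parser must ignore.
SAMPLE_REPORT = r"""
C:\Program Files\Microsoft AntiSpyware\Quarantine\1FF540FC-E952-435D-883B-C0005D\ADFFB5C2-B952-43BE-8CA9-088C80 -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\wsvdmod.dll -> Adware.Look2Me : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{073C7FC6-8137-7BA8-FC4D-8518F53DD1BA} -> Adware.CoolWebSearch : Cleaned with backup
Adware:adware/exact.bargainbuddy Not disinfected c:\windows\system32\exclean.exe
Spyware:Cookie/WinFixer Not disinfected C:\Documents and Settings\Brenda G\Cookies\brenda g@winfixer[2].txt
Adware:adware/powerscan Not disinfected Windows Registry
Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\system32\Process.exe
+ Scan result:
"""

if __name__ == "__main__":
    recs = triage(SAMPLE_REPORT)
    for kind_flag, n in sorted(summarize(recs).items()):
        print(f"{kind_flag[0]:<10} remediated={kind_flag[1]!s:<5} {n}")
    print("still needs a hand:")
    for family, loc in pending(recs):
        print(f"  {family}  ->  {loc}")
```

Run it over a whole pasted post and the "still needs a hand" list is the set of paths to check by hand, which is the same selection the helper makes when the next reply lists files to delete. The quarantine rule matters on this page in particular: a dozen of the ewido hits are files already sitting in the Microsoft AntiSpyware Quarantine folder, and counting those as live infections would overstate the problem.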
Old 05-04-2006, 04:03 PM   #16 (permalink)
Glaswegian
Moderator/ Rangemaster TSF Academy; Analyst, Security Team; Oor Wullie; TSF Surgeon and Resident Comic
Join Date: Sep 2005
Location: Glasgow
Posts: 23,940
OS: Win XP Pro SP3 / Win 7 RC
Hi again

You did well.


Please read these instructions carefully and then print out or copy this page to Notepad in order to assist you when carrying out the fix. You should not have any open browsers when you are following the procedures below.


Please create an uninstall list:
  • Open HijackThis
  • Click on the configure button on the bottom right
  • Click on the tab "Misc Tools"
  • Click on the Box that says "Open Uninstall Manager"
  • Click on the button "Save list"
  • Copy and paste the list from Notepad into your post


Click on the zip file attached to this post to open and extract the file babbs.reg to your desktop. Double click on the file babbs.reg to run it. Answer yes to any prompts and allow it to merge into the Registry.



Download SilentRunners.
Right click & choose Save As --> Save it to Desktop. Make sure you have disabled any programs that may block/disable scripts (like your anti-virus or anti-spyware programs -- if you're going to disable these, then disconnect from the Internet for this step). Double-click Silent Runners to run it. This will take a few minutes, and will create a file called "Startup Programs" followed by your computer name and current date.

Open up that file and post all its contents here in your next post.


Please run CleanUp! again.


Reboot
Reboot your system in Safe Mode.
  • Restart the computer. The computer begins processing a set of instructions known as BIOS.
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8 (dependent on your system this may be F5 or another key)
  • Instead of Windows loading as normal, a menu should appear
  • Use the arrow key to highlight Safe Mode and press Enter.



File Deletions
Delete the following Files indicated in RED if they still exist.

c:\windows\system32\close.bmp
c:\windows\system32\exclean.exe
c:\windows\downloaded program files\f3initialsetup1.0.0.5.inf
c:\windows\downloaded program files\UERS_0001_N68M1801NetInstaller.exe
c:\secure32.html <- - Go to Start > Search to find this file
c:\windows\smdat32m.sys
c:\windows\uniq
C:\Program Files\BE Network\bin\context.exe
C:\WINDOWS\system32\P2P Networking v126.cpl



Reboot
Reboot your system in Normal Mode.



Online Scan
Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky WebScanner

Next Click on Launch Kaspersky Anti-Virus Web Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
Scan using the following Anti-Virus database:
  • Extended
Scan Options:
  • Scan Archives
  • Scan Mail Bases
Click OK

Now under select a target to scan: Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Take note of the name(s) and location(s) of any file(s) it detects but fails to clean.

* Turn off the real time scanner of any existing antivirus program while performing the online scan



Logs required
Uninstall List
SilentRunners
Kaspersky Log
HijackThis Log


Please also let me know how your system is performing now and if you have any specific problems.
Last edited by Glaswegian; 06-18-2006 at 03:43 PM.
Old 05-05-2006, 03:32 AM   #17 (permalink)
babbs
Registered User
Join Date: Jun 2005
Posts: 34
OS: xp


I can't seem to run Kaspersky WebScanner. When I click on the link, it comes up with an Accept or Decline key after reading the info, but when I click Accept it doesn't do anything, and if I click on Decline it shuts that box down and nothing. Is there another scanner I can use, or should I just try later?
Old 05-05-2006, 05:42 AM   #18 (permalink)
babbs
Registered User
Join Date: Jun 2005
Posts: 34
OS: xp


I just have a simple question about my profile on techsupportforum: is there any way that I can change my time zone? I wasn't sure how that GMT went and my time is like 4 hours off.

Thanks again for the help.
Old 05-05-2006, 05:46 AM   #19 (permalink)
Glaswegian
Moderator/ Rangemaster TSF Academy; Analyst, Security Team; Oor Wullie; TSF Surgeon and Resident Comic
Join Date: Sep 2005
Location: Glasgow
Posts: 23,940
OS: Win XP Pro SP3 / Win 7 RC
Hi

Is your IE working OK? We'll try again later - I'm at work so don't have access to my files. Did SilentRunners go OK? Post whatever logs you now have and we'll take it from there.

Click on 'UserCP' at the top left of this page - that's your Control Panel - you can change the time settings in one of the options there.
Old 05-05-2006, 03:40 PM   #20 (permalink)
babbs
Registered User
Join Date: Jun 2005
Posts: 34
OS: xp


hello again

OK, my IE is working well, and SilentRunners went OK. But I did try to do another scan at Kaspersky after I got home from work, and still nothing when I try to hit Accept, and the prompt for ActiveX never came up. Here are the logs that you wanted, and I put in 2 HijackThis logs, 1 from the beginning when going to configure and then 1 at the end, since I'm not sure if anything would change from the beginning of the process to the end.

But it says that my post is too long, so I will send it to you in a text file, but if you want I can send it all separately.
Attached Files
File Type: txt post.txt (300.0 KB, 2 views)
Copyright 2001 - 2009, Tech Support Forum