
·
Registered
Joined
·
32 Posts
Discussion Starter #1
Hi there! Did all that you mentioned in one of the sticky threads further up, and the computer now says it cannot run a program called nail.exe? Used hijackthis analyzer and here are the results:

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 9/28/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 18:13:21, on 13/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Apps\ActivBoard\nhksrv.exe
C:\Logitech\iTouch\iTouch.exe
C:\Apps\ActivBoard\MMKeybd.exe
C:\Program Files\Otulboo\Jkrrrjg.exe
C:\Apps\ActivBoard\TrayMon.exe
C:\Apps\ActivBoard\OSD.exe
C:\Logitech\iTouch\kbdtray.exe
C:\virus stuff\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer brought to you by Planetis
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: MyWay Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - C:\Program Files\MyWay\SrchAstt\1.bin\MYSRCHAS.DLL (file missing)
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O2 - BHO: TChkBHO Class - {F8A6E3C5-D158-49C7-A097-288A00FE4316} - C:\WINDOWS\system32\geeks.dll
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [ACTIVBOARD] C:\Apps\ActivBoard\MMKeybd.exe
O4 - HKLM\..\Run: [cFosInst_Check] "C:\WINDOWS\cFosOEM\cfosinst.exe" -install -inplace -checkisdn
O4 - HKLM\..\Run: [BearShare] "C:\PROGRA~1\BEARSH~1\BEARSH~1.EXE" /pause
O4 - HKLM\..\Run: [XfJQ4J] C:\WINDOWS\sgdmf.exe
O4 - HKLM\..\Run: [Spam Blocker for Outlook Express] C:\PROGRA~1\Hotbar\bin\451~1.0\SBInst.exe
O4 - HKLM\..\Run: [Mrujl] C:\Program Files\Otulboo\Jkrrrjg.exe
O4 - HKLM\..\Run: [media remote proxy team] C:\Documents and Settings\All Users\Application Data\Bows multi media remote\Burn Open.exe
O4 - HKLM\..\Run: [liaidit] c:\windows\system32\ytqbijq.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [4 seek] C:\DOCUME~1\Merrick\APPLIC~1\64DOWN~1\ATOM BLEH.exe
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZUxdm080YYGB
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O12 - Plugin for .mpga: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O14 - IERESET.INF: START_PAGE_URL=www.packardbell.co.uk/center
O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install/00/alttiff.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/MyFunCardsFWBInitialSetup1.0.0.15.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca.com/downloads/scanner/axscanner.cab
O16 - DPF: {427273CC-764E-11D3-823D-006097F90453} (Pixami Image Editor Control) - http://www.imagestation.com/common/classes/BPImageEditor.cab?ver=1,1,0,32
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003012801/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} - http://fdl.msn.com/public/chat/msnchat42.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://photos.msn.co.uk/r/neutral/controls/MsnPUpld.cab?4,0,1323,0
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/default/popcaploader_v6.cab
O16 - DPF: {E87A6788-1D0F-4444-8898-1D25829B6755} - http://fdl.msn.com/public/chat/msnchat4.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Apps\ActivBoard\nhksrv.exe


End of KRC HijackThis Analyzer Log.
====================================================================

Thanks in advance!
 

·
Manager, The Conversation Pit/Analyst, Security Te
Joined
·
14,513 Posts
Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Please download Ewido Security Suite at http://www.ewido.net/en/download/.

1. Install Ewido Security Suite.
2. When installing, under 'Additional Options' uncheck:
* Install background guard
* Install scan via context menu
3. Launch Ewido, there should be an icon on your desktop, double click it.
4. The program will now open to the main screen.
5. When you run Ewido for the first time, you will get a warning 'Database could not be found!'. Click OK. We will fix this in a moment.
6. You will need to update Ewido to the latest definition files.
* On the left hand side of the main screen click update.
* Then click on Start Update.
7. The update will start and a progress bar will show the updates being installed. The status bar at the bottom will display 'Update successful'.
8. Exit Ewido. DO NOT scan yet.

If you are having problems with the updater, you can go to http://www.ewido.net/en/download/updates/ to update manually.

Download Nailfix Utility at http://www.noidea.us/easyfile/file.php?download=20050711214630636 Save it to your desktop. Do NOT run it yet.

Download dsrfix.zip http://www.atribune.org/downloads/dsrfix.zip and save it to your desktop. Unzip the dsrfix.zip contents to your desktop. This will create a new folder on your desktop named dsrfix. Do NOT open that folder yet.

Download APT http://www.diamondcs.com.au/index.php?page=apt and unzip the contents to a new folder on your desktop.

* Open the folder you just created and click on apt.exe and search in the window for ytqbijq.exe
* Open your C:\Windows\system32 folder and search for ytqbijq.exe. Don't delete it yet, just leave the system32 folder open so you can see the bad file.
* In APT again, Select ytqbijq.exe and Click Kill3.
* Then immediately delete ytqbijq.exe from your system32 folder.

Close APT.

Download CleanUp! http://cleanup.stevengould.org/ (Alternate Link if main link doesn't work - http://www.greyknight17.com/spy/CleanUp.exe ) and install it. Don't run it yet.

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work.

Once in Safe Mode, double click on nailfix.exe.
Click 'Next' in the setup, then make sure 'Run Nailfix' is checked and click 'Finish'.
Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp!. Run CleanUp! and click on the Options button. Uncheck 'Scan local drives for temporary files'. Also uncheck those two Newsgroup entries if you don't want to delete them. Click OK and then click on the CleanUp! button. Let it run. After it's done, choose Yes to logoff.

Now open Ewido and do a scan on your system.

* Click on scanner
* Click on Complete System Scan and the scan will begin.
* NOTE: During some scans with Ewido it is finding cases of false positives.
  * You will need to step through the process of cleaning files one-by-one.
  * If Ewido detects a file you KNOW to be legitimate, select none as the action.
  * Do NOT select 'Perform action on all infections'
  * If you are unsure of any entry found, select none for now as the action.
* Once the scan has completed, there will be a button located on the bottom of the screen named Save report
* Click Save report.
* Save the report .txt file to your desktop or a location where you can find it easily.

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: MyWay Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - C:\Program Files\MyWay\SrchAstt\1.bin\MYSRCHAS.DLL (file missing)
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O2 - BHO: TChkBHO Class - {F8A6E3C5-D158-49C7-A097-288A00FE4316} - C:\WINDOWS\system32\geeks.dll
O4 - HKLM\..\Run: [XfJQ4J] C:\WINDOWS\sgdmf.exe
O4 - HKLM\..\Run: [Spam Blocker for Outlook Express] C:\PROGRA~1\Hotbar\bin\451~1.0\SBInst.exe
O4 - HKLM\..\Run: [Mrujl] C:\Program Files\Otulboo\Jkrrrjg.exe
O4 - HKLM\..\Run: [media remote proxy team] C:\Documents and Settings\All Users\Application Data\Bows multi media remote\Burn Open.exe
O4 - HKLM\..\Run: [liaidit] c:\windows\system32\ytqbijq.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [4 seek] C:\DOCUME~1\Merrick\APPLIC~1\64DOWN~1\ATOM BLEH.exe
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusear...?p=ZUxdm080YYGB
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca.com/downloads/scanner/axscanner.cab



Now open the folder dsrfix on your desktop.
* Double click on dsrfix.bat
* A window will pop up briefly then close, this is normal.

Locate and delete the following (if they exist)

C:\WINDOWS\Nail.exe
C:\Program Files\MyWay
C:\Program Files\MyWebSearch
C:\WINDOWS\system32\geeks.dll
C:\WINDOWS\sgdmf.exe
C:\PROGRAM FILES\Hotbar
C:\Program Files\Otulboo
C:\Documents and Settings\All Users\Application Data\Bows multi media remote
c:\windows\system32\ytqbijq.exe
C:\Program Files\Messenger Plus! 3
C:\DOCUME~1\Merrick\APPLIC~1\64DOWN~1\ATOM BLEH.exe

Restart your computer.

Download FindIt's.zip http://forums.net-integration.net/index.php?act=Attach&type=post&id=142443 to your desktop.

1. Unzip/extract the files to a folder on your desktop.
2. Open the folder. Double click on FindIt's.bat and wait for Notepad to open a text file. It will take a while so please be patient... Note: If you are having problems using FindIt's.bat (16 bit error), copy autoexec.nt from the C:\WINDOWS\repair folder to C:\WINDOWS\system32 folder. Now try running FindIt's.bat.
3. Then post the FindIt's log here along with the logs for HijackThis and Ewido.
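
The "if they still exist" check from the post above, as an added example that is not part of the original thread: it matches a fix list against a later HijackThis log by entry identity (CLSID, or Run hive and value name) rather than by whole line, because the forum shortened one URL in the fix list, and it extracts anything appended to the `Shell=` value in an F2 entry. The function names and the rescan log are constructed for illustration.

```python
import re

# Lines copied from the fix list in the post above. The O8 URL appears
# shortened there ("menusear..."), so whole-line comparison would miss it.
FIX_LIST = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O4 - HKLM\..\Run: [liaidit] c:\windows\system32\ytqbijq.exe
O4 - HKLM\..\Run: [Mrujl] C:\Program Files\Otulboo\Jkrrrjg.exe
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusear...?p=ZUxdm080YYGB
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
"""

# Constructed rescan log (not from the thread): some entries gone, some left.
AFTER_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: mwsBar BHO - {07b18ea1-a523-4961-b6bb-170de4475cca} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Mrujl] C:\Program Files\Otulboo\Jkrrrjg.exe
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZUxdm080YYGB
"""

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
RUN_RE = re.compile(r"^(HK\w+)\\\.\.\\(\w+): \[([^\]]+)\] (.+)$")
SHELL_RE = re.compile(r"Shell=(.*)$", re.IGNORECASE)


def parse_entries(text):
    """Return (code, body) for every 'Xn - ...' line; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            entries.append((match.group(1), match.group(2)))
    return entries


def entry_key(code, body):
    """Identity of an entry that survives case changes and shortened URLs."""
    run = RUN_RE.match(body)
    if code == "O4" and run:
        # Autorun entries: registry hive plus value name.
        return (code, run.group(1).upper(), run.group(3).lower())
    clsid = CLSID_RE.search(body)
    if clsid:
        # BHOs, toolbars, buttons, ActiveX: the class ID.
        return (code, clsid.group(0).upper())
    if code.startswith(("F", "R")):
        # Shell / start-page entries: the whole value matters.
        return (code, " ".join(body.lower().split()))
    # Everything else: the label before the first " - " separator.
    return (code, body.split(" - ")[0].strip().lower())


def shell_extras(body):
    """For an F2 Shell entry, return what follows Explorer.exe ('' if nothing).

    Returns None when the body has no Shell= value, and the whole value when
    the shell is not Explorer.exe at all.
    """
    match = SHELL_RE.search(body)
    if not match:
        return None
    value = match.group(1).strip()
    first, _, rest = value.partition(" ")
    if first.lower() != "explorer.exe":
        return value
    return rest.strip()


def remaining(fix_list_text, new_log_text):
    """Fix-list entries that are still present in the newer log."""
    present = {entry_key(c, b) for c, b in parse_entries(new_log_text)}
    return [(c, b) for c, b in parse_entries(fix_list_text)
            if entry_key(c, b) in present]


if __name__ == "__main__":
    for code, body in parse_entries(FIX_LIST):
        if code == "F2" and shell_extras(body):
            print("Shell value also launches:", shell_extras(body))
    for code, body in remaining(FIX_LIST, AFTER_LOG):
        print("still present:", code, "-", body)
```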
 

·
Registered
Joined
·
32 Posts
Discussion Starter #3
Hi there. Was following your instructions but I cannot find the ytqbijq.exe file in system32 folder or in APT program. Should I carry on?

thanks s
 

·
Manager, The Conversation Pit/Analyst, Security Te
Joined
·
14,513 Posts
Go ahead and proceed on and we'll see what the next HJT log shows us.
 

·
Registered
Joined
·
32 Posts
Discussion Starter #5
OK so been through your list and done as required where possible. Things not done: dsrfix did not bring anything up so I couldn't delete anything, and was unable to download findits.zip. The rest I did and here are the results. Thanks for your continued help!

Ewido security report:
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 19:19:51, 15/10/2005
+ Report-Checksum: ACB22EBA

+ Scan result:

C:\Documents and Settings\Alison\Application Data\Hotbar\v3.0\Hotbar\static\1\layout.cdf -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Alison\Application Data\Hotbar\v3.0\Hotbar\static\1\linkpathlegal.txt -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Alison\Application Data\Hotbar\v3.0\Hotbar\static\1\progress.res -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Alison\Application Data\Hotbar\v3.0\Hotbar\static\1\s_icons_buttons.res -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Alison\Application Data\Hotbar\v3.0\Hotbar\static\1\t2_bg.res -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Alison\Application Data\Hotbar\v3.0\Hotbar\static\1\top7.cdf -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Alison\Application Data\Hotbar\v3.0\Hotbar\static\1\Top7_theweb.mnu -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Alison\Application Data\Hotbar\v3.0\Hotbar\static\1\tsd_bg.res -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Alison\Application Data\Hotbar\v3.0\Hotbar\static\DownLoad -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Alison\Application Data\Hotbar\v3.0\Hotbar\static\DownLoad\ads.xip -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Alison\Application Data\Hotbar\v3.0\Hotbar\static\DownLoad\business_promo.xip -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Alison\Application Data\Hotbar\v3.0\Hotbar\static\DownLoad\default.xip -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Alison\Application Data\Hotbar\v3.0\Hotbar\static\DownLoad\d_icons_buttons_1000.xip -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Alison\Application Data\Hotbar\v3.0\Hotbar\static\DownLoad\d_icons_buttons_2000.xip -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Alison\Application Data\Hotbar\v3.0\Hotbar\static\DownLoad\d_icons_buttons_3000.xip -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Alison\Application Data\Hotbar\v3.0\Hotbar\static\DownLoad\d_icons_buttons_bar.xip -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Alison\Application Data\Hotbar\v3.0\Hotbar\static\DownLoad\d_icons_buttons_bbar1.xip -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Alison\Application Data\Hotbar\v3.0\Hotbar\static\DownLoad\d_icons_buttons_bbar10.xip -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Alison\Application Data\Hotbar\v3.0\Hotbar\static\DownLoad\d_icons_buttons_bbar11.xip -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Alison\Application Data\Hotbar\v3.0\Hotbar\static\DownLoad\d_icons_buttons_bbar12.xip -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Alison\Application Data\Hotbar\v3.0\Hotbar\static\DownLoad\d_icons_buttons_bbar13.xip -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Alison\Application Data\Hotbar\v3.0\Hotbar\static\DownLoad\d_icons_buttons_bbar14.xip -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Alison\Application Data\Hotbar\v3.0\Hotbar\static\DownLoad\d_icons_buttons_bbar2.xip -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Alison\Application Data\Hotbar\v3.0\Hotbar\static\DownLoad\d_icons_buttons_bbar3.xip -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Alison\Application Data\Hotbar\v3.0\Hotbar\static\DownLoad\d_icons_buttons_bbar4.xip -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Alison\Application Data\Hotbar\v3.0\Hotbar\static\DownLoad\d_icons_buttons_bbar5.xip -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Alison\Application Data\Hotbar\v3.0\Hotbar\static\DownLoad\d_icons_buttons_bbar6.xip -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Alison\Application Data\Hotbar\v3.0\Hotbar\static\DownLoad\d_icons_buttons_bbar7.xip -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Alison\Application Data\Hotbar\v3.0\Hotbar\static\DownLoad\d_icons_buttons_bbar8.xip -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Alison\Application Data\Hotbar\v3.0\Hotbar\static\DownLoad\d_icons_buttons_bbar9.xip -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Alison\Application Data\Hotbar\v3.0\Hotbar\static\DownLoad\d_icons_buttons_logos.xip -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Alison\Application Data\Hotbar\v3.0\Hotbar\static\DownLoad\d_icons_buttons_other.xip -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Alison\Application Data\Hotbar\v3.0\Hotbar\static\DownLoad\d_icons_buttons_x.xip -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Alison\Application Data\Hotbar\v3.0\Hotbar\static\DownLoad\d_icons_weather.xip -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Alison\Application Data\Hotbar\v3.0\Hotbar\static\DownLoad\email-t1-bg.xip -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Alison\Application Data\Hotbar\v3.0\Hotbar\static\DownLoad\hotbar-premium.xip -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Alison\Application Data\Hotbar\v3.0\Hotbar\static\DownLoad\hotbar_promo.xip -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Alison\Application Data\Hotbar\v3.0\Hotbar\static\DownLoad\icons2.xip -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Alison\Application Data\Hotbar\v3.0\Hotbar\static\DownLoad\keywords.xip -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Alison\Application Data\Hotbar\v3.0\Hotbar\static\DownLoad\keywords1.xip -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Alison\Application Data\Hotbar\v3.0\Hotbar\static\DownLoad\keywords_idx.xip -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Alison\Application Data\Hotbar\v3.0\Hotbar\static\DownLoad\keywords_sdf.xip -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Alison\Application Data\Hotbar\v3.0\Hotbar\static\DownLoad\layout.xip -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Alison\Application Data\Hotbar\v3.0\Hotbar\static\DownLoad\linkpathlegal.xip -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Alison\Application Data\Hotbar\v3.0\Hotbar\static\DownLoad\progress.xip -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Alison\Application Data\Hotbar\v3.0\Hotbar\static\DownLoad\samplegroups2.txt -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Alison\Application Data\Hotbar\v3.0\Hotbar\static\DownLoad\samplegroups2.xip -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Alison\Application Data\Hotbar\v3.0\Hotbar\static\DownLoad\s_icons_buttons.xip -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Alison\Application Data\Hotbar\v3.0\Hotbar\static\DownLoad\t2_bg.xip -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Alison\Application Data\Hotbar\v3.0\Hotbar\static\DownLoad\top7.xip -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Alison\Application Data\Hotbar\v3.0\Hotbar\static\DownLoad\tsd_bg.xip -> Spyware.HotBar : Cleaned with backup
C:\Program Files\MSN Messenger\riched20.dll -> Spyware.MyWebSearch : Cleaned with backup
C:\Program Files\MyWebSearch\bar\1.bin\F3CJPEG.DLL -> Spyware.FunWeb : Cleaned with backup
C:\Program Files\MyWebSearch\bar\1.bin\F3DTACTL.DLL -> Spyware.MyWebSearch : Cleaned with backup
C:\Program Files\MyWebSearch\bar\1.bin\F3HISTSW.DLL -> Spyware.MyWebSearch : Cleaned with backup
C:\Program Files\MyWebSearch\bar\1.bin\F3PSSAVR.SCR -> Spyware.MyWebSearch : Cleaned with backup
C:\Program Files\MyWebSearch\bar\1.bin\F3RESTUB.DLL -> Spyware.MyWebSearch : Cleaned with backup
C:\Program Files\MyWebSearch\bar\1.bin\F3SCHMON.EXE -> Spyware.MyWebSearch : Cleaned with backup
C:\Program Files\MyWebSearch\bar\1.bin\F3SCRCTR.DLL -> Spyware.MyWebSearch : Cleaned with backup
C:\Program Files\MyWebSearch\bar\1.bin\F3WPHOOK.DLL -> Spyware.Wesbar : Cleaned with backup
C:\Program Files\MyWebSearch\bar\1.bin\M3OUTLCN.DLL -> Spyware.MyWebSearch : Cleaned with backup
C:\Program Files\MyWebSearch\bar\1.bin\M3PLUGIN.DLL -> Spyware.MyWebSearch : Cleaned with backup
C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL -> Spyware.MyWebSearch : Cleaned with backup
C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE -> Spyware.Wesbar : Cleaned with backup
C:\Program Files\MyWebSearch\bar\1.bin\MWSOESTB.DLL -> Spyware.MyWebSearch : Cleaned with backup
C:\Program Files\MyWebSearch\bar\1.bin\NPMYWEBS.DLL -> Spyware.MyWebSearch : Cleaned with backup
C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL -> Spyware.MyWebSearch : Cleaned with backup
C:\Program Files\Otulboo\Jkrrrjg.exe -> Trojan.Small.cy : Cleaned with backup
C:\RECYCLER\S-1-5-21-842925246-602609370-725345543-1007\Dc124.exe -> Dialer.Generic : Cleaned with backup
C:\System Volume Information\_restore{18538A5F-8FA9-4994-8048-03C88EC8C9C7}\RP34\A0005791.exe -> TrojanDownloader.Swizzor.de : Cleaned with backup
C:\System Volume Information\_restore{18538A5F-8FA9-4994-8048-03C88EC8C9C7}\RP34\A0005820.exe -> TrojanDownloader.Swizzor.de : Cleaned with backup
C:\System Volume Information\_restore{18538A5F-8FA9-4994-8048-03C88EC8C9C7}\RP34\A0005849.exe -> TrojanDownloader.Swizzor.de : Cleaned with backup
C:\System Volume Information\_restore{18538A5F-8FA9-4994-8048-03C88EC8C9C7}\RP34\A0005879.exe -> TrojanDownloader.Swizzor.de : Cleaned with backup
C:\System Volume Information\_restore{18538A5F-8FA9-4994-8048-03C88EC8C9C7}\RP35\A0005914.exe -> TrojanDownloader.Swizzor.de : Cleaned with backup
C:\System Volume Information\_restore{18538A5F-8FA9-4994-8048-03C88EC8C9C7}\RP35\A0005944.exe -> TrojanDownloader.Swizzor.de : Cleaned with backup
C:\System Volume Information\_restore{18538A5F-8FA9-4994-8048-03C88EC8C9C7}\RP36\A0006044.exe -> TrojanDownloader.Swizzor.de : Cleaned with backup
C:\System Volume Information\_restore{18538A5F-8FA9-4994-8048-03C88EC8C9C7}\RP36\A0006087.exe -> TrojanDownloader.Swizzor.de : Cleaned with backup
C:\System Volume Information\_restore{18538A5F-8FA9-4994-8048-03C88EC8C9C7}\RP36\A0006126.exe -> TrojanDownloader.Swizzor.de : Cleaned with backup
C:\System Volume Information\_restore{18538A5F-8FA9-4994-8048-03C88EC8C9C7}\RP39\A0006228.exe -> TrojanDownloader.Swizzor.de : Cleaned with backup
C:\System Volume Information\_restore{18538A5F-8FA9-4994-8048-03C88EC8C9C7}\RP39\A0007228.exe -> TrojanDownloader.Swizzor.de : Cleaned with backup
C:\System Volume Information\_restore{18538A5F-8FA9-4994-8048-03C88EC8C9C7}\RP39\A0007271.exe -> TrojanDownloader.Swizzor.de : Cleaned with backup
C:\System Volume Information\_restore{18538A5F-8FA9-4994-8048-03C88EC8C9C7}\RP39\A0007316.exe -> TrojanDownloader.Swizzor.de : Cleaned with backup
C:\System Volume Information\_restore{18538A5F-8FA9-4994-8048-03C88EC8C9C7}\RP39\A0007381.exe -> TrojanDownloader.Swizzor.de : Cleaned with backup
C:\System Volume Information\_restore{18538A5F-8FA9-4994-8048-03C88EC8C9C7}\RP40\A0007442.exe -> TrojanDownloader.Swizzor.de : Cleaned with backup
C:\System Volume Information\_restore{18538A5F-8FA9-4994-8048-03C88EC8C9C7}\RP41\A0007548.exe -> TrojanDownloader.Swizzor.de : Cleaned with backup
C:\System Volume Information\_restore{18538A5F-8FA9-4994-8048-03C88EC8C9C7}\RP41\A0007598.exe -> TrojanDownloader.Swizzor.de : Cleaned with backup
C:\System Volume Information\_restore{18538A5F-8FA9-4994-8048-03C88EC8C9C7}\RP42\A0007650.exe -> TrojanDownloader.Swizzor.de : Cleaned with backup
C:\System Volume Information\_restore{18538A5F-8FA9-4994-8048-03C88EC8C9C7}\RP42\A0007681.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{18538A5F-8FA9-4994-8048-03C88EC8C9C7}\RP42\A0007699.exe -> TrojanDownloader.Swizzor.de : Cleaned with backup
C:\System Volume Information\_restore{18538A5F-8FA9-4994-8048-03C88EC8C9C7}\RP42\A0007751.exe -> TrojanDownloader.Swizzor.de : Cleaned with backup
C:\System Volume Information\_restore{18538A5F-8FA9-4994-8048-03C88EC8C9C7}\RP43\A0007802.exe -> TrojanDownloader.Swizzor.de : Cleaned with backup
C:\System Volume Information\_restore{18538A5F-8FA9-4994-8048-03C88EC8C9C7}\RP43\A0007855.exe -> TrojanDownloader.Swizzor.de : Cleaned with backup
C:\System Volume Information\_restore{18538A5F-8FA9-4994-8048-03C88EC8C9C7}\RP43\A0007906.exe -> TrojanDownloader.Swizzor.de : Cleaned with backup
C:\System Volume Information\_restore{18538A5F-8FA9-4994-8048-03C88EC8C9C7}\RP44\A0007968.exe -> TrojanDownloader.Swizzor.de : Cleaned with backup
C:\System Volume Information\_restore{18538A5F-8FA9-4994-8048-03C88EC8C9C7}\RP44\A0008022.exe -> TrojanDownloader.Swizzor.de : Cleaned with backup
C:\System Volume Information\_restore{18538A5F-8FA9-4994-8048-03C88EC8C9C7}\RP44\A0008080.exe -> TrojanDownloader.Swizzor.de : Cleaned with backup
C:\System Volume Information\_restore{18538A5F-8FA9-4994-8048-03C88EC8C9C7}\RP44\A0008136.exe -> TrojanDownloader.Swizzor.de : Cleaned with backup
C:\System Volume Information\_restore{18538A5F-8FA9-4994-8048-03C88EC8C9C7}\RP44\A0008194.exe -> TrojanDownloader.Swizzor.de : Cleaned with backup
C:\System Volume Information\_restore{18538A5F-8FA9-4994-8048-03C88EC8C9C7}\RP44\A0008253.exe -> TrojanDownloader.Swizzor.de : Cleaned with backup
C:\System Volume Information\_restore{18538A5F-8FA9-4994-8048-03C88EC8C9C7}\RP44\A0008310.exe -> TrojanDownloader.Swizzor.de : Cleaned with backup
C:\System Volume Information\_restore{18538A5F-8FA9-4994-8048-03C88EC8C9C7}\RP45\A0008373.exe -> TrojanDownloader.Swizzor.de : Cleaned with backup
C:\System Volume Information\_restore{18538A5F-8FA9-4994-8048-03C88EC8C9C7}\RP45\A0008376.exe -> TrojanDownloader.Swizzor.de : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\gbn285.exe -> Dialer.Generic : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\popcaploader.dll -> Not-A-Virus.PornWare.PopCap.b : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\uloader.dll -> TrojanDownloader.Xatl.c : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Cookies\[email protected][1].txt -> Spyware.Cookie.Abetterinternet : Cleaned with backup
C:\WINDOWS\system32\f3PSSavr.scr -> Spyware.MyWebSearch : Cleaned with backup
C:\WINDOWS\system32\geeks.dll -> Spyware.WurldMedia : Cleaned with backup


::Report End

HiJackThis report:

Logfile of HijackThis v1.99.1
Scan saved at 17:36:22, on 17/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Apps\ActivBoard\nhksrv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Logitech\iTouch\iTouch.exe
C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Apps\ActivBoard\MMKeybd.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\WINDOWS\DvzCommon\DvzMsgr.exe
C:\Logitech\iTouch\kbdtray.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Apps\ActivBoard\TrayMon.exe
C:\Apps\ActivBoard\OSD.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\virus stuff\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.hjnyybhpndqasekkc.com/yD...HwktU13ToqHr_KCbO3IX_ftJ83_MDgI4bNVkzcYI.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer brought to you by Planetis
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: TChkBHO Class - {F8A6E3C5-D158-49C7-A097-288A00FE4316} - C:\WINDOWS\system32\geeks.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [ACTIVBOARD] C:\Apps\ActivBoard\MMKeybd.exe
O4 - HKLM\..\Run: [cFosInst_Check] "C:\WINDOWS\cFosOEM\cfosinst.exe" -install -inplace -checkisdn
O4 - HKLM\..\Run: [BearShare] "C:\PROGRA~1\BEARSH~1\BEARSH~1.EXE" /pause
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [Update Service] C:\PROGRA~1\COMMON~1\TEKNUM~1\update.exe /startup
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Dataviz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mpga: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=www.packardbell.co.uk/center
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install/00/alttiff.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {427273CC-764E-11D3-823D-006097F90453} (Pixami Image Editor Control) - http://www.imagestation.com/common/classes/BPImageEditor.cab?ver=1,1,0,32
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003012801/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} - http://fdl.msn.com/public/chat/msnchat42.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://photos.msn.co.uk/r/neutral/controls/MsnPUpld.cab?4,0,1323,0
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/default/popcaploader_v6.cab
O16 - DPF: {E87A6788-1D0F-4444-8898-1D25829B6755} - http://fdl.msn.com/public/chat/msnchat4.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Apps\ActivBoard\nhksrv.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
 

·
Manager, The Conversation Pit/Analyst, Security Te
Joined
·
14,513 Posts
Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm and then click OK.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Make sure you downloaded, installed, updated and ran these programs (run in Safe Mode) already - Ad-aware, Spybot and Ewido. If you didn't, do them now. For more information, go to http://www.greyknight17.com/spyware.htm

Download KillBox http://www.greyknight17.com/spy/KillBox.exe. Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. Copy the below files and go back to KillBox. Go to File->Paste from Clipboard and then hit the button with a red circle and white X. Confirm to delete and when asked if you want to reboot, say no:

C:\WINDOWS\system32\geeks.dll

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers. Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click 'Kill process' for each one if they are still listed (they shouldn't be - but double check):

C:\Program Files\Microsoft AntiSpyware\gcasServ.exe

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

Microsoft Anti Spyware--it’s rogueware (or known to be rogueware in the past) and we highly recommend that you uninstall it. Rogue/Suspect means that these products are of unknown, questionable, or dubious value as anti-spyware protection.

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.hjnyybhpndqasekkc.com/yD...I4bNVkzcYI.html
O2 - BHO: TChkBHO Class - {F8A6E3C5-D158-49C7-A097-288A00FE4316} - C:\WINDOWS\system32\geeks.dll (file missing)
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install/00/alttiff.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?lin...467&clcid=0x409
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/Sh...bin/AvSniff.cab


Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\WINDOWS\system32\geeks.dll

Restart and run a new HijackThis scan. Save the log file and post it here.
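Added example, not part of the original thread: a short Python sketch that cross-references a scanner report of the `path -> detection : action` form with HijackThis entries, showing why an entry such as the `geeks.dll` BHO stands out for review. The sample lines are copied from the two logs in this thread; the function names and the two review signals (path flagged by the scanner, entry marked `(file missing)`) are assumptions of this sketch, not the logic of HijackThis or of any scanner.

```python
import re
from typing import NamedTuple, Optional

# Sample input: a few lines copied from the two logs posted in this thread.
SCAN_REPORT = r"""
C:\Program Files\Otulboo\Jkrrrjg.exe -> Trojan.Small.cy : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\popcaploader.dll -> Not-A-Virus.PornWare.PopCap.b : Cleaned with backup
C:\WINDOWS\system32\geeks.dll -> Spyware.WurldMedia : Cleaned with backup
"""

HJT_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: TChkBHO Class - {F8A6E3C5-D158-49C7-A097-288A00FE4316} - C:\WINDOWS\system32\geeks.dll (file missing)
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Apps\ActivBoard\nhksrv.exe
"""

# "O2 - <body>", "R1 - <body>", "O23 - <body>" ...
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
# First drive-letter path ending in an executable extension (stops before arguments).
PATH_RE = re.compile(r'[A-Za-z]:\\[^"<>|*?]+?\.(?:exe|dll|scr)', re.IGNORECASE)


class Entry(NamedTuple):
    code: str            # section code, e.g. "O2"
    body: str            # everything after "<code> - "
    path: Optional[str]  # first file path found in the body, if any
    file_missing: bool   # entry carries the "(file missing)" marker


def parse_scan_report(text):
    """Map lower-cased file path -> detection name."""
    detections = {}
    for line in text.splitlines():
        path, arrow, rest = line.partition(" -> ")
        if not arrow:
            continue  # not a detection line
        detection, _, _action = rest.partition(" : ")
        detections[path.strip().lower()] = detection.strip()
    return detections


def parse_hjt(text):
    """Split HijackThis entry lines into code, body, path and missing-file flag."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # header, process list or blank line
        body = m.group("body")
        found = PATH_RE.search(body)
        entries.append(Entry(m.group("code"), body,
                             found.group(0) if found else None,
                             body.endswith("(file missing)")))
    return entries


def review_candidates(entries, detections):
    """Return (entry, reasons) for entries that deserve a manual look."""
    out = []
    for e in entries:
        reasons = []
        if e.path and e.path.lower() in detections:
            reasons.append("scanner: " + detections[e.path.lower()])
        if e.file_missing:
            reasons.append("registry entry points at a missing file")
        if reasons:
            out.append((e, reasons))
    return out


if __name__ == "__main__":
    hits = review_candidates(parse_hjt(HJT_LOG), parse_scan_report(SCAN_REPORT))
    for entry, reasons in hits:
        print(entry.code, entry.path, "|", "; ".join(reasons))
```

A hit marks an entry for manual review; entries that match neither signal still need to be read by someone who knows the installed software.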