
Discussion Starter · #1 · Registered
I know I had WinFixer on for a while. I think I got rid of that; AVG has found a few trojans and Ad-Aware keeps finding problems. So I am not sure what is left on my machine, but pop-ups come up pretty regularly. The HijackThis log is below. I have Ad-Aware, AVG, Ewido, Spybot, and CleanUp. I hope you can help; thank you for taking the time. First I have included my hosts file, which gets written to regardless of whether it is read-only or not. I reset it to default but it just goes back to this:

# Copyright © 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a "#" symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
#
127.0.0.1 localhost
127.0.0.1 www.igetnet.com
127.0.0.1 code.ignphrases.com
127.0.0.1 clear-search.com
127.0.0.1 r1.clrsch.com
127.0.0.1 sds.clrsch.com
127.0.0.1 status.clrsch.com
127.0.0.1 www.clrsch.com
127.0.0.1 clr-sch.com
127.0.0.1 sds-qckads.com
127.0.0.1 status.qckads.com
127.0.0.1 www.qoolaid.com
127.0.0.1 www.qoologic.com
127.0.0.1 www.CLKPrecision.com
127.0.0.1 www.urllogic.com
127.0.0.1 www.clkoptimizer.com
127.0.0.1 www.isearch.com
127.0.0.1 isearch.com
127.0.0.1 www.idownload.com
127.0.0.1 idownload.com
127.0.0.1 www.mytotalsearch.com
127.0.0.1 mytotalsearch.com
127.0.0.1 www.lop.com
127.0.0.1 lop.com
127.0.0.1 www.websearch.com
127.0.0.1 websearch.com
127.0.0.1 www.page-not-found.net
127.0.0.1 page-not-found.net
127.0.0.1 www.isearchhere.com
127.0.0.1 isearchhere.com
127.0.0.1 xads.offeroptimizer.comm
127.0.0.1 search.offeroptimizer.com
127.0.0.1 ximages.offeroptimizer.com
127.0.0.1 xlime.offeroptimizer.com
127.0.0.1 xadsj-o.offeroptimizer.com
127.0.0.1 xadsj.offeroptimizer.com
127.0.0.1 www.offeroptimizer.com
127.0.0.1 as.adwave.com
127.0.0.1 sr.adwave.com
127.0.0.1 www.adwave.com
127.0.0.1 adwave.com EVENT:HOST:127.0.0.1
127.0.0.1 adwave.com EVENT:HOST:127.0.0.1


Here is the hijack log:

Logfile of HijackThis v1.99.1
Scan saved at 1:21:39 AM, on 10/24/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\MWW32\MANAGER\MWMDMSVC.EXE
C:\WINNT\MWW32\MANAGER\MWSSW32.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\SYSTEM32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\tp4mon.exe
C:\WINNT\system32\cdplayer.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINNT\system32\ctfmon.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Modem Update Reminder] C:\WINNT\MWW32\manager\mwremind.exe autorun
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [DeluxeCD] C:\WINNT\system32\cdplayer.exe -tray
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [ntdll.dll] ctfmon.exe
O4 - Global Startup: Belkin PCMCIA WLAN Monitor.lnk = C:\WINNT\system32\monitorbk.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: ThinkPad Modem Copyright.lnk = C:\WINNT\MWW32\manager\mwcpyrt.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://staging.ujcfedweb.org/admin/Download/msxml4.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = thorn.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = thorn.net
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = thorn.net
O18 - Filter: text/html - {8253D547-38DD-4325-B35A-F1817EDFA5F5} - C:\Program Files\System Files\plugin.dll
O20 - Winlogon Notify: MCD - C:\WINNT\system32\dnps0177e.dll (file missing)
O20 - Winlogon Notify: Nls - C:\WINNT\system32\g2jolc131f.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\VXNlcgAA\command.exe (file missing)
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ThinkPad Modem Service (ThinkPadModemService) - IBM Corporation - C:\WINNT\MWW32\MANAGER\MWMDMSVC.EXE
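As an added example (not part of the original post, and not HijackThis code), the script below runs a few defender-side heuristics over HJT-style lines of the kind posted above: references to files that are no longer on disk, Run values named after a different file than the one they launch, duplicate Run entries, text/html MIME filters, Winlogon Notify DLLs with generated-looking names, and services with no vendor information. The sample input is built from lines of the log above; the allowlist of Notify packages is a small assumed set, not an authoritative list.

```python
"""Heuristic triage of HijackThis (HJT) log lines.

Added example for this thread; it does not clean anything, it only points
a reader at the lines worth asking a helper about.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: O4/O18/O20/O23 lines copied from the log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [ntdll.dll] ctfmon.exe
O18 - Filter: text/html - {8253D547-38DD-4325-B35A-F1817EDFA5F5} - C:\Program Files\System Files\plugin.dll
O20 - Winlogon Notify: MCD - C:\WINNT\system32\dnps0177e.dll (file missing)
O20 - Winlogon Notify: Nls - C:\WINNT\system32\g2jolc131f.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\VXNlcgAA\command.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
"""

# Winlogon Notify packages normally present on Windows 2000/XP.
# Assumed, deliberately short allowlist; extend it from a known-clean machine.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sclgntfy", "senslogn",
                "termsrv", "wlballoon", "wgalogon"}

MISSING = "(file missing)"
LINE_RE = re.compile(r"^(O\d+) - (.*)$")
RUN_RE = re.compile(r"^.*?: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")


@dataclass
class Finding:
    section: str                 # HJT section code, e.g. "O20"
    line: str                    # the log line as written
    reasons: list = field(default_factory=list)


def looks_random(stem: str, min_switches: int = 2) -> bool:
    """True when letters and digits alternate at least `min_switches` times,
    e.g. 'g2jolc131f' (4 switches) or 'dnps0177e' (2), but not 'avgcc' (0)
    or 'msxml4' (1). Crude, but it separates generated names from product ones."""
    runs = re.findall(r"[a-z]+|[0-9]+", stem.lower())
    return len(runs) - 1 >= min_switches


def _basename(path: str) -> str:
    return path.replace(MISSING, "").strip().rstrip("\\").split("\\")[-1]


def _command_exe(cmd: str) -> str:
    """Return the program a Run command launches, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return _basename(cmd[1:end] if end > 0 else cmd[1:])
    return _basename(cmd.split(" ")[0])


def triage(log_text: str) -> list:
    """Return a Finding for every line that trips at least one heuristic."""
    findings = []
    seen_run = {}                # executable -> first Run value name
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue             # header, process list, blank lines
        section, body = m.groups()
        reasons = []
        if MISSING in body:
            reasons.append("entry refers to a file that is no longer on disk")
        if section == "O4" and (rm := RUN_RE.match(body)):
            name, exe = rm.group("name"), _command_exe(rm.group("cmd"))
            if name.lower().endswith((".exe", ".dll")) and name.lower() != exe.lower():
                reasons.append(f"Run value is named {name} but launches {exe}")
            if exe.lower() in seen_run:
                reasons.append(f"second Run entry for {exe} "
                               f"(first was [{seen_run[exe.lower()]}])")
            else:
                seen_run[exe.lower()] = name
        elif section == "O18" and body.startswith("Filter:"):
            reasons.append("MIME filter sits in the path of every page of that type")
        elif section == "O20":
            stem = _basename(body.split(" - ", 1)[-1]).rsplit(".", 1)[0]
            if stem.lower() not in KNOWN_NOTIFY and looks_random(stem):
                reasons.append(f"Winlogon Notify DLL with generated-looking name {stem}")
        elif section == "O23" and "Unknown owner" in body:
            reasons.append("service binary carries no vendor information")
        if reasons:
            findings.append(Finding(section, raw.strip(), reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("   ->", r)
```

Run against the sample, it flags five of the eight lines and leaves the two AVG entries and the first ctfmon.exe entry alone.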
 

#2 · TSF Security Team, Emeritus
Download, install & launch - Webroot SpySweeper (Trial) (8.3 MB)

When SpySweeper starts, please accept any prompts to update definitions.

Then configure it as follows:
  • From the left pane, click Options
  • Select the Sweep Options tab & ensure the following are ticked:
    • Sweep Memory
    • Sweep Registry
    • Sweep Cookies
    • Sweep All Users accounts
    • Do Not Sweep System Restore Folder
    • Enable Direct Disk Sweeping
    • Sweep For Rootkits
  • After that's done, select Sweep from the left pane & click on the Start button
  • Allow SpySweeper to reboot your machine to remove the infected files.
After rebooting, launch SpySweeper & select Results from the left pane
Click the 'Session Log' tab & choose Save to File to create a log.

Post that in your next reply along with a new HJT log.

IMPORTANT
  • Disconnect your computer from the internet before you begin scanning.
  • Close all unnecessary programs before starting.
  • Do not use your computer as you scan.
 

Discussion Starter · #3 · Registered
OK, some weird stuff went down. I did what you said, and Spy Sweeper found a whole bunch of stuff. On reboot: blue screen of death. I unfortunately don't have the error, as someone else was with the machine, but I think it was with the file i80nwrdr.sys. I went into safe mode and restarted; on restart a whole bunch of missing files flashed in a command window and then Windows started up. But maybe this actually fixed things. Here are the Spy Sweeper session log and the new HijackThis log. Thanks for the help.

Spy Sweeper session log (the log file was too large to paste the whole thing; two lines repeated many, many times):

The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com


********
9:06 AM: | Start of Session, Monday, October 24, 2005 |
9:06 AM: Spy Sweeper started
9:06 AM: Sweep initiated using definitions version 560
9:07 AM: Starting Memory Sweep
9:08 AM: Found Adware: icannnews
9:08 AM: Detected running threat: C:\WINNT\system32\gp0ol3d31.dll (ID = 83)
9:14 AM: Detected running threat: C:\WINNT\system32\TRPI32.DLL (ID = 83)
9:16 AM: Found Adware: cas
9:16 AM: Detected running threat: C:\Program Files\System Files\plugin.dll (ID = 161775)
9:20 AM: Memory Sweep Complete, Elapsed Time: 00:13:25
9:20 AM: Starting Registry Sweep
9:20 AM: Found Adware: azsearch toolbar
9:20 AM: HKCR\azentretien.loader\ (5 subtraces) (ID = 103886)
9:20 AM: HKCR\clsid\{0d2def3a-f4f1-42ec-ac4f-132e7ba6e292}\ (11 subtraces) (ID = 103887)
9:20 AM: HKLM\software\azentretienco\ (3 subtraces) (ID = 103905)
9:20 AM: HKLM\software\classes\azentretien.loader.1\ (3 subtraces) (ID = 103909)
9:20 AM: HKLM\software\classes\azentretien.loader\ (5 subtraces) (ID = 103910)
9:20 AM: HKLM\software\classes\clsid\{0d2def3a-f4f1-42ec-ac4f-132e7ba6e292}\ (11 subtraces) (ID = 103911)
9:21 AM: Found Adware: cws-aboutblank
9:21 AM: HKCR\protocols\filter\text/html\ (2 subtraces) (ID = 114343)
9:21 AM: HKLM\software\classes\protocols\filter\text/html\ (2 subtraces) (ID = 115907)
9:22 AM: Found Adware: screensavers
9:22 AM: HKCR\clsid\{722d2939-a14a-41a9-9eac-ab8f4e295819}\ (14 subtraces) (ID = 140550)
9:22 AM: HKCR\clsid\{88d758a3-d33b-45fd-91e3-67749b4057fa}\ (14 subtraces) (ID = 140551)
9:22 AM: HKCR\interface\{760aca60-79c3-4875-9d19-b14a5b3fea77}\ (8 subtraces) (ID = 140552)
9:22 AM: HKCR\interface\{883ea659-ed80-46f9-9ed2-83327f67789f}\ (8 subtraces) (ID = 140553)
9:22 AM: HKCR\interface\{b64c73d7-459e-4816-91f9-1348f8e36984}\ (8 subtraces) (ID = 140554)
9:22 AM: HKLM\software\classes\clsid\{722d2939-a14a-41a9-9eac-ab8f4e295819}\ (14 subtraces) (ID = 140555)
9:22 AM: HKLM\software\classes\clsid\{88d758a3-d33b-45fd-91e3-67749b4057fa}\ (14 subtraces) (ID = 140556)
9:22 AM: HKLM\software\classes\interface\{760aca60-79c3-4875-9d19-b14a5b3fea77}\ (8 subtraces) (ID = 140557)
9:22 AM: HKLM\software\classes\interface\{883ea659-ed80-46f9-9ed2-83327f67789f}\ (8 subtraces) (ID = 140558)
9:22 AM: HKLM\software\classes\interface\{b64c73d7-459e-4816-91f9-1348f8e36984}\ (8 subtraces) (ID = 140559)
9:22 AM: HKLM\software\classes\screensaversinstaller.installer.1\ (3 subtraces) (ID = 140560)
9:22 AM: HKLM\software\classes\screensaversinstaller.installer\ (5 subtraces) (ID = 140561)
9:22 AM: HKLM\software\classes\screensaversinstaller.sinstaller.1\ (3 subtraces) (ID = 140562)
9:22 AM: HKLM\software\classes\screensaversinstaller.sinstaller.1\clsid\ (1 subtraces) (ID = 140563)
9:22 AM: HKLM\software\classes\screensaversinstaller.sinstaller\ (5 subtraces) (ID = 140564)
9:22 AM: HKLM\software\classes\typelib\{0ab5b0d8-2b74-4c1c-8fa4-e52550b8b45b}\ (9 subtraces) (ID = 140565)
9:22 AM: HKLM\software\microsoft\windows\currentversion\uninstall\screensaversinstaller\ (2 subtraces) (ID = 140568)
9:22 AM: HKLM\software\screensavers.com\ (14 subtraces) (ID = 140569)
9:22 AM: HKCR\screensaversinstaller.installer.1\ (3 subtraces) (ID = 140570)
9:22 AM: HKCR\screensaversinstaller.installer\ (5 subtraces) (ID = 140571)
9:22 AM: HKCR\screensaversinstaller.sinstaller.1\ (3 subtraces) (ID = 140572)
9:22 AM: HKCR\screensaversinstaller.sinstaller.1\clsid\ (1 subtraces) (ID = 140573)
9:22 AM: HKCR\screensaversinstaller.sinstaller\ (5 subtraces) (ID = 140574)
9:22 AM: HKCR\typelib\{0ab5b0d8-2b74-4c1c-8fa4-e52550b8b45b}\ (9 subtraces) (ID = 140575)
9:22 AM: Found Adware: websearch toolbar
9:22 AM: HKLM\system\currentcontrolset\enum\root\legacy_wintoolssvc\ (8 subtraces) (ID = 146518)
9:22 AM: Found Adware: visfx
9:22 AM: HKLM\system\currentcontrolset\services\windows overlay components\ (12 subtraces) (ID = 712954)
9:22 AM: Found Adware: clkoptimizer
9:22 AM: HKLM\software\qstat\ (5 subtraces) (ID = 769771)
9:22 AM: HKCR\clsid\{8253d547-38dd-4325-b35a-f1817edfa5f5}\ (4 subtraces) (ID = 862263)
9:22 AM: HKLM\software\classes\clsid\{8253d547-38dd-4325-b35a-f1817edfa5f5}\ (4 subtraces) (ID = 862304)
9:22 AM: HKLM\software\qstat\ || brr (ID = 877670)
9:22 AM: Found Adware: quicklink search toolbar
9:22 AM: HKCR\qlink.qlfilter\ (3 subtraces) (ID = 890588)
9:22 AM: HKCR\qlink.qlfilter.1\ (3 subtraces) (ID = 890592)
9:22 AM: HKCR\qlink.qlhelper\ (3 subtraces) (ID = 890596)
9:22 AM: HKCR\qlink.qlhelper.1\ (3 subtraces) (ID = 890600)
9:22 AM: HKCR\clsid\{aa3c0ffe-758e-4c41-b1b9-2d711915a938}\ (8 subtraces) (ID = 890604)
9:22 AM: HKCR\clsid\{e225ab73-4d7e-45f7-9425-47d2f7c7a8ab}\ (10 subtraces) (ID = 890613)
9:22 AM: HKCR\typelib\{090712ed-1622-4227-94d3-f573a9c2577f}\ (9 subtraces) (ID = 890624)
9:22 AM: HKLM\software\classes\qlink.qlfilter\ (3 subtraces) (ID = 890661)
9:22 AM: HKLM\software\classes\qlink.qlfilter.1\ (3 subtraces) (ID = 890665)
9:22 AM: HKLM\software\classes\qlink.qlhelper\ (3 subtraces) (ID = 890669)
9:22 AM: HKLM\software\classes\qlink.qlhelper.1\ (3 subtraces) (ID = 890673)
9:22 AM: HKLM\software\classes\clsid\{aa3c0ffe-758e-4c41-b1b9-2d711915a938}\ (8 subtraces) (ID = 890677)
9:22 AM: HKLM\software\classes\clsid\{e225ab73-4d7e-45f7-9425-47d2f7c7a8ab}\ (10 subtraces) (ID = 890686)
9:22 AM: Found Adware: instant access
9:22 AM: HKLM\software\classes\clsid\{e225ab73-4d7e-45f7-9425-47d2f7c7a8ab}\progid\ (1 subtraces) (ID = 890691)
9:22 AM: HKLM\software\classes\typelib\{090712ed-1622-4227-94d3-f573a9c2577f}\ (9 subtraces) (ID = 890697)
9:22 AM: HKLM\software\microsoft\windows\currentversion\uninstall\quicklinks\ (2 subtraces) (ID = 909558)
9:22 AM: HKLM\software\microsoft\windows\currentversion\explorer\browser qlhelper objects\{aa3c0ffe-758e-4c41-b1b9-2d711915a938}\ (ID = 909564)
9:22 AM: Found Adware: targetsaver
9:22 AM: HKU\S-1-5-21-839522115-1580818891-1343024091-1000\software\tsl2\ (1 subtraces) (ID = 143616)
9:23 AM: HKU\S-1-5-21-839522115-1580818891-1343024091-1000\software\cmsystem\ (8 subtraces) (ID = 820421)
9:23 AM: Found Trojan Horse: trojan-downloader-pacisoft
9:23 AM: HKU\S-1-5-21-839522115-1580818891-1343024091-1000\software\apd123\ (11 subtraces) (ID = 861435)
9:23 AM: HKU\S-1-5-21-839522115-1580818891-1343024091-1000\software\cas2\ (8 subtraces) (ID = 862278)
9:23 AM: Registry Sweep Complete, Elapsed Time:00:02:36
9:23 AM: Starting Cookie Sweep
9:23 AM: Found Spy Cookie: websponsors cookie
9:23 AM: [email protected][2].txt (ID = 3665)
9:23 AM: Found Spy Cookie: yieldmanager cookie
9:23 AM: [email protected][1].txt (ID = 3751)
9:23 AM: Found Spy Cookie: adecn cookie
9:23 AM: [email protected][2].txt (ID = 2063)
9:23 AM: Found Spy Cookie: hbmediapro cookie
9:23 AM: [email protected][2].txt (ID = 2768)
9:23 AM: Found Spy Cookie: adprofile cookie
9:23 AM: [email protected][2].txt (ID = 2084)
9:23 AM: Found Spy Cookie: ask cookie
9:23 AM: [email protected][1].txt (ID = 2245)
9:23 AM: Found Spy Cookie: belnk cookie
9:23 AM: [email protected][2].txt (ID = 2293)
9:23 AM: Found Spy Cookie: atwola cookie
9:23 AM: [email protected][1].txt (ID = 2255)
9:23 AM: Found Spy Cookie: azjmp cookie
9:23 AM: [email protected][2].txt (ID = 2270)
9:23 AM: [email protected][1].txt (ID = 2292)
9:23 AM: Found Spy Cookie: enhance cookie
9:23 AM: [email protected][1].txt (ID = 2614)
9:23 AM: [email protected][2].txt (ID = 2293)
9:23 AM: Found Spy Cookie: 2o7.net cookie
9:23 AM: us[email protected][2].txt (ID = 1958)
9:23 AM: Found Spy Cookie: exitexchange cookie
9:23 AM: [email protected][2].txt (ID = 2633)
9:23 AM: Found Spy Cookie: starware.com cookie
9:23 AM: [email protected][2].txt (ID = 3442)
9:23 AM: Found Spy Cookie: hypertracker.com cookie
9:23 AM: [email protected][1].txt (ID = 2817)
9:23 AM: Found Spy Cookie: top-banners cookie
9:23 AM: [email protected][1].txt (ID = 3548)
9:23 AM: Found Spy Cookie: partypoker cookie
9:23 AM: [email protected][2].txt (ID = 3111)
9:23 AM: Found Spy Cookie: paypopup cookie
9:23 AM: [email protected][1].txt (ID = 3119)
9:23 AM: Found Spy Cookie: rn11 cookie
9:23 AM: [email protected][2].txt (ID = 3261)
9:23 AM: Found Spy Cookie: tribalfusion cookie
9:23 AM: [email protected][2].txt (ID = 3589)
9:23 AM: Found Spy Cookie: burstnet cookie
9:23 AM: [email protected][1].txt (ID = 2337)
9:23 AM: [email protected][1].txt (ID = 3442)
9:23 AM: Cookie Sweep Complete, Elapsed Time: 00:00:09
9:23 AM: Starting File Sweep
9:23 AM: Found Adware: elitebar
9:23 AM: c:\winnt\etb (1 subtraces) (ID = -2147476235)
9:23 AM: c:\program files\quicklinks (2 subtraces) (ID = -2147468660)
9:24 AM: plugin.dll (ID = 161775)
9:24 AM: Found Adware: apropos
9:24 AM: wingenerics.dll (ID = 50187)
9:24 AM: pf78.exe (ID = 156523)
9:28 AM: azesearch.bmp (ID = 50322)
9:28 AM: ptf_0026.exe (ID = 165955)
9:28 AM: pcs_0026.exe (ID = 161706)
9:29 AM: uninst.exe (ID = 73428)
9:29 AM: Found Trojan Horse: trojan-downloader-psyme
9:29 AM: track26[1].chm (ID = 111347)
9:30 AM: qllib.dll (ID = 168233)
9:31 AM: system.#xe (ID = 161776)
9:34 AM: Found Adware: surfsidekick
9:34 AM: repairs302972949.dll (ID = 163735)
9:35 AM: qlutility.exe (ID = 168232)
9:35 AM: Found Trojan Horse: trojan-downloader-mainstreamdollars
9:35 AM: btnetw3-995329.exe (ID = 155333)
9:36 AM: Found Adware: virtualbouncer
9:36 AM: vb2.exe (ID = 164842)
9:37 AM: backup-20051013-163026-187.inf (ID = 50329)
9:37 AM: Found System Monitor: potentially rootkit-masked files
9:38 AM: data.bin (ID = 0)
9:38 AM: vgaueng1.exe (ID = 0)
9:38 AM: index (ID = 0)
9:39 AM: dns (ID = 0)
9:39 AM: ace.dll (ID = 0)
9:39 AM: vsdqlwid.exe (ID = 0)
9:39 AM: 00000902_43594fdf_0009447e (ID = 0)
9:39 AM: 00004402_4359557e_000bb330 (ID = 0)
9:39 AM: redsprop.exe (ID = 0)
9:40 AM: i80nwrdr.sys (ID = 0)
9:40 AM: ai_24-10-2005.log (ID = 0)
9:40 AM: ai_21-10-2005.log (ID = 0)
9:41 AM: ai_23-10-2005.log (ID = 0)
9:41 AM: File Sweep Complete, Elapsed Time: 00:18:24
9:41 AM: Full Sweep has completed. Elapsed time 00:35:00
9:41 AM: Traces Found: 746
10:25 AM: Removal process initiated
10:26 AM: Quarantining All Traces: potentially rootkit-masked files
10:46 AM: potentially rootkit-masked files is in use. It will be removed on reboot.
10:46 AM: 000012db_43591395_0007d8ae is in use. It will be removed on reboot.
10:46 AM: 00000bb3_43590c73_0008214e is in use. It will be removed on reboot.
10:46 AM: 00000bb3_435cdae3_00000d33 is in use. It will be removed on reboot.
10:46 AM: 00001e1f_435915f5_000353c9 is in use. It will be removed on reboot.
10:46 AM: 00007e87_43590ce2_000e3c88 is in use. It will be removed on reboot.
10:46 AM: 00004d06_43590e5f_0008659c is in use. It will be removed on reboot.
10:46 AM: data.bin is in use. It will be removed on reboot.
10:46 AM: vgaueng1.exe is in use. It will be removed on reboot.
10:46 AM: 00006784_435c5974_00038d3e is in use. It will be removed on reboot.
10:46 AM: 00000ecc_43595951_0003b824 is in use. It will be removed on reboot.
10:46 AM: 00007a5a_43591589_000402a9 is in use. It will be removed on reboot.
10:46 AM: 0000260d_43591cce_000b48a9 is in use. It will be removed on reboot.
10:46 AM: 0000261e_4359526f_0001d483 is in use. It will be removed on reboot.
10:46 AM: 0000759a_43591ee7_000bc680 is in use. It will be removed on reboot.
10:46 AM: 0000767d_435915a2_000419ee is in use. It will be removed on reboot.
10:46 AM: 00002cd6_435c5c9c_000badc3 is in use. It will be removed on reboot.
10:46 AM: 00002ea6_43591391_000e5449 is in use. It will be removed on reboot.
10:46 AM: 000018d7_43595581_000a63fe is in use. It will be removed on reboot.
10:46 AM: 00006be8_43595582_000a699e is in use. It will be removed on reboot.
10:46 AM: 000012db_43590c7b_000911e6 is in use. It will be removed on reboot.
10:46 AM: 00003a9e_435920d4_00026ff3 is in use. It will be removed on reboot.
10:46 AM: 00004d06_435c61fd_00073f6e is in use. It will be removed on reboot.
10:46 AM: 00004509_435c647b_000a91de is in use. It will be removed on reboot.
10:46 AM: 00004b40_435c6cdb_0002f95b is in use. It will be removed on reboot.
10:46 AM: 000066bb_435c6376_000cc7eb is in use. It will be removed on reboot.
10:46 AM: 00001238_435c6488_00081adb is in use. It will be removed on reboot.
10:46 AM: 00003d6c_435c597f_000ea48c is in use. It will be removed on reboot.
10:46 AM: 0000542c_435955f5_000b1b11 is in use. It will be removed on reboot.
10:46 AM: 00002ea6_435c5dc8_000239cb is in use. It will be removed on reboot.
10:46 AM: 000054de_435c6212_000d35d4 is in use. It will be removed on reboot.
10:46 AM: 0000390c_43590cf2_0002ab44 is in use. It will be removed on reboot.
10:46 AM: 00006032_43594ecc_0009cbb9 is in use. It will be removed on reboot.
10:46 AM: 000026e9_435c5d9a_000b9b1e is in use. It will be removed on reboot.
10:46 AM: 00006784_435cd5af_00041896 is in use. It will be removed on reboot.
10:46 AM: 00000f3e_43590d38_000f3591 is in use. It will be removed on reboot.
10:46 AM: 00005af1_435c54fd_000ca0e4 is in use. It will be removed on reboot.
10:46 AM: 000041bb_435c5d98_00060f98 is in use. It will be removed on reboot.
10:46 AM: 00004e45_435c6598_00044d41 is in use. It will be removed on reboot.
10:46 AM: 00006d22_43595919_0004c7ec is in use. It will be removed on reboot.
10:46 AM: 000015a1_43594ee2_00084aee is in use. It will be removed on reboot.
10:46 AM: 00002ea6_435cdaeb_000daca6 is in use. It will be removed on reboot.
10:46 AM: 000072ae_435c5cad_00026ce8 is in use. It will be removed on reboot.
10:46 AM: 00001649_435cd60b_0008b71b is in use. It will be removed on reboot.
10:46 AM: 00002213_435c66b3_0003568c is in use. It will be removed on reboot.
10:46 AM: 00001916_43595288_00023a04 is in use. It will be removed on reboot.
10:46 AM: 00000124_43590d4a_000b7a9c is in use. It will be removed on reboot.
10:46 AM: 00004509_435915a2_000a5dcc is in use. It will be removed on reboot.
10:46 AM: 00001ad4_43591639_000aa0cc is in use. It will be removed on reboot.
10:46 AM: 00006b89_43591dc7_000992b4 is in use. It will be removed on reboot.
10:46 AM: 00005f32_435920b8_000ef6a9 is in use. It will be removed on reboot.
10:46 AM: 00004db7_43591488_0009d2f1 is in use. It will be removed on reboot.
10:46 AM: 00004823_435cd5a2_000c853b is in use. It will be removed on reboot.
10:46 AM: 00003ef6_43594ee8_0002c549 is in use. It will be removed on reboot.
10:46 AM: 00000822_43594ee8_000b7b0e is in use. It will be removed on reboot.
10:46 AM: index is in use. It will be removed on reboot.
10:46 AM: 000039b3_435c6332_0003f3b8 is in use. It will be removed on reboot.
10:46 AM: 0000390c_435c5dcf_00056f8b is in use. It will be removed on reboot.
10:46 AM: 00004db7_435c6209_00027803 is in use. It will be removed on reboot.
10:46 AM: 00005878_435c6ce4_000b1e28 is in use. It will be removed on reboot.
10:46 AM: 000001eb_435c5da3_00067496 is in use. It will be removed on reboot.
10:46 AM: 00002cd6_435c54b5_0006c491 is in use. It will be removed on reboot.
10:46 AM: 00002d12_435c6332_0009e959 is in use. It will be removed on reboot.
10:46 AM: 00002f14_43595130_000debfb is in use. It will be removed on reboot.
10:46 AM: 00007e87_435913bc_0001ac98 is in use. It will be removed on reboot.
10:46 AM: 00000fc9_4359562c_0008575b is in use. It will be removed on reboot.
10:46 AM: 00006bcb_435955f6_000d9298 is in use. It will be removed on reboot.
10:46 AM: 00002e40_43592140_000e970c is in use. It will be removed on reboot.
10:46 AM: 0000153c_435cdbc4_0004fed3 is in use. It will be removed on reboot.
10:46 AM: 00005991_43594eea_00020cf1 is in use. It will be removed on reboot.
10:46 AM: 00000e12_43595631_0000a86c is in use. It will be removed on reboot.
10:46 AM: 00000f3e_435913f1_00048506 is in use. It will be removed on reboot.
10:46 AM: 00004ae1_435c5978_000e07d1 is in use. It will be removed on reboot.
10:46 AM: 00005db2_435950c5_000f3cf4 is in use. It will be removed on reboot.
10:46 AM: 000033ea_435950c6_00075068 is in use. It will be removed on reboot.
10:46 AM: 0000409d_43594f0a_00088f74 is in use. It will be removed on reboot.
10:46 AM: 00006784_43591190_0001121e is in use. It will be removed on reboot.
10:46 AM: 00000d66_4359516b_000745ae is in use. It will be removed on reboot.
10:46 AM: 00007ff5_435c6596_000aacfe is in use. It will be removed on reboot.
10:46 AM: 00000124_435c5e87_00046fa0 is in use. It will be removed on reboot.
10:46 AM: 0000323b_435c66a5_0004dd39 is in use. It will be removed on reboot.
10:46 AM: 000018be_435cd5ad_00067f3c is in use. It will be removed on reboot.
10:46 AM: 000013e9_435950c4_000596d9 is in use. It will be removed on reboot.
10:46 AM: 000073da_43594fd5_000f28fe is in use. It will be removed on reboot.
10:46 AM: 00003cd5_435950c3_0004f4c0 is in use. It will be removed on reboot.
10:46 AM: 00002b0c_435957ae_00050e76 is in use. It will be removed on reboot.
10:46 AM: 00001af4_4359594a_00003428 is in use. It will be removed on reboot.
10:46 AM: dns is in use. It will be removed on reboot.
10:46 AM: 0000390c_435cdbf4_000c50b1 is in use. It will be removed on reboot.
10:46 AM: 00006bfc_435c6556_00008f39 is in use. It will be removed on reboot.
10:46 AM: 00007f96_435c6595_000798fe is in use. It will be removed on reboot.
10:46 AM: 00001ad4_435c6539_0001c186 is in use. It will be removed on reboot.
10:46 AM: 00002350_435c6c67_000ef123 is in use. It will be removed on reboot.
10:46 AM: 0000759a_435c6c16_00025014 is in use. It will be removed on reboot.
10:46 AM: 00004080_435950c4_0007ba83 is in use. It will be removed on reboot.
10:46 AM: 00000029_43590bdd_00091ce1 is in use. It will be removed on reboot.
10:46 AM: 000016c5_435950ba_000585b8 is in use. It will be removed on reboot.
10:46 AM: 0000798b_43594fcd_00027441 is in use. It will be removed on reboot.
10:46 AM: 0000305e_43590d69_0008a541 is in use. It will be removed on reboot.
10:46 AM: 0000305e_43591453_00076fde is in use. It will be removed on reboot.
10:46 AM: 00003e12_435c6fbc_000f0ac6 is in use. It will be removed on reboot.
10:46 AM: 00003d6c_435911b2_000618b1 is in use. It will be removed on reboot.
10:46 AM: 000018be_43591188_000096e1 is in use. It will be removed on reboot.
10:46 AM: 000063cb_43591643_0006dff6 is in use. It will be removed on reboot.
10:46 AM: 00002213_43591ccd_00012d33 is in use. It will be removed on reboot.
10:46 AM: 00001649_435912a3_00019cb8 is in use. It will be removed on reboot.
10:46 AM: 0000440d_43590d6a_0006d574 is in use. It will be removed on reboot.
10:46 AM: 00004823_43591174_0009c6dc is in use. It will be removed on reboot.
10:46 AM: 0000390c_435913dc_00074464 is in use. It will be removed on reboot.
10:46 AM: 00007e87_435cdbf3_0000ae0b is in use. It will be removed on reboot.
10:46 AM: 00000ddc_435920ef_00029278 is in use. It will be removed on reboot.
10:46 AM: 00006952_435cd608_000437c9 is in use. It will be removed on reboot.
10:46 AM: 00005d03_435c6438_000bd921 is in use. It will be removed on reboot.
10:46 AM: 00004ae1_43591196_00063ec9 is in use. It will be removed on reboot.
10:46 AM: 00004823_435c596b_0007f02e is in use. It will be removed on reboot.
10:46 AM: 00005f90_4359128b_000f24a4 is in use. It will be removed on reboot.
10:46 AM: 00005f90_435cd609_000e0503 is in use. It will be removed on reboot.
10:46 AM: 00001547_4359149d_00089ac3 is in use. It will be removed on reboot.
10:46 AM: ace.dll is in use. It will be removed on reboot.
10:46 AM: vsdqlwid.exe is in use. It will be removed on reboot.
10:46 AM: 00000902_43594fdf_0009447e is in use. It will be removed on reboot.
10:46 AM: 00004402_4359557e_000bb330 is in use. It will be removed on reboot.
10:46 AM: redsprop.exe is in use. It will be removed on reboot.
10:46 AM: 0000366b_4359218f_0009c151 is in use. It will be removed on reboot.
10:46 AM: 000018be_43590c01_000ccea3 is in use. It will be removed on reboot.
10:46 AM: 0000428b_43591563_0004b419 is in use. It will be removed on reboot.
10:46 AM: 00004230_43594ebb_000a7dee is in use. It will be removed on reboot.
10:46 AM: 00004dc8_43591503_000a6328 is in use. It will be removed on reboot.
10:46 AM: 00007bb9_43594fe7_0005c6a4 is in use. It will be removed on reboot.
10:46 AM: 00007f96_43591c05_00088c58 is in use. It will be removed on reboot.
10:46 AM: 000054de_4359149d_000e4228 is in use. It will be removed on reboot.
10:46 AM: 00004ae1_435c5444_00089044 is in use. It will be removed on reboot.
10:46 AM: 00006899_435950bd_00091a53 is in use. It will be removed on reboot.
10:46 AM: 00000384_43595484_0008317b is in use. It will be removed on reboot.
10:46 AM: 000022cd_4359524c_000a8900 is in use. It will be removed on reboot.
10:46 AM: 000071f0_4359538d_000ba0fe is in use. It will be removed on reboot.
10:46 AM: 00002833_4359563d_000dc1e6 is in use. It will be removed on reboot.
10:46 AM: 00006b36_435c6f8d_0008d05c is in use. It will be removed on reboot.
10:46 AM: 00003b25_435c649a_000b403e is in use. It will be removed on reboot.
10:46 AM: 00000bdb_43591e28_000a7b61 is in use. It will be removed on reboot.
10:46 AM: 00006c69_435951c2_0007cefc is in use. It will be removed on reboot.
10:46 AM: 0000288f_435951c2_000d9d80 is in use. It will be removed on reboot.
10:46 AM: 0000767d_435c646d_000622e9 is in use. It will be removed on reboot.
10:46 AM: 000056ae_435c6b31_00067314 is in use. It will be removed on reboot.
10:46 AM: 0000030a_435c66d7_0005cf5b is in use. It will be removed on reboot.
10:46 AM: 00001a49_435c6fcb_0001291b is in use. It will be removed on reboot.
10:46 AM: 000072ae_435cd606_000cbb30 is in use. It will be removed on reboot.
10:46 AM: 0000139d_43594fee_000cf57b is in use. It will be removed on reboot.
10:46 AM: 00000029_435c5958_0009d016 is in use. It will be removed on reboot.
10:46 AM: 00003d6c_435c547f_00065869 is in use. It will be removed on reboot.
10:46 AM: 00004db7_43590f9d_0002b381 is in use. It will be removed on reboot.
10:46 AM: 00005dd5_435957b0_00058f11 is in use. It will be removed on reboot.
10:46 AM: 00006952_435c5ce6_000e38b9 is in use. It will be removed on reboot.
10:46 AM: 00005c67_43595102_000f3403 is in use. It will be removed on reboot.
10:46 AM: 0000692c_43594ff4_000d3e59 is in use. It will be removed on reboot.
10:46 AM: 0000491c_435c61fa_000e3604 is in use. It will be removed on reboot.
10:46 AM: 00001238_435915a8_0008aa20 is in use. It will be removed on reboot.
10:46 AM: 00004a80_43594ff9_000ae893 is in use. It will be removed on reboot.
10:46 AM: 0000797d_435920db_00090250 is in use. It will be removed on reboot.
10:46 AM: 00004cad_435920f0_000bc338 is in use. It will be removed on reboot.
10:46 AM: 00000732_43591eda_000ed9fc is in use. It will be removed on reboot.
10:46 AM: 00007eb7_43594ec3_000de06c is in use. It will be removed on reboot.
10:46 AM: 0000422d_43595169_000936f9 is in use. It will be removed on reboot.
10:46 AM: 00006ad6_43595147_000b5efb is in use. It will be removed on reboot.
10:46 AM: 00006172_43595294_000c935b is in use. It will be removed on reboot.
10:46 AM: 00004df2_4359212a_000e90a8 is in use. It will be removed on reboot.
10:46 AM: 00004cd4_435957fa_0002e7fe is in use. It will be removed on reboot.
10:46 AM: 00006443_435c635b_00035328 is in use. It will be removed on reboot.
10:46 AM: 00005772_43594fe9_0005d1e4 is in use. It will be removed on reboot.
10:46 AM: 000022ee_435c6c79_000987e0 is in use. It will be removed on reboot.
10:46 AM: 0000074d_435c6348_000139f9 is in use. It will be removed on reboot.
10:46 AM: 000060bf_435950e5_000c9458 is in use. It will be removed on reboot.
10:46 AM: 000023c9_435950c7_00038410 is in use. It will be removed on reboot.
10:46 AM: 000063cb_435c6555_000bff81 is in use. It will be removed on reboot.
10:46 AM: 00000029_4359113c_000c36b6 is in use. It will be removed on reboot.
10:46 AM: 00006e5d_43591634_000f415b is in use. It will be removed on reboot.
10:46 AM: 00006732_43595913_000ee321 is in use. It will be removed on reboot.
10:46 AM: 00003cd6_43595103_000ca09e is in use. It will be removed on reboot.
10:46 AM: 00005f32_435c6fdf_0004a7fb is in use. It will be removed on reboot.
10:46 AM: 0000368e_4359516b_00034c98 is in use. It will be removed on reboot.
10:46 AM: 00005f1e_43595636_0006ba2e is in use. It will be removed on reboot.
10:46 AM: 00005e9d_43595286_000e6844 is in use. It will be removed on reboot.
10:46 AM: i80nwrdr.sys is in use. It will be removed on reboot.
10:46 AM: 000075ef_43595178_0007dd0b is in use. It will be removed on reboot.
10:46 AM: 00006784_43590c2a_0004b141 is in use. It will be removed on reboot.
10:46 AM: 00004ae1_43590c33_000ad983 is in use. It will be removed on reboot.
10:46 AM: 00005f90_435c5cec_000ef6f3 is in use. It will be removed on reboot.
10:46 AM: 000032e6_43595295_000d0e56 is in use. It will be removed on reboot.
10:46 AM: 00004823_43590be9_000f2ee4 is in use. It will be removed on reboot.
10:46 AM: 00002350_43591ee8_000279e1 is in use. It will be removed on reboot.
10:46 AM: 00003d6c_43590c35_0000f60b is in use. It will be removed on reboot.
10:46 AM: 00002cd6_43590c37_000856fe is in use. It will be removed on reboot.
10:46 AM: 000001eb_43590c65_000587c6 is in use. It will be removed on reboot.
10:46 AM: 00006952_43590c42_000d518c is in use. It will be removed on reboot.
10:46 AM: 00000099_435c5e7e_0006aee6 is in use. It will be removed on reboot.
10:46 AM: 00002cd6_435911eb_000311fe is in use. It will be removed on reboot.
10:46 AM: 00006952_43591286_000a9a13 is in use. It will be removed on reboot.
10:46 AM: 00006df1_435912c4_0002cbb3 is in use. It will be removed on reboot.
10:46 AM: 00001649_43590c4d_000527e4 is in use. It will be removed on reboot.
10:46 AM: 00007f4f_43595484_000b18bc is in use. It will be removed on reboot.
10:46 AM: 00006df1_43590c50_000ed940 is in use. It will be removed on reboot.
10:46 AM: 0000260d_435c66bd_00095d50 is in use. It will be removed on reboot.
10:46 AM: 000022ee_43591ee8_00056123 is in use. It will be removed on reboot.
10:46 AM: 00004b40_43591f0f_0000e35b is in use. It will be removed on reboot.
10:46 AM: 00005af1_43590c61_0002ff60 is in use. It will be removed on reboot.
10:46 AM: 00005878_43591f0f_0006d8fc is in use. It will be removed on reboot.
10:46 AM: 0000153c_43590c80_000adc54 is in use. It will be removed on reboot.
10:46 AM: 00000bdb_435c6b1a_000caaee is in use. It will be removed on reboot.
10:46 AM: 00006b36_43591f10_0002702b is in use. It will be removed on reboot.
10:46 AM: ai_24-10-2005.log is in use. It will be removed on reboot.
10:46 AM: ai_21-10-2005.log is in use. It will be removed on reboot.
10:46 AM: 000072ae_43590c38_0007c024 is in use. It will be removed on reboot.
10:46 AM: 00005f90_43590c4b_000cc094 is in use. It will be removed on reboot.
10:46 AM: 000026e9_43590c63_000e324b is in use. It will be removed on reboot.
10:46 AM: 00002ea6_43590c79_0003fbbb is in use. It will be removed on reboot.
10:46 AM: 0000491c_43590e5e_000e2e80 is in use. It will be removed on reboot.
10:46 AM: 00001547_43590fa3_00060ac0 is in use. It will be removed on reboot.
10:46 AM: 0000301c_435c6a58_000eab8c is in use. It will be removed on reboot.
10:46 AM: 00007ff5_43591c0f_000f2f94 is in use. It will be removed on reboot.
10:46 AM: 0000323b_43591ccc_000ec124 is in use. It will be removed on reboot.
10:46 AM: 0000030a_43591dd6_0001cdc9 is in use. It will be removed on reboot.
10:46 AM: 0000301c_43591dd6_00043fb0 is in use. It will be removed on reboot.
10:46 AM: 0000249e_435956e9_0009701b is in use. It will be removed on reboot.
10:46 AM: 00001cd0_43592168_000ae27c is in use. It will be removed on reboot.
10:46 AM: 00005422_43594ee8_0000c8be is in use. It will be removed on reboot.
10:46 AM: 00004823_435c5404_000812fb is in use. It will be removed on reboot.
10:46 AM: 00003699_43594fdc_00053a88 is in use. It will be removed on reboot.
10:46 AM: 0000187e_435950ba_0003d769 is in use. It will be removed on reboot.
10:46 AM: 000048cc_435950c7_00064433 is in use. It will be removed on reboot.
10:46 AM: 00000fbf_43595108_000cbcbe is in use. It will be removed on reboot.
10:46 AM: 0000047e_43595165_0008ab1e is in use. It will be removed on reboot.
10:46 AM: 00002c49_435951a3_0007209c is in use. It will be removed on reboot.
10:46 AM: 000054dc_4359516b_000213a4 is in use. It will be removed on reboot.
10:46 AM: 00004657_43595179_0004ad2c is in use. It will be removed on reboot.
10:46 AM: 00003a61_435951c6_000db400 is in use. It will be removed on reboot.
10:46 AM: 00007dd1_4359526d_000685f1 is in use. It will be removed on reboot.
10:46 AM: 00005039_435955f1_0004e7d1 is in use. It will be removed on reboot.
10:46 AM: 0000489c_43595287_000a74ce is in use. It will be removed on reboot.
10:46 AM: 00006b72_43595295_000718b4 is in use. It will be removed on reboot.
10:46 AM: 00007874_4359566c_00021b6b is in use. It will be removed on reboot.
10:46 AM: 00000677_4359557e_00003d48 is in use. It will be removed on reboot.
10:46 AM: 00001953_435955f6_0005a06b is in use. It will be removed on reboot.
10:46 AM: 000011f4_435957af_00058971 is in use. It will be removed on reboot.
10:46 AM: 00005a9f_435957f9_000e0a09 is in use. It will be removed on reboot.
10:46 AM: 0000127e_43595857_000e6c7b is in use. It will be removed on reboot.
10:46 AM: 000007cf_43595859_000b9079 is in use. It will be removed on reboot.
10:46 AM: ai_23-10-2005.log is in use. It will be removed on reboot.
10:46 AM: 00000029_435c5402_000cc469 is in use. It will be removed on reboot.
10:46 AM: 00005f90_435c54c2_0002ed7c is in use. It will be removed on reboot.
10:46 AM: 000018be_435c5973_000debb1 is in use. It will be removed on reboot.
10:46 AM: 00006df1_435c5cf1_00017981 is in use. It will be removed on reboot.
10:46 AM: 000012db_435c5dcb_0003d1db is in use. It will be removed on reboot.
10:46 AM: 0000153c_435c5dcb_000a15b9 is in use. It will be removed on reboot.
10:46 AM: 00007e87_435c5dcb_000beb26 is in use. It will be removed on reboot.
10:46 AM: 0000701f_435c63e5_000c9f46 is in use. It will be removed on reboot.
10:46 AM: 00006e5d_435c64bf_000e5b26 is in use. It will be removed on reboot.
10:46 AM: 000012db_435cdbba_000e8e2c is in use. It will be removed on reboot.
10:46 AM: Quarantining All Traces: elitebar
10:46 AM: Quarantining All Traces: visfx
10:46 AM: Quarantining All Traces: websearch toolbar
10:46 AM: Quarantining All Traces: clkoptimizer
10:46 AM: Quarantining All Traces: cws-aboutblank
10:46 AM: Quarantining All Traces: surfsidekick
10:46 AM: Quarantining All Traces: trojan-downloader-mainstreamdollars
10:46 AM: Quarantining All Traces: trojan-downloader-pacisoft
10:46 AM: Quarantining All Traces: apropos
10:46 AM: apropos is in use. It will be removed on reboot.
10:46 AM: wingenerics.dll is in use. It will be removed on reboot.
10:46 AM: Quarantining All Traces: azsearch toolbar
10:46 AM: Quarantining All Traces: cas
10:47 AM: cas is in use. It will be removed on reboot.
10:47 AM: plugin.dll is in use. It will be removed on reboot.
10:47 AM: C:\Program Files\System Files\plugin.dll is in use. It will be removed on reboot.
10:47 AM: Quarantining All Traces: icannnews
10:47 AM: icannnews is in use. It will be removed on reboot.
10:47 AM: C:\WINNT\system32\gp0ol3d31.dll is in use. It will be removed on reboot.
10:47 AM: C:\WINNT\system32\TRPI32.DLL is in use. It will be removed on reboot.
10:47 AM: Quarantining All Traces: instant access
10:47 AM: Quarantining All Traces: quicklink search toolbar
10:48 AM: Quarantining All Traces: screensavers
10:48 AM: Quarantining All Traces: targetsaver
10:48 AM: Quarantining All Traces: trojan-downloader-psyme
10:48 AM: Quarantining All Traces: virtualbouncer
10:48 AM: Quarantining All Traces: 2o7.net cookie
10:48 AM: Quarantining All Traces: adecn cookie
10:48 AM: Quarantining All Traces: adprofile cookie
10:48 AM: Quarantining All Traces: ask cookie
10:48 AM: Quarantining All Traces: atwola cookie
10:48 AM: Quarantining All Traces: azjmp cookie
10:48 AM: Quarantining All Traces: belnk cookie
10:48 AM: Quarantining All Traces: burstnet cookie
10:48 AM: Quarantining All Traces: enhance cookie
10:48 AM: Quarantining All Traces: exitexchange cookie
10:48 AM: Quarantining All Traces: hbmediapro cookie
10:48 AM: Quarantining All Traces: hypertracker.com cookie
10:48 AM: Quarantining All Traces: partypoker cookie
10:48 AM: Quarantining All Traces: paypopup cookie
10:48 AM: Quarantining All Traces: rn11 cookie
10:48 AM: Quarantining All Traces: starware.com cookie
10:48 AM: Quarantining All Traces: top-banners cookie
10:48 AM: Quarantining All Traces: tribalfusion cookie
10:48 AM: Quarantining All Traces: websponsors cookie
10:48 AM: Quarantining All Traces: yieldmanager cookie
11:44 AM: Preparing to restart your computer. Please wait...
11:44 AM: Removal process completed. Elapsed time 01:18:46
********
8:55 AM: | Start of Session, Monday, October 24, 2005 |
8:55 AM: Spy Sweeper started
8:58 AM: Your spyware definitions have been updated.
9:02 AM: Memory Shield: Found: Memory-resident threat cas, version 1.0.0.0
9:02 AM: Detected running threat: cas
9:03 AM: Ignored memory-resident threat: cas
9:06 AM: | End of Session, Monday, October 24, 2005 |


Hijack this log

Logfile of HijackThis v1.99.1
Scan saved at 11:30:15 PM, on 10/24/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\MWW32\MANAGER\MWMDMSVC.EXE
C:\WINNT\MWW32\MANAGER\MWSSW32.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\tp4mon.exe
C:\WINNT\system32\cdplayer.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINNT\system32\ctfmon.exe
C:\WINNT\system32\monitorbk.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Modem Update Reminder] C:\WINNT\MWW32\manager\mwremind.exe autorun
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [DeluxeCD] C:\WINNT\system32\cdplayer.exe -tray
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [ntdll.dll] ctfmon.exe
O4 - Global Startup: Belkin PCMCIA WLAN Monitor.lnk = C:\WINNT\system32\monitorbk.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: ThinkPad Modem Copyright.lnk = C:\WINNT\MWW32\manager\mwcpyrt.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://staging.ujcfedweb.org/admin/Download/msxml4.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = thorn.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = thorn.net
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = thorn.net
O20 - Winlogon Notify: MCD - C:\WINNT\system32\dnps0177e.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\VXNlcgAA\command.exe (file missing)
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: ThinkPad Modem Service (ThinkPadModemService) - IBM Corporation - C:\WINNT\MWW32\MANAGER\MWMDMSVC.EXE
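Added example, not part of the original post and not HijackThis code: a small Python triage pass over the O4, O20 and O23 lines of the log above. The sample lines are copied from that log; the heuristics (a Run value named after a system DLL, two Run values launching the same command, a Winlogon Notify DLL that is missing on disk, a service with no publisher information, and a directory name that decodes as base64 to printable text) are this example's own assumptions about what deserves a closer look, not verdicts.

```python
"""Triage HijackThis O4/O20/O23 lines for entries that deserve a closer look.

Added example; not HijackThis code and not the original poster's. The sample
lines are copied from the log in the thread; the heuristics are assumptions.
"""
import base64
import binascii
import re

# Constructed sample: a subset of lines from the posted HijackThis log.
SAMPLE_LOG = [
    r"O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP",
    r"O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe",
    r"O4 - HKCU\..\Run: [ntdll.dll] ctfmon.exe",
    r"O20 - Winlogon Notify: MCD - C:\WINNT\system32\dnps0177e.dll (file missing)",
    r"O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll",
    r"O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\VXNlcgAA\command.exe (file missing)",
    r"O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe",
]

O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[([^\]]*)\] (.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.*?)( \(file missing\))?$")
O23_RE = re.compile(r"^O23 - Service: (.*) \((\w+)\) - (.*?) - (.*?)( \(file missing\))?$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")


def decode_b64_component(path):
    """Return (component, decoded_bytes) for the first directory in `path`
    that is well-formed base64 decoding to printable ASCII, else None.
    Names like system32 are valid base64 but decode to junk, so the
    printable check is what keeps the false positives down."""
    for part in path.split("\\"):
        if not B64_RE.match(part) or len(part) % 4:
            continue
        try:
            decoded = base64.b64decode(part, validate=True)
        except binascii.Error:
            continue
        text = decoded.rstrip(b"\0")
        if text and all(32 <= b < 127 for b in text):
            return part, decoded
    return None


def triage(lines):
    """Map each suspicious log line to the list of reasons it was flagged."""
    findings = {}

    def flag(line, reason):
        findings.setdefault(line, []).append(reason)

    run_entries = []
    for line in lines:
        m = O4_RE.match(line)
        if m:
            _hive, name, cmd = m.groups()
            run_entries.append((line, name, cmd))
            # Run values launch programs; a value named after a system DLL
            # is borrowing a trusted name, not loading that DLL.
            if name.lower().endswith((".dll", ".sys")):
                flag(line, "Run value named after a system module")
            continue
        m = O20_RE.match(line)
        if m:
            _key, _dll, missing = m.groups()
            if missing:
                flag(line, "Winlogon Notify DLL is missing on disk")
            continue
        m = O23_RE.match(line)
        if m:
            _display, _short, owner, path, missing = m.groups()
            if owner == "Unknown owner":
                flag(line, "service binary carries no publisher information")
            hit = decode_b64_component(path)
            if hit:
                flag(line, "path component %r is base64 for %r" % hit)
            if missing:
                flag(line, "service binary is missing on disk")

    # Two Run values launching the same command: the one whose value name is
    # not the executable's own file name is the odd one out.
    by_cmd = {}
    for line, name, cmd in run_entries:
        by_cmd.setdefault(cmd.lower(), []).append((line, name))
    for cmd, entries in by_cmd.items():
        if len(entries) < 2:
            continue
        exe = cmd.split()[0].rsplit("\\", 1)[-1]
        for line, name in entries:
            if name.lower() != exe:
                flag(line, "duplicates another Run value under a different name")
    return findings


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG).items():
        print(line)
        for reason in reasons:
            print("    ->", reason)
```

Run it on a full log by replacing SAMPLE_LOG with the file's lines; only the three record types above are parsed, every other line passes through unflagged. The base64 check is deliberately narrow (multiple-of-four length, printable result) so that ordinary directory names such as system32 do not trip it.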
 

TSF Security Team, Emeritus
Please do the following:

Download & immediately run - L2MFix.exe
Click "Install" to extract the contents to a newly created folder.

Close all other opened programs before running this tool

From within the newly created folder, locate & run L2mfix.bat
Select option #2 - Run Fix - by typing 2

Press any key to reboot your computer.
After the reboot, your Desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, you will be presented with a log. Save the contents of that log as I shall require you to post it in your next reply after completing the fix.

DO NOT RUN ANY OTHER FILES IN THE L2MFIX FOLDER UNLESS INSTRUCTED

If you receive an error - \system32\Autoexec.nt is not suitable for running MS-Dos applications, you will need to visit this website to download additional files.


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Please disable Webroot SpySweeper, as it hinders the removal of some entries. You can re-enable it after you're clean.
To disable Webroot SpySweeper:
  • Go to the Options>Program Options
  • Uncheck Load at Windows Startup
  • Click Shields & uncheck all items there
  • Uncheck Home page shield.
  • Automatically restore default without notification

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


You may want to print out the rest of these instructions for reference, since you will have to restart your computer during the fix. Please download these additional files/programs. Do not run them until instructed to do so.

AproposFix.exe - do NOT run it yet.

CleanUp.exe - Install.

LQFix.zip

WinPfind.zip

TrackQoo.zip

I need you to update your copy of Ewido. Please go to this website - http://www.ewido.net/en/download/updates/
Download the full updated database (approximately 3600 KB) & install it onto your copy of Ewido.


'UNPLUG'/DISCONNECT YOUR COMPUTER FROM THE INTERNET WHEN YOU HAVE FINISHED DOWNLOADING

If there's anything that you don't understand, kindly ask your questions before proceeding with the fixes. There should not be any open browsers when you are carrying out the procedures below.


IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER.


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Then please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Once in Safe Mode, double-click aproposfix.exe and unzip it to the desktop.
Open the aproposfix folder on your desktop and run RunThis.bat. Follow the prompts.
When the tool is finished, it will create a log, log.txt file in the aproposfix folder.

Double click on LQFix.zip & Run LQFix.bat


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Click Start->Run - type SERVICES.MSC & then click on the OK button
  1. Locate the service - Command Service (cmdService)
  2. Double-click on it to open the Properties dialog.
    • Under the General tab, note down the name of "Service name". We shall need it later.
    • Stop the service by using the Stop button.
    • Change the Startup type to Disabled & then click on the OK button
  3. Then start HiJackThis & go to Config>Misc.Tools...> Delete an NT service...
  4. In the popup box that appears, type in "Service name" & then click on the OK button

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Run HiJackThis, place a check next to these items and select "Fix checked":

O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [ntdll.dll] ctfmon.exe
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O20 - Winlogon Notify: MCD - C:\WINNT\system32\dnps0177e.dll (file missing)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\VXNlcgAA\command.exe (file missing)



* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


If you have not done so already, please enable the viewing of Hidden files
From Windows Explorer, go to Tools>Folder Options> View tab.
  • Tick - Show hidden files and folders
  • Untick - Hide file extensions for known types
  • Untick - Hide protected operating system files
Click Yes to confirm & then click OK

Locate and delete the following folders, if present:
  • C:\WINNT\VXNlcgAA\
Search for & delete ... using Start> Search... the following files:
  • ntdll.dll

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Run Cleanup! using the following configuration:

1. Click Options...
2. Set the slider to Standard CleanUp!
3. Uncheck the following:
  • Delete Newsgroup cache
  • Delete Newsgroup Subscriptions
4. Click OK
5. Press the CleanUp! button to start the program. Reboot/logoff when prompted.
* CleanUp! will not create any backups!!


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Run Ewido with its updated definitions (it's important that all windows are closed):
  • Click Scanner
  • Click Complete System Scan to begin scanning.
  • Click OK when prompted to clean files
With the first file it prompts to clean, select the option:
  • "Perform action on all infections"
  • Choose clean and click OK.
Once finished, click the Save report button & save the report to your desktop

** The Ewido scan will take at least an hour. I suggest that you go grab a cup of coffee & do something else while you wait for it to complete.


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Double-click WinPFind.zip & extract the contents to a new folder on drive C.

1. From within that folder, double click WinPFind.exe
2. Click Start Scan
3. Once the Scan is complete, it will create a report in a text file
4. Go to the WinPFind folder & locate WinPFind.txt
5. Post the results in your next reply!

** This program scans a large number of files on your computer for known patterns, so please be patient while it works; it can take a while, upwards of 30 minutes or more.


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


REBOOT TO NORMAL MODE


Perform an online scan with Internet Explorer with Panda ActiveScan
** click on "Free use ActiveScan" located on the top right hand corner
  1. Click Scan your PC & a pop-up window shall appear. *Ensure that your pop-up blocker doesn't block it
  2. Click Scan Now
  3. Enter your e-mail address & click Scan Now; it begins downloading Panda's 8 MB ActiveX controls
Begin the scan by selecting My Computer
  • If it finds any malware, it will offer you a report.
  • Click on see report. Then click Save report
Post the contents of the report in your next reply

*You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
*Turn off the real time scanner of any existing antivirus program while performing the online scan



* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


REBOOT AGAIN & extract the contents of TrackQoo.zip & double-click on TrackQoo1.vbs. Wait a few seconds and a Notepad page will pop up; copy & paste those results in your next reply.
* If your antivirus has Script Blocking, you will get a pop-up window asking you what to do. Allow this entire script to run; it's harmless!

In your next post, please include fresh logs from:
  • HiJackThis log
  • Online Scan
  • Ewido
  • WinPfind
  • TrackQoo1.vbs
  • L2Mfix's log
  • Apropos Fix's log
Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now.
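The manual services.msc, HiJackThis and Explorer steps in the reply above, collected into one script as an added example. This is not part of the original reply and is not any of the tools the helper names (L2MFix, AproposFix, LQFix and so on); it assumes a Windows version that has PowerShell, an elevated prompt in Safe Mode, and exactly the artefact names shown in the HijackThis lines above (the cmdService service, the two HKCU Run values, the MCD Winlogon Notify key, and the VXNlcgAA folder under %SystemRoot%). The -Commit switch and the Invoke-Step helper are conventions of this example, not of any tool on the page: without -Commit the script only prints what it would change. The last step deliberately does not search-and-delete every ntdll.dll: the genuine OS file lives in system32 (and in SysWOW64, dllcache and WinSxS on later Windows) and removing it makes the machine unbootable, so those directories are excluded and any other copy is only listed for review.

```powershell
# Added example (not from the original post). Automates the services.msc,
# HijackThis "Fix checked" and folder-deletion steps for the artefacts the
# helper listed. Dry run by default; pass -Commit to actually change anything.
param([switch]$Commit)

$ServiceName = 'cmdService'                                        # O23 entry
$RunKey      = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$RunValues   = @('ctfmon.exe', 'ntdll.dll')                        # the two O4 entries
$NotifyKey   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\MCD'  # O20 entry
$DropFolder  = Join-Path $env:SystemRoot 'VXNlcgAA'                # folder the service binary ran from

# Helper of this example: print the step, and run it only when -Commit was given.
function Invoke-Step([string]$What, [scriptblock]$Action) {
    if ($Commit) { Write-Host "[do]   $What"; & $Action }
    else         { Write-Host "[plan] $What" }
}

# 1. Stop, disable and remove the rogue service. Remove-Service only exists in
#    PowerShell 6+, so the deletion uses sc.exe (note: plain "sc" is an alias
#    for Set-Content in PowerShell).
$svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
if ($svc) {
    Invoke-Step "stop/disable/delete service $ServiceName" {
        Stop-Service -Name $ServiceName -Force -ErrorAction SilentlyContinue
        Set-Service  -Name $ServiceName -StartupType Disabled
        sc.exe delete $ServiceName | Out-Null
    }
}

# 2. Remove the two HKCU Run values named in the O4 lines, showing their data
#    first so the operator can confirm they match the log.
$props = Get-ItemProperty -Path $RunKey -ErrorAction SilentlyContinue
foreach ($name in $RunValues) {
    if ($props -and $props.PSObject.Properties[$name]) {
        $data = $props.$name
        Invoke-Step "remove Run value '$name' = '$data'" {
            Remove-ItemProperty -Path $RunKey -Name $name
        }
    }
}

# 3. The Winlogon Notify package whose DLL is already missing (O20 line).
if (Test-Path $NotifyKey) {
    Invoke-Step "remove Winlogon Notify key MCD" { Remove-Item -Path $NotifyKey -Recurse }
}

# 4. The folder the service binary lived in.
if (Test-Path $DropFolder) {
    Invoke-Step "delete folder $DropFolder" { Remove-Item -Path $DropFolder -Recurse -Force }
}

# 5. Stray copies of ntdll.dll. The real one is an OS file and must never be
#    deleted, so the system directories are excluded and everything else is
#    only listed for manual review rather than removed.
$keep = @('\system32\', '\syswow64\', '\dllcache\', '\winsxs\')
Get-ChildItem -Path "$env:SystemDrive\" -Filter 'ntdll.dll' -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { $p = $_.FullName.ToLower(); -not ($keep | Where-Object { $p.Contains($_) }) } |
    ForEach-Object { Write-Host "[review] stray ntdll.dll: $($_.FullName) ($($_.Length) bytes)" }
```

Run it once without -Commit, compare the [plan] lines against the HijackThis log, then run it again with -Commit. Keeping the dry run as the default is the point of the design: every removal here is irreversible (the post itself warns that CleanUp! makes no backups), so the script should show its hand before it touches a service, a Run value or a folder.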
 