Help With My Log File Please


  • This topic is locked
35 replies to this topic

#1 xplosivo (Members, 26 posts)

Posted 16 February 2006 - 03:49 PM

I am having problems with adware/spyware please help:

Logfile of HijackThis v1.99.1
Scan saved at 3:48:08 PM, on 2/16/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Network Monitor\netmon.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\Promon.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\AOL\1136938905\ee\AOLSoftware.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\SYSC00.exe
C:\WINDOWS\win32074992-126171.exe
C:\WINDOWS\System32\hpsw.exe
C:\windows\winsysban8.exe
C:\WINDOWS\hostsvc.exe
C:\WINDOWS\System32\wgse.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\WINDOWS\vcualts32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
c:\windows\winsysban9.exe
C:\WINDOWS\SYSTEM32\rundll32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\DOCUME~1\Nicholas\LOCALS~1\Temp\17802444.tmp
C:\Anti-Malware Programs\HJT\HijackThis.exe
C:\WINDOWS\System32\rundll32.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...B_PVER}&ar=home
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll (file missing)
O2 - BHO: Trecker Class - {39C78B50-7E98-4aa0-B007-D83114EA6E0F} - C:\PROGRA~1\Jalmp\jalmp.dll
O2 - BHO: URLLink - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet7_22.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [ConfigSafe] C:\CFGSAFE\NTFSCLUP.EXE
O4 - HKLM\..\Run: [CSScheduleCheck] C:\CFGSAFE\SCHWIZEX.EXE -CHECK
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1136938905\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [winupdate] C:\Program Files\winupdate\winupdate.exe /auto
O4 - HKLM\..\Run: [winsysupd] c:\windows\winsysupd9.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe
O4 - HKLM\..\Run: [win32074992-126171] C:\WINDOWS\win32074992-126171.exe
O4 - HKLM\..\Run: [susse] "C:\WINDOWS\System32\hpsw.exe"
O4 - HKLM\..\Run: [winsysban] c:\windows\winsysban9.exe
O4 - HKLM\..\Run: [gimmygames] c:\windows\gimmygames9.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\pappyr.exe reg_run
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [rofq] C:\PROGRA~1\COMMON~1\rofq\rofqm.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [MovieM] C:\WINDOWS\System32\lmovie.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: ozoo.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Filter: text/html - {2F6E85DC-8D2D-4896-8A4F-7DF8A7B1749D} - C:\PROGRA~1\Jalmp\jalmp.dll
O20 - AppInit_DLLs: repairs302972994.dll
O20 - Winlogon Notify: Installer - C:\WINDOWS\system32\k0jsla171d.dll
O21 - SSODL: Internet Explorer - {F28A40D7-AD0E-034A-C651-5F0ED76232E6} - C:\WINDOWS\System32\Bnaqaaje.dll (file missing)
O21 - SSODL: kOxfhgvY - {B4CBC1D1-1E61-6B7B-101E-9F72A3FBE3BA} - C:\WINDOWS\System32\lug.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TmljaG9sYXM\command.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: windows service host - Unknown owner - C:\WINDOWS\hostsvc.exe
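The log above is read by section prefix (R0/R1 for browser start and search pages, O4 for Run keys, O10 for Winsock LSPs, O20 for AppInit_DLLs and Winlogon Notify, O23 for services). Below is an added Python triage script, not a BleepingComputer or HijackThis tool, run over a verbatim subset of the posted lines; the heuristics and the base64 check are my own. The check is worth having here: the directory TmljaG9sYXM in the cmdService path is base64 for Nicholas, the account name visible in the process list, so the service was named after the user at install time.

```python
r"""Triage a HijackThis 1.99 log with some of the checks a helper applies by eye.

Added example, not a BleepingComputer or HijackThis tool; the heuristics are my own:
  R0/R1      start/search pages whose host is not a vendor default (browser hijack)
  R3/O2/O21  hook, BHO or SSODL marked "(file missing)": dead registry residue
  O4         Run targets dropped straight into C:\WINDOWS, digit-heavy random names,
             and bare executables in the all-users Startup folder
  O10        Winsock LSP entries (why removing New.Net can break connectivity)
  O20        AppInit_DLLs / Winlogon Notify: DLLs loaded into every process, which
             is why the cleanup has to be done from Safe Mode
  O23        services with no vendor string whose binary is outside Program Files
             and System32
Directory names that base64-decode to plain text are reported too: the service path
C:\WINDOWS\TmljaG9sYXM is base64 of "Nicholas", the logged-in user's name.
"""
import base64
import re

# Excerpt of the HijackThis log posted above (a subset of its lines, verbatim).
LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...B_PVER}&ar=home
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe
O4 - HKLM\..\Run: [win32074992-126171] C:\WINDOWS\win32074992-126171.exe
O4 - HKLM\..\Run: [susse] "C:\WINDOWS\System32\hpsw.exe"
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: ozoo.exe
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O20 - AppInit_DLLs: repairs302972994.dll
O20 - Winlogon Notify: Installer - C:\WINDOWS\system32\k0jsla171d.dll
O21 - SSODL: kOxfhgvY - {B4CBC1D1-1E61-6B7B-101E-9F72A3FBE3BA} - C:\WINDOWS\System32\lug.dll (file missing)
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TmljaG9sYXM\command.exe
O23 - Service: windows service host - Unknown owner - C:\WINDOWS\hostsvc.exe
"""

ENTRY_RE = re.compile(r"^(R[0-3]|O\d+) - (.*)$")
PATH_RE = re.compile(r'([A-Za-z]:\\[^"]*?\.(?:exe|dll|ocx))(?=[\s",]|$)', re.I)
VENDOR_DEFAULTS = {"www.microsoft.com", "www.msn.com"}  # hosts a stock IE points at


def parse(text):
    """Split the log into (section, body) pairs, skipping the header and process list."""
    out = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            out.append((m.group(1), m.group(2)))
    return out


def base64_name(component):
    """Decode a directory name that is unpadded base64 of plain text, else None."""
    if not re.fullmatch(r"[A-Za-z0-9+/]{8,}", component):
        return None
    try:
        raw = base64.b64decode(component + "=" * (-len(component) % 4), validate=True)
    except ValueError:  # bad length or padding (binascii.Error is a ValueError)
        return None
    text = raw.decode("ascii", "replace")  # non-ASCII bytes become U+FFFD and fail below
    return text if re.fullmatch(r"[A-Za-z0-9 ._-]+", text) else None


def triage(text):
    """Run the checks and return one list (or count) per finding type."""
    r = {"hijacked_hosts": set(), "dead_hooks": [], "suspicious_run": [],
         "lsp_entries": 0, "injected_dlls": [], "unknown_services": [], "encoded_dirs": {}}
    for sec, body in parse(text):
        paths = PATH_RE.findall(body)
        for comp in (c for p in paths for c in p.split("\\")[1:-1]):
            decoded = base64_name(comp)
            if decoded:
                r["encoded_dirs"][comp] = decoded
        if sec in ("R0", "R1"):
            m = re.search(r"https?://([^/\s]+)", body)
            if m and m.group(1).lower() not in VENDOR_DEFAULTS:
                r["hijacked_hosts"].add(m.group(1).lower())
        elif sec in ("R3", "O2", "O21") and "(file missing)" in body:
            r["dead_hooks"].append(body)
        elif sec == "O4":
            if body.startswith("Global Startup:") and ".lnk" not in body:
                r["suspicious_run"].append(body.split(": ", 1)[1])  # bare exe in Startup
            for p in paths:
                parent, name = p.rsplit("\\", 1)
                if parent.lower() == r"c:\windows" or sum(c.isdigit() for c in name) >= 5:
                    r["suspicious_run"].append(p)
        elif sec == "O10":
            r["lsp_entries"] += 1
        elif sec == "O20":
            r["injected_dlls"].append(body)
        elif sec == "O23" and "Unknown owner" in body:
            for p in paths:
                if not p.lower().startswith(("c:\\program files", "c:\\windows\\system32")):
                    r["unknown_services"].append(p)
    r["hijacked_hosts"] = sorted(r["hijacked_hosts"])
    return r


if __name__ == "__main__":
    for key, value in triage(LOG).items():
        print(f"{key}: {value}")
```

"Unknown owner" only means the binary carries no company string, so the O23 list is for review rather than automatic removal; the excerpt's ATI Smart entry drops out by location, not by its owner field. The O20 findings are the ones to act on from Safe Mode: a DLL named in AppInit_DLLs or a Winlogon Notify package is mapped into every process that loads user32.dll or into winlogon itself, so it cannot be deleted while Windows is running normally.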



#2 -David- (Members, 10,603 posts, London)

Posted 16 February 2006 - 04:40 PM

Hi There!

I am currently working on your log

I will get back to you as soon as possible.

David

#3 xplosivo (Topic Starter, Members, 26 posts)

Posted 16 February 2006 - 05:33 PM

Something to add, I don't know if this has anything to do with spyware/adware, but every once in a while my computer will begin to install Microsoft Office 2000, which is already installed on my computer... Also, sometimes my icons will disappear and the "please wait" Microsoft screen will show up for a few seconds, then it will come back... I really don't know what is going on with my computer right now...

#4 -David- (Members, 10,603 posts, London)

Posted 17 February 2006 - 07:53 AM

Hi xplosivo and welcome to BleepingComputer.

You have quite a badly infected system with a number of infections. It is a good idea to print off these instructions - they will be needed later when internet access is not available. You may also like to save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above.
It is important that you complete the following instructions in the correct order, and also that you don't miss anything out!
_____________________________

You are missing one important program on that computer: an antivirus.

You need to install an antivirus program as soon as you can and run a complete scan of the computer.
I recommend AVG free edition - I use it!


Antivir
Avast Free
AVG Free
Bitdefender Free

Install it and update it but do not run it yet.
_____________________________

IMPORTANT
It is important that you use a software firewall, to prevent unauthorised traffic both out of and into your computer.
Your log doesn't show a firewall running.

Please download and install one of these excellent (and free) products: Zone Alarm or Sygate
It is important to note that you should only have one firewall installed at a time, but you can download both to your Desktop and install each in turn to see which one you prefer.
_____________________________

Download LSPFix.exe to a convenient location. Do NOT run this program. This is only to be used if you lose Internet Access after removing NewDotNet.

To Get rid of NewDotNet, go to:

Start > Control Panel > Add or Remove Programs and remove the following:

New.Net Applications or New.Net Domains (anything that says New.Net)

If it is not there, go here and follow Procedure 4: NewDotNet Removal Procedure 4.

In the event that you lose Internet access after removing New.Net, please double-click LSPFix.exe that you downloaded earlier. You will see 2 panels. If there is any file listed in the "Remove" panel on the right-side, leave it as is and just click "Finish>>" then reboot your computer and you should now have access to the Internet. If nothing is listed under the "Remove Panel", do NOT do anything - just close the program. You will need to use another computer to come back here for further instructions on what to do.
_____________________________

Please download ewido security suite it is a free version of the program.
  • Install ewido security suite
  • When installing, under "Additional Options" uncheck:
    • Install background guard
    • Install scan via context menu
  • Launch ewido, there should be an icon on your desktop, double-click it.
  • The program will now open to the main screen.
  • When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display "Update successful")
    ewido manual updates
_____________________________

Please download ATF Cleaner by Atribune and save it to your desktop. Do not run it yet.
_____________________________

*Boot into Safe Mode (without networking support!)
By pressing the F8 key right when Windows starts, usually right after you hear your computer
beep when you reboot it (some versions of windows will display 'Starting Windows' with a grey progress bar)
you will be brought to a menu where you can choose to boot into safe mode.
_____________________________

Once you are in safe mode run Ewido and complete the following:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • You will be prompted to clean the first infection.
  • Select "Perform action on all infections", then proceed.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop or a location where you can find it easily.
Close ewido security suite.
_____________________________

Please open the Anti-Virus (not firewall) you installed earlier and run a full system scan and remove any files that are found. Please note any complications you come across.
_____________________________

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.
_____________________________

Reboot back to normal mode.
Generate an Uninstall List
  • Open HijackThis
  • Click on Open Misc Tools Section
  • Click on Open Uninstall Manager
  • Click on Save list
  • Save it to your Desktop
_____________________________

Please post back with the following logs:
  • The Ewido Report
  • A new HijackThis log
  • The uninstall list.
David

Edited by D-Trojanator, 17 February 2006 - 08:49 AM.
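The LSPFix step in the post above exists because New.Net installs itself as a Winsock layered service provider, which is what the five O10 lines in the first log are. The following is an added illustration, not code from the thread, from LSPFix or from New.Net: a simplified Python model of the Winsock 2 catalog with constructed entry ids, names and ordering, showing why deleting the DLL while its catalog entries remain leaves ws2_32 choosing an entry it cannot load, and what removing the dangling entries restores.

```python
r"""Why removing New.Net can cut off the Internet, and what an LSP fix has to do.

Added example: a simplified model of the Winsock 2 catalog, not code from LSPFix or
from this thread. Each catalog entry has an id, a provider DLL and a protocol chain.
Base providers chain only to themselves; a layered service provider (LSP) such as
New.Net installs chain entries that list the LSP id(s) followed by a base provider.
ws2_32 uses the first matching entry in catalog order, and LSP installers put their
chain entries ahead of the base providers so that they are the ones chosen. Delete
the DLL but leave the entries and the chosen entry can no longer be loaded.
The entry ids, names and catalog order below are constructed for the example.
"""

TCP, UDP = "tcp", "udp"  # stand-ins for the (address family, socket type, protocol) triple


def entry(eid, name, dll, proto, chain):
    return {"id": eid, "name": name, "dll": dll, "proto": proto, "chain": chain}


NEWDOTNET_DLL = r"C:\Program Files\NewDotNet\newdotnet7_22.dll"  # path from the log above
MSWSOCK_DLL = r"C:\WINDOWS\system32\mswsock.dll"

CATALOG = [  # installation order: New.Net's chain entries come first, so they win
    entry(1011, "New.Net over TCP/IP", NEWDOTNET_DLL, TCP, [1011, 1010, 1001]),
    entry(1012, "New.Net over UDP/IP", NEWDOTNET_DLL, UDP, [1012, 1010, 1002]),
    entry(1010, "New.Net LSP", NEWDOTNET_DLL, None, [1010]),  # layer only, never selected directly
    entry(1001, "MSAFD Tcpip [TCP/IP]", MSWSOCK_DLL, TCP, [1001]),
    entry(1002, "MSAFD Tcpip [UDP/IP]", MSWSOCK_DLL, UDP, [1002]),
]


def select_provider(catalog, proto):
    """The entry ws2_32 would pick: the first in catalog order that serves the protocol."""
    return next((e for e in catalog if e["proto"] == proto), None)


def can_load(catalog, chosen, dll_exists):
    """A socket over `chosen` works only if every DLL along its chain can be loaded."""
    by_id = {e["id"]: e for e in catalog}
    return all(i in by_id and dll_exists(by_id[i]["dll"]) for i in chosen["chain"])


def repair(catalog, dll_exists):
    """What LSPFix's "Remove" list amounts to: drop entries whose DLL is missing, then
    every chain that references a dropped (or unknown) id, until nothing dangles.
    Returns (repaired catalog, sorted ids removed)."""
    ids = {e["id"] for e in catalog}
    removed = {e["id"] for e in catalog if not dll_exists(e["dll"])}
    while True:
        dangling = {e["id"] for e in catalog if e["id"] not in removed
                    and any(i in removed or i not in ids for i in e["chain"])}
        if not dangling:
            break
        removed |= dangling
    return [e for e in catalog if e["id"] not in removed], sorted(removed)


def after_uninstall(dll):
    """Simulated file check once New.Net's DLL is gone but its catalog entries remain."""
    return dll != NEWDOTNET_DLL


if __name__ == "__main__":
    chosen = select_provider(CATALOG, TCP)
    print(chosen["name"], "usable:", can_load(CATALOG, chosen, after_uninstall))
    fixed, gone = repair(CATALOG, after_uninstall)
    print("removed ids", gone, "-> TCP now served by", select_provider(fixed, TCP)["name"])
```

Run it as a script to see the provider chosen for TCP before and after the repair. On a real Windows XP machine the catalog lives under HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters, and a machine with a dangling chain cannot download anything to fix itself, which is why the post has you fetch LSPFix before touching New.Net and warns that you may need a second computer.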


#5 xplosivo (Topic Starter, Members, 26 posts)

Posted 17 February 2006 - 06:53 PM

First of all, I would like to thank you for taking time to help me out, I really appreciate your help.

I did everything you said, I deleted a bunch of stuff, but I'm still getting some pop-ups.

I don't know why but it won't let me post the whole thing in one.

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 4:15:29 PM, 2/17/2006
+ Report-Checksum: A300AB49

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{39C78B50-7E98-4aa0-B007-D83114EA6E0F} -> Adware.Generic : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{39C78B50-7E98-4AA0-B007-D83114EA6E0F} -> Adware.Generic : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{39C78B50-7E98-4aa0-B007-D83114EA6E0F} -> Adware.Generic : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Surf SideKick -> Adware.SurfSide : Cleaned with backup
HKLM\SOFTWARE\SurfSideKick3 -> Adware.SurfSide : Cleaned with backup
HKLM\SOFTWARE\SurfSideKick3\Internet Explorer -> Adware.SurfSide : Cleaned with backup
HKU\.DEFAULT\Software\Effective-i -> Adware.EffectiveBrandToolbar : Cleaned with backup
HKU\.DEFAULT\Software\Effective-i\TheSearchAccelerator -> Adware.EffectiveBrandToolbar : Cleaned with backup
HKU\.DEFAULT\Software\Effective-i\TheSearchAccelerator\IE5 -> Adware.EffectiveBrandToolbar : Cleaned with backup
HKU\.DEFAULT\Software\SurfSideKick3 -> Adware.SurfSide : Cleaned with backup
HKU\.DEFAULT\Software\SurfSideKick3\Internet Explorer -> Adware.SurfSide : Cleaned with backup
HKU\S-1-5-21-2529006832-2225589205-3563514748-1005\Software\SurfSideKick3 -> Adware.SurfSide : Cleaned with backup
HKU\S-1-5-21-2529006832-2225589205-3563514748-1005\Software\SurfSideKick3\Internet Explorer -> Adware.SurfSide : Cleaned with backup
HKU\S-1-5-18\Software\Effective-i -> Adware.EffectiveBrandToolbar : Cleaned with backup
HKU\S-1-5-18\Software\Effective-i\TheSearchAccelerator -> Adware.EffectiveBrandToolbar : Cleaned with backup
HKU\S-1-5-18\Software\Effective-i\TheSearchAccelerator\IE5 -> Adware.EffectiveBrandToolbar : Cleaned with backup
HKU\S-1-5-18\Software\SurfSideKick3 -> Adware.SurfSide : Cleaned with backup
HKU\S-1-5-18\Software\SurfSideKick3\Internet Explorer -> Adware.SurfSide : Cleaned with backup
[668] C:\WINDOWS\system32\kxdarmw.dll -> Adware.Look2Me : Error during cleaning
[812] C:\WINDOWS\system32\kxdarmw.dll -> Adware.Look2Me : Error during cleaning
C:\cygwid.exe -> Downloader.Small.bmx : Cleaned with backup
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ozoo.exe -> Downloader.Qoologic.at : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\89AXUZMT\NNSCAA638[1].EXE -> Adware.NewDotNet : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\FSBFPWIA\2[1].bin/whAgent.exe -> Adware.WebHancer : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\YGW37P7J\cygwid[1].exe -> Downloader.Small.bmx : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\YGW37P7J\drsmartload[1].exe -> Downloader.VB.wr : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\YGW37P7J\gimmygames[1].exe -> Downloader.VB.wd : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\YGW37P7J\inst_0004[1].exe -> Downloader.Small.cam : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\YGW37P7J\winsysban8[1].exe -> Hijacker.VB.lg : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\YHIJKL4N\ibycgt[1].cab/titno.exe -> Adware.MDH : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\YHIJKL4N\installerus[1].exe -> Downloader.Qoologic.at : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\YHIJKL4N\winsysupd8[1].exe -> Hijacker.StartPage.ahg : Cleaned with backup
:mozilla.6:C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.7:C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.8:C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.9:C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.10:C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.11:C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.12:C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.13:C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.14:C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.15:C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.16:C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.17:C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.33:C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt -> TrackingCookie.Adserver : Cleaned with backup
:mozilla.34:C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.35:C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.36:C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.37:C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt -> TrackingCookie.Adserver : Cleaned with backup
:mozilla.38:C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.39:C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.40:C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt -> TrackingCookie.Adserver : Cleaned with backup
:mozilla.42:C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.57:C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt -> TrackingCookie.Realcastmedia : Cleaned with backup
:mozilla.58:C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt -> TrackingCookie.Realcastmedia : Cleaned with backup
:mozilla.59:C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt -> TrackingCookie.Realcastmedia : Cleaned with backup
:mozilla.62:C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
:mozilla.63:C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.64:C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.65:C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.66:C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.67:C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.68:C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.69:C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt -> TrackingCookie.Valueclick : Cleaned with backup
:mozilla.70:C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.71:C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.72:C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.73:C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt -> TrackingCookie.Valueclick : Cleaned with backup
:mozilla.74:C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt -> TrackingCookie.Valueclick : Cleaned with backup
:mozilla.85:C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt -> TrackingCookie.Cpvfeed : Cleaned with backup
:mozilla.89:C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.90:C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.91:C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.92:C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.101:C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.102:C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.105:C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.106:C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.107:C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.108:C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.115:C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.123:C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt -> TrackingCookie.Myaffiliateprogram : Cleaned with backup
:mozilla.145:C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.146:C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.147:C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.148:C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.149:C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.151:C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.153:C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned with backup
:mozilla.159:C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup
:mozilla.166:C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup
:mozilla.169:C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup
:mozilla.170:C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup
:mozilla.171:C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup
:mozilla.173:C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.174:C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.175:C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.176:C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.177:C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.190:C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.202:C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.203:C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.204:C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned with backup
:mozilla.205:C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.206:C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned with backup
:mozilla.207:C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.216:C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt -> TrackingCookie.Findwhat : Cleaned with backup
:mozilla.219:C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt -> TrackingCookie.Enhance : Cleaned with backup
:mozilla.220:C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt -> TrackingCookie.Goclick : Cleaned with backup
:mozilla.221:C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt -> TrackingCookie.Goclick : Cleaned with backup
:mozilla.234:C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt -> TrackingCookie.Bluestreak : Cleaned with backup
:mozilla.238:C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt -> TrackingCookie.Revenue : Cleaned with backup
:mozilla.241:C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt -> TrackingCookie.Targetnet : Cleaned with backup
:mozilla.242:C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt -> TrackingCookie.Targetnet : Cleaned with backup
:mozilla.243:C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt -> TrackingCookie.Targetnet : Cleaned with backup
:mozilla.244:C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.245:C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.246:C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.247:C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.248:C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.249:C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt -> TrackingCookie.Tradedoubler : Cleaned with backup
:mozilla.273:C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt -> TrackingCookie.Starware : Cleaned with backup
:mozilla.274:C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt -> TrackingCookie.Starware : Cleaned with backup
:mozilla.275:C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt -> TrackingCookie.Starware : Cleaned with backup
:mozilla.276:C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt -> TrackingCookie.Starware : Cleaned with backup
:mozilla.279:C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt -> TrackingCookie.Paypopup : Cleaned with backup
:mozilla.280:C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt -> TrackingCookie.Paypopup : Cleaned with backup
:mozilla.281:C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt -> TrackingCookie.Paypopup : Cleaned with backup
:mozilla.282:C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt -> TrackingCookie.Paypopup : Cleaned with backup
:mozilla.284:C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt -> TrackingCookie.Paypopup : Cleaned with backup
:mozilla.290:C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned with backup
:mozilla.291:C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned with backup
:mozilla.292:C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned with backup
:mozilla.293:C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned with backup
:mozilla.294:C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.295:C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt -> TrackingCookie.Overture : Cleaned with backup
:mozilla.297:C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt -> TrackingCookie.Hypertracker : Cleaned with backup
:mozilla.301:C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt -> TrackingCookie.Sitestat : Cleaned with backup
:mozilla.302:C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt -> TrackingCookie.Sitestat : Cleaned with backup
C:\Documents and Settings\Nicholas\Cookies\nicholas@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Nicholas\Cookies\nicholas@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Nicholas\Cookies\nicholas@server.iad.liveperson[1].txt -> TrackingCookie.Liveperson : Cleaned with backup
C:\Documents and Settings\Nicholas\Local Settings\Temp\0.tmp -> Backdoor.Agent.uh : Cleaned with backup
C:\Documents and Settings\Nicholas\Local Settings\Temp\17489500.tmp -> Backdoor.Agent.uh : Cleaned with backup
C:\Documents and Settings\Nicholas\Local Settings\Temp\17802444.tmp -> Backdoor.Agent.uh : Cleaned with backup
C:\Documents and Settings\Nicholas\Local Settings\Temp\233074457.tmp -> Backdoor.Agent.uh : Cleaned with backup
C:\Documents and Settings\Nicholas\Local Settings\Temp\temp.fr13DB -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\Nicholas\Local Settings\Temp\temp.fr2328 -> Adware.CommAd : Cleaned with backup
C:\Documents and Settings\Nicholas\Local Settings\Temp\temp.fr6DDC -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\Nicholas\Local Settings\Temp\temp.fr81F9 -> Adware.CommAd : Cleaned with backup
C:\Documents and Settings\Nicholas\Local Settings\Temp\temp.frA264\Ssk.exe -> Adware.SurfSide : Cleaned with backup
C:\Documents and Settings\Nicholas\Local Settings\Temp\temp.frA264\SskBho.dll -> Adware.SurfSide : Cleaned with backup
C:\Documents and Settings\Nicholas\Local Settings\Temp\temp.frA264\SskCore.dll -> Adware.SurfSide : Cleaned with backup
C:\Documents and Settings\Nicholas\Local Settings\Temp\temp.frC7F8\Ssk.exe -> Adware.SurfSide : Cleaned with backup
C:\Documents and Settings\Nicholas\Local Settings\Temp\temp.frC7F8\SskBho.dll -> Adware.SurfSide : Cleaned with backup
C:\Documents and Settings\Nicholas\Local Settings\Temp\temp.frC7F8\SskCore.dll -> Adware.SurfSide : Cleaned with backup
C:\Documents and Settings\Nicholas\Local Settings\Temp\temp.frE3C5 -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\Nicholas\Local Settings\Temp\temp.frEF23 -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\Nicholas\Local Settings\Temp\u1A.tmp -> Adware.SurfSide : Cleaned with backup
C:\drsmartload1.exe -> Downloader.VB.wr : Cleaned with backup
C:\gimmygames.exe -> Downloader.VB.wd : Cleaned with backup
C:\inst_0004.exe -> Downloader.Small.cam : Cleaned with backup
C:\NNSCAA638.EXE -> Adware.NewDotNet : Cleaned with backup
C:\Program Files\Jalmp\jalmp.dll -> Adware.Suggestor : Cleaned with backup
C:\Program Files\Jalmp\uninstall.exe -> Adware.Suggestor : Cleaned with backup
C:\Program Files\Network Monitor\netmon.exe -> Not-A-Virus.Monitor.Win32.NetMon.a : Cleaned with backup
C:\Program Files\SurfSideKick 3 -> Adware.SurfSide : Cleaned with backup
C:\Program Files\SurfSideKick 3\Ssk.exe -> Adware.SurfSide : Cleaned with backup
C:\Program Files\SurfSideKick 3\SskBho.dll -> Adware.SurfSide : Cleaned with backup
C:\Program Files\SurfSideKick 3\SskCore.dll -> Adware.SurfSide : Cleaned with backup
C:\Program Files\whInstall -> Adware.Webhancer : Cleaned with backup
C:\Program Files\whInstall\license.txt -> Adware.Webhancer : Cleaned with backup
C:\Program Files\whInstall\readme.txt -> Adware.Webhancer : Cleaned with backup
C:\Program Files\whInstall\whAgent.ini -> Adware.Webhancer : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP70\A0028321.exe -> Not-A-Virus.Hoax.Win32.Renos.be : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP70\A0028480.exe -> Not-A-Virus.Hoax.Win32.Renos.be : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP70\A0028910.exe -> Not-A-Virus.Hoax.Win32.Renos.be : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP70\A0029001.exe -> Not-A-Virus.Hoax.Win32.Renos.be : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP70\A0029067.exe -> Not-A-Virus.Hoax.Win32.Renos.be : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP70\A0029126.exe -> Not-A-Virus.Hoax.Win32.Renos.be : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP70\A0029179.exe -> Not-A-Virus.Hoax.Win32.Renos.be : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP70\A0029212.exe -> Not-A-Virus.Hoax.Win32.Renos.be : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP70\A0029270.exe -> Not-A-Virus.Hoax.Win32.Renos.be : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP70\A0029275.exe -> Proxy.Agent.eq : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP70\A0029276.exe -> Proxy.Agent.eq : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP70\A0029277.exe -> Proxy.Agent.eq : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP70\A0029278.exe -> Proxy.Agent.eq : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP70\A0029279.exe -> Proxy.Agent.eq : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP70\A0029280.exe -> Proxy.Agent.eq : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP70\A0029281.exe -> Proxy.Agent.eq : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP70\A0029282.exe -> Proxy.Agent.eq : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP70\A0029283.exe -> Proxy.Agent.eq : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP70\A0029284.dll -> Proxy.Agent.x : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP70\A0029285.exe -> Worm.Bagle.fk : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP70\A0029286.dll -> Trojan.Zapchast.ar : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP70\A0029299.exe -> Not-A-Virus.Hoax.Win32.Renos.be : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP71\A0030154.exe -> Not-A-Virus.Hoax.Win32.Renos.be : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP71\A0030174.exe -> Not-A-Virus.Hoax.Win32.Renos.be : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP71\A0030182.exe -> Not-A-Virus.Hoax.Win32.Renos.be : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP71\snapshot\MFEX-1.DAT -> Not-A-Virus.Hoax.Win32.Renos.be : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP76\A0031516.exe -> Downloader.VB.tw : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP76\A0031517.exe -> Downloader.Qoologic.at : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP76\A0031518.dll -> Adware.NewDotNet : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP76\A0031527.exe -> Downloader.VB.wr : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP76\A0031537.exe -> Downloader.VB.nw : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP76\A0031538.exe -> Hijacker.VB.ij : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP76\A0031540.exe -> Adware.NewDotNet : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP76\A0031541.exe -> Adware.NewDotNet : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP76\A0031542.exe -> Adware.NewDotNet : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP76\A0031547.exe -> Adware.WebHancer : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP76\A0031549.exe -> Adware.WebHancer : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP76\A0031550.exe -> Adware.WebHancer : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP76\A0031552.exe -> Downloader.Qoologic.at : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP76\A0031553.cpl -> Downloader.Qoologic.at : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP76\A0032593.dll -> Adware.NewDotNet : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP76\A0032596.dll -> Adware.WebHancer : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP76\A0032597.dll -> Adware.WebHancer : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP76\A0032607.exe -> Hijacker.StartPage.ahg : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP76\A0032608.exe -> Trojan.VB.tg : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP76\A0032609.exe -> Downloader.VB.tw : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP76\A0032610.exe -> Adware.Suggestor : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP76\A0032611.exe -> Hijacker.VB.lg : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP76\A0032612.exe -> Downloader.VB.wd : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP76\A0032623.exe -> Downloader.Small.bmx : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP76\A0032643.exe -> Downloader.Qoologic.at : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP76\A0032691.exe -> Downloader.VB.wr : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP76\A0032881.exe -> Downloader.Small.cam : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP76\A0032882.EXE -> Adware.NewDotNet : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP76\A0032883.dll -> Adware.Suggestor : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP76\A0032884.exe -> Adware.Suggestor : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP76\A0032885.exe -> Not-A-Virus.Monitor.Win32.NetMon.a : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP76\A0032901.exe -> Trojan.Pakes : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP76\A0032902.dll -> Downloader.Qoologic.az : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP76\A0032907.dll -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP76\A0032908.exe -> Adware.SurfSide : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP76\A0032909.dll -> Adware.SurfSide : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP76\A0032910.dll -> Adware.SurfSide : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP76\A0032920.exe -> Downloader.Qoologic.at : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP76\A0032921.exe -> Trojan.Pakes : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP76\A0032922.dll -> Downloader.Qoologic.az : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP76\A0032923.exe -> Downloader.VB.wr : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP76\A0032924.dll -> Downloader.Small : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP76\A0032928.exe -> Hijacker.StartPage.ahg : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP76\A0032929.exe -> Downloader.VB.wd : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP76\A0032946.dll -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP76\A0032947.dll -> Adware.SurfSide : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP76\A0032948.dll -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP76\A0032958.exe -> Downloader.Bagle.z : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP76\A0032960.exe -> Downloader.VB.wr : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP76\A0032966.exe -> Hijacker.StartPage.ahg : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP76\A0032967.exe -> Downloader.VB.wd : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP76\A0032968.exe -> Downloader.Qoologic.at : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP76\A0033003.exe -> Downloader.Qoologic.at : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP76\A0033078.exe -> Adware.NewDotNet : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP76\A0033079.exe -> Hijacker.StartPage.ahg : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP76\A0033080.exe -> Downloader.Bagle.z : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP76\A0033081.exe/whAgent.exe -> Adware.WebHancer : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP76\A0033085.exe -> Downloader.VB.wr : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP76\A0033086.exe -> Downloader.Qoologic.at : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP76\A0033087.exe -> Adware.Suggestor : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP76\A0033088.exe -> Downloader.VB.wd : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP76\A0033092.exe -> Downloader.VB.wd : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP76\A0033096.dll -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP76\A0033097.dll -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP76\A0033103.exe -> Adware.SurfSide : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP76\A0033104.dll -> Adware.SurfSide : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP76\A0033105.dll -> Adware.SurfSide : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP76\A0033109.exe -> Downloader.Qoologic.at : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP76\A0033110.exe -> Trojan.Pakes : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP76\A0033111.dll -> Downloader.Qoologic.az : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP76\A0033113.dll -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP76\A0033120.exe -> Trojan.Pakes : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP76\A0033121.dll -> Downloader.Qoologic.az : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP76\A0033122.dll -> Downloader.Small : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP76\A0033130.exe -> Trojan.Runner.h : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP76\A0033141.exe -> Downloader.Qoologic.at : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP76\A0033142.dll -> Adware.SurfSide : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP76\A0033143.dll -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP76\A0033151.exe -> Downloader.Bagle.z : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP76\A0033156.exe -> Downloader.VB.wr : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP76\A0033159.exe -> Hijacker.StartPage.ahg : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP76\A0033160.exe -> Downloader.VB.wd : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP76\A0033161.exe -> Downloader.Qoologic.at : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP76\A0033171.exe -> Downloader.VB.tw : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP76\A0033178.exe -> Downloader.Small.bmx : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP76\A0033198.exe -> Downloader.Qoologic.at : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP76\A0033202.exe -> Dropper.Small.qn : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP76\A0033206.dll -> Adware.Ucmore : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP76\A0033209.dll -> Adware.Ucmore : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP76\A0033211.dll -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP76\A0033212.exe -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP76\A0033213.exe -> Downloader.Small.buy : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP76\A0033215.exe -> Downloader.TSUpdate.o : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP76\A0033216.exe/UCMTSAIE.DLL -> Adware.Ucmore : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP76\A0033216.exe/IUCMORE.DLL -> Adware.Ucmore : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP76\A0033217.dll -> Adware.Sud : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP76\A0033218.dll -> Adware.Sud : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP76\A0033220.dll -> Downloader.Qoologic.at : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP76\A0033221.cpl -> Downloader.Qoologic.at : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP76\A0033500.EXE -> Adware.NewDotNet : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP76\A0033520.dll -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP76\A0033521.dll -> Adware.CommAd : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP76\A0033522.exe -> Adware.CommAd : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP76\A0033523.exe -> Adware.SurfSide : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP76\A0033524.dll -> Adware.SurfSide : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP76\A0033525.dll -> Adware.SurfSide : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP76\A0033536.exe -> Downloader.Bagle.z : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP76\A0033541.exe -> Downloader.VB.wr : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP76\A0033545.exe -> Downloader.VB.wd : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP76\A0033546.exe -> Downloader.Qoologic.at : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP76\A0033557.exe -> Downloader.Small.bmx : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP76\A0033592.exe -> Downloader.Qoologic.at : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP76\A0033597.dll -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP76\A0033598.dll -> Adware.NewDotNet : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP76\A0033599.dll -> Adware.SurfSide : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP76\A0033600.dll -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP76\A0033606.exe -> Downloader.Bagle.z : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP76\A0033614.exe -> Downloader.Qoologic.at : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP76\A0033629.exe -> Downloader.Small.bmx : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP76\A0033631.dll -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP76\A0033635.dll -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP76\A0033639.exe -> Downloader.Bagle.z : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP76\A0033644.exe -> Downloader.VB.wr : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP76\A0033649.exe -> Downloader.Qoologic.at : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP76\A0033660.exe -> Downloader.Small.bmx : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP76\A0033680.exe -> Downloader.Qoologic.at : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP76\A0033751.exe -> Downloader.VB.wd : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP76\A0033758.dll -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP76\A0033762.dll -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP76\A0033764.exe -> Downloader.VB.wr : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP76\A0033768.exe -> Downloader.Bagle.z : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP76\A0033776.exe -> Downloader.Qoologic.at : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP76\A0033787.exe -> Downloader.Small.bmx : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP76\A0033822.exe -> Downloader.Qoologic.at : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP77\A0033890.exe -> Downloader.VB.wr : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP77\A0033891.exe -> Downloader.VB.wd : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP77\A0034088.exe -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP77\A0034091.exe -> Downloader.Small.buy : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP77\A0034105.dll -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP77\A0034109.dll -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP77\A0034114.exe -> Downloader.Bagle.z : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP77\A0034117.exe -> Downloader.VB.wr : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP77\A0034125.exe -> Downloader.Qoologic.at : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP77\A0034136.exe -> Downloader.Small.bmx : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP77\A0034156.exe -> Downloader.Qoologic.at : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP77\A0034179.dll -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP77\A0034183.exe -> Downloader.VB.wr : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP77\A0034184.dll -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP77\A0034190.exe -> Downloader.Bagle.z : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP77\A0034197.exe -> Downloader.Qoologic.at : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP77\A0034210.exe -> Downloader.Small.bmx : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP77\A0034236.exe -> Adware.NewDotNet : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP77\A0034237.exe -> Adware.NewDotNet : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP77\A0034263.dll -> Adware.NewDotNet : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP77\A0034265.dll -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP77\A0034269.dll -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP77\A0034274.exe -> Downloader.VB.wr : Cleaned with backup
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP77\A0034280.dll -> Adware.Look2Me : Cleaned with backup
C:\visfx500.exe -> Dropper.Agent.aie : Cleaned with backup
C:\WINDOWS\hcocspi.exe -> Hijacker.VB.ij : Cleaned with backup
C:\WINDOWS\NDNuninstall6_38.exe -> Adware.NewDotNet : Cleaned with backup
C:\WINDOWS\NDNuninstall7_22.exe -> Adware.NewDotNet : Cleaned with backup
C:\WINDOWS\stub_110_4_0_4_0.exe -> Downloader.TSUpdate.o : Cleaned with backup
C:\WINDOWS\SYSC00.exe -> Trojan.VB.tg : Cleaned with backup
C:\WINDOWS\system32\hpsw.exe -> Adware.Suggestor : Cleaned with backup
C:\WINDOWS\system32\ipiiqpq.dll -> Downloader.Qoologic.az : Cleaned with backup
C:\WINDOWS\system32\jvjjkdk.exe -> Trojan.Pakes : Cleaned with backup
C:\WINDOWS\system32\kmkkg.dll -> Downloader.Small : Cleaned with backup
C:\WINDOWS\system32\mqasn1.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\oledsp32.dll -> Trojan.Zapchast.ar : Cleaned with backup
C:\WINDOWS\system32\pappyr.exe -> Downloader.Qoologic.at : Cleaned with backup
C:\WINDOWS\system32\sjtupapi.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\wgse.exe -> Trojan.Runner.h : Cleaned with backup
C:\WINDOWS\system32\wuwwq.dat -> Downloader.Qoologic.at : Cleaned with backup
C:\WINDOWS\temp\A0C5.tmp/titno.exe -> Adware.MDH : Cleaned with backup

Edited by xplosivo, 17 February 2006 - 07:04 PM.


#6 xplosivo (Topic Starter)
  • Members
  • 26 posts

Posted 17 February 2006 - 07:06 PM

C:\WINDOWS\temp\ASHeuristic\vcualts32_exe.vir -> Downloader.Bagle.z : Cleaned with backup
C:\WINDOWS\temp\f108718.exe -> Downloader.Qoologic.at : Cleaned with backup
C:\WINDOWS\temp\i8.tmp -> Adware.SurfSide : Cleaned with backup
C:\WINDOWS\TmljaG9sYXM\asappsrv.dll -> Adware.CommAd : Cleaned with backup
C:\WINDOWS\TmljaG9sYXM\command.exe -> Adware.CommAd : Cleaned with backup
C:\WINDOWS\unin101.exe -> Trojan.VB.tg : Cleaned with backup
C:\WINDOWS\uni_eh.exe -> Trojan.VB.tg : Cleaned with backup
C:\WINDOWS\vcualts32.exe -> Downloader.Bagle.z : Cleaned with backup
C:\WINDOWS\win32074992-126171.exe -> Downloader.VB.tw : Cleaned with backup
C:\WINDOWS\winsysban8.exe -> Hijacker.VB.lg : Cleaned with backup
C:\WINDOWS\winsysupd8.exe -> Hijacker.StartPage.ahg : Cleaned with backup


::Report End

Logfile of HijackThis v1.99.1
Scan saved at 6:46:26 PM, on 2/17/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\SYSTEM32\rundll32.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\hostsvc.exe
C:\WINDOWS\System32\Promon.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\AOL\1136938905\ee\AOLSoftware.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\windows\winsysban9.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Anti-Malware Programs\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...B_PVER}&ar=home
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [ConfigSafe] C:\CFGSAFE\NTFSCLUP.EXE
O4 - HKLM\..\Run: [CSScheduleCheck] C:\CFGSAFE\SCHWIZEX.EXE -CHECK
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1136938905\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [winupdate] C:\Program Files\winupdate\winupdate.exe /auto
O4 - HKLM\..\Run: [winsysban] C:\windows\winsysban9.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [rofq] C:\PROGRA~1\COMMON~1\rofq\rofqm.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Filter: text/html - {2F6E85DC-8D2D-4896-8A4F-7DF8A7B1749D} - C:\PROGRA~1\Jalmp\jalmp.dll
O20 - Winlogon Notify: Setup - C:\WINDOWS\system32\ir00l5dm1.dll
O21 - SSODL: Internet Explorer - {F28A40D7-AD0E-034A-C651-5F0ED76232E6} - C:\WINDOWS\System32\Bnaqaaje.dll (file missing)
O21 - SSODL: kOxfhgvY - {B4CBC1D1-1E61-6B7B-101E-9F72A3FBE3BA} - C:\WINDOWS\System32\lug.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TmljaG9sYXM\command.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: windows service host - Unknown owner - C:\WINDOWS\hostsvc.exe

Uninstall List

Access IBM
Ad-Aware SE Personal
Adobe Acrobat 5.0
Age of Empires III
AOL Uninstaller (Choose which Products to Remove)
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
AVG Free Edition
Command
ConfigSafe
Counter-Strike Source
Default
Diablo II
DVMatics
ewido anti-malware
Fable - The Lost Chapters
FEAR
GameSpy Arcade
HijackThis 1.99.1
Intel® PRO Ethernet Adapter and Software
Intel® PROSet II
InterActual Player
J2SE Runtime Environment 5.0 Update 3
J2SE Runtime Environment 5.0 Update 6
LimeWire 4.10.5
LiveReg (Symantec Corporation)
LiveUpdate 1.6 (Symantec Corporation)
Logitech SetPoint
Logon Loader 3.0
Macromedia Flash Player 8
Microsoft .NET Framework 1.1
Microsoft Office 2000 Professional
Microsoft XML Parser and SDK
Mozilla Firefox (1.5.0.1)
Network Monitor
Neverwinter Nights Platinum Edition
NVIDIA Windows 2000/XP Display Drivers
Panda ActiveScan
Quicklinks
QuickTime
Shockwave
SoundMAX
Spybot - Search & Destroy 1.4
Uninstall PC-Doctor
Viewpoint Media Player
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB823559
Windows XP Hotfix - KB828741
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB835732
Windows XP Hotfix - KB842773
Windows XP Hotfix (SP1) [See Q329048 for more information]
Windows XP Hotfix (SP1) [See Q329390 for more information]
Windows XP Hotfix (SP1) [See Q329441 for more information]
Windows XP Hotfix (SP1) [See Q329834 for more information]
Windows XP Hotfix (SP1) Q329170
Windows XP Hotfix (SP1) Q810577
Windows XP Hotfix (SP1) Q810833
Windows XP Hotfix (SP1) Q817606
Windows XP Hotfix (SP2) [See Q329115 for more information]
WinRAR archiver
Yahoo! Messenger
Yahoo! Toolbar
ZoneAlarm

Thanks again. :thumbsup:

#7 -David-
  • Members
  • 10,603 posts

Posted 18 February 2006 - 12:47 PM

Hi xplosivo

It is a good idea to print off these instructions - they will be needed later when internet access is not available. You may also like to save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above.
It is important that you complete the following instructions in the correct order, and also that you don't miss anything out! :thumbsup:
_____________________________

The first step in this process is to apply Service Pack 1b for Windows XP.

Without this update, you're wide open to re-infection, and we're both just wasting our time.

Click HERE.
Apply the update, and reboot

Install all critical updates except Service Pack 2. Some hijacks interfere with the installation of Service Pack 2, so please wait until your computer is clean before installing it.
_____________________________

Click on start, then control panel, and then double-click on add/remove programs. From within add/remove program uninstall the following if they exist by double-clicking on the following entries:

Network Monitor
Command

Limewire 4.10.5
<---You are using LimeWire. This is not technically malware by itself, but it installs malware in order to run properly and it opens the door for every other nasty program you can think of. I strongly recommend that you remove it. Read this article for alternatives that will provide some of the same function without the garbage: http://www.spywareinfo.com/articles/p2p/.
This is another article: http://www.cexx.org/adware.htm
_____________________________

Make sure that you can see hidden files (Windows XP).
-Click "Start".
-Click "My Computer".
-Select the "Tools" menu and click "Folder Options".
-Select the "View" tab.
-Under the "Hidden files and folders" heading, select "Show hidden files and folders".
-Uncheck the "Hide protected operating system files (recommended)" option.
-Click "Yes" to confirm.
-Uncheck the "Hide file extensions for known file types".
-Click "OK".
_____________________________

Open notepad and copy and paste next in it:

sc stop "windows service host" > results.txt
sc delete "windows service host" >> results.txt
start results.txt
exit


Save this as fix.bat
Choose to save as all files.
This is how the batch must look afterwards: [image]
Doubleclick fix.bat - save the text that comes up in the notepad somewhere safe (desktop).
_____________________________

*Boot into Safe Mode (without networking support!)
By pressing the F8 key right when Windows starts, usually right after you hear your computer beep when you reboot it (some versions of Windows will display 'Starting Windows' with a grey progress bar), you will be brought to a menu where you can choose to boot into safe mode.
_____________________________

*Now start a new scan with HJT and place a checkmark next to each of the following items (if present):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...B_PVER}&ar=home
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll (file missing)
O4 - HKLM\..\Run: [winupdate] C:\Program Files\winupdate\winupdate.exe /auto
O4 - HKLM\..\Run: [winsysban] C:\windows\winsysban9.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [rofq] C:\PROGRA~1\COMMON~1\rofq\rofqm.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O18 - Filter: text/html - {2F6E85DC-8D2D-4896-8A4F-7DF8A7B1749D} - C:\PROGRA~1\Jalmp\jalmp.dll
O20 - Winlogon Notify: Setup - C:\WINDOWS\system32\ir00l5dm1.dll
O21 - SSODL: Internet Explorer - {F28A40D7-AD0E-034A-C651-5F0ED76232E6} - C:\WINDOWS\System32\Bnaqaaje.dll (file missing)
O21 - SSODL: kOxfhgvY - {B4CBC1D1-1E61-6B7B-101E-9F72A3FBE3BA} - C:\WINDOWS\System32\lug.dll (file missing)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TmljaG9sYXM\command.exe (file missing)
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: windows service host - Unknown owner - C:\WINDOWS\hostsvc.exe


* Make sure your Internet Explorer is closed and click on "Fix Checked" and exit HijackThis when finished.
_____________________________

* Using Windows Explorer, locate the following files/folders, and delete them if still present:

C:\Program Files\winupdate <--folder
C:\windows\winsysban9.exe <--file
C:\Program Files\SurfSideKick 3 <--folder
C:\Program Files\Common Files\rofq <--folder
C:\Program Files\Jalmp <--folder
C:\WINDOWS\system32\ir00l5dm1.dll <--file
C:\WINDOWS\TmljaG9sYXM <--folder
C:\Program Files\Network Monitor <--folder
C:\WINDOWS\hostsvc.exe <--file
_____________________________

Reboot to normal mode and please download Look2Me-Destroyer.exe to your desktop.
  • Close all windows before continuing.
  • Double-click Look2Me-Destroyer.exe to run it.
  • Put a check next to Run this program as a task.
  • You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK
  • When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
  • Once it's done scanning, click the Remove L2M button.
  • You will receive a Done Scanning message, click OK.
  • When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
  • Your computer will then shutdown.
  • Turn your computer back on.
  • Please post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log.
If you receive a message from your Firewall about this program accessing the Internet, please allow it.

If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX
_____________________________

Please post back with the following logs:
  • C:\Look2Me-Destroyer.txt
  • A new HijackThis log
  • The results.txt contents
Also, can you tell me if you know anything about the program 'QuickLinks'? Did you install it intentionally?
David

#8 xplosivo (Topic Starter)
  • Members
  • 26 posts

Posted 18 February 2006 - 03:06 PM

Logfile of HijackThis v1.99.1
Scan saved at 2:57:42 PM, on 2/18/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Anti-Malware Programs\HJT\HijackThis.exe

O1 - Hosts: MZ@ !L!This program cannot be run in DOS mode.
O1 - Hosts: $A䎮A䎮A䎮A䏮t䎮H䎮A䎮{䎮RichA䎮PELH6  hJ %Xrd.text2gh `.dataI*n@vvvvvvjvvv wss t
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TmljaG9sYXM\command.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

[SC] ControlService FAILED 1052:

The requested control is not valid for this service.


[SC] DeleteService SUCCESS

Look2Me-Destroyer V1.0.6

Scanning for infected files.....
Scan started at 2/18/2006 2:48:01 PM

Infected! C:\WINDOWS\system32\mv04l9dq1.dll
Infected! C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP77\A0034305.dll
Infected! C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP77\A0034308.dll
Infected! C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP77\A0034525.dll
Infected! C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP77\A0034529.dll
Infected! C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP77\A0034541.dll
Infected! C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP78\A0034550.dll
Infected! C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP87\A0039340.dll
Infected! C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP87\A0039344.dll
Infected! C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP87\A0039366.dll
Infected! C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP87\A0039371.dll
Infected! C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP87\A0039393.dll
Infected! C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP87\A0040396.dll
Infected! C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP87\A0040400.dll
Infected! C:\WINDOWS\system32\kfdes.dll
Infected! C:\WINDOWS\system32\mxjdbc10.dll

Attempting to delete infected files...

Attempting to delete: C:\WINDOWS\system32\mv04l9dq1.dll
C:\WINDOWS\system32\mv04l9dq1.dllcould not be deleted!

Attempting to delete: C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP77\A0034305.dll
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP77\A0034305.dllcould not be deleted!

Attempting to delete: C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP77\A0034308.dll
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP77\A0034308.dllcould not be deleted!

Attempting to delete: C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP77\A0034525.dll
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP77\A0034525.dllcould not be deleted!

Attempting to delete: C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP77\A0034529.dll
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP77\A0034529.dllcould not be deleted!

Attempting to delete: C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP77\A0034541.dll
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP77\A0034541.dllcould not be deleted!

Attempting to delete: C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP78\A0034550.dll
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP78\A0034550.dllcould not be deleted!

Attempting to delete: C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP87\A0039340.dll
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP87\A0039340.dllcould not be deleted!

Attempting to delete: C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP87\A0039344.dll
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP87\A0039344.dllcould not be deleted!

Attempting to delete: C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP87\A0039366.dll
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP87\A0039366.dllcould not be deleted!

Attempting to delete: C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP87\A0039371.dll
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP87\A0039371.dllcould not be deleted!

Attempting to delete: C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP87\A0039393.dll
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP87\A0039393.dllcould not be deleted!

Attempting to delete: C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP87\A0040396.dll
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP87\A0040396.dllcould not be deleted!

Attempting to delete: C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP87\A0040400.dll
C:\System Volume Information\_restore{02F98537-CEA1-4DEB-82FB-2880A472F806}\RP87\A0040400.dllcould not be deleted!

Attempting to delete: C:\WINDOWS\system32\kfdes.dll
C:\WINDOWS\system32\kfdes.dllcould not be deleted!

Attempting to delete: C:\WINDOWS\system32\mxjdbc10.dll
C:\WINDOWS\system32\mxjdbc10.dllcould not be deleted!

Making registry repairs.

Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Control Panel

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{104B149A-4395-41C4-B96F-389018302130}"
HKCR\Clsid\{104B149A-4395-41C4-B96F-389018302130}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{32538C40-9EFD-4A1B-8F2C-1D198EFDA59F}"
HKCR\Clsid\{32538C40-9EFD-4A1B-8F2C-1D198EFDA59F}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{0BFEB0D1-B10E-4728-905F-AABA1ECEE482}"
HKCR\Clsid\{0BFEB0D1-B10E-4728-905F-AABA1ECEE482}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{6B85A13B-47C7-469B-89A1-304CA805D260}"
HKCR\Clsid\{6B85A13B-47C7-469B-89A1-304CA805D260}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{2DE7122D-3BC8-42DD-A2B8-448E2AF3B9B5}"
HKCR\Clsid\{2DE7122D-3BC8-42DD-A2B8-448E2AF3B9B5}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{B1A19004-61ED-4B77-B719-1A6241237A5D}"
HKCR\Clsid\{B1A19004-61ED-4B77-B719-1A6241237A5D}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{84F8E5B2-5A14-4099-9884-08DB58C5BA70}"
HKCR\Clsid\{84F8E5B2-5A14-4099-9884-08DB58C5BA70}

Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administrators - Succeeded
____________________________________________________

When I went to remove Network Monitor, it said that "an error has occurred while removing Network Monitor. Network Monitor has not been removed."

None of these were present when I ran HijackThis again:
O4 - HKLM\..\Run: [winupdate] C:\Program Files\winupdate\winupdate.exe /auto
O4 - HKLM\..\Run: [winsysban] C:\windows\winsysban9.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O23 - Service: windows service host - Unknown owner - C:\WINDOWS\hostsvc.exe

I did not find this file either:
C:\WINDOWS\system32\ir00l5dm1.dll

I don't know what "QuickLinks" is.

Thanks again for your time and help.

p.s.
Maybe I'm typing this prematurely, but I think the pop-ups have stopped *knock on wood* :thumbsup:
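The exchange above is a before/after comparison of two HijackThis logs done by eye: the helper lists entries to fix, the user reports which ones are gone. As an added example (not part of the thread and not HijackThis's own code), this script parses the log format, diffs two scans, and marks entries a reader would look at twice; the sample lines are excerpts of the two logs posted above, and the review heuristics are assumptions, not anything HijackThis itself does.

```python
"""Parse HijackThis 1.99.1 log entries and compare two scans.

Added example; not part of the original thread and not HijackThis's own code.
The review heuristics below are assumptions a reader might apply, not HJT's.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Every HJT entry is "<code> - <detail>", code = R0..R3, F0..F3, N1..N4, O1..O24.
_ENTRY_RE = re.compile(r"^([RFN]\d|O\d{1,2}) - (.*)$")
# A well-formed hosts line is "<IPv4 or IPv6 address> <hostname>"; anything
# else in an O1 entry means the hosts file holds data that is not a hosts table
# (the thread's log shows a PE header, "MZ ... cannot be run in DOS mode").
_HOSTS_LINE_RE = re.compile(
    r"^Hosts: (\d{1,3}(?:\.\d{1,3}){3}|[0-9a-fA-F:]*:[0-9a-fA-F:]*)\s+\S+"
)


@dataclass(frozen=True)
class Entry:
    section: str
    detail: str


def parse_hjt(text: str) -> list[Entry]:
    """Return the section entries of a log; the header and the
    'Running processes' block carry no section code and are skipped."""
    entries = []
    for line in text.splitlines():
        m = _ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def review_reasons(e: Entry) -> list[str]:
    """Reasons to look twice at an entry. A match marks the item for
    review only; it is not a verdict."""
    reasons = []
    if "(file missing)" in e.detail:
        reasons.append("points at a file that no longer exists")
    if e.section in {"O18", "O20", "O21"}:
        reasons.append(f"{e.section} load point is rarely used by legitimate software")
    if e.section == "O23" and "Unknown owner" in e.detail:
        reasons.append("service has no publisher")
    if e.section == "O1" and not _HOSTS_LINE_RE.match(e.detail):
        reasons.append("hosts file contains non-hosts data (e.g. a PE header)")
    return reasons


def diff_logs(before: str, after: str) -> tuple[set[Entry], set[Entry]]:
    """(entries that disappeared, entries that appeared) between two scans."""
    b, a = set(parse_hjt(before)), set(parse_hjt(after))
    return b - a, a - b


def triage(before: str, after: str) -> dict:
    """Diff two scans and list what is still worth reviewing in the newer one."""
    removed, added = diff_logs(before, after)
    still_flagged = {e for e in parse_hjt(after) if review_reasons(e)}
    return {"removed": removed, "added": added, "still_flagged": still_flagged}


# Constructed excerpts of the 17 Feb (before) and 18 Feb (after) logs from the thread.
LOG_BEFORE = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\hostsvc.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [winsysban] C:\windows\winsysban9.exe
O18 - Filter: text/html - {2F6E85DC-8D2D-4896-8A4F-7DF8A7B1749D} - C:\PROGRA~1\Jalmp\jalmp.dll
O20 - Winlogon Notify: Setup - C:\WINDOWS\system32\ir00l5dm1.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TmljaG9sYXM\command.exe (file missing)
O23 - Service: windows service host - Unknown owner - C:\WINDOWS\hostsvc.exe
"""

LOG_AFTER = r"""
Logfile of HijackThis v1.99.1
O1 - Hosts: MZ@ !L!This program cannot be run in DOS mode.
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TmljaG9sYXM\command.exe (file missing)
"""

if __name__ == "__main__":
    for label, entries in triage(LOG_BEFORE, LOG_AFTER).items():
        print(label)
        for e in sorted(entries, key=lambda x: (x.section, x.detail)):
            print(f"  {e.section} - {e.detail}  {review_reasons(e)}")
```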

#9 -David-
  • Members
  • 10,603 posts

Posted 19 February 2006 - 12:55 PM

Hello there,

*It is a good idea to print off these instructions - they will be needed later when internet access is not available. You may also like to save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above.
It is important that you complete the following instructions in the correct order, and also that you don't miss anything out! :thumbsup:
_____________________________

Click on start, then control panel, and then double-click on add/remove programs. From within add/remove program uninstall the following if they exist by double-clicking on the following entries:

QuickLinks
_____________________________

Please download hoster from here :flowers:
  • Unzip Hoster.zip
  • Open Hoster.exe
  • Then click on "Restore Original Hosts"
  • Close program when complete.
  • Empty Recycle Bin
_____________________________

Please open notepad and copy and paste next bold in it:
(don't forget to copy and paste REGEDIT4)

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Network Monitor]


Save this as "fix.reg" Choose to save as *all files and place it on your desktop.

It should look like this: [image]

Doubleclick on it and when it asks you if you want to merge the contents to the registry, click yes/ok.
_____________________________

*Boot into Safe Mode (without networking support!)
By pressing the F8 key right when Windows starts, usually right after you hear your computer beep when you reboot it (some versions of Windows will display 'Starting Windows' with a grey progress bar), you will be brought to a menu where you can choose to boot into safe mode.
_____________________________

*Now start a new scan with HJT and place a checkmark next to each of the following items (if present):

O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TmljaG9sYXM\command.exe (file missing)

* Make sure your Internet Explorer is closed and click on "Fix Checked" and exit HijackThis when finished.
_____________________________

* Using Windows Explorer, locate the following files/folders, and delete them if still present:

C:\WINDOWS\TmljaG9sYXM <--folder
C:\WINDOWS\system32\mv04l9dq1.dll <--file
C:\WINDOWS\system32\kfdes.dll <--file
C:\WINDOWS\system32\mxjdbc10.dll <--file
_____________________________

Reboot to normal mode and download L2mfix from one of these two locations:

http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!
_____________________________

Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report along with a new HJT log, another uninstall list and the L2MFix log in your next reply. Also let me know how the system is running.

David
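The HJT step above singles out one O23 service line by eye: no vendor string, a binary under a folder directly beneath C:\WINDOWS, and "(file missing)". The following Python is an added example (not from this thread or from HijackThis) that applies those same three checks to O23 lines automatically; the sample lines are copied from the log posted later in this thread, and the function and flag names are my own.

```python
"""
Triage of HijackThis "O23 - Service:" lines.
Added example for this thread; helper names (parse_o23, triage, still_present)
are hypothetical, not part of HijackThis.
"""
from dataclasses import dataclass, field

# Constructed sample: O23 lines copied from the HJT log posted in this thread.
SAMPLE_HJT_LOG = r"""
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TmljaG9sYXM\command.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
"""

O23_PREFIX = "O23 - Service: "
MISSING_SUFFIX = " (file missing)"


@dataclass
class ServiceEntry:
    name: str
    owner: str
    path: str
    file_missing: bool
    flags: list = field(default_factory=list)


def parse_o23(line):
    """Split one O23 line into (display name, owner, image path, file-missing)."""
    if not line.startswith(O23_PREFIX):
        return None
    body = line[len(O23_PREFIX):].strip()
    file_missing = body.endswith(MISSING_SUFFIX)
    if file_missing:
        body = body[:-len(MISSING_SUFFIX)]
    # HJT joins the three fields with " - "; the path may itself contain
    # spaces, so split at most twice and keep the remainder as the path.
    parts = body.split(" - ", 2)
    if len(parts) != 3:
        return None
    name, owner, path = parts
    return ServiceEntry(name, owner, path, file_missing)


def triage(entry):
    """Attach the same heuristics the helper applied by hand."""
    flags = []
    if entry.file_missing:
        # A service whose binary is gone: leftover registration, either from
        # malware that moved on or from a partial removal. Safe to remove.
        flags.append("file missing")
    if entry.owner == "Unknown owner":
        # No vendor string. Weak on its own (ATI Smart is legitimate here),
        # so it only raises attention in combination with other flags.
        flags.append("unknown owner")
    lowered = entry.path.lower()
    if lowered.startswith("c:\\windows\\") and not lowered.startswith("c:\\windows\\system32\\"):
        # Binary parked in a custom folder directly under the Windows root
        # rather than in System32 or Program Files.
        flags.append("odd path")
    entry.flags = flags
    return entry


def triage_log(text):
    """Parse and flag every O23 line in an HJT log; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        entry = parse_o23(line.strip())
        if entry is not None:
            entries.append(triage(entry))
    return entries


def suspicious(text):
    """Only the entries that picked up at least one flag."""
    return [e for e in triage_log(text) if e.flags]


def still_present(names, text):
    """Names flagged in an earlier log that a later log still lists.

    In this thread the cmdService entry was checked for 'Fix Checked' on the
    19th and is still in the log posted on the 20th, which is exactly the
    case this check is meant to catch.
    """
    present = {e.name for e in triage_log(text)}
    return sorted(n for n in names if n in present)


if __name__ == "__main__":
    for e in suspicious(SAMPLE_HJT_LOG):
        print(f"{e.name}: {', '.join(e.flags)} -> {e.path}")
```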

#10 xplosivo

xplosivo
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  • Local time:04:16 PM

Posted 20 February 2006 - 10:31 AM

Incident Status Location

Adware:adware/look2me Not disinfected C:\WINDOWS\TEMP\bw2.com
Spyware:spyware/surfsidekick Not disinfected C:\Documents and Settings\Nicholas\Local Settings\Temporary Internet Files\Ssk.log
Adware:adware/dollarrevenue Not disinfected C:\WINDOWS\drsmartload2.dat
Adware:adware/commad Not disinfected C:\WINDOWS\uninstall_nmon.vbs
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Nicholas\Cookies\nicholas@advertising[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Nicholas\Cookies\nicholas@doubleclick[1].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt[.as-eu.falkag.net/]
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt[.as-us.falkag.net/]
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt[.trafficmp.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt[.trafficmp.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt[.advertising.com/]
Spyware:Cookie/2o7.net Not disinfected C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt[.2o7.net/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt[.apmebf.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt[.hitbox.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt[.com.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt[.adopt.hbmediapro.com/]
Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt[.z1.adserver.com/]
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt[stats1.reliablestats.com/]
Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt[.revenue.net/]
Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt[.tradedoubler.com/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt[server.iad.liveperson.net/hc/80503492]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt[server.iad.liveperson.net/]
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt[.bluestreak.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt[.perf.overture.com/]
Spyware:Cookie/Microsofte Not disinfected C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt[.microsofteup.112.2o7.net/]
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt[.azjmp.com/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt[.zedo.com/]
Spyware:Cookie/QkSrv Not disinfected C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt[.qksrv.net/]
Virus:Trj/VB.KN Not disinfected C:\23twd.exe
Virus:Trj/VB.KN Not disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\YGW37P7J\dnvzd6[1].jpg
Adware:Adware/CommAd Not disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\YHIJKL4N\installer[1].exe
Adware:Adware/Ucmore Not disinfected C:\Documents and Settings\LocalService\Start Menu\Programs\UCmore - The Search Accelerator\How To Uninstall.lnk
Adware:Adware/Ucmore Not disinfected C:\Documents and Settings\LocalService\Start Menu\Programs\UCmore - The Search Accelerator\UCmore Tour.lnk
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt[]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt[80503492]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt[]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Nicholas\Cookies\nicholas@advertising[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Nicholas\Cookies\nicholas@doubleclick[1].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Nicholas\Desktop\l2mfix\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Nicholas\Desktop\l2mfix.exe[Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Nicholas\Local Settings\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\Cache\35897D89d01[Process.exe]
Adware:Adware/nCase Not disinfected C:\Documents and Settings\Nicholas\Local Settings\Temporary Internet Files\Content.IE5\ZIZVJAXB\AppWrap[1].exe
Adware:Adware/Look2Me Not disinfected C:\RECYCLER\S-1-5-21-2529006832-2225589205-3563514748-1005\Dc1.dll
Adware:Adware/Look2Me Not disinfected C:\WINDOWS\system32\n88olil318q.dll
Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\system32\Process.exe
Adware:Adware/nCase Not disinfected C:\WINDOWS\temp\bw2.com
Adware:Adware/SearchAid Not disinfected C:\WINDOWS\uninstall_nmon.vbs

L2MFIX find log 010406
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"sv1"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
"{8FF88D21-7BD0-11D1-BFB7-00AA00262A11}"="WinAce Archiver 2.6 Context Menu Shell Extension"
"{8FF88D25-7BD0-11D1-BFB7-00AA00262A11}"="WinAce Archiver 2.6 DragDrop Shell Extension"
"{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}"="WinAce Archiver 2.6 Context Menu Shell Extension"
"{8FF88D23-7BD0-11D1-BFB7-00AA00262A11}"="WinAce Archiver 2.6 Property Sheet Shell Extension"
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"="AVG7 Shell Extension"
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}"="AVG7 Find Extension"

**********************************************************************************
HKEY ROOT CLASSIDS:
**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
084c4hie.dll Wed Feb 15 2006 2:16:22p A.... 45,568 44.50 K
cmdlin~1.dll Fri Jan 20 2006 7:13:04p A.... 98,304 96.00 K
cmdlin~2.dll Thu Feb 2 2006 6:41:58p A.... 43,520 42.50 K
n88oli~1.dll Sat Feb 18 2006 2:41:20p ..S.R 233,774 228.29 K
resmap~1.dll Thu Feb 16 2006 7:45:38p A.... 24,064 23.50 K
sintf16.dll Mon Jan 30 2006 7:27:34p A.... 12,067 11.78 K
sintf32.dll Mon Jan 30 2006 7:27:34p A.... 17,212 16.81 K
sintfnt.dll Mon Jan 30 2006 7:27:34p A.... 21,840 21.33 K
sporder.dll Wed Feb 15 2006 2:17:30p A.... 8,464 8.27 K
wcuauth.dll Fri Feb 17 2006 2:19:06p A.... 24,064 23.50 K
winren~1.dll Thu Jan 26 2006 11:17:22a A.... 22,528 22.00 K

11 items found: 11 files (1 H/S), 0 directories.
Total of file sizes: 551,405 bytes 538.48 K
Locate .tmp files:

No matches found.
**********************************************************************************
Directory Listing of system files:
Volume in drive C is IBM_PRELOAD
Volume Serial Number is B4CB-C1D0

Directory of C:\WINDOWS\System32

02/20/2006 12:20 AM <DIR> ..
02/20/2006 12:20 AM <DIR> .
02/18/2006 02:41 PM 233,774 n88olil318q.dll
02/18/2006 01:56 PM <DIR> dllcache
01/09/2006 02:56 PM 96,000 sysinj.sys
01/09/2006 02:56 PM 60 sysinjsz.sys
12/26/2005 02:22 PM <DIR> Microsoft
3 File(s) 329,834 bytes
4 Dir(s) 10,731,978,752 bytes free

Logfile of HijackThis v1.99.1
Scan saved at 10:27:27 AM, on 2/20/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\NMSSvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\AOL\1140294563\ee\AOLSoftware.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\Explorer.EXE
C:\Anti-Malware Programs\HJT\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1140294563\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TmljaG9sYXM\command.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


Uninstall List

Access IBM
Ad-Aware SE Personal
Adobe Acrobat 5.0
Age of Empires III
AOL Uninstaller (Choose which Products to Remove)
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
AVG Free Edition
ConfigSafe
Counter-Strike Source
Default
Diablo II
DVMatics
ewido anti-malware
Fable - The Lost Chapters
FEAR
GameSpy Arcade
Guild Wars
HijackThis 1.99.1
Intel® PRO Ethernet Adapter and Software
Intel® PROSet II
InterActual Player
J2SE Runtime Environment 5.0 Update 3
J2SE Runtime Environment 5.0 Update 6
LiveReg (Symantec Corporation)
LiveUpdate 1.6 (Symantec Corporation)
Logitech SetPoint
Macromedia Flash Player 8
Microsoft .NET Framework 1.1
Microsoft Office 2000 Professional
Microsoft XML Parser and SDK
Mozilla Firefox (1.5.0.1)
Network Monitor
Neverwinter Nights Platinum Edition
NVIDIA Windows 2000/XP Display Drivers
Panda ActiveScan
QuickTime
Shockwave
SoundMAX
Spybot - Search & Destroy 1.4
Uninstall PC-Doctor
Viewpoint Media Player
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB823559
Windows XP Hotfix - KB828741
Windows XP Hotfix - KB835732
Windows XP Hotfix - KB842773
Windows XP Hotfix (SP2) [See Q329048 for more information]
Windows XP Hotfix (SP2) [See Q329115 for more information]
Windows XP Hotfix (SP2) [See Q329390 for more information]
Windows XP Hotfix (SP2) [See Q329834 for more information]
Windows XP Hotfix (SP2) Q329170
Windows XP Hotfix (SP2) Q329441
Windows XP Hotfix (SP2) Q810577
Windows XP Hotfix (SP2) Q810833
Windows XP Hotfix (SP2) Q817606
Windows XP Service Pack 1a
WinRAR archiver
Yahoo! Messenger
Yahoo! Toolbar
ZoneAlarm

The system seems to be running like normal; I am not experiencing any more pop-ups, and it is running pretty fast.

Thanks again for the help.

#11 -David-


Posted 23 February 2006 - 04:37 PM

Hello there,

*It is a good idea to print off these instructions - they will be needed later when internet access is not available. You may also like to save these instructions in Word/Notepad on the desktop, where they can be easily found for the same reasons as above.
It is important that you complete the following instructions in the correct order, and also that you don't miss anything out! :thumbsup:

*Boot into Safe Mode (without networking support!)
By pressing the F8 key right when Windows starts, usually right after you hear your computer beep when you reboot it (some versions of Windows will display 'Starting Windows' with a grey progress bar), you will be brought to a menu where you can choose to boot into Safe Mode.

*Now start a new scan with HJT and place a checkmark next to each of the following items (if present):

O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TmljaG9sYXM\command.exe (file missing)

* Make sure your Internet Explorer is closed and click on "Fix Checked" and exit HijackThis when finished.

* Using Windows Explorer, locate the following files/folders, and delete them if still present:

C:\WINDOWS\TmljaG9sYXM <--folder
C:\WINDOWS\TEMP\bw2.com <--file
C:\Documents and Settings\Nicholas\Local Settings\Temporary Internet Files\Ssk.log <--file
C:\WINDOWS\drsmartload2.dat <--file
C:\WINDOWS\uninstall_nmon.vbs <--file
C:\23twd.exe <--file
C:\Documents and Settings\LocalService\Start Menu\Programs\UCmore - The Search Accelerator <--folder
C:\WINDOWS\system32\n88olil318q.dll <--file

*Empty the Recycle Bin.

Please reboot back to normal mode and please visit http://virusscan.jotti.org/
Click on Browse... and navigate to the following file: C:\WINDOWS\System32\sysinj.sys
Click Open
Please let me know the results.

Please do the same for:
C:\WINDOWS\System32\sysinjsz.sys

Then post a new HijackThis log and a new uninstall list. Also please run Panda again and post the log it creates, along with the two scans from Jotti and the results.txt contents.

David

#12 xplosivo


Posted 23 February 2006 - 10:33 PM

When I ran those two files through "Jotti" it returned that the programs found nothing, and the status was "OK" for both files.

Logfile of HijackThis v1.99.1
Scan saved at 10:29:12 PM, on 2/23/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\AOL\1140294563\ee\AOLSoftware.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
c:\program files\common files\aol\1140294563\ee\aim6.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Anti-Malware Programs\HJT\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1140294563\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TmljaG9sYXM\command.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Uninstall List

Access IBM
Ad-Aware SE Personal
Adobe Acrobat 5.0
Age of Empires III
AOL Uninstaller (Choose which Products to Remove)
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
AVG Free Edition
ConfigSafe
Counter-Strike Source
Default
Diablo II
DVMatics
ewido anti-malware
Fable - The Lost Chapters
FEAR
GameSpy Arcade
Guild Wars
HijackThis 1.99.1
Intel PRO Ethernet Adapter and Software
Intel PROSet II
InterActual Player
J2SE Runtime Environment 5.0 Update 3
J2SE Runtime Environment 5.0 Update 6
LiveReg (Symantec Corporation)
LiveUpdate 1.6 (Symantec Corporation)
Logitech SetPoint
Macromedia Flash Player 8
Microsoft .NET Framework 1.1
Microsoft Office 2000 Professional
Microsoft XML Parser and SDK
Mozilla Firefox (1.5.0.1)
Network Monitor
Neverwinter Nights Platinum Edition
NVIDIA Windows 2000/XP Display Drivers
Panda ActiveScan
QuickTime
Shockwave
SoundMAX
Spybot - Search & Destroy 1.4
The Edge 1.9.0
Uninstall PC-Doctor
Viewpoint Media Player
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB823559
Windows XP Hotfix - KB828741
Windows XP Hotfix - KB835732
Windows XP Hotfix - KB842773
Windows XP Hotfix (SP2) [See Q329048 for more information]
Windows XP Hotfix (SP2) [See Q329115 for more information]
Windows XP Hotfix (SP2) [See Q329390 for more information]
Windows XP Hotfix (SP2) [See Q329834 for more information]
Windows XP Hotfix (SP2) Q329170
Windows XP Hotfix (SP2) Q329441
Windows XP Hotfix (SP2) Q810577
Windows XP Hotfix (SP2) Q810833
Windows XP Hotfix (SP2) Q817606
Windows XP Service Pack 1a
WinRAR archiver
Yahoo! Messenger
Yahoo! Toolbar
ZoneAlarm

Panda Scan

Incident Status Location

Spyware:spyware/surfsidekick Not disinfected C:\Documents and Settings\Nicholas\Local Settings\Temporary Internet Files\Ssk.log
Adware:adware/dollarrevenue Not disinfected C:\WINDOWS\teller2.chk
Adware:adware/whenusearch Not disinfected C:\Documents and Settings\Nicholas\Start Menu\Programs\WhenU
Adware:adware/savenow Not disinfected C:\PROGRAM FILES\Save
Adware:adware/commad Not disinfected C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\APPLICATION DATA\NetMon
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Nicholas\Cookies\nicholas@advertising[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Nicholas\Cookies\nicholas@atdmt[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Nicholas\Cookies\nicholas@doubleclick[1].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Nicholas\Cookies\nicholas@fastclick[2].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Nicholas\Cookies\nicholas@media.fastclick[2].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Nicholas\Cookies\nicholas@mediaplex[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Nicholas\Cookies\nicholas@perf.overture[1].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Nicholas\Cookies\nicholas@statcounter[1].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt[.as-us.falkag.net/]
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt[.hitbox.com/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt[.com.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt[.advertising.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt[.perf.overture.com/]
Spyware:Cookie/2o7.net Not disinfected C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt[.2o7.net/]
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt[.adrevolver.com/]
Spyware:Cookie/Bfast Not disinfected C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt[.bfast.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt[.trafficmp.com/]
Spyware:Cookie/Mammamediasolutions Not disinfected C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt[.targetnet.com/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt[.zedo.com/]
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt[.as-eu.falkag.net/]
Spyware:Cookie/Valueclick Not disinfected C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt[.valueclick.com/]
Spyware:Cookie/QkSrv Not disinfected C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt[.qksrv.net/]
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt[.apmebf.com/]
Spyware:Cookie/QkSrv Not disinfected C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt[.qksrv.net/]
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt[.apmebf.com/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt[.statcounter.com/]
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt[www.burstbeacon.com/]
Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt[.z1.adserver.com/]
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt[.adopt.hbmediapro.com/]
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt[stats1.reliablestats.com/]
Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt[.revenue.net/]
Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt[.tradedoubler.com/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt[server.iad.liveperson.net/hc/80503492]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt[server.iad.liveperson.net/]
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt[.bluestreak.com/]
Spyware:Cookie/Microsofte Not disinfected C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt[.microsofteup.112.2o7.net/]
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt[.azjmp.com/]
Virus:Trj/VB.KN Not disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\YGW37P7J\dnvzd6[1].jpg
Adware:Adware/CommAd Not disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\YHIJKL4N\installer[1].exe
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt[]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt[80503492]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Nicholas\Application Data\Mozilla\Firefox\Profiles\coaqzkeq.default\cookies.txt[]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Nicholas\Cookies\nicholas@advertising[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Nicholas\Cookies\nicholas@atdmt[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Nicholas\Cookies\nicholas@doubleclick[1].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Nicholas\Cookies\nicholas@fastclick[2].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Nicholas\Cookies\nicholas@media.fastclick[2].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Nicholas\Cookies\nicholas@mediaplex[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Nicholas\Cookies\nicholas@perf.overture[1].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Nicholas\Cookies\nicholas@statcounter[1].txt
Adware:Adware/ClockSync Not disinfected C:\Documents and Settings\Nicholas\Local Settings\Temp\VVSNInst.exe
Adware:Adware/nCase Not disinfected C:\Documents and Settings\Nicholas\Local Settings\Temporary Internet Files\Content.IE5\ZIZVJAXB\AppWrap[1].exe
Adware:Adware/SaveNow Not disinfected C:\Program Files\Save\ACM.dll
Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\system32\Process.exe

Thanks again.

Edited by xplosivo, 23 February 2006 - 10:34 PM.


#13 -David-


Posted 26 February 2006 - 04:14 AM

Hi Xplosivo

*It is a good idea to print off these instructions - they will be needed later when internet access is not available. You may also like to save these instructions in Word/Notepad on the desktop, where they can be easily found for the same reasons as above.
It is important that you complete the following instructions in the correct order, and also that you don't miss anything out! :thumbsup:
_____________________________

Launch Notepad, and copy/paste the box below into a new text file. Save it as Options.txt on your Desktop.

RegSearch Options File

[Search]
cmdService
Command Service
Network Monitor
NetworkMonitor
[Exclude]

[Options]
Filter=KVDLU


Download Registry Search and extract it. Double-click the icon to run it and click on "Import...". Select the file you created above. Click "OK" and Registry Search will search the Registry and report what it finds. Post that here in your next reply.
_____________________________

*Boot into Safe Mode (without networking support!)
By pressing the F8 key right when Windows starts, usually right after you hear your computer beep when you reboot it (some versions of Windows will display 'Starting Windows' with a grey progress bar), you will be brought to a menu where you can choose to boot into Safe Mode.
_____________________________

*Now start a new scan with HJT and place a checkmark next to each of the following items (if present):

O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TmljaG9sYXM\command.exe (file missing)

* Make sure your Internet Explorer is closed and click on "Fix Checked" and exit HijackThis when finished.
_____________________________

* Using Windows Explorer, locate the following files/folders, and delete them if still present:

C:\Program Files\Save <--folder
C:\Documents and Settings\Nicholas\Local Settings\Temporary Internet Files\Ssk.log <--file
C:\WINDOWS\teller2.chk <--file
C:\Documents and Settings\Nicholas\Start Menu\Programs\WhenU <--folder
C:\Documents and Settings\LOCALSERVICE\APPLICATION DATA\NetMon <--folder
C:\Program Files\Network Monitor <--folder

Did you run ATF Cleaner? Please do so again even if you did, and make sure you use both the Main and Firefox features and delete everything.

Please post back with a new HJT log, the results from the registry scan and a new Panda log.

David

#14 xplosivo


Posted 26 February 2006 - 02:07 PM

Logfile of HijackThis v1.99.1
Scan saved at 12:11:28 PM, on 2/26/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Anti-Malware Programs\HJT\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1140294563\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TmljaG9sYXM\command.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

I don't know why that command service keeps showing up in there; I really am following your instructions to get rid of it.

The Registry Search results were VERY long. I think most of it is just general information about something, and not specific to my search, but here is the part that I think is what you need:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A394E835-C8D6-4B4B-884B-D2709059F3BE}]
"DisplayName"="Network Monitor"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CMDSERVICE]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CMDSERVICE\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CMDSERVICE\0000]
"Service"="cmdService"
"DeviceDesc"="Command Service"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NETWORK_MONITOR\0000]
"Service"="Network Monitor"
"DeviceDesc"="Network Monitor"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmdService]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmdService]
"DisplayName"="Command Service"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmdService\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmdService\Enum]
"0"="Root\\LEGACY_CMDSERVICE\\0000"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Network Monitor]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Network Monitor]
; Contents of value:
; C:\Program Files\Network Monitor\netmon.exe service
"ImagePath"=hex(2):43,3a,5c,50,72,6f,67,72,61,6d,20,46,69,6c,65,73,5c,4e,65,74,\
77,6f,72,6b,20,4d,6f,6e,69,74,6f,72,5c,6e,65,74,6d,6f,6e,2e,65,78,65,20,73,\
65,72,76,69,63,65,00
"DisplayName"="Network Monitor"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Network Monitor\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Network Monitor\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_CMDSERVICE]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_CMDSERVICE\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_CMDSERVICE\0000]
"Service"="cmdService"
"DeviceDesc"="Command Service"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_NETWORK_MONITOR\0000]
"Service"="Network Monitor"
"DeviceDesc"="Network Monitor"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\cmdService]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\cmdService]
"DisplayName"="Command Service"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Network Monitor]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Network Monitor]
; Contents of value:
; C:\Program Files\Network Monitor\netmon.exe service
"ImagePath"=hex(2):43,3a,5c,50,72,6f,67,72,61,6d,20,46,69,6c,65,73,5c,4e,65,74,\
77,6f,72,6b,20,4d,6f,6e,69,74,6f,72,5c,6e,65,74,6d,6f,6e,2e,65,78,65,20,73,\
65,72,76,69,63,65,00
"DisplayName"="Network Monitor"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Network Monitor\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000]
"Service"="cmdService"
"DeviceDesc"="Command Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000]
"Service"="Network Monitor"
"DeviceDesc"="Network Monitor"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService]
"DisplayName"="Command Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService\Enum]
"0"="Root\\LEGACY_CMDSERVICE\\0000"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Network Monitor]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Network Monitor]
; Contents of value:
; C:\Program Files\Network Monitor\netmon.exe service
"ImagePath"=hex(2):43,3a,5c,50,72,6f,67,72,61,6d,20,46,69,6c,65,73,5c,4e,65,74,\
77,6f,72,6b,20,4d,6f,6e,69,74,6f,72,5c,6e,65,74,6d,6f,6e,2e,65,78,65,20,73,\
65,72,76,69,63,65,00
"DisplayName"="Network Monitor"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Network Monitor\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Network Monitor\Enum]

Under this result was a list of numbers followed by an explanation of what they are, I think:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\009]
; Contents of value:

I'm not sure if that "009" at the end is a reference to the 9 in the explanation or not, but here is what it says for 9:

; 9 % Total DPC Time is the average percentage of time that all processors spend receiving and servicing deferred procedure calls (DPCs). (DPCs are interrupts that run at a lower priority than the standard interrupts). It is the sum of Processor: % DPC Time for all processors on the computer, divided by the number of processors. System: % Total DPC Time is a component of System: % Total Privileged Time because DPCs are executed in privileged mode. DPCs are counted separately and are not a component of the interrupt count. This counter displays the average busy time as a percentage of the sample time. 11 File Read Operations/sec is the combined rate of file system read requests to all devices on the computer, including requests to read from the file system cache. It is measured in numbers of reads. This counter displays the difference between the values observed in the last two samples, divided by the duration of the sample interval. 13 File Write Operations/sec is the combined rate of the file system write requests to all devices on the computer, including requests to write to data in the file system cache. It is measured in numbers of writes. This counter displays the difference between the values observed in the last two sam
; % Total DPC Time is the average percentage of time that all processors spend receiving and servicing deferred procedure calls (DPCs). (DPCs are interrupts that run at a lower priority than the standard interrupts). It is the sum of Processor: % DPC Time for all processors on the computer, divided by the number of processors. System: % Total DPC Time is a component of System: % Total Privileged Time because DPCs are executed in privileged mode. DPCs are counted separately and are not a component of the interrupt count. This counter displays the average busy time as a percentage of the sample time. 11 File Read Operations/sec is the combined rate of file system read requests to all devices on the computer, including requests to read from the file system cache. It is measured in numbers of reads. This counter displays the difference between the values observed in the last two samples, divided by the duration of the sample interval. 13 File Write Operations/sec is the combined rate of the file system write requests to all devices on the computer, including requests to write to data in the file system cache. It is measured in numbers of writes. This counter displays the difference between the values observed in the last two samples, divided by the duration of the sample interval. 15 File Control Operations/sec is the combined rate of file system operations that are neither reads nor writes, such as file system control requests and requests for information about device characteristics or status. This is the inverse of System: File Data Operations/sec and is measured in number of operations perf second. This counter displays the difference between the values observed in the last two samples, divided by the duration of the sample interval. 17 File Read Bytes/sec is the overall rate at which bytes are read to satisfy file sys

I think that is all you need from this scan, but if you need more let me know; I'll keep it saved.

Panda Active-Scan

Incident                                      Status           Location

Spyware:spyware/surfsidekick                  Not disinfected  C:\Documents and Settings\Nicholas\Local Settings\Temporary Internet Files\Ssk.log
Adware:adware/commad                          Not disinfected  Windows Registry
Adware:Adware/CommAd                          Not disinfected  C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\YHIJKL4N\installer[1].exe
Adware:Adware/nCase                           Not disinfected  C:\Documents and Settings\Nicholas\Local Settings\Temporary Internet Files\Content.IE5\ZIZVJAXB\AppWrap[1].exe
Potentially unwanted tool:Application/Processor  Not disinfected  C:\WINDOWS\system32\Process.exe

I couldn't find that Ssk.log in Windows Explorer; then I used the Search button and still couldn't find it, but if I type it in the address bar in Windows Explorer, it opens up Notepad with some weird characters.

Thanks.

Edited by xplosivo, 26 February 2006 - 02:13 PM.

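The behaviour described in the post above (the file is invisible in Explorer and Search but opens when its full path is typed) is normal for that location: Explorer shows Temporary Internet Files through a special cache view rather than the real folder, and both the folder view and Search skip hidden and system files by default, so the Content.IE5 subfolders and files like Ssk.log do not appear even though they exist on disk. The batch script below is an added example, not part of the original thread and not one of the tools the helper recommends; it checks each path from the Panda log from a command prompt with `dir /a`, which lists files regardless of their attributes, and shows the attribute flags with `attrib`. It assumes the four file paths exactly as Panda reported them and that the command prompt is run from an administrator account (the LocalService profile is not readable otherwise).

```batch
@echo off
rem Added example, not part of the original thread or any tool named in it.
rem Explorer and Search hide system/hidden files and show Temporary Internet
rem Files through a shell view, so the real files are checked here with
rem "dir /a" (list all attributes) and "attrib" from a command prompt.
setlocal

rem Where the current user's cache really lives on Windows XP.
set "TIF=%USERPROFILE%\Local Settings\Temporary Internet Files"

rem File paths copied from the Panda ActiveScan log above. The Content.IE5
rem subfolder names are generated randomly per machine, so they are used as
rem reported rather than guessed.
for %%P in (
  "C:\Documents and Settings\Nicholas\Local Settings\Temporary Internet Files\Ssk.log"
  "C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\YHIJKL4N\installer[1].exe"
  "C:\Documents and Settings\Nicholas\Local Settings\Temporary Internet Files\Content.IE5\ZIZVJAXB\AppWrap[1].exe"
  "C:\WINDOWS\system32\Process.exe"
) do (
  if exist %%P (
    echo FOUND   %%~P
    rem attrib prints the H, S, R and A flags in front of the path
    attrib %%P
    rem size and timestamp of the file, hidden or not; /l treats the name as
    rem a literal so the brackets in installer[1].exe are not read as a regex
    dir /a /-c %%P | findstr /i /l /c:"%%~nxP"
  ) else (
    echo MISSING %%~P
  )
)

echo.
echo --- Full contents of Temporary Internet Files, hidden files included ---
dir /a /s /b "%TIF%"
endlocal
```

Save it as a .bat file and run it from Start, Run, cmd.exe. A line starting with `FOUND` followed by `attrib` output containing `H` or `S` confirms the file is present but marked hidden or system, which is exactly why Explorer's normal view and Search did not list it.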

#15 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:09:16 PM

Posted 27 February 2006 - 01:51 PM

Hi Xplosivo

Please download delcmdservice (by Marckie), and save it to your Desktop.
  • Unzip the content to your Desktop (a folder named delcmdservice)
  • Double-click on the delcmdservice folder
  • Double-click on delreg.bat to launch the tool
  • When the tool has finished, please reboot your computer
_____________________________

Please run ATF cleaner once more.
_____________________________

After the reboot occurs please post a new HijackThis log, a new uninstall list, and a new Panda log. Also please run the registry searcher with the same 4 input names as before and post back with the log it creates. However, before scanning please tick the "Ignore REG_MULTI_SZ" checkbox to cut down the size a bit. Then post the log or attach it if it is too big :thumbsup:

David



