
Vcclient.exe, Vcmain.exe, Trojandownloader, Verticlick, Admess, Casclient, Razespyware



#1 chriswalker5

Posted 12 March 2006 - 11:50 PM

I have run adaware, spybot and sophos; and have found so many viruses/trojans/spyware. I keep running the removal programs, but the spyware comes back. I know that when I restart the computer I get the VCCClient.exe and VCmain.exe messages saying that the program can't start and will be terminated, so I clicked on them in the hijackthis log and removed them, but then I got black screens popping up when I start the computer. They disappear after a second so I can't read what they say. I restored all the files for the purposes of this post.





Logfile of HijackThis v1.99.1
Scan saved at 11:34:07 PM, on 3/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
C:\Program Files\Sophos SWEEP for NT\SWUPDATE.EXE
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Hummingbird\DM Extensions\papihost.exe
C:\Program Files\RightFax\FaxCtrl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\walkerc\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PowerDOCSAPIHost] "C:\Program Files\Hummingbird\DM Extensions\papihost.exe"
O4 - HKLM\..\Run: [UniPrint] C:\PROGRA~1\UniPrint\Client\SetDfltSettings.exe
O4 - HKLM\..\Run: [RightFAX Print-to-Fax Driver] C:\Program Files\RightFax\\FaxCtrl.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [keyboard] C:\\keyboard1.exe
O4 - HKLM\..\Run: [mousepad] C:\\mousepad1.exe
O4 - HKLM\..\Run: [q8lg] "C:\WINDOWS\system32\slk8x2peu.exe"
O4 - HKLM\..\Run: [cme] C:\WINDOWS\system32\cme.exe
O4 - HKLM\..\Run: [cmeupd] C:\WINDOWS\system32\cmeupd.exe
O4 - HKLM\..\Run: [Dynamic Desktop Media] C:\WINDOWS\system32\ddm_d.exe
O4 - HKLM\..\Run: [gmt] C:\WINDOWS\system32\gmt.exe
O4 - HKLM\..\Run: [gimmysmileys] C:\\gimmysmileys1.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares Lite Edition\Ares.exe" -h
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: InterCheck Monitor.LNK = C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {44C7F862-906C-11D3-A8ED-0008C75B3588} (IEPAPI Class) - http://fpdm1/cyberdocs/DMExtensions/papibrdg.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1105371467040
O16 - DPF: {A762E064-A885-40E4-AC10-671BB62DC2B2} (OFMailHTMLCtl Class) - http://www.eomniform.com/OF5/nsplugins/OFMailX.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B91AEDBE-93DF-4017-8BB3-F1C300C0EC51} (InstallShield Setup Player 2K2) - http://fpdm1/cyberdocs/DMExtensions/deployment/setup.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = phks.com
O17 - HKLM\Software\..\Telephony: DomainName = phks.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = phks.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = phks.com
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: PCDOCS - {EDC110E5-4CFB-4FEE-813A-BF796297030E} - C:\Program Files\Hummingbird\DM Extensions\PwDMoniker.DLL
O20 - Winlogon Notify: Installer - C:\WINDOWS\system32\m4ls0e37eh.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.3 (BAsfIpM) - Unknown owner - C:\WINDOWS\System32\basfipm.exe (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Sweep for Windows NT Network (SWEEPNET) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
O23 - Service: Sophos Anti-Virus (SWEEPSRV.SYS) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
O23 - Service: Sweep for Windows NT Update (SWEEPUPDATE) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWUPDATE.EXE
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
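As an added example (not part of chriswalker5's post and not HijackThis code), the following Python triage works through a log like the one above the way a helper does by eye: it pulls the file path out of each O4/O20 entry, flags autoruns dropped directly at the drive root (the `C:\\keyboard1.exe` style entries), flags file names with the interleaved-digit pattern that the Winlogon Notify DLL and `slk8x2peu.exe` show, and flags names from the removal list Thunder gives later in this thread. The log excerpt is copied from the log above; the `looks_random` heuristic, the `KNOWN_BAD` set and the `Finding` type are assumptions made for illustration, not something HijackThis provides.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed excerpt of the HijackThis log posted above. Paths are copied as they
# appear there (the double backslash in C:\\keyboard1.exe is in the original log).
HJT_EXCERPT = r"""
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [keyboard] C:\\keyboard1.exe
O4 - HKLM\..\Run: [q8lg] "C:\WINDOWS\system32\slk8x2peu.exe"
O4 - HKLM\..\Run: [cme] C:\WINDOWS\system32\cme.exe
O4 - HKLM\..\Run: [gmt] C:\WINDOWS\system32\gmt.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O20 - Winlogon Notify: Installer - C:\WINDOWS\system32\m4ls0e37eh.dll
O23 - Service: Sophos Anti-Virus (SWEEPSRV.SYS) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
"""

# File names taken from the removal list in Thunder's reply in this thread.
# The random-named files are deliberately left out so the heuristics below
# have to catch them on their own.
KNOWN_BAD = {"cme.exe", "cmeupd.exe", "gmt.exe", "ddm_d.exe",
             "vcclient.exe", "vcmain.exe"}

LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<rest>.*)$")
# First drive-letter path on the line, stopping at the first binary extension.
PATH_RE = re.compile(r'(?P<path>[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|ocx|sys))',
                     re.IGNORECASE)
ROOT_RE = re.compile(r"[A-Za-z]:\\+[^\\]+")   # file sitting directly in C:\


@dataclass(frozen=True)
class Finding:
    section: str
    name: str
    path: str
    reason: str


def looks_random(stem: str) -> bool:
    """Assumed heuristic: two or more separate digit runs inside a file-name
    stem (slk8x2peu, m4ls0e37eh), which legitimate Windows binaries rarely have."""
    return len(re.findall(r"\d+", stem)) >= 2


def triage(log_text: str) -> list[Finding]:
    """Return the entries of a HijackThis log that deserve a second look."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        sec, rest = m.group("sec"), m.group("rest")
        pm = PATH_RE.search(rest)
        if not pm:
            continue
        path = pm.group("path")
        base = path.rsplit("\\", 1)[-1]
        stem = base.rsplit(".", 1)[0]
        if base.lower() in KNOWN_BAD:
            findings.append(Finding(sec, base, path, "on the thread's removal list"))
        elif sec == "O20" and looks_random(stem):
            findings.append(Finding(sec, base, path,
                                    "Winlogon Notify DLL with random-looking name"))
        elif sec == "O4" and ROOT_RE.fullmatch(path):
            findings.append(Finding(sec, base, path,
                                    "autorun binary dropped at the drive root"))
        elif sec == "O4" and looks_random(stem):
            findings.append(Finding(sec, base, path,
                                    "autorun binary with random-looking name"))
    return findings


if __name__ == "__main__":
    for f in triage(HJT_EXCERPT):
        print(f"{f.section:<4} {f.name:<18} {f.reason}")
```

The heuristics are deliberately narrow: an entry such as `[cme] C:\WINDOWS\system32\cme.exe` only stands out because a helper already knew the name, which is why the known-name list and the shape-based rules are kept separate.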


#2 Thunder

Posted 13 March 2006 - 03:41 AM

Hello chriswalker5, and welcome to BleepingComputer,

We'll try to help you out, just give us some time to study your log.

Greetings,
BMThor
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#3 Thunder

Posted 14 March 2006 - 10:53 AM

Hello chriswalker5,

It's better to print out the next instructions or save them in Notepad, because you will also have to work in Safe Mode without networking support, so this page won't be available then.
It is also important that you don't miss a step and perform everything in the right order!!

1. Download and install CCleaner - basic
Do not use the program at this time.

2. Please download Look2Me-Destroyer.exe to your desktop.
  • Close all windows before continuing.
  • Double-click Look2Me-Destroyer.exe to run it.
  • Put a check next to Run this program as a task.
  • You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 1 minute. Click OK
  • When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
  • Once it's done scanning, click the Remove L2M button.
  • You will receive a Done Scanning message, click OK.
  • When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
  • Your computer will then shutdown.
  • Turn your computer back on.
If you receive a message from your firewall about this program accessing the internet please allow it.

If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX

3. Please download, install, and update the NEW free version of Ewido anti-malware:
  • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  • When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • From the main ewido screen, click on update in the left menu, then click the Start update button.
  • After the update finishes (the status bar at the bottom will display "Update successful")
  • If you are having problems with the updater, you can use this link to manually update ewido:
    ewido manual updates
  • Close ewido. DO NOT RUN IT YET.
4. Reconfigure Windows XP to show hidden files:
Click Start. Open My Computer.
Select the Tools menu and click Folder Options. Select the View tab.
Under the Hidden files and folders heading select "Show hidden files and folders".
Uncheck the Hide protected operating system files (recommended) option.
Uncheck the Hide file extensions for known file types option.
Click Yes to confirm. Click OK.

5. Boot into Safe Mode (without networking support!):
Restart your computer and tap F8 before WinXP starts to load and choose Safe Mode.
If done right a Windows Advanced Options menu will appear.
Select the Safe Mode option and press Enter.

6. Run HijackThis and check these entries, if still present:
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
O4 - HKLM\..\Run: [keyboard] C:\\keyboard1.exe
O4 - HKLM\..\Run: [mousepad] C:\\mousepad1.exe
O4 - HKLM\..\Run: [q8lg] "C:\WINDOWS\system32\slk8x2peu.exe"
O4 - HKLM\..\Run: [cme] C:\WINDOWS\system32\cme.exe
O4 - HKLM\..\Run: [cmeupd] C:\WINDOWS\system32\cmeupd.exe
O4 - HKLM\..\Run: [Dynamic Desktop Media] C:\WINDOWS\system32\ddm_d.exe
O4 - HKLM\..\Run: [gmt] C:\WINDOWS\system32\gmt.exe
O4 - HKLM\..\Run: [gimmysmileys] C:\\gimmysmileys1.exe
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O20 - Winlogon Notify: Installer - C:\WINDOWS\system32\m4ls0e37eh.dll

Also, if the next entry is present in your HijackThis log (since you are in Safe Mode), check it as well:
O4 - Global Startup: wupdmgr.exe
Close all open windows EXCEPT HijackThis and click Fix Checked. Close HijackThis.

7. Using Windows Explorer, search for and remove, if present, these files/folders (only the ones in bold!):
C:\WINDOWS\wupdmgr.exe !! Watch out here !! Don't delete the wupdmgr.exe present in your C:\Windows\system32 folder and C:\Windows\system32\dllcache folder!!!! Those ones are legit/OK!

C:\Documents and Settings\All users\Start Menu\Programs\Startup\wupdmgr.exe <== normally this file should already be gone if you checked and fixed next entry in hijackthis: "O4 - Global Startup: wupdmgr.exe"

C:\Program Files\Common Files\VCClient => entire folder
c:\WINDOWS\system32\mtc.dll
c:\WINDOWS\system32\ddm_d.exe
c:\WINDOWS\system32\redirect.dll
c:\WINDOWS\system32\ddmp.dll
c:\WINDOWS\system32\sysu.exe
c:\WINDOWS\system32\dialer_activex.ocx
c:\WINDOWS\system32\cd_swf.dll
c:\WINDOWS\system32\cd_htm.dll
c:\WINDOWS\system32\cd_gif.dll
c:\WINDOWS\system32\cd_clint.dll
c:\WINDOWS\system32\iedriver.exexplore.exe
c:\WINDOWS\system32\cd_load.exe
c:\WINDOWS\system32\gmt.exe
c:\WINDOWS\system32\gator.exe
c:\WINDOWS\system32\cmeupd.exe
c:\WINDOWS\system32\cmesys.exe
c:\WINDOWS\system32\cme.exe
c:\WINDOWS\system32\systemwb.dll
c:\WINDOWS\system32\johnwb.dll
c:\WINDOWS\system32\bpkwb.dll
c:\WINDOWS\system32\wstart.dll
c:\WINDOWS\system32\tcpservice2.exe
C:\WINDOWS\system32\slk8x2peu.exe
C:\WINDOWS\system32\m4ls0e37eh.dll
C:\keyboard1.exe
C:\mousepad1.exe
C:\gimmysmileys1.exe
C:\WINDOWS\osaupd.exe
C:\WINDOWS\dpe.dll
c:\WINDOWS\adw.htm
C:\WINDOWS\security.html
8. Run CCleaner, click the Applications tab and select the following:
Firefox/Mozilla:
Cookies
Download history
Internet cache
Internet history
Click the Windows tab and select the following:
Internet Explorer:
Temp Internet
History
Recently Typed URLs
Delete Index.dat files
System:
Empty Recycle Bin
Temporary Files
Memory Dumps
Chkdsk File Fragments
Old Prefetch Data
Next: click Options, click the Settings tab
Uncheck: "Only delete files older than 48 hrs.", click OK
Then click Run Cleaner (bottom right), then Exit

9. Run Ewido anti-malware:
  • Click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run.
    • NOTE: During some scans with ewido it is finding cases of false positives.
      # This means you will need to step through the process of cleaning files one-by-one.
      # If ewido detects a file you KNOW to be legitimate, select none as the action.
      # DO NOT select "Perform action on all infections"
      # If you are unsure of any entry found select none for now.
  • When the scan finishes, click on "Save Report". This will create a text file. Save it to your Desktop.

10. Restart your computer in Normal Mode.

11. Please run Panda's ActiveScan
Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

12. Please post a new HijackThis log, the contents of C:\Look2Me-Destroyer.txt,
as well as the logs from ewido and Panda.

Greetings,
BMThor
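Step 11 asks for a fresh HijackThis log, and the useful question about that log is twofold: did the entries that were fixed actually stay gone, and did anything new appear? Comparing the two logs mechanically, keyed on the registry location or Run-value name rather than on the whole line, makes changed values (a search URL that went from empty to a new host, a Run value whose path was blanked) show up as changes instead of as unrelated deletions and additions. This added example (not code from the thread, from HijackThis or from any of the tools named above) compares excerpts of the first log in this thread with the log chriswalker5 posts after running these steps; the excerpt lines are copied from those two logs, while the grouping rule in `entry_key`, `diff_logs` and the `shared_hook_dlls` check are assumptions of mine about how to read them.

```python
import re

# Constructed excerpts of the two HijackThis logs posted in this thread:
# the first log, and the one posted after the cleanup steps were run.
BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [q8lg] "C:\WINDOWS\system32\slk8x2peu.exe"
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O20 - Winlogon Notify: Installer - C:\WINDOWS\system32\m4ls0e37eh.dll
"""

AFTER = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
O2 - BHO: Yvakt Class - {DAAC59E5-093D-4D24-A105-55BFE4ACDE14} - C:\WINDOWS\system32\w9seq.dll (file missing)
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKCU\..\Run: [CU1]
O18 - Filter: text/html - {CEA53356-C414-4331-A35E-AA4CE9D8DFA2} - C:\WINDOWS\system32\w9seq.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
"""

ENTRY_RE = re.compile(r"[RO]\d+ - ")
O4_KEY_RE = re.compile(r"(O4 - [^\[]*\[[^\]]*\])")
DLL_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.dll', re.IGNORECASE)


def entry_key(line: str) -> str:
    """Assumed grouping rule: R-lines are keyed on the registry value name
    (text before '='), O4 lines on hive plus Run-value name, everything else
    on the whole line. Two lines with the same key describe the same entry."""
    if line.startswith("R"):
        return line.split(" =", 1)[0]
    m = O4_KEY_RE.match(line)
    return m.group(1) if m else line


def parse(text: str) -> dict[str, str]:
    """Map entry key -> full line for every HijackThis entry in the text."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if ENTRY_RE.match(line):
            entries[entry_key(line)] = line
    return entries


def diff_logs(before: str, after: str):
    """Return (removed, added, changed) between two logs. 'changed' holds
    (old_line, new_line) pairs whose key survived but whose value differs."""
    b, a = parse(before), parse(after)
    removed = sorted(b[k] for k in b.keys() - a.keys())
    added = sorted(a[k] for k in a.keys() - b.keys())
    changed = sorted((b[k], a[k]) for k in b.keys() & a.keys() if b[k] != a[k])
    return removed, added, changed


def shared_hook_dlls(text: str) -> dict[str, set[str]]:
    """DLLs that are registered under more than one HijackThis section
    (for example both as an O2 BHO and as an O18 text/html filter)."""
    seen: dict[str, set[str]] = {}
    for line in parse(text).values():
        section = line.split(" - ", 1)[0]
        for m in DLL_RE.finditer(line):
            base = m.group(0).rsplit("\\", 1)[-1].lower()
            seen.setdefault(base, set()).add(section)
    return {dll: secs for dll, secs in seen.items() if len(secs) >= 2}


if __name__ == "__main__":
    removed, added, changed = diff_logs(BEFORE, AFTER)
    for line in removed:
        print("- " + line)
    for line in added:
        print("+ " + line)
    for old, new in changed:
        print("~ " + old + "\n  " + new)
    print("multi-hook DLLs:", shared_hook_dlls(AFTER))
```

On these excerpts the Winlogon Notify DLL and the `q8lg` autorun are gone, the `CU1` value survives with an empty path, and three entries are new: the ewido service that was installed on purpose, and a BHO plus a text/html filter that both point at the same `w9seq.dll`. That last pairing is the kind of thing `shared_hook_dlls` exists to surface, since one DLL wired into two browser hooks is worth a look regardless of its name.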

#4 chriswalker5 (Topic Starter)

Posted 16 March 2006 - 09:24 AM

Thank you for the instructions. I will go through them today and post my results.

#5 chriswalker5 (Topic Starter)

Posted 16 March 2006 - 02:23 PM

OK...I have run through everything and the popups have stopped. But the Panda scan came up with some things.


Thanks for your help.


Here is the HijackThis log

Logfile of HijackThis v1.99.1
Scan saved at 2:12:18 PM, on 3/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Hummingbird\DM Extensions\papihost.exe
C:\Program Files\RightFax\FaxCtrl.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE
C:\Program Files\Hummingbird\DM Extensions\DM.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
C:\Program Files\Sophos SWEEP for NT\SWUPDATE.EXE
C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\walkerc\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Yvakt Class - {DAAC59E5-093D-4D24-A105-55BFE4ACDE14} - C:\WINDOWS\system32\w9seq.dll (file missing)
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PowerDOCSAPIHost] "C:\Program Files\Hummingbird\DM Extensions\papihost.exe"
O4 - HKLM\..\Run: [UniPrint] C:\PROGRA~1\UniPrint\Client\SetDfltSettings.exe
O4 - HKLM\..\Run: [RightFAX Print-to-Fax Driver] C:\Program Files\RightFax\\FaxCtrl.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares Lite Edition\Ares.exe" -h
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [CU2]
O4 - HKCU\..\Run: [CU1]
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: InterCheck Monitor.LNK = C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {44C7F862-906C-11D3-A8ED-0008C75B3588} (IEPAPI Class) - http://fpdm1/cyberdocs/DMExtensions/papibrdg.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1105371467040
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A762E064-A885-40E4-AC10-671BB62DC2B2} (OFMailHTMLCtl Class) - http://www.eomniform.com/OF5/nsplugins/OFMailX.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B91AEDBE-93DF-4017-8BB3-F1C300C0EC51} (InstallShield Setup Player 2K2) - http://fpdm1/cyberdocs/DMExtensions/deployment/setup.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = phks.com
O17 - HKLM\Software\..\Telephony: DomainName = phks.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = phks.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = phks.com
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: PCDOCS - {EDC110E5-4CFB-4FEE-813A-BF796297030E} - C:\Program Files\Hummingbird\DM Extensions\PwDMoniker.DLL
O18 - Filter: text/html - {CEA53356-C414-4331-A35E-AA4CE9D8DFA2} - C:\WINDOWS\system32\w9seq.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.3 (BAsfIpM) - Unknown owner - C:\WINDOWS\System32\basfipm.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Sweep for Windows NT Network (SWEEPNET) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
O23 - Service: Sophos Anti-Virus (SWEEPSRV.SYS) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
O23 - Service: Sweep for Windows NT Update (SWEEPUPDATE) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWUPDATE.EXE
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE



Here is the Look2Me-Destroyer.txt



Look2Me-Destroyer V1.0.11

Scanning for infected files.....
Scan started at 3/16/2006 9:44:08 AM

Infected! C:\WINDOWS\system32\l26olcj31fo.dll
Infected! C:\System Volume Information\_restore{9B539E66-D85A-41E7-ACFD-AE0F6CD9DCE9}\RP330\A0094865.dll
Infected! C:\System Volume Information\_restore{9B539E66-D85A-41E7-ACFD-AE0F6CD9DCE9}\RP330\A0094914.dll
Infected! C:\System Volume Information\_restore{9B539E66-D85A-41E7-ACFD-AE0F6CD9DCE9}\RP330\A0094997.dll
Infected! C:\System Volume Information\_restore{9B539E66-D85A-41E7-ACFD-AE0F6CD9DCE9}\RP330\A0095036.dll
Infected! C:\System Volume Information\_restore{9B539E66-D85A-41E7-ACFD-AE0F6CD9DCE9}\RP330\A0095067.dll
Infected! C:\System Volume Information\_restore{9B539E66-D85A-41E7-ACFD-AE0F6CD9DCE9}\RP330\A0095112.dll
Infected! C:\System Volume Information\_restore{9B539E66-D85A-41E7-ACFD-AE0F6CD9DCE9}\RP330\A0095154.dll
Infected! C:\System Volume Information\_restore{9B539E66-D85A-41E7-ACFD-AE0F6CD9DCE9}\RP330\A0095212.dll
Infected! C:\System Volume Information\_restore{9B539E66-D85A-41E7-ACFD-AE0F6CD9DCE9}\RP330\A0095254.dll
Infected! C:\System Volume Information\_restore{9B539E66-D85A-41E7-ACFD-AE0F6CD9DCE9}\RP330\A0095528.dll
Infected! C:\System Volume Information\_restore{9B539E66-D85A-41E7-ACFD-AE0F6CD9DCE9}\RP330\A0095567.dll
Infected! C:\System Volume Information\_restore{9B539E66-D85A-41E7-ACFD-AE0F6CD9DCE9}\RP330\A0095604.dll
Infected! C:\System Volume Information\_restore{9B539E66-D85A-41E7-ACFD-AE0F6CD9DCE9}\RP330\A0095607.dll
Infected! C:\System Volume Information\_restore{9B539E66-D85A-41E7-ACFD-AE0F6CD9DCE9}\RP330\A0095620.dll
Infected! C:\System Volume Information\_restore{9B539E66-D85A-41E7-ACFD-AE0F6CD9DCE9}\RP330\A0095706.dll
Infected! C:\System Volume Information\_restore{9B539E66-D85A-41E7-ACFD-AE0F6CD9DCE9}\RP330\A0095784.dll
Infected! C:\System Volume Information\_restore{9B539E66-D85A-41E7-ACFD-AE0F6CD9DCE9}\RP330\A0095822.dll
Infected! C:\System Volume Information\_restore{9B539E66-D85A-41E7-ACFD-AE0F6CD9DCE9}\RP330\A0095825.dll
Infected! C:\windows\system32\aJaamon.dll
Infected! C:\windows\system32\dxlayx.dll
Infected! C:\windows\system32\i4jq0e15eh.dll
Infected! C:\windows\system32\iquv_32.dll
Infected! C:\windows\system32\krrnel32.dll
Infected! C:\windows\system32\l26olcj31fo.dll
Infected! C:\windows\system32\mdhgrcoi.dll

Attempting to delete infected files...

Attempting to delete: C:\WINDOWS\system32\l26olcj31fo.dll
C:\WINDOWS\system32\l26olcj31fo.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{9B539E66-D85A-41E7-ACFD-AE0F6CD9DCE9}\RP330\A0094865.dll
C:\System Volume Information\_restore{9B539E66-D85A-41E7-ACFD-AE0F6CD9DCE9}\RP330\A0094865.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{9B539E66-D85A-41E7-ACFD-AE0F6CD9DCE9}\RP330\A0094914.dll
C:\System Volume Information\_restore{9B539E66-D85A-41E7-ACFD-AE0F6CD9DCE9}\RP330\A0094914.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{9B539E66-D85A-41E7-ACFD-AE0F6CD9DCE9}\RP330\A0094997.dll
C:\System Volume Information\_restore{9B539E66-D85A-41E7-ACFD-AE0F6CD9DCE9}\RP330\A0094997.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{9B539E66-D85A-41E7-ACFD-AE0F6CD9DCE9}\RP330\A0095036.dll
C:\System Volume Information\_restore{9B539E66-D85A-41E7-ACFD-AE0F6CD9DCE9}\RP330\A0095036.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{9B539E66-D85A-41E7-ACFD-AE0F6CD9DCE9}\RP330\A0095067.dll
C:\System Volume Information\_restore{9B539E66-D85A-41E7-ACFD-AE0F6CD9DCE9}\RP330\A0095067.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{9B539E66-D85A-41E7-ACFD-AE0F6CD9DCE9}\RP330\A0095112.dll
C:\System Volume Information\_restore{9B539E66-D85A-41E7-ACFD-AE0F6CD9DCE9}\RP330\A0095112.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{9B539E66-D85A-41E7-ACFD-AE0F6CD9DCE9}\RP330\A0095154.dll
C:\System Volume Information\_restore{9B539E66-D85A-41E7-ACFD-AE0F6CD9DCE9}\RP330\A0095154.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{9B539E66-D85A-41E7-ACFD-AE0F6CD9DCE9}\RP330\A0095212.dll
C:\System Volume Information\_restore{9B539E66-D85A-41E7-ACFD-AE0F6CD9DCE9}\RP330\A0095212.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{9B539E66-D85A-41E7-ACFD-AE0F6CD9DCE9}\RP330\A0095254.dll
C:\System Volume Information\_restore{9B539E66-D85A-41E7-ACFD-AE0F6CD9DCE9}\RP330\A0095254.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{9B539E66-D85A-41E7-ACFD-AE0F6CD9DCE9}\RP330\A0095528.dll
C:\System Volume Information\_restore{9B539E66-D85A-41E7-ACFD-AE0F6CD9DCE9}\RP330\A0095528.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{9B539E66-D85A-41E7-ACFD-AE0F6CD9DCE9}\RP330\A0095567.dll
C:\System Volume Information\_restore{9B539E66-D85A-41E7-ACFD-AE0F6CD9DCE9}\RP330\A0095567.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{9B539E66-D85A-41E7-ACFD-AE0F6CD9DCE9}\RP330\A0095604.dll
C:\System Volume Information\_restore{9B539E66-D85A-41E7-ACFD-AE0F6CD9DCE9}\RP330\A0095604.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{9B539E66-D85A-41E7-ACFD-AE0F6CD9DCE9}\RP330\A0095607.dll
C:\System Volume Information\_restore{9B539E66-D85A-41E7-ACFD-AE0F6CD9DCE9}\RP330\A0095607.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{9B539E66-D85A-41E7-ACFD-AE0F6CD9DCE9}\RP330\A0095620.dll
C:\System Volume Information\_restore{9B539E66-D85A-41E7-ACFD-AE0F6CD9DCE9}\RP330\A0095620.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{9B539E66-D85A-41E7-ACFD-AE0F6CD9DCE9}\RP330\A0095706.dll
C:\System Volume Information\_restore{9B539E66-D85A-41E7-ACFD-AE0F6CD9DCE9}\RP330\A0095706.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{9B539E66-D85A-41E7-ACFD-AE0F6CD9DCE9}\RP330\A0095784.dll
C:\System Volume Information\_restore{9B539E66-D85A-41E7-ACFD-AE0F6CD9DCE9}\RP330\A0095784.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{9B539E66-D85A-41E7-ACFD-AE0F6CD9DCE9}\RP330\A0095822.dll
C:\System Volume Information\_restore{9B539E66-D85A-41E7-ACFD-AE0F6CD9DCE9}\RP330\A0095822.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{9B539E66-D85A-41E7-ACFD-AE0F6CD9DCE9}\RP330\A0095825.dll
C:\System Volume Information\_restore{9B539E66-D85A-41E7-ACFD-AE0F6CD9DCE9}\RP330\A0095825.dll Deleted successfully!

Attempting to delete: C:\windows\system32\aJaamon.dll
C:\windows\system32\aJaamon.dll Deleted successfully!

Attempting to delete: C:\windows\system32\dxlayx.dll
C:\windows\system32\dxlayx.dll Deleted successfully!

Attempting to delete: C:\windows\system32\i4jq0e15eh.dll
C:\windows\system32\i4jq0e15eh.dll Deleted successfully!

Attempting to delete: C:\windows\system32\iquv_32.dll
C:\windows\system32\iquv_32.dll Deleted successfully!

Attempting to delete: C:\windows\system32\krrnel32.dll
C:\windows\system32\krrnel32.dll Deleted successfully!

Attempting to delete: C:\windows\system32\l26olcj31fo.dll
C:\windows\system32\l26olcj31fo.dll Deleted successfully!

Attempting to delete: C:\windows\system32\mdhgrcoi.dll
C:\windows\system32\mdhgrcoi.dll Deleted successfully!

Making registry repairs.

Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\StillImage

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{182A2E2E-5567-466C-8C82-7E9F9198AD0E}"
HKCR\Clsid\{182A2E2E-5567-466C-8C82-7E9F9198AD0E}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{D032374F-37B0-4464-931C-13016DEBAE79}"
HKCR\Clsid\{D032374F-37B0-4464-931C-13016DEBAE79}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{750AD349-BCAC-4D78-B353-CE13B772323A}"
HKCR\Clsid\{750AD349-BCAC-4D78-B353-CE13B772323A}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{F66681AD-D617-4189-9CE8-8847FA442D9D}"
HKCR\Clsid\{F66681AD-D617-4189-9CE8-8847FA442D9D}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{A9870682-EB40-4FC8-8179-7BA105A0700D}"
HKCR\Clsid\{A9870682-EB40-4FC8-8179-7BA105A0700D}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{EFF6C1C1-B95D-4EBA-BE52-1EABD6B7CF35}"
HKCR\Clsid\{EFF6C1C1-B95D-4EBA-BE52-1EABD6B7CF35}

Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administrators - Succeeded
Here is the ewido log


---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 1:06:55 PM, 3/16/2006
+ Report-Checksum: A6437B19

+ Scan result:

C:\Documents and Settings\LocalService\Cookies\system@cpvfeed[1].txt -> TrackingCookie.Cpvfeed : Cleaned with backup
C:\Documents and Settings\LocalService\Cookies\system@stats1.reliablestats[2].txt -> TrackingCookie.Reliablestats : Cleaned with backup
:mozilla.9:C:\Documents and Settings\walkerc\Application Data\Mozilla\Firefox\Profiles\lgzsa3fa.default\cookies.txt -> TrackingCookie.Cpvfeed : Cleaned with backup
:mozilla.10:C:\Documents and Settings\walkerc\Application Data\Mozilla\Firefox\Profiles\lgzsa3fa.default\cookies.txt -> TrackingCookie.Findwhat : Cleaned with backup
:mozilla.20:C:\Documents and Settings\walkerc\Application Data\Mozilla\Firefox\Profiles\lgzsa3fa.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup
:mozilla.21:C:\Documents and Settings\walkerc\Application Data\Mozilla\Firefox\Profiles\lgzsa3fa.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup
:mozilla.22:C:\Documents and Settings\walkerc\Application Data\Mozilla\Firefox\Profiles\lgzsa3fa.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup
:mozilla.23:C:\Documents and Settings\walkerc\Application Data\Mozilla\Firefox\Profiles\lgzsa3fa.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup
:mozilla.24:C:\Documents and Settings\walkerc\Application Data\Mozilla\Firefox\Profiles\lgzsa3fa.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup
:mozilla.25:C:\Documents and Settings\walkerc\Application Data\Mozilla\Firefox\Profiles\lgzsa3fa.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup
:mozilla.26:C:\Documents and Settings\walkerc\Application Data\Mozilla\Firefox\Profiles\lgzsa3fa.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup
:mozilla.27:C:\Documents and Settings\walkerc\Application Data\Mozilla\Firefox\Profiles\lgzsa3fa.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup
C:\Documents and Settings\walkerc\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\Dummy.class-7e4442f4-1a071395.class -> Trojan.ClassLoader.Dummy.d : Cleaned with backup
C:\Documents and Settings\walkerc\Cookies\walkerc@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\walkerc\Cookies\walkerc@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned with backup
C:\Documents and Settings\walkerc\Cookies\walkerc@cpvfeed[1].txt -> TrackingCookie.Cpvfeed : Cleaned with backup
C:\Documents and Settings\walkerc\Cookies\walkerc@stats1.reliablestats[2].txt -> TrackingCookie.Reliablestats : Cleaned with backup
C:\Documents and Settings\walkerc\Local Settings\Temp\Cookies\walkerc@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\walkerc\Local Settings\Temp\Cookies\walkerc@cnn.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\walkerc\Local Settings\Temp\Cookies\walkerc@com[1].txt -> TrackingCookie.Com : Cleaned with backup
C:\Documents and Settings\walkerc\Local Settings\Temp\Cookies\walkerc@cpvfeed[1].txt -> TrackingCookie.Cpvfeed : Cleaned with backup
C:\Documents and Settings\walkerc\Local Settings\Temp\Cookies\walkerc@stats1.reliablestats[1].txt -> TrackingCookie.Reliablestats : Cleaned with backup
C:\Documents and Settings\walkerc\Local Settings\Temp\F0B2B.tmp/faotvpap7.exe -> Trojan.Runner.h : Cleaned with backup
C:\Documents and Settings\walkerc\Local Settings\Temp\i2E.tmp -> Adware.SurfSide : Cleaned with backup
C:\Documents and Settings\walkerc\Local Settings\Temp\temp.fr4493 -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\walkerc\Local Settings\Temp\temp.fr90E0 -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\walkerc\Local Settings\Temp\temp.frDB86 -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\walkerc\Local Settings\Temp\~dfte14.tmp -> Dropper.Agent.abu : Cleaned with backup
C:\Documents and Settings\walkerc\Local Settings\Temporary Internet Files\Content.IE5\M9TY7YTO\adv470[1].htm -> Not-A-Virus.Exploit.HTML.Mht : Cleaned with backup
C:\Documents and Settings\walkerc\Local Settings\Temporary Internet Files\Content.IE5\Q1U9MT69\kl[1].txt -> Logger.Small.dg : Cleaned with backup
C:\Documents and Settings\walkerc\Local Settings\Temporary Internet Files\Content.IE5\Q1U9MT69\mousepad1[1].exe -> Hijacker.VB.li : Cleaned with backup
C:\Documents and Settings\walkerc\Local Settings\Temporary Internet Files\Content.IE5\S1UV8TYV\tool2[1].txt -> Not-A-Virus.Hoax.Win32.Renos.bw : Cleaned with backup
C:\Documents and Settings\walkerc\Local Settings\Temporary Internet Files\Content.IE5\S1UV8TYV\visfx500[1].exe -> Dropper.Agent.aie : Cleaned with backup
C:\Documents and Settings\walkerc\Local Settings\Temporary Internet Files\Content.IE5\S7ZVQOXH\loadadv728[1].exe -> Downloader.Small.ckj : Cleaned with backup
C:\Documents and Settings\walkerc\Local Settings\Temporary Internet Files\Content.IE5\WLUN09Q3\izgyxwa[1].cab/faotvpap7.exe -> Trojan.Runner.h : Cleaned with backup
C:\Documents and Settings\walkerc\Local Settings\Temporary Internet Files\Content.IE5\WLUN09Q3\ZICORN001[1].exe -> Adware.ZenoSearch : Cleaned with backup
C:\krw1dn.exe -> Downloader.Agent.afi : Cleaned with backup
C:\NNSCAA638.EXE -> Adware.NewDotNet : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1.tmp -> TrackingCookie.Bluestreak : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq10.tmp -> TrackingCookie.Questionmarket : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq12.tmp -> TrackingCookie.Advertising : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq13.tmp -> TrackingCookie.2o7 : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq15.tmp -> TrackingCookie.Advertising : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq16.tmp -> TrackingCookie.Atdmt : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq17.tmp -> TrackingCookie.Bluestreak : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq18.tmp -> TrackingCookie.Centrport : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq19.tmp -> TrackingCookie.Com : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1A.tmp -> TrackingCookie.Doubleclick : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1B.tmp -> TrackingCookie.Euniverseads : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1C.tmp -> TrackingCookie.Fastclick : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1D.tmp -> TrackingCookie.Hitbox : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1E.tmp -> TrackingCookie.Linksynergy : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1F.tmp -> TrackingCookie.Mediaplex : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq2.tmp -> TrackingCookie.Linksynergy : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq20.tmp -> TrackingCookie.Questionmarket : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq21.tmp -> TrackingCookie.Advertising : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq22.tmp -> TrackingCookie.Trafficmp : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq23.tmp -> TrackingCookie.Tribalfusion : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq24.tmp -> TrackingCookie.Valueclick : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq25.tmp -> TrackingCookie.Adserver : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq26.tmp -> TrackingCookie.Fastclick : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq27.tmp -> TrackingCookie.Tribalfusion : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq28.tmp -> TrackingCookie.Valueclick : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq29.tmp -> TrackingCookie.Zedo : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq2C.tmp -> TrackingCookie.Coremetrics : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq2D.tmp -> TrackingCookie.247realmedia : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq2E.tmp -> TrackingCookie.Trafficmp : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq2F.tmp -> TrackingCookie.Bfast : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq30.tmp -> TrackingCookie.Burstnet : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq31.tmp -> TrackingCookie.Ru4 : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq32.tmp -> TrackingCookie.Webtrendslive : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq34.tmp -> TrackingCookie.Bfast : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq36.tmp -> TrackingCookie.Burstnet : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq37.tmp -> TrackingCookie.Commission-junction : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq3C.tmp -> TrackingCookie.Hitbox : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq3F.tmp -> TrackingCookie.Adtech : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq4.tmp -> TrackingCookie.2o7 : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq40.tmp -> TrackingCookie.Adviva : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq41.tmp -> TrackingCookie.Casalemedia : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq46.tmp -> TrackingCookie.Qksrv : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq49.tmp -> TrackingCookie.Webtrendslive : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq4A.tmp -> TrackingCookie.Zedo : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq4B.tmp -> TrackingCookie.Atdmt : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq4C.tmp -> TrackingCookie.Casalemedia : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq4D.tmp -> TrackingCookie.Bridgetrack : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq4F.tmp -> TrackingCookie.Hitbox : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq5.tmp -> TrackingCookie.Centrport : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq51.tmp -> TrackingCookie.Falkag : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq53.tmp -> TrackingCookie.Hitbox : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq54.tmp -> TrackingCookie.Hitbox : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq55.tmp -> TrackingCookie.Hitbox : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq56.tmp -> TrackingCookie.Hitbox : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq57.tmp -> TrackingCookie.Tradedoubler : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq6.tmp -> TrackingCookie.Pro-market : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq7.tmp -> TrackingCookie.Ru4 : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq8.tmp -> TrackingCookie.Advertising : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq9.tmp -> TrackingCookie.Serving-sys : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqA.tmp -> TrackingCookie.Doubleclick : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqB.tmp -> TrackingCookie.Mediaplex : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqC.tmp -> TrackingCookie.Serving-sys : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqD.tmp -> TrackingCookie.Statcounter : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqE.tmp -> TrackingCookie.Pro-market : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqF.tmp -> TrackingCookie.Hitbox : Cleaned with backup
C:\System Volume Information\_restore{9B539E66-D85A-41E7-ACFD-AE0F6CD9DCE9}\RP328\snapshot\MFEX-1.DAT -> Downloader.Small.ckc : Cleaned with backup
C:\System Volume Information\_restore{9B539E66-D85A-41E7-ACFD-AE0F6CD9DCE9}\RP329\snapshot\MFEX-1.DAT -> Downloader.Small.ckc : Cleaned with backup
C:\System Volume Information\_restore{9B539E66-D85A-41E7-ACFD-AE0F6CD9DCE9}\RP330\A0094708.exe -> Adware.NewDotNet : Cleaned with backup
C:\System Volume Information\_restore{9B539E66-D85A-41E7-ACFD-AE0F6CD9DCE9}\RP330\A0094709.exe -> Adware.NewDotNet : Cleaned with backup
C:\System Volume Information\_restore{9B539E66-D85A-41E7-ACFD-AE0F6CD9DCE9}\RP330\A0094710.dll -> Adware.NewDotNet : Cleaned with backup
C:\System Volume Information\_restore{9B539E66-D85A-41E7-ACFD-AE0F6CD9DCE9}\RP330\A0094711.exe -> Adware.NewDotNet : Cleaned with backup
C:\System Volume Information\_restore{9B539E66-D85A-41E7-ACFD-AE0F6CD9DCE9}\RP330\A0094712.dll -> Adware.NewDotNet : Cleaned with backup
C:\System Volume Information\_restore{9B539E66-D85A-41E7-ACFD-AE0F6CD9DCE9}\RP330\A0094713.exe -> Adware.NewDotNet : Cleaned with backup
C:\System Volume Information\_restore{9B539E66-D85A-41E7-ACFD-AE0F6CD9DCE9}\RP330\A0094729.dll -> Adware.SurfSide : Cleaned with backup
C:\System Volume Information\_restore{9B539E66-D85A-41E7-ACFD-AE0F6CD9DCE9}\RP330\A0094742.exe -> Downloader.Small.ckc : Cleaned with backup
C:\System Volume Information\_restore{9B539E66-D85A-41E7-ACFD-AE0F6CD9DCE9}\RP330\A0094787.exe -> Downloader.Small.ckc : Cleaned with backup
C:\System Volume Information\_restore{9B539E66-D85A-41E7-ACFD-AE0F6CD9DCE9}\RP330\A0094834.exe -> Downloader.Small.ckc : Cleaned with backup
C:\System Volume Information\_restore{9B539E66-D85A-41E7-ACFD-AE0F6CD9DCE9}\RP330\A0094902.exe -> Downloader.Small.ckc : Cleaned with backup
C:\System Volume Information\_restore{9B539E66-D85A-41E7-ACFD-AE0F6CD9DCE9}\RP330\A0094928.exe -> Downloader.Small.ckc : Cleaned with backup
C:\System Volume Information\_restore{9B539E66-D85A-41E7-ACFD-AE0F6CD9DCE9}\RP330\A0094965.exe -> Downloader.Small.ckc : Cleaned with backup
C:\System Volume Information\_restore{9B539E66-D85A-41E7-ACFD-AE0F6CD9DCE9}\RP330\A0095012.exe -> Downloader.Small.ckc : Cleaned with backup
C:\System Volume Information\_restore{9B539E66-D85A-41E7-ACFD-AE0F6CD9DCE9}\RP330\A0095037.exe -> Hijacker.VB.li : Cleaned with backup
C:\System Volume Information\_restore{9B539E66-D85A-41E7-ACFD-AE0F6CD9DCE9}\RP330\A0095080.exe -> Downloader.Small.ckc : Cleaned with backup
C:\System Volume Information\_restore{9B539E66-D85A-41E7-ACFD-AE0F6CD9DCE9}\RP330\A0095122.exe -> Downloader.Small.ckc : Cleaned with backup
C:\System Volume Information\_restore{9B539E66-D85A-41E7-ACFD-AE0F6CD9DCE9}\RP330\A0095194.exe -> Downloader.VB.nw : Cleaned with backup
C:\System Volume Information\_restore{9B539E66-D85A-41E7-ACFD-AE0F6CD9DCE9}\RP330\A0095195.exe -> Hijacker.VB.ij : Cleaned with backup
C:\System Volume Information\_restore{9B539E66-D85A-41E7-ACFD-AE0F6CD9DCE9}\RP330\A0095196.exe -> Hijacker.VB.ij : Cleaned with backup
C:\System Volume Information\_restore{9B539E66-D85A-41E7-ACFD-AE0F6CD9DCE9}\RP330\A0095199.dll -> Backdoor.Delf.aml : Cleaned with backup
C:\System Volume Information\_restore{9B539E66-D85A-41E7-ACFD-AE0F6CD9DCE9}\RP330\A0095203.exe -> Downloader.Tiny.bm : Cleaned with backup
C:\System Volume Information\_restore{9B539E66-D85A-41E7-ACFD-AE0F6CD9DCE9}\RP330\A0095204.exe -> Not-A-Virus.Hoax.Win32.Renos.bw : Cleaned with backup
C:\System Volume Information\_restore{9B539E66-D85A-41E7-ACFD-AE0F6CD9DCE9}\RP330\A0095206.exe -> Not-A-Virus.Hoax.Win32.Renos.bw : Cleaned with backup
C:\System Volume Information\_restore{9B539E66-D85A-41E7-ACFD-AE0F6CD9DCE9}\RP330\A0095207.exe -> Downloader.VB.ya : Cleaned with backup
C:\System Volume Information\_restore{9B539E66-D85A-41E7-ACFD-AE0F6CD9DCE9}\RP330\A0095208.exe -> Adware.ZenoSearch : Cleaned with backup
C:\System Volume Information\_restore{9B539E66-D85A-41E7-ACFD-AE0F6CD9DCE9}\RP330\A0095654.exe -> Downloader.Small.ckc : Cleaned with backup
C:\System Volume Information\_restore{9B539E66-D85A-41E7-ACFD-AE0F6CD9DCE9}\RP330\A0095656.exe -> Adware.CashDeluxe : Cleaned with backup
C:\System Volume Information\_restore{9B539E66-D85A-41E7-ACFD-AE0F6CD9DCE9}\RP330\A0095659.exe -> Downloader.VB.ur : Cleaned with backup
C:\System Volume Information\_restore{9B539E66-D85A-41E7-ACFD-AE0F6CD9DCE9}\RP330\A0095863.dll -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{9B539E66-D85A-41E7-ACFD-AE0F6CD9DCE9}\RP330\A0095864.dll -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{9B539E66-D85A-41E7-ACFD-AE0F6CD9DCE9}\RP330\A0095865.dll -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{9B539E66-D85A-41E7-ACFD-AE0F6CD9DCE9}\RP330\A0095866.dll -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{9B539E66-D85A-41E7-ACFD-AE0F6CD9DCE9}\RP330\A0095867.dll -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{9B539E66-D85A-41E7-ACFD-AE0F6CD9DCE9}\RP330\A0096137.exe -> Downloader.Small.ckc : Cleaned with backup
C:\System Volume Information\_restore{9B539E66-D85A-41E7-ACFD-AE0F6CD9DCE9}\RP330\snapshot\MFEX-1.DAT -> Downloader.Small.ckc : Cleaned with backup
C:\visfx500.exe -> Dropper.Agent.aie : Cleaned with backup
C:\windows\azesearch.bmp -> Adware.Azesearch : Cleaned with backup
C:\windows\drsmartload95a.exe -> Downloader.VB.ym : Cleaned with backup
C:\windows\kl1.exe -> Logger.Small.dg : Cleaned with backup
C:\windows\loadadv728.exe -> Downloader.Small.ckj : Cleaned with backup
C:\windows\system32\faotvpap7.exe -> Trojan.Runner.h : Cleaned with backup
C:\windows\system32\mswinf32.dll -> Not-A-Virus.Hoax.Win32.VB.j : Cleaned with backup
C:\windows\system32\mswinf32.exe -> Not-A-Virus.Hoax.Win32.VB.j : Cleaned with backup
C:\windows\system32\VN5DB.DLL -> Adware.Look2Me : Cleaned with backup
C:\windows\system32\w9seq.dll -> Adware.Suggestor : Cleaned with backup
C:\windows\unin101.exe -> Trojan.VB.tg : Cleaned with backup
C:\windows\uni_eh.exe -> Trojan.VB.tg : Cleaned with backup
C:\ZICORN001.exe -> Adware.ZenoSearch : Cleaned with backup


::Report End
Here is the Panda log
Incident Status Location

Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\walkerc\Cookies\walkerc@adopt.hbmediapro[2].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\walkerc\Cookies\walkerc@advertising[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\walkerc\Cookies\walkerc@atdmt[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\walkerc\Cookies\walkerc@belnk[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\walkerc\Cookies\walkerc@dist.belnk[2].txt
Spyware:Cookie/TargetSaver Not disinfected C:\Documents and Settings\walkerc\Cookies\walkerc@targetsaver[2].txt
Spyware:Cookie/WinFixer Not disinfected C:\Documents and Settings\walkerc\Cookies\walkerc@winfixer[2].txt
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\walkerc\Local Settings\Temp\Cookies\walkerc@adopt.hbmediapro[2].txt
Potentially unwanted tool:Application/KillApp.A Not disinfected C:\Documents and Settings\walkerc\Local Settings\Temporary Internet Files\Content.IE5\Q5WZ2NOL\tool1[1].txt
Potentially unwanted tool:Application/KillApp.A Not disinfected C:\Documents and Settings\walkerc\Local Settings\Temporary Internet Files\Content.IE5\S1UV8TYV\tool5[1].txt
Spyware:spyware/surfsidekick Not disinfected C:\Documents and Settings\walkerc\Local Settings\Temporary Internet Files\Ssk.log
Adware:adware/dollarrevenue Not disinfected C:\keyboard2.exe
Spyware:Cookie/Bilbo.counted Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq107.tmp
Spyware:Cookie/Clickbank Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq108.tmp
Spyware:Cookie/FindtheWebsiteYouNeed Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq109.tmp
Spyware:Cookie/Hitbox Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq10A.tmp
Spyware:Cookie/Hitbox Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq10D.tmp
Spyware:Cookie/HotLog Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq10E.tmp
Spyware:Cookie/Valueclick Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq111.tmp
Spyware:Cookie/Maxserving Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq3.tmp
Spyware:Cookie/DomainSponsor Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq3A.tmp
Spyware:Cookie/DomainSponsor Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq3B.tmp
Spyware:Cookie/Humanclick Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq43.tmp
Spyware:Cookie/Humanclick Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq52.tmp
Spyware:Cookie/Hitslink Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq59.tmp
Spyware:Cookie/RealMedia Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq5A.tmp
Spyware:Cookie/Bs.serving-sys Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq5C.tmp
Spyware:Cookie/RealMedia Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq60.tmp
Spyware:Cookie/Serving-sys Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq61.tmp
Spyware:Cookie/Bilbo.counted Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq62.tmp
Spyware:Cookie/Findwhat Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq64.tmp
Spyware:Cookie/Hitbox Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq65.tmp
Spyware:Cookie/Hitslink Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq66.tmp
Spyware:Cookie/QkSrv Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq67.tmp
Spyware:Cookie/24/7 Realmedia Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq68.tmp
Spyware:Cookie/onestat.com Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq69.tmp
Spyware:Cookie/Sextracker Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq72.tmp
Spyware:Cookie/Sextracker Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq73.tmp
Spyware:Cookie/Sextracker Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq74.tmp
Spyware:Cookie/Sextracker Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq75.tmp
Spyware:Cookie/SpyLog Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq76.tmp
Spyware:Cookie/Statcounter Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq77.tmp
Spyware:Cookie/Falkag Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq7C.tmp
Spyware:Cookie/Hitbox

#6 Thunder

Thunder

  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium
  • Local time:05:49 AM

Posted 16 March 2006 - 05:14 PM

Hello chriswalker5,

That looks so much better. :thumbsup:
It however looks like the Panda log isn't complete?

Now to clean up leftovers:

1. Run HijackThis and check these entries, if still present:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
O2 - BHO: Yvakt Class - {DAAC59E5-093D-4D24-A105-55BFE4ACDE14} - C:\WINDOWS\system32\w9seq.dll (file missing)
O4 - HKCU\..\Run: [CU2]
O4 - HKCU\..\Run: [CU1]
O18 - Filter: text/html - {CEA53356-C414-4331-A35E-AA4CE9D8DFA2} - C:\WINDOWS\system32\w9seq.dll

Close all open windows EXCEPT HijackThis, and click Fix Checked. Close HijackThis.

2. Using Windows Explorer, search and remove, if present, this file (only the one in bold!):

C:\keyboard2.exe
C:\windows\system32\azebar.xml
C:\windows\system32\loader.exe
C:\windows\uniq
Delete the entire content, not the folder itself, of C:\Program Files\Yahoo!\YPSR\Quarantine

3. Go to "Start" -> "Run" and type in the box: cleanmgr. Let it scan your system for files to remove.
Select All and then press "Ok" to remove.

Clean your IE cookies and cache:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Click the "Delete Cookies" button
  • Next to it, Click the "Delete Files" button
  • When prompted, place a check in: "Delete all offline content", click OK

4. Please post a new HijackThis log, and the complete Panda log.

Greetings,
BMThor

Edited by BMThor, 17 March 2006 - 03:23 AM.

Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted - And make a difference
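The entries BMThor asks to be fixed in step 1 are HijackThis R0/R1 (search URLs), O2 (BHO), O4 (Run key) and O18 (filter) lines. As an added example that is not code from this thread or from HijackThis, here is a small parser for those four line formats with a defender-side review pass that flags what a cleaner would look at: search settings pointing at a host outside an assumed allow-list, a BHO or filter whose module is missing or is a file the ewido report on this page identified as malware (w9seq.dll), and Run values with an empty command. The allow-list and the extra SoundMan Run line are constructed for the example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple
from urllib.parse import urlparse

# Constructed sample: the HijackThis lines quoted in the reply above, plus one
# ordinary Run entry (SoundMan, made up here) so the review pass has a benign
# O4 line to let through.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
O2 - BHO: Yvakt Class - {DAAC59E5-093D-4D24-A105-55BFE4ACDE14} - C:\WINDOWS\system32\w9seq.dll (file missing)
O4 - HKCU\..\Run: [CU2]
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O18 - Filter: text/html - {CEA53356-C414-4331-A35E-AA4CE9D8DFA2} - C:\WINDOWS\system32\w9seq.dll
"""

# Search providers this user actually wants (assumed allow-list; set per machine).
TRUSTED_SEARCH_HOSTS = ("yahoo.com", "google.com", "msn.com")
# File names the ewido report earlier in the thread identified as malware.
KNOWN_BAD_FILES = {"w9seq.dll"}


@dataclass
class Entry:
    kind: str            # R0, R1, O2, O4 or O18
    raw: str             # the original log line
    key: str = ""        # registry key (R0/R1) or Run key (O4)
    value: str = ""      # registry value name (R0/R1)
    url: str = ""        # search URL (R0/R1)
    name: str = ""       # BHO / filter name, or Run value name
    clsid: str = ""      # COM class id (O2/O18)
    path: str = ""       # module path (O2/O18) or command line (O4)
    file_missing: bool = False   # HijackThis could not find the module


# One pattern per entry type; the named groups map onto the Entry fields.
R_RE = re.compile(r"^(?P<kind>R[01]) - (?P<key>[^,]+),(?P<value>[^=]+?) = (?P<url>.*)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - "
                   r"(?P<path>.*?)(?P<missing> \(file missing\))?$")
O4_RE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]*)\](?: (?P<cmd>.*))?$")
O18_RE = re.compile(r"^O18 - (?:Filter|Protocol): (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")


def parse(log_text: str) -> List[Entry]:
    """Turn the supported HijackThis line types into Entry objects; other lines are skipped."""
    entries: List[Entry] = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        if m := R_RE.match(line):
            entries.append(Entry(m["kind"], line, key=m["key"], value=m["value"], url=m["url"]))
        elif m := O2_RE.match(line):
            entries.append(Entry("O2", line, name=m["name"], clsid=m["clsid"],
                                 path=m["path"], file_missing=m["missing"] is not None))
        elif m := O4_RE.match(line):
            entries.append(Entry("O4", line, key=m["key"], name=m["name"], path=m["cmd"] or ""))
        elif m := O18_RE.match(line):
            entries.append(Entry("O18", line, name=m["name"], clsid=m["clsid"], path=m["path"]))
    return entries


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def is_trusted(host: str, allowed: Iterable[str]) -> bool:
    return any(host == d or host.endswith("." + d) for d in allowed)


def review(entries: Iterable[Entry], allowed_hosts=TRUSTED_SEARCH_HOSTS,
           bad_files=KNOWN_BAD_FILES) -> List[Tuple[Entry, str]]:
    """Flag entries a cleaner should look at, with the reason for each."""
    findings: List[Tuple[Entry, str]] = []
    for e in entries:
        if e.kind in ("R0", "R1"):
            host = host_of(e.url)
            if not is_trusted(host, allowed_hosts):
                findings.append((e, f"search setting points at untrusted host {host!r}"))
        elif e.kind in ("O2", "O18"):
            fname = e.path.replace("\\", "/").rsplit("/", 1)[-1].lower()
            if e.file_missing:
                findings.append((e, "registration for a module that no longer exists"))
            elif fname in bad_files:
                findings.append((e, f"loads {fname}, which the scan report identified as malware"))
        elif e.kind == "O4" and not e.path:
            findings.append((e, "Run value with an empty command (leftover autostart)"))
    return findings


if __name__ == "__main__":
    for entry, reason in review(parse(SAMPLE_LOG)):
        print(f"{entry.kind}: {reason}\n    {entry.raw}")
```

The Yahoo SearchURL line passes the host check here even though BMThor chose to reset it too; the allow-list is a starting point, and the final decision on each flagged or unflagged entry stays with the person cleaning the machine.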

#7 chriswalker5

chriswalker5
  • Topic Starter

  • Members
  • 9 posts
  • Local time:11:49 PM

Posted 16 March 2006 - 06:27 PM

I'm sorry, I didn't realize that I pasted an incomplete Panda log. Here is the complete log. I have also noticed that when I start the computer now, an Internet Explorer window pops up of the C:/windows/system32 folder. It's not a problem as far as I can tell, but thought I would let you know. I will run those fixes tonight and post the results.

Thanks so much for your help... really appreciate it.
Incident Status Location

Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\walkerc\Cookies\walkerc@adopt.hbmediapro[2].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\walkerc\Cookies\walkerc@advertising[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\walkerc\Cookies\walkerc@atdmt[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\walkerc\Cookies\walkerc@belnk[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\walkerc\Cookies\walkerc@dist.belnk[2].txt
Spyware:Cookie/TargetSaver Not disinfected C:\Documents and Settings\walkerc\Cookies\walkerc@targetsaver[2].txt
Spyware:Cookie/WinFixer Not disinfected C:\Documents and Settings\walkerc\Cookies\walkerc@winfixer[2].txt
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\walkerc\Local Settings\Temp\Cookies\walkerc@adopt.hbmediapro[2].txt
Potentially unwanted tool:Application/KillApp.A Not disinfected C:\Documents and Settings\walkerc\Local Settings\Temporary Internet Files\Content.IE5\Q5WZ2NOL\tool1[1].txt
Potentially unwanted tool:Application/KillApp.A Not disinfected C:\Documents and Settings\walkerc\Local Settings\Temporary Internet Files\Content.IE5\S1UV8TYV\tool5[1].txt
Spyware:spyware/surfsidekick Not disinfected C:\Documents and Settings\walkerc\Local Settings\Temporary Internet Files\Ssk.log
Adware:adware/dollarrevenue Not disinfected C:\keyboard2.exe
Spyware:Cookie/Bilbo.counted Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq107.tmp
Spyware:Cookie/Clickbank Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq108.tmp
Spyware:Cookie/FindtheWebsiteYouNeed Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq109.tmp
Spyware:Cookie/Hitbox Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq10A.tmp
Spyware:Cookie/Hitbox Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq10D.tmp
Spyware:Cookie/HotLog Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq10E.tmp
Spyware:Cookie/Valueclick Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq111.tmp
Spyware:Cookie/Maxserving Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq3.tmp
Spyware:Cookie/DomainSponsor Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq3A.tmp
Spyware:Cookie/DomainSponsor Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq3B.tmp
Spyware:Cookie/Humanclick Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq43.tmp
Spyware:Cookie/Humanclick Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq52.tmp
Spyware:Cookie/Hitslink Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq59.tmp
Spyware:Cookie/RealMedia Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq5A.tmp
Spyware:Cookie/Bs.serving-sys Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq5C.tmp
Spyware:Cookie/RealMedia Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq60.tmp
Spyware:Cookie/Serving-sys Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq61.tmp
Spyware:Cookie/Bilbo.counted Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq62.tmp
Spyware:Cookie/Findwhat Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq64.tmp
Spyware:Cookie/Hitbox Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq65.tmp
Spyware:Cookie/Hitslink Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq66.tmp
Spyware:Cookie/QkSrv Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq67.tmp
Spyware:Cookie/24/7 Realmedia Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq68.tmp
Spyware:Cookie/onestat.com Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq69.tmp
Spyware:Cookie/Sextracker Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq72.tmp
Spyware:Cookie/Sextracker Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq73.tmp
Spyware:Cookie/Sextracker Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq74.tmp
Spyware:Cookie/Sextracker Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq75.tmp
Spyware:Cookie/SpyLog Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq76.tmp
Spyware:Cookie/Statcounter Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq77.tmp
Spyware:Cookie/Falkag Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq7C.tmp
Spyware:Cookie/Hitbox Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq7E.tmp
Spyware:Cookie/Maxserving Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq7F.tmp
Spyware:Cookie/WUpd Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq81.tmp
Spyware:Cookie/Tradedoubler Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq84.tmp
Spyware:Cookie/bravenetA Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq87.tmp
Spyware:Cookie/WUpd Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq89.tmp
Adware:Adware/SpySheriff Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq8F.tmp\Uninstall.exe
Adware:Adware/SpySheriff Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq95.tmp
Adware:Adware/SpySheriff Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppqA5.tmp
Adware:Adware/SpySheriff Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppqAD.tmp
Spyware:Cookie/Com.com Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppqAF.tmp
Adware:Adware/AzeSearch Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppqEE.tmp
Adware:adware/azesearch Not disinfected C:\windows\system32\azebar.xml
Virus:Trj/Downloader.HYC Not disinfected C:\windows\system32\loader.exe
Adware:adware/cws.searchmeup Not disinfected C:\windows\uniq
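The Panda log above mixes three very different kinds of hit under one "Not disinfected" status: tracking cookies, copies that Yahoo Anti-Spy has already moved into its YPSR\Quarantine folder, and files still sitting live on disk (C:\windows\system32\loader.exe flagged as Trj/Downloader.HYC, C:\keyboard2.exe, azebar.xml, C:\windows\uniq, Ssk.log). The helper below is an added example, not code from the original post or from Panda; it parses that line format and sorts the hits into those buckets so the live files stand out. The folder names used to decide "already quarantined" and "browser cache" are assumptions about this particular log, and the sample input is nine lines copied from the log above.

```python
import re

# Shape of one Panda ActiveScan result line, as seen in the log posted above:
#   <Class>:<Family/Name>  <Status>  <Path>
# <Class> is "Spyware", "Adware", "Virus", "Potentially unwanted tool", ...
# <Status> is "Disinfected" or "Not disinfected"; everything after it is the path.
# The name may contain spaces ("Cookie/24/7 Realmedia"), so it is matched lazily.
LINE_RE = re.compile(
    r"^(?P<kind>[^:]+):(?P<name>.+?)\s+(?P<status>Not disinfected|Disinfected)\s+(?P<path>.+)$"
)

# Assumption: a hit under another scanner's quarantine folder is an isolated copy,
# not a running component; Yahoo Anti-Spy (YPSR) uses this folder in the log above.
QUARANTINE_DIRS = ("\\ypsr\\quarantine\\",)

# Assumption: hits in the IE cache or cookie jars are tracking cookies / cached
# downloads rather than installed code. Only Content.IE5 counts as cache, so a file
# dropped directly into "Temporary Internet Files" (Ssk.log) still counts as live.
BROWSER_DIRS = ("\\content.ie5\\", "\\cookies\\")

# Constructed sample: nine lines copied verbatim from the Panda log in the post above.
SAMPLE_LOG = r"""
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\walkerc\Local Settings\Temp\Cookies\walkerc@adopt.hbmediapro[2].txt
Potentially unwanted tool:Application/KillApp.A Not disinfected C:\Documents and Settings\walkerc\Local Settings\Temporary Internet Files\Content.IE5\Q5WZ2NOL\tool1[1].txt
Spyware:spyware/surfsidekick Not disinfected C:\Documents and Settings\walkerc\Local Settings\Temporary Internet Files\Ssk.log
Adware:adware/dollarrevenue Not disinfected C:\keyboard2.exe
Spyware:Cookie/24/7 Realmedia Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq68.tmp
Adware:Adware/SpySheriff Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq8F.tmp\Uninstall.exe
Adware:adware/azesearch Not disinfected C:\windows\system32\azebar.xml
Virus:Trj/Downloader.HYC Not disinfected C:\windows\system32\loader.exe
Adware:adware/cws.searchmeup Not disinfected C:\windows\uniq
""".strip()


def parse_line(line):
    """Return the fields of one result line, or None for headers and blank lines."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(hit):
    """Bucket a hit as 'cookie', 'quarantined', 'browser-cache' or 'live'."""
    path = hit["path"].lower()
    if hit["name"].lower().startswith("cookie/"):
        return "cookie"
    if any(d in path for d in QUARANTINE_DIRS):
        return "quarantined"
    if any(d in path for d in BROWSER_DIRS):
        return "browser-cache"
    return "live"


def triage(log_text):
    """Parse a whole log and group the hits by bucket, keeping log order."""
    buckets = {"cookie": [], "quarantined": [], "browser-cache": [], "live": []}
    for line in log_text.splitlines():
        hit = parse_line(line)
        if hit:
            hit["bucket"] = classify(hit)
            buckets[hit["bucket"]].append(hit)
    return buckets


def summary(log_text):
    """Number of hits per bucket, e.g. {'cookie': 2, ..., 'live': 5}."""
    return {k: len(v) for k, v in triage(log_text).items()}


def live_paths(log_text):
    """Paths that still need removal: not cookies, not cache, not already quarantined."""
    return [h["path"] for h in triage(log_text)["live"]]


if __name__ == "__main__":
    for bucket, hits in triage(SAMPLE_LOG).items():
        print(f"{bucket:14s} {len(hits)}")
    print("Still live on disk:")
    for h in triage(SAMPLE_LOG)["live"]:
        print(f"  {h['name']:26s} {h['path']}")
```

Run against the full log above, this collapses the dozens of cookie and YPSR\Quarantine entries into counts and leaves a short list of files that are actually installed. A downloader left in place in system32 is exactly the kind of component that re-fetches the rest after a cookie-level cleanup, so that list, not the cookie count, is what a removal fix has to address.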

#8 Thunder

  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium
  • Local time:05:49 AM

Posted 17 March 2006 - 03:26 AM

That's fine chriswalker5,

I've slightly adjusted the cleanup fix in accordance with the complete Panda log you now posted.

Greetings,
BMThor
