
My Hijackthis Log


  • This topic is locked
15 replies to this topic

#1 El_Kabong


Posted 06 April 2006 - 02:03 PM

Logfile of HijackThis v1.99.1
Scan saved at 3:00:09 PM, on 4/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\nakido.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\slk8x2peu.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\e6tw76cpw.exe
C:\WINDOWS\CheckS02.exe
C:\WINDOWS\ms043307981288.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\aim\aim.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\ngshy.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe,xbalkdj.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [CQ4d6] "C:\WINDOWS\system32\slk8x2peu.exe"
O4 - HKLM\..\Run: [w00cbe25.dll] RUNDLL32.EXE w00cbe25.dll,I2 0001a0b5000cbe25
O4 - HKLM\..\Run: [{A5-5E-E2-2E-ZN}] C:\WINDOWS\system32\dwdsregt.exe CORN002
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\CheckS02.exe
O4 - HKLM\..\Run: [ms043307981288] C:\WINDOWS\ms043307981288.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\wyoopp.exe reg_run
O4 - HKCU\..\Run: [AIM] C:\Program Files\aim\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SuperAdBlocker] C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SAdBlock.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Poker.com - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - C:\Program Files\Poker.com\poker.exe (file missing)
O9 - Extra button: (no name) - {91663649-416A-42A5-8E54-B63C1ECA0548} - C:\Program Files\Surfapps.com\PopThis! Free Version\PopThis.dll
O9 - Extra 'Tools' menuitem: PopThis! Options... - {91663649-416A-42A5-8E54-B63C1ECA0548} - C:\Program Files\Surfapps.com\PopThis! Free Version\PopThis.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {444B911E-6E55-4A11-B3E9-0D3E21AE0437} - http://www.exfol.com/v/1/i/eins005.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...83/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1144248561203
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/1441/ftp...23/cpbrkpie.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,20/mcgdmgr.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.shockwave.com/content/heavyweap...aploader_v6.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: CSCSettings - C:\WINDOWS\system32\m4280efueh280.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: IPConfTSP - C:\WINDOWS\system32\mv42l9ho1.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Nakido - Unknown owner - C:\WINDOWS\system32\nakido.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SMSDMQH - Sysinternals - www.sysinternals.com - C:\WINDOWS\TEMP\SMSDMQH.exe
O23 - Service: XHVP - Sysinternals - www.sysinternals.com - C:\DOCUME~1\stupid\LOCALS~1\Temp\XHVP.exe



thanks :thumbsup:


 


#2 SifuMike


Posted 07 April 2006 - 09:52 PM

Hello El_Kabong,

You have the latest qoologic infection. :thumbsup:

The bad thing about this infection is that we have to get all the files in one shot, otherwise it respawns immediately.

Please download FindQool by LonnyRJones:
http://downloads.subratam.org/Lon/FindQool.zip

* Extract the files and place the FindQool folder in root. Usually C:\
* Open the folder and run Qlocate.bat.
* Post the contents of the run Qlocate.bat.
* Post the contents of the txt.log which will open and a fresh Hijackthis log.

Edited by SifuMike, 07 April 2006 - 09:55 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 El_Kabong


Posted 10 April 2006 - 01:48 PM

thanks for the reply.

here's the Qlocate.bat log:
nown file names
C:\WINDOWS\UNWN.EXE

MD5 Check....
C:\WINDOWS\system32\ctqgl.dat
C:\WINDOWS\system32\wwcdax.exe
C:\WINDOWS\system32\ngshy.exe
C:\WINDOWS\system32\debdqgu.dll
C:\WINDOWS\system32\xbalkdj.exe

Files found with locate com.
C:\WINDOWS\SYSTEM32\XBALKDJ.EXE
C:\WINDOWS\SYSTEM32\DEBDQGU.DLL
C:\WINDOWS\SYSTEM32\CTQGL.DAT
C:\WINDOWS\SYSTEM32\WWCDAX.EXE
C:\WINDOWS\SYSTEM32\NGSHY.EXE
C:\WINDOWS\RECCT.DLL
C:\DOCUME~1\ALLUSE~1\STARTM~1\PROGRAMS\STARTUP\PENEG.EXE
Re-check using dir /a:-d
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
04/01/2006 09:18 AM 127,488 peneg.exe
...

HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\extensions\{4abf810a-f11d-4169-9d5f-7d274f2270a1}
HKEY_LOCAL_MACHINE\software\classes\folder\shellex\columnhandlers\{ce3a44d8-bc88-4d62-a890-42d96245f8d6}
[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\fgkkmmyx]
@="{750cfe56-9f4e-40d3-b30b-b2a0bcf50d19}"


...
Runs, Listed here as a Doublecheck for the locate com results
HKLM
"vnguyv"="C:\\WINDOWS\\system32\\wwcdax.exe reg_run"
HKCU
"sknvb"="C:\\WINDOWS\\system32\\wwcdax.exe reg_run"
...

Files In Winlogon shell and userinit
Listed here as a Doublecheck for the locate com results
shell REG_SZ Explorer.exe, C:\WINDOWS\system32\ngshy.exe
userinit REG_SZ C:\WINDOWS\system32\Userinit.exe,xbalkdj.exe
...
SWReg utility
Written by Bobbi Flekman © 2005
Findqool edited 4/05/2006
----------------------------------------------

and a hijack this right after:
Logfile of HijackThis v1.99.1
Scan saved at 2:45:15 PM, on 4/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\nakido.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\slk8x2peu.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iolo\System Mechanic 6\PopupBlocker.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\WINDOWS\system32\e6tw76cpw.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\notepad.exe
C:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\ngshy.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe,xbalkdj.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yvakt Class - {BA3DDC15-3EF1-4DC7-B9B6-ED0403F9422A} - C:\WINDOWS\system32\OUGHYA~1.DLL
O2 - BHO: (no name) - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [CQ4d6] "C:\WINDOWS\system32\slk8x2peu.exe"
O4 - HKLM\..\Run: [w00cbe25.dll] RUNDLL32.EXE w00cbe25.dll,I2 0001a0b5000cbe25
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\CheckS02.exe
O4 - HKLM\..\Run: [ms043307981288] C:\WINDOWS\ms043307981288.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ioloDelayModule] C:\Program Files\iolo\System Mechanic 6\delay.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\qwinsrag.exe CORN002
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SuperAdBlocker] C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SAdBlock.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [System Mechanic Popup Blocker] "C:\Program Files\iolo\System Mechanic 6\PopupBlocker.exe"
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\qwinsrag.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Poker.com - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - C:\Program Files\Poker.com\poker.exe (file missing)
O9 - Extra button: (no name) - {91663649-416A-42A5-8E54-B63C1ECA0548} - C:\Program Files\Surfapps.com\PopThis! Free Version\PopThis.dll
O9 - Extra 'Tools' menuitem: PopThis! Options... - {91663649-416A-42A5-8E54-B63C1ECA0548} - C:\Program Files\Surfapps.com\PopThis! Free Version\PopThis.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {444B911E-6E55-4A11-B3E9-0D3E21AE0437} - http://www.exfol.com/v/1/i/eins005.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...83/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1144248561203
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/1441/ftp...23/cpbrkpie.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,20/mcgdmgr.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.shockwave.com/content/heavyweap...aploader_v6.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: CSCSettings - C:\WINDOWS\system32\m4280efueh280.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: IPConfTSP - C:\WINDOWS\system32\mv42l9ho1.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Nakido - Unknown owner - C:\WINDOWS\system32\nakido.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SMSDMQH - Unknown owner - C:\WINDOWS\TEMP\SMSDMQH.exe (file missing)
O23 - Service: XHVP - Unknown owner - C:\DOCUME~1\stupid\LOCALS~1\Temp\XHVP.exe (file missing)

#4 SifuMike


Posted 10 April 2006 - 04:15 PM

Hello El_Kabong,

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.


Please download Pocket Killbox version 2.0.0.175 http://www.atribune.org/downloads/KillBox.exe Don't run it yet.
If you already have Killbox, first ensure it is this version!

Killbox tutorial: http://forum.malwareremoval.com/viewtopic.php?t=320

Please download Ewido AntiMalware at http://www.ewido.net/en/download/.

1. Install Ewido AntiMalware.
2. When installing, under 'Additional Options' uncheck:
* Install background guard
* Install scan via context menu
3. Launch Ewido, there should be an icon on your desktop, double click it.
4. The program will now open to the main screen.
5. When you run Ewido for the first time, you will get a warning 'Database could not be found!'. Click OK. We will fix this in a moment.
6. You will need to update Ewido to the latest definition files.
* On the left hand side of the main screen click update.
* Then click on Start Update.
7. The update will start and a progress bar will show the updates being installed. The status bar at the bottom will display 'Update successful'.
8. Exit Ewido. DO NOT scan yet.

If you are having problems with the updater, you can go to http://www.ewido.net/en/download/updates/ to update manually.

Download CleanUp! http://cleanup.stevengould.org/ (Alternate link if the main link doesn't work - http://www.greyknight17.com/spy/CleanUp.exe ) and install it. Don't run it yet.

****************************************

Restart your computer and boot into Safe Mode (if you don't know how, go to http://www.bleepingcomputer.com/tutorials/how-to-start-windows-in-safe-mode/).

Run a scan in HijackThis. With all windows (including this one!) closed (close browser/explorer windows),
Check each of the following if they still exist and hit 'Fix Checked' after you check the last one:

R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\ngshy.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe,xbalkdj.exe
O2 - BHO: Yvakt Class - {BA3DDC15-3EF1-4DC7-B9B6-ED0403F9422A} - C:\WINDOWS\system32\OUGHYA~1.DLL
O2 - BHO: (no name) - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
O4 - HKLM\..\Run: [CQ4d6] "C:\WINDOWS\system32\slk8x2peu.exe"
O4 - HKLM\..\Run: [w00cbe25.dll] RUNDLL32.EXE w00cbe25.dll,I2 0001a0b5000cbe25
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\CheckS02.exe
O4 - HKLM\..\Run: [ms043307981288] C:\WINDOWS\ms043307981288.exe
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\qwinsrag.exe CORN002
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\qwinsrag.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)


If you did not install PartyPoker, then fix it.
O9 - Extra button: Poker.com - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - C:\Program Files\Poker.com\poker.exe (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)


O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O20 - Winlogon Notify: CSCSettings - C:\WINDOWS\system32\m4280efueh280.dll (file missing)
O20 - Winlogon Notify: IPConfTSP - C:\WINDOWS\system32\mv42l9ho1.dll (file missing)
O23 - Service: Nakido - Unknown owner - C:\WINDOWS\system32\nakido.exe
O23 - Service: SMSDMQH - Unknown owner - C:\WINDOWS\TEMP\SMSDMQH.exe (file missing)
O23 - Service: XHVP - Unknown owner - C:\DOCUME~1\stupid\LOCALS~1\Temp\XHVP.exe (file missing)


****************************************

Click killbox.exe.
Put a checkmark in "End Explorer Shell While Killing File".
Select the option "Delete on reboot".
Click the button: All Files (!important!)
Now it should flash green.

Now copy the next part:

C:\WINDOWS\system32\nakido.exe
C:\WINDOWS\system32\slk8x2peu.exe
C:\WINDOWS\system32\e6tw76cpw.exe
C:\WINDOWS\SYSTEM32\XBALKDJ.EXE
C:\WINDOWS\SYSTEM32\DEBDQGU.DLL
C:\WINDOWS\SYSTEM32\CTQGL.DAT
C:\WINDOWS\SYSTEM32\WWCDAX.EXE
C:\WINDOWS\SYSTEM32\NGSHY.EXE
C:\WINDOWS\RECCT.DLL
C:\DOCUME~1\ALLUSE~1\STARTM~1\PROGRAMS\STARTUP\PENEG.EXE
C:\WINDOWS\system32\OUGHYA~1.DLL
C:\WINDOWS\system32\slk8x2peu.exe
C:\WINDOWS\system32\w00cbe25.dll
C:\WINDOWS\CheckS02.exe
C:\WINDOWS\ms043307981288.exe
C:\WINDOWS\system32\qwinsrag.exe


Open 'File' in the Killbox menu on top and choose Paste from clipboard.

Then press the button that looks like a red circle with a white X in it.
Killbox will tell you that all listed files will be removed on next reboot and asks if you would like to Reboot now, click YES

If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message then just restart manually.

****************************************

Boot to the Safe Mode, open Ewido and do a scan on your system.

* Click on scanner.
* Click on 'Complete System Scan' and the scan will begin.
* While the scan is in progress you will be prompted to clean the first infected file it finds. Choose 'Remove', then put a check next to 'Perform action on all infections' in the left corner of the box so you don't have to sit and watch Ewido the whole time. Click OK.
Exit Ewido when it's done.
* Once the scan has completed, there will be a button located on the bottom of the screen named 'Save report'.
* Click 'Save report'.
* Save the report to your desktop.

****************************************


CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups.
If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp!.
Run CleanUp! and click on the Options button. Uncheck 'Scan local drives for temporary files'. Also uncheck those two Newsgroup entries if you don't want to delete them. Click OK and then click on the CleanUp! button. Let it run. After it's done, choose Yes to logoff.


****************************************


Open the folder and run Qlocate.bat.
* Post the contents of the run Qlocate.bat.
* Post the contents of the txt.log which will open.

****************************************

Reboot your computer to the Normal Mode, post a fresh Hijackthis log, txt.log from Qlocate.bat, the Ewido log, and tell me how your computer is running.

Edited by SifuMike, 10 April 2006 - 04:26 PM.


Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
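
The posts above stress that every file has to be removed in one pass or the infection respawns. The following added example (not part of the original thread and not the helper's tooling) checks a follow-up HijackThis log for autostart entries that still reference a file from the deletion list, and lists anything chained onto the Winlogon Shell/UserInit values. The function names are this example's own, the sample lines are copied from the logs and Killbox list in this thread, and files are matched by name only.

```python
import ntpath
import re

# HijackThis sections that describe autostart points:
# F2 = Winlogon Shell/UserInit, O4 = Run keys and Startup folders,
# O20 = Winlogon Notify, O23 = services.
AUTOSTART = re.compile(r"^(F2|O4|O20|O23) - (.*)$")
# Winlogon values as HijackThis prints them on F2 lines.
WINLOGON = re.compile(r"^F2 - REG:system\.ini: (Shell|UserInit)=(.*)$", re.I)
# Anything that ends like a program or module file name.
FILE_TOKEN = re.compile(r'[^\s"=,\[\]]+\.(?:exe|dll|dat)\b', re.I)
# File names expected in a clean Shell / UserInit value.
WINLOGON_DEFAULTS = {"shell": "explorer.exe", "userinit": "userinit.exe"}


def _name(path):
    """Lower-cased file name of a Windows path (works on any OS)."""
    return ntpath.basename(path.strip().strip('"')).lower()


def winlogon_extras(log_text):
    """Return (value, command) pairs chained onto Shell or UserInit."""
    extras = []
    for line in log_text.splitlines():
        m = WINLOGON.match(line.strip())
        if not m:
            continue
        value, data = m.group(1), m.group(2)
        for command in (c.strip() for c in data.split(",")):
            if command and _name(command) != WINLOGON_DEFAULTS[value.lower()]:
                extras.append((value, command))
    return extras


def surviving_autostarts(log_text, targeted_paths):
    """Return (section, line, files) for autostart entries that still
    reference a file that was scheduled for deletion."""
    targeted = {_name(p) for p in targeted_paths}
    hits = []
    for line in log_text.splitlines():
        line = line.strip()
        m = AUTOSTART.match(line)
        if not m:
            continue
        files = {_name(tok) for tok in FILE_TOKEN.findall(m.group(2))}
        still_there = sorted(files & targeted)
        if still_there:
            hits.append((m.group(1), line, still_there))
    return hits


# Subset of the Killbox list from the thread.
TARGETED = [
    r"C:\WINDOWS\system32\nakido.exe",
    r"C:\WINDOWS\SYSTEM32\XBALKDJ.EXE",
    r"C:\WINDOWS\SYSTEM32\WWCDAX.EXE",
    r"C:\WINDOWS\SYSTEM32\NGSHY.EXE",
    r"C:\WINDOWS\system32\qwinsrag.exe",
]

# Lines copied from the HijackThis log posted after the removal attempt.
FOLLOW_UP_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\ngshy.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,xbalkdj.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [vnguyv] C:\WINDOWS\system32\wwcdax.exe reg_run
O4 - HKCU\..\Run: [sknvb] C:\WINDOWS\system32\wwcdax.exe reg_run
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\qwinsrag.exe
"""

if __name__ == "__main__":
    for value, command in winlogon_extras(FOLLOW_UP_LOG):
        print(f"Winlogon {value} also launches: {command}")
    for section, line, files in surviving_autostarts(FOLLOW_UP_LOG, TARGETED):
        print(f"[{section}] still references {', '.join(files)}: {line}")
```

A non-empty result means an autostart reference outlived the cleanup, so the next round has to cover both the file and the entry that launches it.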

#5 El_Kabong


Posted 11 April 2006 - 12:56 PM

thanks so much, SifuMike!

here's the hijackthis! log:
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iolo\System Mechanic 6\PopupBlocker.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\ngshy.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,xbalkdj.exe
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [vnguyv] C:\WINDOWS\system32\wwcdax.exe reg_run
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ioloDelayModule] C:\Program Files\iolo\System Mechanic 6\delay.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SuperAdBlocker] C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SAdBlock.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [sknvb] C:\WINDOWS\system32\wwcdax.exe reg_run
O4 - HKCU\..\Run: [System Mechanic Popup Blocker] "C:\Program Files\iolo\System Mechanic 6\PopupBlocker.exe"
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\qwinsrag.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {91663649-416A-42A5-8E54-B63C1ECA0548} - C:\Program Files\Surfapps.com\PopThis! Free Version\PopThis.dll
O9 - Extra 'Tools' menuitem: PopThis! Options... - {91663649-416A-42A5-8E54-B63C1ECA0548} - C:\Program Files\Surfapps.com\PopThis! Free Version\PopThis.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {444B911E-6E55-4A11-B3E9-0D3E21AE0437} - http://www.exfol.com/v/1/i/eins005.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...83/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1144248561203
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/1441/ftp...23/cpbrkpie.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,20/mcgdmgr.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.shockwave.com/content/heavyweap...aploader_v6.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: BITS - C:\WINDOWS\system32\m8ju0i19e8.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe

----------------------------------------------------------------------------

Here's the Qlocate.bat one:
Tue 04/11/2006
Running from: C:\FindQool
PLEASE NOTE: LEGIT FILES MIGHT BE LISTED. IF YOU ARE UNSURE OF WHAT IS LISTED LEAVE THEM ALONE.

Known file names
C:\WINDOWS\UNWN.EXE

MD5 Check....
C:\WINDOWS\system32\__delete_on_reboot__dmonwv.dll

Files found with locate com.
Re-check using dir /a:-d
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
...

HKEY_LOCAL_MACHINE\software\qstat
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\webnexus
HKEY_LOCAL_MACHINE\software\classes\folder\shellex\columnhandlers\{ce3a44d8-bc88-4d62-a890-42d96245f8d6}
[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\fgkkmmyx]
@="{750cfe56-9f4e-40d3-b30b-b2a0bcf50d19}"


...
Runs, Listed here as a Doublecheck for the locate com results
HKLM
"vnguyv"="C:\\WINDOWS\\system32\\wwcdax.exe reg_run"
HKCU
"sknvb"="C:\\WINDOWS\\system32\\wwcdax.exe reg_run"
...

Files In Winlogon shell and userinit
Listed here as a Doublecheck for the locate com results
shell REG_SZ Explorer.exe, C:\WINDOWS\system32\ngshy.exe
userinit REG_SZ C:\WINDOWS\SYSTEM32\Userinit.exe,xbalkdj.exe
-------------------------------------------------------------------------------------------

And the Ewido log:
+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000010} -> Adware.Generic : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{6001CDF7-6F45-471b-A203-0225615E35A7} -> Adware.Generic : Cleaned with backup
HKLM\SOFTWARE\Classes\DyFuCA_BH.BHObj -> Adware.MoneyTree : Error during cleaning
HKLM\SOFTWARE\Classes\DyFuCA_BH.BHObj.1 -> Adware.MoneyTree : Error during cleaning
HKLM\SOFTWARE\Classes\IeBHOs.Control -> Adware.E2G : Error during cleaning
HKLM\SOFTWARE\Classes\IeBHOs.Control.1 -> Adware.E2G : Error during cleaning
HKLM\SOFTWARE\Classes\IObjSafety.DemoCtl -> Adware.MediaMotor : Error during cleaning
HKLM\SOFTWARE\Classes\WhIeHelperObj.WhIeHelperObj -> Adware.WebHancer : Error during cleaning
HKLM\SOFTWARE\Classes\WhIeHelperObj.WhIeHelperObj.1 -> Adware.WebHancer : Error during cleaning
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6001CDF7-6F45-471b-A203-0225615E35A7} -> Adware.Generic : Cleaned with backup
[668] C:\WINDOWS\system32\rnvpsp.dll -> Adware.Look2Me : Error during cleaning
[800] C:\WINDOWS\system32\dmonwv.dll -> Downloader.Agent.agw : Cleaned with backup
[952] C:\WINDOWS\system32\dmonwv.dll -> Downloader.Agent.agw : Error during cleaning
C:\!KillBox\ctqgl.dat -> Downloader.Qoologic.bj : Cleaned with backup
C:\!KillBox\qwinsrag.exe -> Adware.ZenoSearch : Cleaned with backup
C:\!KillBox\slk8x2peu.exe -> Adware.Suggestor : Cleaned with backup
C:\!KillBox\w00cbe25.dll -> Downloader.Agent.ahv : Cleaned with backup
C:\ac2_0003.exe -> Downloader.Small.cpu : Cleaned with backup
:mozilla.6:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ukoucvmm.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.7:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ukoucvmm.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.8:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ukoucvmm.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.9:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ukoucvmm.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.10:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ukoucvmm.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.11:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ukoucvmm.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.12:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ukoucvmm.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.13:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ukoucvmm.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.14:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ukoucvmm.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.15:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ukoucvmm.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.16:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ukoucvmm.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.17:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ukoucvmm.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.18:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ukoucvmm.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.19:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ukoucvmm.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup
:mozilla.20:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ukoucvmm.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned with backup
:mozilla.26:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ukoucvmm.default\cookies.txt -> TrackingCookie.Cpvfeed : Cleaned with backup
:mozilla.31:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ukoucvmm.default\cookies.txt -> TrackingCookie.Qksrv : Cleaned with backup
:mozilla.32:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ukoucvmm.default\cookies.txt -> TrackingCookie.Qksrv : Cleaned with backup
:mozilla.39:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ukoucvmm.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Christie Hamilton\Cookies\christie hamilton@2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Christie Hamilton\Cookies\christie hamilton@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Christie Hamilton\Cookies\christie hamilton@ad.yieldmanager[3].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Christie Hamilton\Cookies\christie hamilton@ad.yieldmanager[4].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Christie Hamilton\Cookies\christie hamilton@ad.yieldmanager[5].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Christie Hamilton\Cookies\christie hamilton@ad.yieldmanager[6].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Christie Hamilton\Cookies\christie hamilton@adopt.euroclick[2].txt -> TrackingCookie.Euroclick : Cleaned with backup
C:\Documents and Settings\Christie Hamilton\Cookies\christie hamilton@adopt.specificclick[1].txt -> TrackingCookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Christie Hamilton\Cookies\christie hamilton@adrevolver[3].txt -> TrackingCookie.Adrevolver : Cleaned with backup
C:\Documents and Settings\Christie Hamilton\Cookies\christie hamilton@ads.addynamix[2].txt -> TrackingCookie.Addynamix : Cleaned with backup
C:\Documents and Settings\Christie Hamilton\Cookies\christie hamilton@ads.pointroll[2].txt -> TrackingCookie.Pointroll : Cleaned with backup
C:\Documents and Settings\Christie Hamilton\Cookies\christie hamilton@ads1.revenue[1].txt -> TrackingCookie.Revenue : Cleaned with backup
C:\Documents and Settings\Christie Hamilton\Cookies\christie hamilton@as-eu.falkag[2].txt -> TrackingCookie.Falkag : Cleaned with backup
C:\Documents and Settings\Christie Hamilton\Cookies\christie hamilton@as-us.falkag[2].txt -> TrackingCookie.Falkag : Cleaned with backup
C:\Documents and Settings\Christie Hamilton\Cookies\christie hamilton@as.casalemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\Christie Hamilton\Cookies\christie hamilton@bluestreak[2].txt -> TrackingCookie.Bluestreak : Cleaned with backup
C:\Documents and Settings\Christie Hamilton\Cookies\christie hamilton@burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Christie Hamilton\Cookies\christie hamilton@c.goclick[2].txt -> TrackingCookie.Goclick : Cleaned with backup
C:\Documents and Settings\Christie Hamilton\Cookies\christie hamilton@c5.zedo[1].txt -> TrackingCookie.Zedo : Cleaned with backup
C:\Documents and Settings\Christie Hamilton\Cookies\christie hamilton@casalemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\Christie Hamilton\Cookies\christie hamilton@chicagosuntimes.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Christie Hamilton\Cookies\christie hamilton@cnn.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Christie Hamilton\Cookies\christie hamilton@com[1].txt -> TrackingCookie.Com : Cleaned with backup
C:\Documents and Settings\Christie Hamilton\Cookies\christie hamilton@data1.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\Christie Hamilton\Cookies\christie hamilton@e-2dj6wgliejc5efp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Christie Hamilton\Cookies\christie hamilton@e-2dj6wjkoqkazkko.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Christie Hamilton\Cookies\christie hamilton@edge.ru4[2].txt -> TrackingCookie.Ru4 : Cleaned with backup
C:\Documents and Settings\Christie Hamilton\Cookies\christie hamilton@findwhat[1].txt -> TrackingCookie.Findwhat : Cleaned with backup
C:\Documents and Settings\Christie Hamilton\Cookies\christie hamilton@h.starware[1].txt -> TrackingCookie.Starware : Cleaned with backup
C:\Documents and Settings\Christie Hamilton\Cookies\christie hamilton@login.tracking101[1].txt -> TrackingCookie.Tracking101 : Cleaned with backup
C:\Documents and Settings\Christie Hamilton\Cookies\christie hamilton@overture[1].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\Christie Hamilton\Cookies\christie hamilton@partygaming.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Christie Hamilton\Cookies\christie hamilton@perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\Christie Hamilton\Cookies\christie hamilton@pro-market[2].txt -> TrackingCookie.Pro-market : Cleaned with backup
C:\Documents and Settings\Christie Hamilton\Cookies\christie hamilton@qksrv[2].txt -> TrackingCookie.Qksrv : Cleaned with backup
C:\Documents and Settings\Christie Hamilton\Cookies\christie hamilton@questionmarket[2].txt -> TrackingCookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Christie Hamilton\Cookies\christie hamilton@reduxads.valuead[2].txt -> TrackingCookie.Valuead : Cleaned with backup
C:\Documents and Settings\Christie Hamilton\Cookies\christie hamilton@rotator.adjuggler[1].txt -> TrackingCookie.Adjuggler : Cleaned with backup
C:\Documents and Settings\Christie Hamilton\Cookies\christie hamilton@sales.liveperson[1].txt -> TrackingCookie.Liveperson : Cleaned with backup
C:\Documents and Settings\Christie Hamilton\Cookies\christie hamilton@stats1.reliablestats[2].txt -> TrackingCookie.Reliablestats : Cleaned with backup
C:\Documents and Settings\Christie Hamilton\Cookies\christie hamilton@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\Documents and Settings\Christie Hamilton\Cookies\christie hamilton@tgn.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Christie Hamilton\Cookies\christie hamilton@tradedoubler[1].txt -> TrackingCookie.Tradedoubler : Cleaned with backup
C:\Documents and Settings\Christie Hamilton\Cookies\christie hamilton@trafficmp[2].txt -> TrackingCookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\Christie Hamilton\Cookies\christie hamilton@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Christie Hamilton\Cookies\christie hamilton@www.burstbeacon[1].txt -> TrackingCookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\Christie Hamilton\Cookies\christie hamilton@www.starware[1].txt -> TrackingCookie.Starware : Cleaned with backup
C:\Documents and Settings\Christie Hamilton\Cookies\christie hamilton@yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Christie Hamilton\Cookies\christie hamilton@z1.adserver[1].txt -> TrackingCookie.Adserver : Cleaned with backup
C:\Documents and Settings\Christie Hamilton\Cookies\christie hamilton@zedo[2].txt -> TrackingCookie.Zedo : Cleaned with backup
C:\Documents and Settings\Christie Hamilton\Desktop\full.exe -> Dropper.Agent.hl : Cleaned with backup
C:\Documents and Settings\Christie Hamilton\Desktop\New Folder\delete.txt -> Downloader.Agent.agw : Cleaned with backup
C:\Documents and Settings\Christie Hamilton\Local Settings\Temp\f13278375.exe -> Downloader.Qoologic.bj : Cleaned with backup
C:\Documents and Settings\Christie Hamilton\Local Settings\Temp\full.exe -> Dropper.Agent.hl : Cleaned with backup
C:\Documents and Settings\Christie Hamilton\Local Settings\Temp\loadadv640.exe -> Downloader.Harnig.bc : Cleaned with backup
C:\Documents and Settings\Christie Hamilton\Local Settings\Temp\q2.exe -> Dropper.Agent.hl : Cleaned with backup
C:\Documents and Settings\Christie Hamilton\Local Settings\Temp\q6.exe -> Dropper.Agent.hl : Cleaned with backup
C:\Documents and Settings\Christie Hamilton\Local Settings\Temp\tp7543.exe -> Downloader.Qoologic.ax : Cleaned with backup
C:\Documents and Settings\Christie Hamilton\Local Settings\Temp\xxx1.exe -> Dropper.Agent.hl : Cleaned with backup
C:\Documents and Settings\Christie Hamilton\Local Settings\Temp\z2.exe -> Dropper.Agent.hl : Cleaned with backup
C:\Documents and Settings\Christie Hamilton\Local Settings\Temporary Internet Files\Content.IE5\2X465B9N\full[1].exe -> Dropper.Agent.hl : Cleaned with backup
C:\Documents and Settings\Christie Hamilton\Local Settings\Temporary Internet Files\Content.IE5\2X465B9N\newname10[1].exe -> Downloader.Adload.ae : Cleaned with backup
C:\Documents and Settings\Christie Hamilton\Local Settings\Temporary Internet Files\Content.IE5\2X465B9N\rcverlib[1].exe -> Downloader.Qoologic.ax : Cleaned with backup
C:\Documents and Settings\Christie Hamilton\Local Settings\Temporary Internet Files\Content.IE5\EZBA7X44\keyboard10[1].exe -> Downloader.Adload.am : Cleaned with backup
C:\Documents and Settings\Christie Hamilton\Local Settings\Temporary Internet Files\Content.IE5\GQNFVOOD\!update-3620[1].0000 -> Downloader.PurityScan.w : Cleaned with backup
C:\Documents and Settings\Christie Hamilton\Local Settings\Temporary Internet Files\Content.IE5\GQNFVOOD\full[1].exe -> Dropper.Agent.hl : Cleaned with backup
C:\Documents and Settings\KIDS\Cookies\kids@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\KIDS\Cookies\kids@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned with backup
C:\Documents and Settings\KIDS\Cookies\kids@ads1.revenue[1].txt -> TrackingCookie.Revenue : Cleaned with backup
C:\Documents and Settings\KIDS\Cookies\kids@cpvfeed[1].txt -> TrackingCookie.Cpvfeed : Cleaned with backup
C:\Documents and Settings\KIDS\Cookies\kids@h.starware[1].txt -> TrackingCookie.Starware : Cleaned with backup
C:\Documents and Settings\KIDS\Cookies\kids@partygaming.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\KIDS\Cookies\kids@paypopup[1].txt -> TrackingCookie.Paypopup : Cleaned with backup
C:\Documents and Settings\KIDS\Cookies\kids@try.starware[1].txt -> TrackingCookie.Starware : Cleaned with backup
C:\Documents and Settings\KIDS\Cookies\kids@yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\KIDS\Local Settings\Temporary Internet Files\Content.IE5\NCV9ED1G\newname7[1].exe -> Downloader.Adload.ae : Cleaned with backup
C:\Documents and Settings\LocalService\Cookies\system@c.enhance[2].txt -> TrackingCookie.Enhance : Cleaned with backup
C:\Documents and Settings\LocalService\Cookies\system@c.goclick[2].txt -> TrackingCookie.Goclick : Cleaned with backup
:mozilla.7:C:\Documents and Settings\stupid\Application Data\Mozilla\Firefox\Profiles\dtqcwzbq.default\cookies-1.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.9:C:\Documents and Settings\stupid\Application Data\Mozilla\Firefox\Profiles\dtqcwzbq.default\cookies-1.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.10:C:\Documents and Settings\stupid\Application Data\Mozilla\Firefox\Profiles\dtqcwzbq.default\cookies-1.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.11:C:\Documents and Settings\stupid\Application Data\Mozilla\Firefox\Profiles\dtqcwzbq.default\cookies-1.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.12:C:\Documents and Settings\stupid\Application Data\Mozilla\Firefox\Profiles\dtqcwzbq.default\cookies-1.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.13:C:\Documents and Settings\stupid\Application Data\Mozilla\Firefox\Profiles\dtqcwzbq.default\cookies-1.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.17:C:\Documents and Settings\stupid\Application Data\Mozilla\Firefox\Profiles\dtqcwzbq.default\cookies-1.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.18:C:\Documents and Settings\stupid\Application Data\Mozilla\Firefox\Profiles\dtqcwzbq.default\cookies-1.txt -> TrackingCookie.Doubleclick : Cleaned with backup
:mozilla.19:C:\Documents and Settings\stupid\Application Data\Mozilla\Firefox\Profiles\dtqcwzbq.default\cookies-1.txt -> TrackingCookie.Burstnet : Cleaned with backup
:mozilla.22:C:\Documents and Settings\stupid\Application Data\Mozilla\Firefox\Profiles\dtqcwzbq.default\cookies-1.txt -> TrackingCookie.Burstnet : Cleaned with backup
:mozilla.23:C:\Documents and Settings\stupid\Application Data\Mozilla\Firefox\Profiles\dtqcwzbq.default\cookies-1.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.24:C:\Documents and Settings\stupid\Application Data\Mozilla\Firefox\Profiles\dtqcwzbq.default\cookies-1.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.25:C:\Documents and Settings\stupid\Application Data\Mozilla\Firefox\Profiles\dtqcwzbq.default\cookies-1.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.30:C:\Documents and Settings\stupid\Application Data\Mozilla\Firefox\Profiles\dtqcwzbq.default\cookies-1.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.31:C:\Documents and Settings\stupid\Application Data\Mozilla\Firefox\Profiles\dtqcwzbq.default\cookies-1.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.32:C:\Documents and Settings\stupid\Application Data\Mozilla\Firefox\Profiles\dtqcwzbq.default\cookies-1.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.33:C:\Documents and Settings\stupid\Application Data\Mozilla\Firefox\Profiles\dtqcwzbq.default\cookies-1.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.34:C:\Documents and Settings\stupid\Application Data\Mozilla\Firefox\Profiles\dtqcwzbq.default\cookies-1.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.35:C:\Documents and Settings\stupid\Application Data\Mozilla\Firefox\Profiles\dtqcwzbq.default\cookies-1.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.36:C:\Documents and Settings\stupid\Application Data\Mozilla\Firefox\Profiles\dtqcwzbq.default\cookies-1.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.37:C:\Documents and Settings\stupid\Application Data\Mozilla\Firefox\Profiles\dtqcwzbq.default\cookies-1.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.38:C:\Documents and Settings\stupid\Application Data\Mozilla\Firefox\Profiles\dtqcwzbq.default\cookies-1.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.39:C:\Documents and Settings\stupid\Application Data\Mozilla\Firefox\Profiles\dtqcwzbq.default\cookies-1.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.40:C:\Documents and Settings\stupid\Application Data\Mozilla\Firefox\Profiles\dtqcwzbq.default\cookies-1.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.41:C:\Documents and Settings\stupid\Application Data\Mozilla\Firefox\Profiles\dtqcwzbq.default\cookies-1.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.42:C:\Documents and Settings\stupid\Application Data\Mozilla\Firefox\Profiles\dtqcwzbq.default\cookies-1.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.43:C:\Documents and Settings\stupid\Application Data\Mozilla\Firefox\Profiles\dtqcwzbq.default\cookies-1.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.44:C:\Documents and Settings\stupid\Application Data\Mozilla\Firefox\Profiles\dtqcwzbq.default\cookies-1.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.45:C:\Documents and Settings\stupid\Application Data\Mozilla\Firefox\Profiles\dtqcwzbq.default\cookies-1.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.46:C:\Documents and Settings\stupid\Application Data\Mozilla\Firefox\Profiles\dtqcwzbq.default\cookies-1.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.47:C:\Documents and Settings\stupid\Application Data\Mozilla\Firefox\Profiles\dtqcwzbq.default\cookies-1.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.48:C:\Documents and Settings\stupid\Application Data\Mozilla\Firefox\Profiles\dtqcwzbq.default\cookies-1.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.49:C:\Documents and Settings\stupid\Application Data\Mozilla\Firefox\Profiles\dtqcwzbq.default\cookies-1.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.50:C:\Documents and Settings\stupid\Application Data\Mozilla\Firefox\Profiles\dtqcwzbq.default\cookies-1.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.51:C:\Documents and Settings\stupid\Application Data\Mozilla\Firefox\Profiles\dtqcwzbq.default\cookies-1.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.52:C:\Documents and Settings\stupid\Application Data\Mozilla\Firefox\Profiles\dtqcwzbq.default\cookies-1.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.53:C:\Documents and Settings\stupid\Application Data\Mozilla\Firefox\Profiles\dtqcwzbq.default\cookies-1.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.54:C:\Documents and Settings\stupid\Application Data\Mozilla\Firefox\Profiles\dtqcwzbq.default\cookies-1.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.55:C:\Documents and Settings\stupid\Application Data\Mozilla\Firefox\Profiles\dtqcwzbq.default\cookies-1.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.56:C:\Documents and Settings\stupid\Application Data\Mozilla\Firefox\Profiles\dtqcwzbq.default\cookies-1.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.57:C:\Documents and Settings\stupid\Application Data\Mozilla\Firefox\Profiles\dtqcwzbq.default\cookies-1.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.58:C:\Documents and Settings\stupid\Application Data\Mozilla\Firefox\Profiles\dtqcwzbq.default\cookies-1.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.59:C:\Documents and Settings\stupid\Application Data\Mozilla\Firefox\Profiles\dtqcwzbq.default\cookies-1.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.60:C:\Documents and Settings\stupid\Application Data\Mozilla\Firefox\Profiles\dtqcwzbq.default\cookies-1.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.61:C:\Documents and Settings\stupid\Application Data\Mozilla\Firefox\Profiles\dtqcwzbq.default\cookies-1.txt -> TrackingCookie.Targetnet : Cleaned with backup
:mozilla.62:C:\Documents and Settings\stupid\Application Data\Mozilla\Firefox\Profiles\dtqcwzbq.default\cookies-1.txt -> TrackingCookie.Targetnet : Cleaned with backup
:mozilla.67:C:\Documents and Settings\stupid\Application Data\Mozilla\Firefox\Profiles\dtqcwzbq.default\cookies-1.txt -> TrackingCookie.Targetnet : Cleaned with backup
:mozilla.68:C:\Documents and Settings\stupid\Application Data\Mozilla\Firefox\Profiles\dtqcwzbq.default\cookies-1.txt -> TrackingCookie.Targetnet : Cleaned with backup
:mozilla.69:C:\Documents and Settings\stupid\Application Data\Mozilla\Firefox\Profiles\dtqcwzbq.default\cookies-1.txt -> TrackingCookie.Targetnet : Cleaned with backup
:mozilla.75:C:\Documents and Settings\stupid\Application Data\Mozilla\Firefox\Profiles\dtqcwzbq.default\cookies-1.txt -> TrackingCookie.Atdmt : Cleaned with backup
:mozilla.93:C:\Documents and Settings\stupid\Application Data\Mozilla\Firefox\Profiles\dtqcwzbq.default\cookies-1.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.94:C:\Documents and Settings\stupid\Application Data\Mozilla\Firefox\Profiles\dtqcwzbq.default\cookies-1.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.95:C:\Documents and Settings\stupid\Application Data\Mozilla\Firefox\Profiles\dtqcwzbq.default\cookies-1.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.96:C:\Documents and Settings\stupid\Application Data\Mozilla\Firefox\Profiles\dtqcwzbq.default\cookies-1.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.97:C:\Documents and Settings\stupid\Application Data\Mozilla\Firefox\Profiles\dtqcwzbq.default\cookies-1.txt -> TrackingCookie.Bluestreak : Cleaned with backup

#6 SifuMike

Posted 11 April 2006 - 04:15 PM

Hello El_Kabong,

This computer is still quite a mess. :thumbsup: I see a look2me infection, plus several others. We will go after the Look2me infection first.


Please download Look2Me-Destroyer.exe to your desktop.
Close all windows before continuing.
Double-click Look2Me-Destroyer.exe to run it.

Put a check next to Run this program as a task.

You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK

When Look2Me-Destroyer re-opens, click the Scan for L2M button. Your desktop icons will disappear; this is normal.

Once it's done scanning, click the Remove L2M button.
You will receive a Done Scanning message, click OK.

When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.

Your computer will then shut down.
Turn your computer back on.

If you receive a message from your firewall about this program accessing the internet please allow it.

If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory. http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX

************************

Let's see what the latest ewido scan will show.

Run Ewido in the Safe Mode.
To get to the Safe Mode, tap the F8 key during reboot until the boot menu appears. Use the arrow keys to choose "Safe Mode" from the menu, then press the "Enter" key.

Once the scan has completed, there will be a button located on the bottom of the screen named Save report
Click Save report.
Save the report .txt file to your desktop.

Please post the contents of C:\Look2Me-Destroyer.txt, the Ewido report .txt and a new HiJackThis log.

Edited by SifuMike, 11 April 2006 - 04:58 PM.

#7 El_Kabong

Posted 12 April 2006 - 10:28 AM

OK, thanks, I have been having so much trouble lately. Here's the Look2Me-Destroyer log:
Infected! C:\WINDOWS\system32\jt0u07d9e.dll
Infected! C:\WINDOWS\system32\jt0u07d9e.dll
Infected! C:\WINDOWS\system32\ktnul7591.dll
Infected! C:\WINDOWS\system32\m8ju0i19e8.dll
Infected! C:\WINDOWS\system32\nKrrhook.dll
Infected! C:\WINDOWS\system32\rnvpsp.dll
Infected! C:\WINDOWS\system32\salwid.dll
Infected! C:\WINDOWS\system32\t48ulel91hq.dll
Infected! C:\WINDOWS\system32\guard.tmp

Attempting to delete infected files...

Attempting to delete: C:\WINDOWS\system32\jt0u07d9e.dll
C:\WINDOWS\system32\jt0u07d9e.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\jt0u07d9e.dll
C:\WINDOWS\system32\jt0u07d9e.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\ktnul7591.dll
C:\WINDOWS\system32\ktnul7591.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\m8ju0i19e8.dll
C:\WINDOWS\system32\m8ju0i19e8.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\nKrrhook.dll
C:\WINDOWS\system32\nKrrhook.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\rnvpsp.dll
C:\WINDOWS\system32\rnvpsp.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\salwid.dll
C:\WINDOWS\system32\salwid.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\t48ulel91hq.dll
C:\WINDOWS\system32\t48ulel91hq.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\guard.tmp
C:\WINDOWS\system32\guard.tmp Deleted successfully!

Making registry repairs.

Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Telephony

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{5321926A-6066-4DAB-ABE9-66254F62E204}"
HKCR\Clsid\{5321926A-6066-4DAB-ABE9-66254F62E204}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{4E59E047-DD32-46E7-8D6E-5962D99BF2D9}"
HKCR\Clsid\{4E59E047-DD32-46E7-8D6E-5962D99BF2D9}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{06B0462A-E511-4FF0-85F6-EEB59C75B264}"
HKCR\Clsid\{06B0462A-E511-4FF0-85F6-EEB59C75B264}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{128E818F-DEC5-4AC5-82D1-30A4014591F2}"
HKCR\Clsid\{128E818F-DEC5-4AC5-82D1-30A4014591F2}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{BF9692EC-FA91-4E71-A0A4-5E4EFD8684C7}"
HKCR\Clsid\{BF9692EC-FA91-4E71-A0A4-5E4EFD8684C7}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{05044BBF-67EE-425D-A6E0-7CCB21E77C4E}"
HKCR\Clsid\{05044BBF-67EE-425D-A6E0-7CCB21E77C4E}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{B85FB7DC-778D-4BF7-812F-666A989FFABD}"
HKCR\Clsid\{B85FB7DC-778D-4BF7-812F-666A989FFABD}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{CF3626C8-A7C5-4ACC-859A-054EC8F9566B}"
HKCR\Clsid\{CF3626C8-A7C5-4ACC-859A-054EC8F9566B}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{07288AD6-7A59-40B4-B3B4-78167099C68C}"
HKCR\Clsid\{07288AD6-7A59-40B4-B3B4-78167099C68C}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{F0C190BF-D2D3-4B5D-A95F-DA05CA33752E}"
HKCR\Clsid\{F0C190BF-D2D3-4B5D-A95F-DA05CA33752E}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{EA7950D9-67F4-4831-BB2F-5E7F00FD6F1B}"
HKCR\Clsid\{EA7950D9-67F4-4831-BB2F-5E7F00FD6F1B}

Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administrators - Succeeded
--------------------------------------------------------------------------

the ewido log:
HKLM\SOFTWARE\Classes\DyFuCA_BH.BHObj -> Adware.MoneyTree : Error during cleaning
HKLM\SOFTWARE\Classes\DyFuCA_BH.BHObj.1 -> Adware.MoneyTree : Error during cleaning
HKLM\SOFTWARE\Classes\IeBHOs.Control -> Adware.E2G : Error during cleaning
HKLM\SOFTWARE\Classes\IeBHOs.Control.1 -> Adware.E2G : Error during cleaning
HKLM\SOFTWARE\Classes\IObjSafety.DemoCtl -> Adware.MediaMotor : Error during cleaning
HKLM\SOFTWARE\Classes\WhIeHelperObj.WhIeHelperObj -> Adware.WebHancer : Error during cleaning
HKLM\SOFTWARE\Classes\WhIeHelperObj.WhIeHelperObj.1 -> Adware.WebHancer : Error during cleaning
C:\Documents and Settings\Christie Hamilton\Local Settings\Temp\Cookies\christie hamilton@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Christie Hamilton\Local Settings\Temp\Cookies\christie hamilton@adrevolver[2].txt -> TrackingCookie.Adrevolver : Cleaned with backup
C:\Documents and Settings\Christie Hamilton\Local Settings\Temp\Cookies\christie hamilton@ads.addynamix[2].txt -> TrackingCookie.Addynamix : Cleaned with backup
C:\Documents and Settings\Christie Hamilton\Local Settings\Temp\Cookies\christie hamilton@ads.pointroll[2].txt -> TrackingCookie.Pointroll : Cleaned with backup
C:\Documents and Settings\Christie Hamilton\Local Settings\Temp\Cookies\christie hamilton@as-us.falkag[2].txt -> TrackingCookie.Falkag : Cleaned with backup
C:\Documents and Settings\Christie Hamilton\Local Settings\Temp\Cookies\christie hamilton@as.casalemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\Christie Hamilton\Local Settings\Temp\Cookies\christie hamilton@bluestreak[1].txt -> TrackingCookie.Bluestreak : Cleaned with backup
C:\Documents and Settings\Christie Hamilton\Local Settings\Temp\Cookies\christie hamilton@casalemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\Christie Hamilton\Local Settings\Temp\Cookies\christie hamilton@cnn.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Christie Hamilton\Local Settings\Temp\Cookies\christie hamilton@cpvfeed[1].txt -> TrackingCookie.Cpvfeed : Cleaned with backup
C:\Documents and Settings\Christie Hamilton\Local Settings\Temp\Cookies\christie hamilton@edge.ru4[2].txt -> TrackingCookie.Ru4 : Cleaned with backup
C:\Documents and Settings\Christie Hamilton\Local Settings\Temp\Cookies\christie hamilton@questionmarket[2].txt -> TrackingCookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Christie Hamilton\Local Settings\Temp\Cookies\christie hamilton@revenue[2].txt -> TrackingCookie.Revenue : Cleaned with backup
C:\Documents and Settings\Christie Hamilton\Local Settings\Temp\Cookies\christie hamilton@trafficmp[1].txt -> TrackingCookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\Christie Hamilton\Local Settings\Temp\Cookies\christie hamilton@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Christie Hamilton\Local Settings\Temp\Cookies\christie hamilton@z1.adserver[1].txt -> TrackingCookie.Adserver : Cleaned with backup
C:\Documents and Settings\Christie Hamilton\Local Settings\Temp\Cookies\christie hamilton@zedo[1].txt -> TrackingCookie.Zedo : Cleaned with backup
C:\Documents and Settings\Christie Hamilton\Local Settings\Temp\Temporary Internet Files\Content.IE5\0BA5WTOZ\loadex[1].exe -> Downloader.Agent.aie : Cleaned with backup
C:\Documents and Settings\KIDS\Local Settings\Temp\Cookies\kids@2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\KIDS\Local Settings\Temp\Cookies\kids@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\KIDS\Local Settings\Temp\Cookies\kids@ads.pointroll[2].txt -> TrackingCookie.Pointroll : Cleaned with backup
C:\Documents and Settings\KIDS\Local Settings\Temp\Cookies\kids@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup
C:\Documents and Settings\KIDS\Local Settings\Temp\Cookies\kids@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\KIDS\Local Settings\Temp\Cookies\kids@project2.realtracker[2].txt -> TrackingCookie.Realtracker : Cleaned with backup
C:\Documents and S

#8 SifuMike


Posted 12 April 2006 - 01:47 PM

Hi El_Kabong,

You forgot to post the Hijackthis log. :thumbsup:

#9 El_Kabong


Posted 12 April 2006 - 02:56 PM

doh! sorry. here it is
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Charter High-Speed Security Suite\Common\FSM32.EXE
C:\Program Files\Charter High-Speed Security Suite\FSGUI\ispnews.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iolo\System Mechanic 6\PopupBlocker.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\CHARTE~1\backweb\3528733\Program\SERVIC~1.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\Program\fspex.exe
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsgk32st.exe
C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\program\fsbwsys.exe
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\FSGK32.EXE
C:\Program Files\Charter High-Speed Security Suite\Common\FSMA32.EXE
C:\Program Files\Charter High-Speed Security Suite\Common\FSMB32.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fssm32.exe
C:\Program Files\Charter High-Speed Security Suite\Common\FCH32.EXE
C:\Program Files\Charter High-Speed Security Suite\Common\FAMEH32.EXE
C:\Program Files\Charter High-Speed Security Suite\FSPC\fspc.exe
C:\Program Files\Charter High-Speed Security Suite\FWES\Program\fsdfwd.exe
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsav32.exe
C:\Program Files\Charter High-Speed Security Suite\FSGUI\fsguiexe.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Charter High-Speed Security Suite\FSGUI\fsavgui.exe
C:\Program Files\hijackthis\HijackThis.exe
C:\Program Files\Charter High-Speed Security Suite\FSGUI\fsavaui.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\ngshy.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,xbalkdj.exe
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [vnguyv] C:\WINDOWS\system32\wwcdax.exe reg_run
O4 - HKLM\..\Run: [ioloDelayModule] C:\Program Files\iolo\System Mechanic 6\delay.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Charter High-Speed Security Suite\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Charter High-Speed Security Suite\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\Charter High-Speed Security Suite\FSGUI\FSSW.EXE" /reboot
O4 - HKLM\..\Run: [News Service] "C:\Program Files\Charter High-Speed Security Suite\FSGUI\ispnews.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SuperAdBlocker] C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SAdBlock.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [sknvb] C:\WINDOWS\system32\wwcdax.exe reg_run
O4 - HKCU\..\Run: [System Mechanic Popup Blocker] "C:\Program Files\iolo\System Mechanic 6\PopupBlocker.exe"
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Web Filter - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: Show website &list - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F02} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: &Suspend Webpage Filter - {200DB664-75B5-47c0-8B45-A44ACCF73F02} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F03} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: &Deny this website - {200DB664-75B5-47c0-8B45-A44ACCF73F03} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F04} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: &Allow this website - {200DB664-75B5-47c0-8B45-A44ACCF73F04} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {91663649-416A-42A5-8E54-B63C1ECA0548} - C:\Program Files\Surfapps.com\PopThis! Free Version\PopThis.dll
O9 - Extra 'Tools' menuitem: PopThis! Options... - {91663649-416A-42A5-8E54-B63C1ECA0548} - C:\Program Files\Surfapps.com\PopThis! Free Version\PopThis.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'winsflt.dll' missing
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {444B911E-6E55-4A11-B3E9-0D3E21AE0437} - http://www.exfol.com/v/1/i/eins005.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...83/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1144248561203
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/1441/ftp...23/cpbrkpie.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,20/mcgdmgr.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.shockwave.com/content/heavyweap...aploader_v6.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Charter High-Speed Security Suite (BackWeb Plug-in - 3528733) - Unknown owner - C:\PROGRA~1\CHARTE~1\backweb\3528733\Program\SERVIC~1.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsgk32st.exe
O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure HTTP Server (fshttps) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\FSPC\fshttps\fshttps.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\Common\FSMA32.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe

#10 SifuMike


Posted 12 April 2006 - 04:05 PM

Hi El_Kabong,

We are making progress. :thumbsup: The Look2Me infection is gone. Now we tackle the others.

Download LSP - Fix

Run LSP-Fix.
Check the Box labeled "I know what I'm doing" and then click on the winsflt.dll file (in the “Keep” section) to select it.
Then, Select the >> button to move winsflt.dll into the Remove section.
Now, click the Finish Button.
When the Repair Summary box appears, click OK.
If it is already in the Remove section, just click Finish.


**********************************

Please run a scan with HijackThis and check the following objects for removal:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\ngshy.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,xbalkdj.exe
O4 - HKLM\..\Run: [vnguyv] C:\WINDOWS\system32\wwcdax.exe reg_run
O4 - HKCU\..\Run: [sknvb] C:\WINDOWS\system32\wwcdax.exe reg_run


Now close ALL other open windows except for HijackThis and hit FIX CHECKED.

Please reboot.

**********************************

Please copy the following text in the codebox below to a blank Notepad file. Make sure the filetype is set to "All Files" and save it as Killqoo.reg to your desktop.

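REGEDIT4

; Restore the default Winlogon values; the malware had appended its own
; executables (ngshy.exe, xbalkdj.exe) to them.
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\System32\\userinit.exe,"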

Now double-click on the Killqoo.reg on your desktop and allow it to merge with registry by clicking YES on the prompt.

**********************************

Run Killbox and select the below files (including filepath) with your mouse, right-click and choose Copy. Insert your mouse pointer within the box entitled "Full Filepath of File to Delete", right-click again and choose File > Paste from Clipboard.
All the files should now appear in the box (click on the Tab and check to make sure that only the files I have identified as malware and marked for deletion are there).
If each file exists, it will appear in blue under that window when you click on it.

Click on Delete on Reboot.
Click on All Files
Click on End Explorer Shell While Killing File

You will get a message saying "File will be deleted on next reboot", click "Yes".
"Process and Reboot now?" Click "Yes" to reboot.

C:\WINDOWS\system32\xbalkdj.exe
C:\WINDOWS\system32\ngshy.exe
C:\WINDOWS\system32\wwcdax.exe
C:\WINDOWS\system32\qwinsrag.exe

Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!). If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

Post back with a fresh HijackThis log.

Edited by SifuMike, 12 April 2006 - 04:24 PM.
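
An added example, not part of SifuMike's post and not HijackThis code: a Python check that reads HijackThis-style lines and reports the two persistence patterns the post above asks to fix, namely extra programs appended to the Winlogon Shell/UserInit values and one executable started from several differently named Run values. The sample lines are copied from the log in post #9; the function names, the finding labels and the allowed-value table are assumptions of this example.

```python
import re
from collections import defaultdict

# Lines copied from the HijackThis log in post #9 of this thread.
SAMPLE_LOG = r"""
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\ngshy.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,xbalkdj.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [vnguyv] C:\WINDOWS\system32\wwcdax.exe reg_run
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [sknvb] C:\WINDOWS\system32\wwcdax.exe reg_run
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O10 - Broken Internet access because of LSP provider 'winsflt.dll' missing
"""

# Assumption: Windows is installed in C:\WINDOWS, as in the logs on this page.
# Anything else listed in these values is reported, including a look-alike
# userinit.exe or explorer.exe in a different directory.
ALLOWED_WINLOGON = {
    "shell": {"explorer.exe", r"c:\windows\explorer.exe"},
    "userinit": {"userinit.exe", r"c:\windows\system32\userinit.exe"},
}

F2_RE = re.compile(r"^F2 - REG:system\.ini: (Shell|UserInit)=(.*)$", re.I)
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run\w*: \[([^\]]+)\] (.*)$")
EXE_RE = re.compile(r"(.+?\.(?:exe|com|bat|cmd|scr|pif))(?:\s|$)", re.I)


def winlogon_extras(line):
    """For an F2 line return (value_name, [unexpected programs]); else None."""
    m = F2_RE.match(line.strip())
    if not m:
        return None
    name = m.group(1).lower()
    # The value is a comma-separated list; the stock Userinit ends in a comma.
    programs = [p.strip().strip('"') for p in m.group(2).split(",") if p.strip()]
    extras = [p for p in programs if p.lower() not in ALLOWED_WINLOGON[name]]
    return name, extras


def executable_of(command):
    """Lower-cased executable path of a Run command line, quoted or not."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0].lower()
    m = EXE_RE.match(command)  # unquoted paths may contain spaces
    return (m.group(1) if m else command).lower()


def shared_run_targets(lines):
    """Executables that are started from more than one distinct value name.

    Heuristic: legitimate software that registers in both HKLM and HKCU
    normally reuses one value name, so different names are worth a look.
    """
    seen = defaultdict(set)
    for line in lines:
        m = O4_RE.match(line.strip())
        if m:
            hive, value_name, command = m.groups()
            seen[executable_of(command)].add((hive, value_name))
    flagged = {}
    for exe, entries in seen.items():
        if len({name.lower() for _, name in entries}) > 1:
            flagged[exe] = sorted(f"{hive}:{name}" for hive, name in entries)
    return flagged


def review(log_text):
    """Return a list of (finding, details) tuples for a HijackThis log."""
    lines = [l for l in log_text.splitlines() if l.strip()]
    findings = []
    for line in lines:
        result = winlogon_extras(line)
        if result and result[1]:
            findings.append(("winlogon-" + result[0], result[1]))
    for exe, where in shared_run_targets(lines).items():
        findings.append(("run-multi-name", [exe] + where))
    return findings


if __name__ == "__main__":
    for finding, details in review(SAMPLE_LOG):
        print(finding, details)
```

Run against a log taken after the fix, the same check should return no findings; a remaining `winlogon-*` finding means the Shell or UserInit value still lists something besides the stock program.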


#11 El_Kabong


Posted 12 April 2006 - 05:48 PM

2 quick things...

-the reg file didn't prompt me for anything...it saved as a registry file w/ the icon and everything but the hour glass came up then opened up wordpad

and when i copy the 4 files and hit paste from clipboard it leaves the box empty...if i try just a paste it only pastes the top one...word keeps freezing up on me so i can't copy it all to the clipboard that way...

but here's a new hijackthis log stopping before the killbox instructions

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Charter High-Speed Security Suite\FSGUI\ispnews.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iolo\System Mechanic 6\PopupBlocker.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\CHARTE~1\backweb\3528733\Program\SERVIC~1.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsgk32st.exe
C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\program\fsbwsys.exe
C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\Program\fspex.exe
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\FSGK32.EXE
C:\Program Files\Charter High-Speed Security Suite\Common\FSMA32.EXE
C:\Program Files\Charter High-Speed Security Suite\Common\FSMB32.EXE
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fssm32.exe
C:\Program Files\Charter High-Speed Security Suite\Common\FCH32.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Charter High-Speed Security Suite\Common\FAMEH32.EXE
C:\Program Files\Charter High-Speed Security Suite\FSPC\fspc.exe
C:\Program Files\Charter High-Speed Security Suite\FWES\Program\fsdfwd.exe
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsav32.exe
C:\Program Files\Charter High-Speed Security Suite\FSGUI\fsguiexe.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ioloDelayModule] C:\Program Files\iolo\System Mechanic 6\delay.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Charter High-Speed Security Suite\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Charter High-Speed Security Suite\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\Charter High-Speed Security Suite\FSGUI\FSSW.EXE" /reboot
O4 - HKLM\..\Run: [News Service] "C:\Program Files\Charter High-Speed Security Suite\FSGUI\ispnews.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SuperAdBlocker] C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SAdBlock.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [System Mechanic Popup Blocker] "C:\Program Files\iolo\System Mechanic 6\PopupBlocker.exe"
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Web Filter - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: Show website &list - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F02} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: &Suspend Webpage Filter - {200DB664-75B5-47c0-8B45-A44ACCF73F02} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F03} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: &Deny this website - {200DB664-75B5-47c0-8B45-A44ACCF73F03} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F04} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: &Allow this website - {200DB664-75B5-47c0-8B45-A44ACCF73F04} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {91663649-416A-42A5-8E54-B63C1ECA0548} - C:\Program Files\Surfapps.com\PopThis! Free Version\PopThis.dll
O9 - Extra 'Tools' menuitem: PopThis! Options... - {91663649-416A-42A5-8E54-B63C1ECA0548} - C:\Program Files\Surfapps.com\PopThis! Free Version\PopThis.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {444B911E-6E55-4A11-B3E9-0D3E21AE0437} - http://www.exfol.com/v/1/i/eins005.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...83/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1144248561203
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/1441/ftp...23/cpbrkpie.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,20/mcgdmgr.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.shockwave.com/content/heavyweap...aploader_v6.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Charter High-Speed Security Suite (BackWeb Plug-in - 3528733) - Unknown owner - C:\PROGRA~1\CHARTE~1\backweb\3528733\Program\SERVIC~1.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsgk32st.exe
O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure HTTP Server (fshttps) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\FSPC\fshttps\fshttps.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\Common\FSMA32.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe

Edited by El_Kabong, 12 April 2006 - 05:53 PM.


#12 SifuMike


Posted 12 April 2006 - 05:57 PM

You can bypass the reg file.

and when i copy the 4 files and hit paste from clipboard it leaves the box empty...if i try just a paste it only pastes the top one...word keeps freezing up on me so i can't copy it all to the clipboard that way...


You did this same Killbox previously so it should work OK now.

Do this then continue with the rest of the fix.

Click killbox.exe.
put a checkmark in "End Explorer Shell While Killing File".
Select the option "Delete on reboot".
Click the button: All Files (!important!)
Now it should flash green.

Now copy the next part:

C:\WINDOWS\system32\xbalkdj.exe
C:\WINDOWS\system32\ngshy.exe
C:\WINDOWS\system32\wwcdax.exe
C:\WINDOWS\system32\qwinsrag.exe


Open 'file' in the killbox menu on top and choose Paste from clipboard

Then press the button that looks like a red circle with a white X in it.
Killbox will tell you that all listed files will be removed on next reboot and asks if you would like to Reboot now, click YES

If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message then just restart manually.

then continue with the rest of the fix.

Edited by SifuMike, 12 April 2006 - 06:20 PM.


#13 SifuMike


Posted 12 April 2006 - 06:05 PM

Did you delete the files with Killbox? :thumbsup:


If you can't get the cut and paste to work properly, then do it like this:

Run Killbox program, in the field labeled "Full Path of File to Delete" enter (or copy and paste)

C:\WINDOWS\system32\xbalkdj.exe

put a checkmark in "End Explorer Shell While Killing File", select the "Delete on Reboot" and click on the Red X (delete file), when it asks if you would like to Reboot now, press the No button

Repeat with these:
C:\WINDOWS\system32\ngshy.exe
C:\WINDOWS\system32\wwcdax.exe


For the last file, in the field labeled "Full Path of File to Delete" enter (or copy and paste)
C:\WINDOWS\system32\qwinsrag.exe

put a checkmark in "End Explorer Shell While Killing File", select the "Delete on Reboot" and click on the Red X (delete file), when it asks if you would like to Reboot now, this time press Yes button

If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message then just restart manually.

Then post a fresh Hijackthis log and tell me how your computer is running.

Edited by SifuMike, 12 April 2006 - 06:18 PM.


#14 El_Kabong


Posted 13 April 2006 - 06:48 AM

OK, I was able to do them one by one... here's the new HijackThis log

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\CHARTE~1\backweb\3528733\Program\SERVIC~1.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsgk32st.exe
C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\program\fsbwsys.exe
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\FSGK32.EXE
C:\Program Files\Charter High-Speed Security Suite\Common\FSMA32.EXE
C:\Program Files\Charter High-Speed Security Suite\Common\FSMB32.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fssm32.exe
C:\Program Files\Charter High-Speed Security Suite\Common\FCH32.EXE
C:\Program Files\Charter High-Speed Security Suite\Common\FAMEH32.EXE
C:\Program Files\Charter High-Speed Security Suite\FSPC\fspc.exe
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsav32.exe
C:\Program Files\Charter High-Speed Security Suite\FWES\Program\fsdfwd.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Charter High-Speed Security Suite\Common\FSM32.EXE
C:\Program Files\Charter High-Speed Security Suite\FSGUI\ispnews.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iolo\System Mechanic 6\PopupBlocker.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\Program\fspex.exe
C:\Program Files\Charter High-Speed Security Suite\FSGUI\fsguiexe.exe
C:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ioloDelayModule] C:\Program Files\iolo\System Mechanic 6\delay.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Charter High-Speed Security Suite\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Charter High-Speed Security Suite\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\Charter High-Speed Security Suite\FSGUI\FSSW.EXE" /reboot
O4 - HKLM\..\Run: [News Service] "C:\Program Files\Charter High-Speed Security Suite\FSGUI\ispnews.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SuperAdBlocker] C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SAdBlock.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [System Mechanic Popup Blocker] "C:\Program Files\iolo\System Mechanic 6\PopupBlocker.exe"
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Web Filter - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: Show website &list - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F02} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: &Suspend Webpage Filter - {200DB664-75B5-47c0-8B45-A44ACCF73F02} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F03} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: &Deny this website - {200DB664-75B5-47c0-8B45-A44ACCF73F03} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F04} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: &Allow this website - {200DB664-75B5-47c0-8B45-A44ACCF73F04} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {91663649-416A-42A5-8E54-B63C1ECA0548} - C:\Program Files\Surfapps.com\PopThis! Free Version\PopThis.dll
O9 - Extra 'Tools' menuitem: PopThis! Options... - {91663649-416A-42A5-8E54-B63C1ECA0548} - C:\Program Files\Surfapps.com\PopThis! Free Version\PopThis.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {444B911E-6E55-4A11-B3E9-0D3E21AE0437} - http://www.exfol.com/v/1/i/eins005.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...83/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1144248561203
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/1441/ftp...23/cpbrkpie.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,20/mcgdmgr.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.shockwave.com/content/heavyweap...aploader_v6.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Charter High-Speed Security Suite (BackWeb Plug-in - 3528733) - Unknown owner - C:\PROGRA~1\CHARTE~1\backweb\3528733\Program\SERVIC~1.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsgk32st.exe
O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure HTTP Server (fshttps) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\FSPC\fshttps\fshttps.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\Common\FSMA32.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe
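
Added example, not part of the thread: a small Python parser for the HijackThis log format posted above, used to confirm that the four files queued for deletion with Killbox no longer appear in a fresh log. The function names and the embedded excerpt (a handful of lines copied from the log above) are choices made for this example.

```python
import re

# Files queued for deletion with Killbox (paths taken from the thread).
REMOVED = [
    r"C:\WINDOWS\system32\xbalkdj.exe",
    r"C:\WINDOWS\system32\ngshy.exe",
    r"C:\WINDOWS\system32\wwcdax.exe",
    r"C:\WINDOWS\system32\qwinsrag.exe",
]

# Excerpt of the fresh log above (a subset of its lines, copied verbatim).
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Charter High-Speed Security Suite (BackWeb Plug-in - 3528733) - Unknown owner - C:\PROGRA~1\CHARTE~1\backweb\3528733\Program\SERVIC~1.EXE
"""

# Section lines look like "O4 - HKLM\..\Run: ..." (letter, 1-2 digits, " - ").
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")

def parse_log(text):
    """Split a HijackThis log into running processes and (code, detail) entries."""
    processes, entries, in_procs = [], [], False
    for line in (l.strip() for l in text.splitlines()):
        m = ENTRY.match(line)
        if line == "Running processes:":
            in_procs = True
        elif m:
            in_procs = False
            entries.append((m.group(1), m.group(2)))
        elif in_procs and line:
            processes.append(line)
    return processes, entries

def still_present(text, removed=REMOVED):
    """Return removed paths that still appear anywhere in the log (case-insensitive)."""
    lowered = text.lower()
    return [p for p in removed if p.lower() in lowered]

def annotated(entries):
    """Entries that HijackThis itself marked '(file missing)' or 'Unknown owner'."""
    return [(c, d) for c, d in entries if "(file missing)" in d or "Unknown owner" in d]
```

An empty result from `still_present` means none of the removed paths is referenced as a running process or startup entry in the new log. The entries returned by `annotated` are ones to read by hand; the markers come from HijackThis and are not a verdict on the file.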

#15 SifuMike


Posted 13 April 2006 - 11:02 AM

Hi El_Kabong,

That is one clean log. :thumbsup:

Let's clean your System Restore points and set a new one:

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows.
The files in System Restore are protected to prevent any programs from changing those files.
This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)

1. Turn off System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK

2. Restart your computer.

3. Turn ON System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK.

System Restore will now be active again.

Please read and follow Groovicus' Guide to Simple PC Security to help keep yourself from becoming infected again.