
Infected With Surf Side Kick 3 And Others.


  • This topic is locked
17 replies to this topic

#1 Capthxc

  • Members
  • 31 posts

Posted 06 June 2006 - 03:47 PM

Hello, I have been having these problems for quite some time, but I just recently found your forum. The types of problems I'm having include: having a pop-up browser as part of my wallpaper; the computer will run slower at times; random pop-up messages without an actual browser window, such as messages saying to click Yes to continue on to Party Poker; the wallpaper tends to turn all white at times. Whenever I run Ad-Aware and Spybot, it tells me it cannot remove SurfSideKick and Command Services. Most of the problems come back when I restart my computer as well. I have tried using Add/Remove Programs for SurfSideKick and it does not show up. I have also tried running those programs in Safe Mode, but I still have the same problems. I apologize for any inconvenience, and any help is appreciated. My HJT log file will be pasted below. Thanks!


Logfile of HijackThis v1.99.1
Scan saved at 4:06:24 PM, on 6/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\jdxcenc.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\win32091-86630589.exe
C:\WINDOWS\ms065891-86630.exe
C:\WINDOWS\awtkumvA.exe
C:\WINDOWS\errorhandler.exe
C:\Program Files\Armor2net\Armor2net Personal Firewall\Armor2net.exe
C:\WINDOWS\jglwgfqA.exe
C:\WINDOWS\srvdaaryco.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Common Files\??curity\s?chost.exe
C:\Program Files\BigFix\BigFix.exe
c:\windows\system32\dwdsregt.exe
C:\WINDOWS\system32\WNSXS~1\fast.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\HijackThis\HijackThis.exe

R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\uaexd.exe
F2 - REG:system.ini: UserInit=userinit.exe,gvkcoau.exe
O2 - BHO: CFG32S - {7564B020-44E8-4c9b-A887-C6EC41AC67DA} - (no file)
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [navapp] C:\Program Files\NavExcel\NavHelper\v2.0.4d\navapp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [exp] C:\WINDOWS\system32\exp
O4 - HKLM\..\Run: [Sysnet] C:\DOCUME~1\Owner\LOCALS~1\Temp\sysnet.exe
O4 - HKLM\..\Run: [jdxcenc] C:\WINDOWS\jdxcenc.EXE
O4 - HKLM\..\Run: [2s3h38O] conacc.exe
O4 - HKLM\..\Run: [yvrbpmj] C:\WINDOWS\yvrbpmj.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\CheckS02.exe
O4 - HKLM\..\Run: [win32091-86630589] C:\WINDOWS\win32091-86630589.exe
O4 - HKLM\..\Run: [ms065891-86630] C:\WINDOWS\ms065891-86630.exe
O4 - HKLM\..\Run: [awtkumvA] C:\WINDOWS\awtkumvA.exe
O4 - HKLM\..\Run: [errorhandler] C:\WINDOWS\errorhandler.exe
O4 - HKLM\..\Run: [w1d7513a.dll] RUNDLL32.EXE w1d7513a.dll,I2 000df09201d7513a
O4 - HKLM\..\Run: [Armor2net] C:\Program Files\Armor2net\Armor2net Personal Firewall\Armor2net.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [{D3-38-89-9D-ZN}] c:\windows\system32\dwdsregt.exe GID003
O4 - HKLM\..\Run: [jglwgfqA] C:\WINDOWS\jglwgfqA.exe
O4 - HKLM\..\Run: [srvdaaryco] C:\WINDOWS\srvdaaryco.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [mcdsmo] C:\WINDOWS\system32\mcdsmo.exe
O4 - HKCU\..\Run: [irssyncd] C:\WINDOWS\system32\irssyncd.exe
O4 - HKCU\..\Run: [Cpue] "C:\WINDOWS\system32\WNSXS~1\fast.exe" -vt yazr
O4 - HKCU\..\Run: [Bxxwmep] C:\Program Files\Common Files\??curity\s?chost.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - Startup: Z_Start.lnk = C:\WINDOWS\system32\pjdsregm.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\armor2net\armor2net personal firewall\netdog.dll
O10 - Unknown file in Winsock LSP: c:\program files\armor2net\armor2net personal firewall\netdog.dll
O10 - Unknown file in Winsock LSP: c:\program files\armor2net\armor2net personal firewall\netdog.dll
O10 - Unknown file in Winsock LSP: c:\program files\armor2net\armor2net personal firewall\netdog.dll
O10 - Unknown file in Winsock LSP: c:\program files\armor2net\armor2net personal firewall\netdog.dll
O20 - AppInit_DLLs: repairs303169587.dll
O20 - Winlogon Notify: Applets - C:\WINDOWS\system32\g4jole131h.dll (file missing)
O20 - Winlogon Notify: Control Panel - C:\WINDOWS\system32\uzp10.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


#2 sUBs

  • Malware Response Team
  • 2,489 posts

Posted 06 June 2006 - 08:22 PM

Hello and Welcome. Please subscribe to this thread to get immediate notification of replies as soon as they are posted.

Please read this post completely before beginning. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any open browsers when you are carrying out the procedures below. Save the following instructions in Notepad, as this webpage would not be available when you're carrying out the fix.


* * * * * *


  • Download and run - bfu.zip
  • Checkmark the following boxes:
    • Use settings specified in script for the above option
    • Show log after script ends
  • Click the Web button located on the top right corner
  • Copy/paste this URL into the address bar of the Download script window:

    http://metallica.geekstogo.com/alcanshorty.bfu

  • Execute the script by clicking the Execute button.
  • When it finishes running, click the Save button for a copy of the log.
  • Post the log created by the script when you have completed the fix.
* * * * * *


Download this file - combofix.zip
From within it, double-click on combo.exe & follow the prompts.
When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


* * * * * * ADDITIONAL DOWNLOADS * * * * * * * * * * * * * *


Download & install CleanUp.exe (not recommended for WinXP64).

Download Dr.Web CureIt & save it on the desktop. We shall be using it later.

'UNPLUG'/DISCONNECT your computer from the Internet when you have finished downloading.
It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.


* * * * * * FIXING ENTRIES WITH HIJACKTHIS * * * * * * * * * *


Do a HijackThis scan & place a check next to these items and select "Fix checked":

O2 - BHO: CFG32S - {7564B020-44E8-4c9b-A887-C6EC41AC67DA} - (no file)
O4 - HKLM\..\Run: [navapp] C:\Program Files\NavExcel\NavHelper\v2.0.4d\navapp.exe
O4 - HKLM\..\Run: [exp] C:\WINDOWS\system32\exp
O4 - HKLM\..\Run: [Sysnet] C:\DOCUME~1\Owner\LOCALS~1\Temp\sysnet.exe
O4 - HKLM\..\Run: [jdxcenc] C:\WINDOWS\jdxcenc.EXE
O4 - HKLM\..\Run: [2s3h38O] conacc.exe
O4 - HKLM\..\Run: [yvrbpmj] C:\WINDOWS\yvrbpmj.EXE
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\CheckS02.exe
O4 - HKLM\..\Run: [win32091-86630589] C:\WINDOWS\win32091-86630589.exe
O4 - HKLM\..\Run: [ms065891-86630] C:\WINDOWS\ms065891-86630.exe
O4 - HKLM\..\Run: [awtkumvA] C:\WINDOWS\awtkumvA.exe
O4 - HKLM\..\Run: [errorhandler] C:\WINDOWS\errorhandler.exe
O4 - HKLM\..\Run: [w1d7513a.dll] RUNDLL32.EXE w1d7513a.dll,I2 000df09201d7513a
O4 - HKLM\..\Run: [Armor2net] C:\Program Files\Armor2net\Armor2net Personal Firewall\Armor2net.exe
O4 - HKLM\..\Run: [{D3-38-89-9D-ZN}] c:\windows\system32\dwdsregt.exe GID003
O4 - HKLM\..\Run: [jglwgfqA] C:\WINDOWS\jglwgfqA.exe
O4 - HKLM\..\Run: [srvdaaryco] C:\WINDOWS\srvdaaryco.exe
O4 - HKCU\..\Run: [mcdsmo] C:\WINDOWS\system32\mcdsmo.exe
O4 - HKCU\..\Run: [irssyncd] C:\WINDOWS\system32\irssyncd.exe
O4 - HKCU\..\Run: [Cpue] "C:\WINDOWS\system32\WNSXS~1\fast.exe" -vt yazr
O4 - HKCU\..\Run: [Bxxwmep] C:\Program Files\Common Files\??curity\s?chost.exe
O4 - Startup: Z_Start.lnk = C:\WINDOWS\system32\pjdsregm.exe



* * * * * * RESTART WINDOWS IN SAFE MODE * * * * * * * * * *


1. Restart your computer.
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear.
4. Select the option to run Windows in Safe Mode.


* * * * * * UN-INSTALLING PROGRAMS * * * * * * * * * * * * * *


Go to Start -> Control Panel -> Add or Remove Programs and uninstall the following programs:
  • NavExcel
  • PurityScan \ SnowBallwars by OIN (or any programs by OIN)
  • Armor2net
Please note any other programs that you don't recognize in that list in your next response.


* * * * * * DELETING FILES/FOLDERS * * * * * * * * * * * * * * *


If you have not done so already, please enable the viewing of hidden files.
From Windows Explorer, go to Tools -> Folder Options -> View tab.
  • Tick - 'Show hidden files and folders'
  • Untick - 'Hide file extensions for known types'
  • Untick - 'Hide protected operating system files'
  • Click Yes to confirm & then click OK
Locate and delete the following files/folders: (let me know if you fail to find/delete any)
  • C:\WINDOWS\jdxcenc.EXE
  • C:\WINDOWS\win32091-86630589.exe
  • C:\WINDOWS\ms065891-86630.exe
  • C:\WINDOWS\awtkumvA.exe
  • C:\WINDOWS\errorhandler.exe
  • C:\WINDOWS\jglwgfqA.exe
  • C:\WINDOWS\srvdaaryco.exe
  • C:\Program Files\NavExcel\
  • C:\WINDOWS\system32\exp
  • c:\windows\system32\conacc.exe
  • C:\WINDOWS\yvrbpmj.EXE
  • C:\WINDOWS\CheckS02.exe
  • c:\windows\system32\w1d7513a.dl
  • C:\Program Files\Armor2net\
  • c:\windows\system32\dwdsregt.exe
  • C:\WINDOWS\system32\mcdsmo.exe
  • C:\WINDOWS\system32\irssyncd.exe
  • C:\WINDOWS\system32\pjdsregm.exe
  • C:\Program Files\Common Files\??curity\

* * * * * * PURGING TEMP FOLDERS * * * * * * * * * * * * * * *


Run CleanUp! using the following configuration:

1. Click Options...
2. Set the slider initially to Standard CleanUp!
3. Uncheck the following:
  • Delete Newsgroup cache
  • Delete Newsgroup Subscriptions
  • Delete Cookies
4. Click OK
5. Press the CleanUp! button to start the program.
6. Do NOT reboot/logoff if prompted.

* CleanUp! will not create any backups!!


* * * * * * RUNNING DR. WEB * * * * * * * * * * * * * * * *
  • Double-click the drweb-cureit.exe file and allow it to run the express scan.
  • This will scan the files currently running in memory and, when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can click the next icon next to the files found.
  • If so, click it and then click the next icon right below and select Move incurable.
    This will move it to the %userprofile%\DoctorWeb\quarantine folder if it can't be cured (this is in case we need samples).
  • After selecting, in the Dr.Web CureIt menu on top, click File and choose Save report list.
  • Save the report to your desktop. The report will be called DrWeb.csv.
  • Close Dr.Web CureIt.
  • Reboot your computer, because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.
** The scan would require at least an hour. I suggest that you go grab a cup of coffee & do something else while you wait for it to complete.


* * * * * * REBOOT TO NORMAL MODE * * * * * * * * * * * * * *


Perform an online scan with Internet Explorer with Panda ActiveScan
  • Click Scan your PC & a 'pop up' window shall appear. *Ensure that your pop-up blocker doesn't block it.
  • Click Scan Now
  • Enter your e-mail address & click Scan Now. This begins downloading Panda's 8 MB ActiveX controls.
  • Begin the scan by selecting My Computer
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on See report. Then click Save report
  • Post the contents of the report in your next reply

*You needn't remain online while it's doing the scan, but you have to re-connect after it has finished to see the report.
*Turn off the real-time scanner of any existing antivirus program while performing the online scan.



* * * * * * CHECK LIST * * * * * * * * * * * * * * * * * * * * *


In your next post, please include fresh logs from:
  • HiJackThis log
  • ComboFix
  • DrWeb
  • Online Scan
Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now.

#3 Capthxc

  • Topic Starter
  • Members
  • 31 posts

Posted 07 June 2006 - 04:37 PM

I apologize for taking so long to reply, but here are the results.

1) Was unable to run ComboFix; it gave me an error message about MS-DOS and froze my PC.

2) Was unable to locate the following files/folders to delete:

C:\WINDOWS\jdxcenc.EXE
C:\WINDOWS\awtkumvA.exe
C:\WINDOWS\errorhandler.exe
C:\WINDOWS\jglwgfqA.exe
C:\Program Files\NavExcel\
C:\WINDOWS\system32\exp
c:\windows\system32\conacc.exe
C:\WINDOWS\yvrbpmj.EXE
C:\WINDOWS\CheckS02.exe
c:\windows\system32\w1d7513a.dl
c:\windows\system32\dwdsregt.exe X
C:\WINDOWS\system32\mcdsmo.exe X
C:\WINDOWS\system32\irssyncd.exe
C:\WINDOWS\system32\pjdsregm.exe X
C:\Program Files\Common Files\??curity\ X

3) Browser window in wallpaper is now gone.

4) Here are the logs you requested.

Logfile of HijackThis v1.99.1
Scan saved at 5:27:13 PM, on 6/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\WNSXS~1\fast.exe
C:\Program Files\Common Files\??curity\s?chost.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HijackThis\HijackThis.exe

R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\uaexd.exe
F2 - REG:system.ini: UserInit=userinit.exe,gvkcoau.exe
O2 - BHO: RieMon Class - {70F6A776-579A-4C95-BA88-134253907752} - C:\WINDOWS\system32\irsmsdbn.dll (file missing)
O2 - BHO: Banner Rotator - {D117A61F-92C3-4450-A0C8-F425B14D4127} - C:\WINDOWS\system32\adrotate.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [eiqlds] C:\WINDOWS\system32\eqmteu.exe reg_run
O4 - HKLM\..\Run: [w1d7513a.dll] RUNDLL32.EXE w1d7513a.dll,I2 000df09201d7513a
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [adstart] iexplore.exe http://iesettingsupdate
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [afxmf] C:\WINDOWS\system32\eqmteu.exe reg_run
O4 - HKCU\..\Run: [Bxxwmep] C:\Program Files\Common Files\??curity\s?chost.exe
O4 - HKCU\..\Run: [Cpue] "C:\WINDOWS\system32\WNSXS~1\fast.exe" -vt yazr
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\javaw.dll
O20 - Winlogon Notify: Applets - C:\WINDOWS\system32\g4jole131h.dll (file missing)
O20 - Winlogon Notify: Control Panel - C:\WINDOWS\system32\uzp10.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Edited by Capthxc, 07 June 2006 - 08:17 PM.
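
An added example, not code from this thread or from HijackThis, that compares the first log with the fresh one above: it parses the autostart sections the helper worked from (F2, R3, O2, O4, O20) and reports which entries survived the fix, which are gone, and which are new. The sample lines are a constructed subset of the two logs posted in this thread; the Entry class and its field names are my own.

```python
"""Diff two HijackThis logs to see which autostart entries survived a cleanup."""
import re
from dataclasses import dataclass

# Constructed samples: subsets of the two logs posted in this thread.
BEFORE_LOG = r"""
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\uaexd.exe
F2 - REG:system.ini: UserInit=userinit.exe,gvkcoau.exe
O2 - BHO: CFG32S - {7564B020-44E8-4c9b-A887-C6EC41AC67DA} - (no file)
O4 - HKLM\..\Run: [jdxcenc] C:\WINDOWS\jdxcenc.EXE
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [Bxxwmep] C:\Program Files\Common Files\??curity\s?chost.exe
O4 - Startup: Z_Start.lnk = C:\WINDOWS\system32\pjdsregm.exe
O20 - AppInit_DLLs: repairs303169587.dll
O20 - Winlogon Notify: Applets - C:\WINDOWS\system32\g4jole131h.dll (file missing)
"""
AFTER_LOG = r"""
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\uaexd.exe
F2 - REG:system.ini: UserInit=userinit.exe,gvkcoau.exe
O2 - BHO: Banner Rotator - {D117A61F-92C3-4450-A0C8-F425B14D4127} - C:\WINDOWS\system32\adrotate.dll
O4 - HKLM\..\Run: [eiqlds] C:\WINDOWS\system32\eqmteu.exe reg_run
O4 - HKCU\..\Run: [Bxxwmep] C:\Program Files\Common Files\??curity\s?chost.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\javaw.dll
O20 - Winlogon Notify: Applets - C:\WINDOWS\system32\g4jole131h.dll (file missing)
"""

@dataclass(frozen=True)
class Entry:
    section: str  # HJT section code: R3, F2, O2, O4, O20
    kind: str     # sub-type: "HKLM Run", "Shell", "BHO", "Winlogon Notify", ...
    name: str     # value name / CLSID / notify key ("" when there is none)
    target: str   # file, command or DLL the entry launches

    @property
    def identity(self):
        """Key that survives a changed target (CLSID stays, DLL goes missing)."""
        return (self.section, self.kind, self.name.lower())

    @property
    def file_missing(self):
        """HJT flags registry entries whose referenced file no longer exists."""
        return "(file missing)" in self.target or "(no file)" in self.target

_O4_RUN = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")
_O4_STARTUP = re.compile(r"^O4 - ((?:Global )?Startup): (.+?) = (.*)$")
_F2 = re.compile(r"^F2 - REG:system\.ini: (\w+)=(.*)$")
_CLSID = re.compile(r"^(R3|O2) - (URLSearchHook|BHO): (.*?) - (\{[^}]+\}) - (.*)$")
_O20 = re.compile(r"^O20 - (AppInit_DLLs|Winlogon Notify): (.*)$")

def parse_line(line):
    """Return an Entry for a supported HJT line, or None for lines we ignore."""
    line = line.strip()
    if m := _O4_RUN.match(line):
        hive, key, name, cmd = m.groups()
        return Entry("O4", f"{hive} {key}", name, cmd)
    if m := _O4_STARTUP.match(line):
        kind, name, cmd = m.groups()
        return Entry("O4", kind, name, cmd)
    if m := _F2.match(line):
        value_name, value = m.groups()            # Shell / UserInit
        return Entry("F2", value_name, "", value)
    if m := _CLSID.match(line):
        section, kind, _label, clsid, path = m.groups()
        return Entry(section, kind, clsid, path)  # CLSID is the stable identity
    if m := _O20.match(line):
        kind, rest = m.groups()
        if kind == "Winlogon Notify":
            name, _, path = rest.partition(" - ")
            return Entry("O20", kind, name, path)
        return Entry("O20", kind, "", rest)
    return None

def parse_log(text):
    return [e for e in map(parse_line, text.splitlines()) if e]

def diff_logs(before_text, after_text):
    """Return (persisted, removed, new); persisted maps identity -> (old, new) target."""
    before = {e.identity: e for e in parse_log(before_text)}
    after = {e.identity: e for e in parse_log(after_text)}
    persisted = {k: (before[k].target, after[k].target) for k in before.keys() & after.keys()}
    removed = [before[k] for k in before.keys() - after.keys()]
    new = [after[k] for k in after.keys() - before.keys()]
    return persisted, removed, new

def summarize(before_text, after_text):
    """One line per entry, in a fixed order, so the result is easy to eyeball."""
    persisted, removed, new = diff_logs(before_text, after_text)
    lines = [f"persisted {'CHANGED' if old != cur else 'SAME   '} {' '.join(k)}: {cur}"
             for k, (old, cur) in sorted(persisted.items())]
    lines += [f"removed   {e.section} {e.kind} {e.name}: {e.target}"
              for e in sorted(removed, key=lambda e: e.identity)]
    lines += [f"new       {e.section} {e.kind} {e.name}: {e.target}"
              for e in sorted(new, key=lambda e: e.identity)]
    return lines

if __name__ == "__main__":
    print("\n".join(summarize(BEFORE_LOG, AFTER_LOG)))
```

On these samples the diff shows the F2 Shell/UserInit hooks and the Winlogon Notify entry untouched by the fix, the AppInit_DLLs slot re-populated with a different DLL, and a new HKLM Run value, which is why the helper asks for a fresh log after every round.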


#4 Capthxc

  • Topic Starter
  • Members
  • 31 posts

Posted 07 June 2006 - 08:20 PM

eqmteu.exe;C:\WINDOWS\system32;Trojan.Qoologic;Will be cured after reboot.;
uaexd.exe;C:\WINDOWS\system32;Trojan.Qoologic;Will be cured after reboot.;
wxyuk.exe;C:\Documents and Settings\All Users\Start Menu\Programs\Startup;Trojan.Qoologic;Will be cured after reboot.;
SBtrmIT.dll;C:\WINDOWS\system32;Adware.Ican;;
pvrfnet.dll;C:\WINDOWS\system32;Adware.Ican;;
igpeers.dll;C:\WINDOWS\system32;Adware.Ican;;
smi_ci.dll;C:\WINDOWS\system32;Adware.Ican;;
ucrsdpia.dll;C:\WINDOWS\system32;Adware.Ican;;
ctnsole.dll;C:\WINDOWS\system32;Adware.Ican;;
szorder.dll;C:\WINDOWS\system32;Adware.Ican;;
fzsrch.dll;C:\WINDOWS\system32;Adware.Ican;;
wwssvc.dll;C:\WINDOWS\system32;Adware.Ican;;
kmdsg.dll;C:\WINDOWS\system32;Adware.Ican;;
wevcore.dll;C:\WINDOWS\system32;Adware.Ican;;
lncdll.dll;C:\WINDOWS\system32;Adware.Ican;;
kudhe.dll;C:\WINDOWS\system32;Adware.Ican;;
meltus40.dll;C:\WINDOWS\system32;Adware.Ican;;
SJCplTR.dll;C:\WINDOWS\system32;Adware.Ican;;
irsmsdbn.dll;C:\WINDOWS\system32;Adware.BetterInternet;;
503_617.exe\data001;C:\503_617.exe;Trojan.Popuper;;
503_617.exe\data002;C:\503_617.exe;Trojan.Popuper;;
503_617.exe;C:\;Archive contains infected objects;Moved.;
516_618.exe\data001;C:\516_618.exe;Trojan.Popuper;;
516_618.exe\data002;C:\516_618.exe;Trojan.Popuper;;
516_618.exe;C:\;Archive contains infected objects;Moved.;
NNSCAA638.EXE;C:\;Adware.NewDotNet;;
VSL.dl_;C:\;Adware.Dh;;
w.exe;C:\;Trojan.DownLoader.9110;Deleted.;
webnexmk.exe;C:\;Trojan.MulDrop.2785;Deleted.;
ZIGID003.exe;C:\;Adware.ZenoSearch;;
repairs303169587.dll;C:\!KillBox;Adware.Surfside;;
awtkumvA.exe;C:\bintheredunthat;Trojan.Popuper;Deleted.;
comscore.exe;C:\bintheredunthat;Trojan.MulDrop.2785;Deleted.;
jdxcenc.exe;C:\bintheredunthat;BackDoor.Generic.1051;Deleted.;
jglwgfqA.exe;C:\bintheredunthat;Trojan.Popuper;Deleted.;
numbsoft.exe;C:\bintheredunthat;Trojan.MulDrop.2785;Deleted.;
pudvsvc.exe;C:\bintheredunthat;Trojan.Click.647;Deleted.;
rmwknuw.exe;C:\bintheredunthat;Trojan.Offun;Deleted.;
vyzyhgk.exe;C:\bintheredunthat;Trojan.Popups;Deleted.;
6063327Ed01;C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\eiud15jc.hello\Cache;Trojan.Fakealert;Deleted.;
full.exe;C:\Documents and Settings\Owner\Desktop\bullbleep;Trojan.MulDrop.2785;Deleted.;
503_617.exe\data001;C:\Documents and Settings\Owner\DoctorWeb\Quarantine\503_617.exe;Trojan.Popuper;;
503_617.exe\data002;C:\Documents and Settings\Owner\DoctorWeb\Quarantine\503_617.exe;Trojan.Popuper;;
503_617.exe;C:\Documents and Settings\Owner\DoctorWeb\Quarantine;Archive contains infected objects;Moved.;
516_618.exe\data001;C:\Documents and Settings\Owner\DoctorWeb\Quarantine\516_618.exe;Trojan.Popuper;;
516_618.exe\data002;C:\Documents and Settings\Owner\DoctorWeb\Quarantine\516_618.exe;Trojan.Popuper;;
516_618.exe;C:\Documents and Settings\Owner\DoctorWeb\Quarantine;Archive contains infected objects;Moved.;
pre.emf;C:\Documents and Settings\Owner\My Documents;Exploit.MS05-053;Deleted.;
WxBug.EXE;C:\Program Files\AIM\Sysfiles;Adware.Aws;;
ace.dll;C:\Program Files\Aprps;Trojan.AproposAd;Deleted.;
atl.dll;C:\Program Files\Aprps;Trojan.AproposAd;Deleted.;
CxtPls.dll;C:\Program Files\Aprps;Adware.Apropos;;
libexpat.dll;C:\Program Files\Aprps;Trojan.AproposAd;Deleted.;
ProxyStub.dll;C:\Program Files\Aprps;Trojan.AproposAd;Deleted.;
uninstaller.exe;C:\Program Files\Aprps;Trojan.AproposAd;Deleted.;
WinGenerics.dll;C:\Program Files\Aprps;Trojan.AproposAd;Deleted.;
Stb.exe;C:\Program Files\asys;Trojan.DownLoader.3738;Deleted.;
VFX60_nok.exe\data001;C:\Program Files\asys\VFX60_nok.exe;Trojan.DownLoader.4717;;
VFX60_nok.exe\data002;C:\Program Files\asys\VFX60_nok.exe;Trojan.Offun;;
VFX60_nok.exe;C:\Program Files\asys;Archive contains infected objects;Moved.;
VFX8.0-1.exe;C:\Program Files\asys;Trojan.MulDrop.2543;Incurable.Moved.;
cmappstub.exe;C:\Program Files\CMAPP;Trojan.DownLoader.3738;Deleted.;
cmappclient.exe;C:\Program Files\CMAPP\Client;Adware.Casclient;;
snuninst.exe;C:\Program Files\epicenter;Trojan.DownLoader.3517;Deleted.;
FCEngine.exe;C:\Program Files\FCEngine;Trojan.DownLoader.6298;Deleted.;
avmdxvcptf.dll;C:\Program Files\inscdm;Adware.SmartPops;;
avmdxvcptf.exe;C:\Program Files\inscdm;Adware.SmartPops;;
auxe.exe;C:\Program Files\Internet Explorer;Trojan.DownLoader.9440;Deleted.;
MYSRCHAS.DLL;C:\Program Files\MyWay\SrchAstt\1.bin;Adware.MyWay;;
vxfo2.exe;C:\Program Files\sysad;Trojan.MulDrop.2543;Incurable.Moved.;
wincmapp.exe;C:\Program Files\winCMAPP;Adware.Casclient;;
A0156937.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP419;Adware.Look2me;;
A0156941.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP419;Adware.Look2me;;
A0156944.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP419;Adware.Nexus;;
A0156945.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP419;Adware.Nexus;;
A0156946.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP419;Trojan.DownLoader.5242;Deleted.;
A0156969.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP422;Adware.Look2me;;
A0156970.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP422;Adware.Look2me;;
A0156971.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP422;Adware.Look2me;;
A0156985.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP424;Adware.Look2me;;
A0156989.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP424;Adware.Look2me;;
A0156992.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP424;Adware.Nexus;;
A0156993.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP424;Adware.Nexus;;
A0156994.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP424;Trojan.DownLoader.5242;Deleted.;
A0157100.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP430;Adware.Look2me;;
A0157104.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP430;Adware.Look2me;;
A0157107.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP430;Adware.Nexus;;
A0157108.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP430;Adware.Nexus;;
A0157109.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP430;Trojan.DownLoader.5242;Deleted.;
A0157117.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP430;Adware.Nexus;;
A0157118.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP430;Adware.Nexus;;
A0157119.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP430;Trojan.DownLoader.5242;Deleted.;
A0157122.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP430;Adware.Look2me;;
A0157147.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP432;Adware.Look2me;;
A0157149.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP432;Adware.Look2me;;
A0157155.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP432;Adware.Nexus;;
A0157156.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP432;Adware.Nexus;;
A0157157.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP432;Trojan.DownLoader.5242;Deleted.;
A0157242.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP437;Adware.Look2me;;
A0157243.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP437;Adware.Look2me;;
A0157249.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP437;Adware.Nexus;;
A0157250.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP437;Adware.Nexus;;
A0157251.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP437;Trojan.DownLoader.5242;Deleted.;
A0157262.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP437;Adware.Look2me;;
A0157263.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP437;Adware.Look2me;;
A0157269.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP437;Adware.Nexus;;
A0157270.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP437;Adware.Nexus;;
A0157271.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP437;Trojan.DownLoader.5242;Deleted.;
A0157277.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP437;Adware.Look2me;;
A0157283.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP437;Adware.Nexus;;
A0157284.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP437;Adware.Nexus;;
A0157285.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP437;Trojan.DownLoader.5242;Deleted.;
A0157289.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP437;Adware.Look2me;;
A0157290.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP437;Adware.Look2me;;
A0157296.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP437;Adware.Nexus;;
A0157297.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP437;Adware.Nexus;;
A0157298.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP437;Trojan.DownLoader.5242;Deleted.;
A0157302.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP437;Adware.Look2me;;
A0157308.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP437;Adware.Nexus;;
A0157309.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP437;Adware.Nexus;;
A0157310.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP437;Trojan.DownLoader.5242;Deleted.;
A0157315.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP438;Adware.Look2me;;
A0157316.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP438;Adware.Look2me;;
A0157322.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP438;Adware.Nexus;;
A0157323.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP438;Adware.Nexus;;
A0157324.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP438;Trojan.DownLoader.5242;Deleted.;
A0157331.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP438;Adware.Look2me;;
A0157337.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP438;Adware.Nexus;;
A0157338.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP438;Adware.Nexus;;
A0157339.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP438;Trojan.DownLoader.5242;Deleted.;
A0157344.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP438;Adware.Look2me;;
A0157350.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP438;Adware.Nexus;;
A0157351.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP438;Adware.Nexus;;
A0157352.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP438;Trojan.DownLoader.5242;Deleted.;
A0157356.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP438;Adware.Look2me;;
A0157362.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP438;Adware.Nexus;;
A0157363.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP438;Adware.Nexus;;
A0157364.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP438;Trojan.DownLoader.5242;Deleted.;
A0157369.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP438;Adware.Look2me;;
A0157375.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP438;Adware.Nexus;;
A0157376.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP438;Adware.Nexus;;
A0157377.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP438;Trojan.DownLoader.5242;Deleted.;
A0157380.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP439;Adware.Look2me;;
A0157382.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP439;Adware.Look2me;;
A0157388.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP439;Adware.Nexus;;
A0157389.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP439;Adware.Nexus;;
A0157390.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP439;Trojan.DownLoader.5242;Deleted.;
A0157403.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP439;Adware.Look2me;;
A0158385.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP439;Adware.Look2me;;
A0158388.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP439;Adware.Nexus;;
A0158389.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP439;Adware.Nexus;;
A0158390.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP439;Trojan.DownLoader.5242;Deleted.;
A0159385.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP440;Adware.Look2me;;
A0159388.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP440;Adware.Nexus;;
A0159389.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP440;Adware.Nexus;;
A0159390.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP440;Trojan.DownLoader.5242;Deleted.;
A0159394.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP440;Adware.Look2me;;
A0159400.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP440;Adware.Nexus;;
A0159401.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP440;Adware.Nexus;;
A0159402.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP440;Trojan.DownLoader.5242;Deleted.;
A0159423.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP441;Adware.Look2me;;
A0159424.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP441;Adware.Look2me;;
A0159425.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP441;Adware.Look2me;;
A0159426.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP441;Adware.Look2me;;
A0159427.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP441;Adware.Look2me;;
A0159428.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP441;Adware.Look2me;;
A0159429.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP441;Adware.Look2me;;
A0159612.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP453;Adware.Look2me;;
A0159624.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP453;Adware.Look2me;;
A0159630.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP453;Adware.Nexus;;
A0159631.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP453;Adware.Nexus;;
A0159632.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP453;Trojan.DownLoader.5242;Deleted.;
A0159666.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP455;Adware.Look2me;;
A0159667.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP455;Adware.Look2me;;
A0159673.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP455;Adware.Nexus;;
A0159674.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP455;Adware.Nexus;;
A0159675.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP455;Trojan.DownLoader.5242;Deleted.;
A0160666.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP458;Adware.Look2me;;
A0160672.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP458;Adware.Nexus;;
A0160673.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP458;Adware.Nexus;;
A0160674.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP458;Trojan.DownLoader.5242;Deleted.;
A0160717.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP460;Adware.Look2me;;
A0160718.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP460;Adware.Look2me;;
A0160724.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP460;Adware.Nexus;;
A0160725.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP460;Adware.Nexus;;
A0160726.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP460;Trojan.DownLoader.5242;Deleted.;
A0160804.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP464;Adware.Look2me;;
A0160805.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP464;Adware.Look2me;;
A0160811.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP464;Adware.Nexus;;
A0160812.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP464;Adware.Nexus;;
A0160813.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP464;Trojan.DownLoader.5242;Deleted.;
A0160817.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP464;Adware.Look2me;;
A0160823.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP464;Adware.Nexus;;
A0160824.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP464;Adware.Nexus;;
A0160825.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP464;Trojan.DownLoader.5242;Deleted.;
A0160830.dLL;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP464;Adware.Look2me;;
A0160836.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP464;Adware.Nexus;;
A0160837.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP464;Adware.Nexus;;
A0160838.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP464;Trojan.DownLoader.5242;Deleted.;
A0161835.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP468;Adware.Nexus;;
A0161836.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP468;Adware.Nexus;;
A0161837.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP468;Trojan.DownLoader.5242;Deleted.;
A0161840.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP468;Adware.Look2me;;
A0161844.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP468;Adware.Look2me;;
A0161848.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP468;Adware.Look2me;;
A0161851.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP468;Adware.Nexus;;
A0161852.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP468;Adware.Nexus;;
A0161853.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP468;Trojan.DownLoader.5242;Deleted.;
A0162052.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP468;Adware.Look2me;;
A0162058.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP468;Adware.Nexus;;
A0162059.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP468;Adware.Nexus;;
A0162060.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP468;Trojan.DownLoader.5242;Deleted.;
A0162080.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP468;Adware.Look2me;;
A0162087.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP468;Adware.Look2me;;
A0162090.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP468;Adware.Nexus;;
A0162091.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP468;Adware.Nexus;;
A0162092.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP468;Trojan.DownLoader.5242;Deleted.;
A0162109.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP468;Adware.Look2me;;
A0162112.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP468;Adware.Nexus;;
A0162113.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP468;Adware.Nexus;;
A0162114.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP468;Trojan.DownLoader.5242;Deleted.;
A0162237.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP474;Adware.Look2me;;
A0162243.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP474;Adware.Nexus;;
A0162244.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP474;Adware.Nexus;;
A0162245.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP474;Trojan.DownLoader.5242;Deleted.;
A0162250.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP474;Adware.Look2me;;
A0162278.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP474;Adware.Look2me;;
A0162284.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP474;Adware.Nexus;;
A0162285.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP474;Adware.Nexus;;
A0162286.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP474;Trojan.DownLoader.5242;Deleted.;
A0162297.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP475;Adware.Look2me;;
A0162303.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP475;Adware.Nexus;;
A0162304.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP475;Adware.Nexus;;
A0162305.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP475;Trojan.DownLoader.5242;Deleted.;
A0162313.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP476;Adware.Look2me;;
A0162319.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP476;Adware.Nexus;;
A0162320.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP476;Adware.Nexus;;
A0162321.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP476;Trojan.DownLoader.5242;Deleted.;
A0162331.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP476;Adware.Look2me;;
A0162337.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP476;Adware.Nexus;;
A0162338.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP476;Adware.Nexus;;
A0162339.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP476;Trojan.DownLoader.5242;Deleted.;
A0162346.DLL;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP476;Adware.MyWay;;
A0162347.EXE;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP476;Adware.MyWay;;
A0162348.DLL;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP476;Adware.MyWay;;
A0162365.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP477;Adware.Look2me;;
A0162371.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP477;Adware.Nexus;;
A0162372.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP477;Adware.Nexus;;
A0162373.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP477;Trojan.DownLoader.5242;Deleted.;
A0162384.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP478;Adware.Look2me;;
A0162390.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP478;Adware.Nexus;;
A0162391.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP478;Adware.Nexus;;
A0162392.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP478;Trojan.DownLoader.5242;Deleted.;
A0162414.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP479;Adware.Look2me;;
A0162420.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP479;Adware.Nexus;;
A0162421.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP479;Adware.Nexus;;
A0162422.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP479;Trojan.DownLoader.5242;Deleted.;
A0162426.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP479;Adware.Look2me;;
A0162430.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP479;Adware.Look2me;;
A0162433.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP479;Adware.Nexus;;
A0162434.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP479;Adware.Nexus;;
A0162435.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP479;Trojan.DownLoader.5242;Deleted.;
A0162530.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP479;Trojan.DownLoader.9440;Deleted.;
A0162534.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP479;Trojan.DownLoader.9440;Deleted.;
A0162543.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP479;Adware.WebHancer;;
A0162547.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP479;Adware.Nexus;;
A0162548.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP479;Adware.Nexus;;
A0162550.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP479;Trojan.DownLoader.5242;Deleted.;
A0162551.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP479;Adware.Nexus;;
A0162552.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP479;BackDoor.Generic.1219;Deleted.;
A0162553.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP479;BackDoor.Generic.1219;Deleted.;
A0162555.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP479;Adware.Nexus;;
A0162556.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP479;Adware.Look2me;;
A0162572.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP479;Adware.Look2me;;
A0162573.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP479;Adware.Look2me;;
A0163583.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP479;Adware.Look2me;;
A0163584.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP479;Adware.Look2me;;
A0163592.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP479;Adware.ZenoSearch;;
A0163597.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP479;Trojan.Click.1211;Deleted.;
A0163598.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP479;Trojan.Click.1211;Deleted.;
A0163622.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP479;Adware.Look2me;;
A0163636.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP479;Adware.Look2me;;
A0163637.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP479;Adware.Look2me;;
A0163660.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP479;Adware.Look2me;;
A0163664.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP479;Adware.Look2me;;
A0163678.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP479;Adware.ZenoSearch;;
A0163687.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP479;Adware.MediaTicket;;
A0163708.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP479;Adware.Look2me;;
A0163712.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP479;Adware.Look2me;;
A0163730.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP479;Adware.Look2me;;
A0163743.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP479;Adware.Look2me;;
A0163752.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP479;Adware.Look2me;;
A0163777.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP480;Adware.WildMedia;;
A0163801.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP480;Adware.Surfside;;
A0163803.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP480;Adware.Surfside;;
A0163804.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP480;Adware.Surfside;;
A0163807.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP480;Adware.Look2me;;
A0163808.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP480;Adware.Surfside;;
A0163809.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP480;Adware.Look2me;;
A0163824.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP480;Adware.Look2me;;
A0164334.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP480;Adware.Look2me;;
A0164336.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP480;Adware.Look2me;;
A0164346.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP480;Adware.Look2me;;
A0164356.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP480;Adware.Look2me;;
A0164366.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP480;Adware.Look2me;;
A0164375.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP480;Adware.Look2me;;
A0164407.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP481;Adware.Look2me;;
A0164417.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP481;Adware.Look2me;;
A0164431.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP481;Adware.ZenoSearch;;
A0164446.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP481;Adware.Look2me;;
A0164450.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP481;Adware.Look2me;;
A0164454.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP481;Adware.ClickSpring;;
A0164458.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP481;Trojan.Qoologic;Deleted.;
A0164459.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP481;Adware.Mirarbar;;
A0165446.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP481;Adware.Nexus;;
A0165447.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP481;Adware.NewDotNet;;
A0165479.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP481;Adware.Look2me;;
A0165486.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP481;Adware.Look2me;;
A0165490.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP481;Trojan.Qoologic;Deleted.;
A0166479.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP481;Adware.Nexus;;
A0166484.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP481;Adware.Look2me;;
A0166488.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP481;Trojan.Qoologic;Deleted.;
A0166491.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP481;Adware.Surfside;;
A0166493.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP481;Adware.Surfside;;
A0166494.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP481;Adware.Surfside;;
A0167479.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP481;Adware.Nexus;;
A0167480.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP481;Adware.Surfside;;
A0167484.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP481;Adware.Look2me;;
A0167489.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP481;Trojan.Qoologic;Deleted.;
A0168479.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP481;Adware.Nexus;;
A0168484.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP481;Adware.Look2me;;
A0168486.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP481;Trojan.Qoologic;Deleted.;
A0168512.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP481;Adware.NewDotNet;;
A0168513.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP481;Adware.NewDotNet;;
A0168514.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP481;Adware.NewDotNet;;
A0168694.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP481;Adware.Nexus;;
A0168705.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP481;Adware.Look2me;;
A0168761.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP481;Adware.Look2me;;
A0168762.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP481;Adware.Look2me;;
A0168766.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP481;Trojan.MulDrop.2785;Deleted.;
A0168781.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP481;Adware.Look2me;;
A0168790.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP481;Adware.Look2me;;
A0168796.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP481;Adware.Look2me;;
A0168815.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP481;Adware.AddUrl;;
A0168821.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP481;Adware.Look2me;;
A0168825.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP481;Adware.Look2me;;
A0168829.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP481;Adware.ClickSpring;;
A0168831.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP481;Trojan.Qoologic;Deleted.;
A0168855.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP481;Adware.Nexus;;
A0168859.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP481;Adware.Look2me;;
A0169857.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP482;Adware.Look2me;;
A0169860.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP482;Trojan.Qoologic;Deleted.;
A0170854.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP482;Adware.Nexus;;
A0170858.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP482;Adware.Look2me;;
A0170859.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP482;Trojan.Qoologic;Deleted.;
A0170871.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP482;Adware.Nexus;;
A0170875.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP482;Adware.Look2me;;
A0170878.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP482;Trojan.Qoologic;Deleted.;
A0170892.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP482;Adware.Nexus;;
A0170893.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP482;Adware.Look2me;;
A0170902.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP483;Adware.Look2me;;
A0171895.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP483;Adware.Look2me;;
A0171896.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP483;Trojan.Qoologic;Deleted.;
A0171941.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP483;Probably DLOADER.Trojan;;
A0171942.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP483;Adware.WebHancer;;
A0172892.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP483;Adware.Nexus;;
A0172893.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP483;Adware.Look2me;;
A0172897.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP483;Adware.WebHancer;;
A0172905.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP483;Trojan.Qoologic;Deleted.;
A0172961.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP484;Adware.Nexus;;
A0173016.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP486;Trojan.DownLoader.9440;Deleted.;
A0173022.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP486;Trojan.Qoologic;Deleted.;
A0173023.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP486;Trojan.Popuper;Deleted.;
A0173025.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP486;Trojan.DownLoader.9440;Deleted.;
A0173036.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP486;Trojan.DownLoader.8450;Deleted.;
A0173057.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP486;Adware.Nexus;;
A0175232.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP490;Trojan.Popuper;Deleted.;
A0175236.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP490;Adware.NewDotNet;;
A0175246.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP490;Adware.DollarRevenue;;
A0175247.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP490;Trojan.DownLoader.8290;Deleted.;
A0175248.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP490;Adware.Lc;;
A0175249.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP490;Adware.Lc;;
A0175251.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP490;Adware.ZenoSearch;;
A0175369.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP492;Adware.ZenoSearch;;
A0176526.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP495;Adware.DollarRevenue;;
A0176528.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP495;Adware.ZenoSearch;;
A0176550.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP495;Adware.FContext;;
A0176552.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP495;Adware.MediaTicket;;
A0176554.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP495;Trojan.Click.1209;Deleted.;
A0176555.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP495;Adware.DollarRevenue;;
A0176556.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP495;Adware.DollarRevenue;;
A0176557.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP495;Adware.DollarRevenue;;
A0176558.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP495;Adware.Surfside;;
A0176561.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP495;Adware.Look2me;;
A0176562.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP495;Adware.DollarRevenue;;
A0176563.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP495;Adware.DollarRevenue;;
A0176567.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP495;Trojan.MulDrop.2808;Deleted.;
A0176576.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP495;Trojan.Qoologic;Deleted.;
A0176577.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP495;Trojan.Qoologic;Deleted.;
A0176578.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP495;Trojan.Qoologic;Deleted.;
A0176579.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP495;Trojan.Qoologic;Deleted.;
A0176580.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP495;Trojan.Qoologic;Deleted.;
A0176582.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP495;Trojan.MulDrop.2785;Deleted.;
A0176583.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP495;Adware.ClickSpring;;
A0176585.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP495;Trojan.Isbar.443;Deleted.;
A0176586.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP495;Trojan.DownLoader.6815;Deleted.;
A0176587.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP495;Adware.Aws;;
A0176588.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP495;Trojan.DownLoader.6012;Deleted.;
A0176591.EXE;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP495;Adware.SmartPops;;
A0176592.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP495;Trojan.MulDrop.2785;Deleted.;
A0176593.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP495;Trojan.MulDrop.2785;Deleted.;
A0176594.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP495;Trojan.MulDrop.2785;Deleted.;
A0176595.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP495;Trojan.Isbar.402;Deleted.;
A0176601.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP495;Trojan.DownLoader.7575;Deleted.;
A0176602.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP495;Trojan.DownLoader.3738;Deleted.;
A0176603.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP495;Trojan.DownLoader.3923;Deleted.;
A0176609.exe\data001;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP495\A0176609.exe;Trojan.DownLoader.4717;;
A0176609.exe\data002;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP495\A0176609.exe;Trojan.Popups;;
A0176609.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP495;Archive contains infected objects;Moved.;
A0176610.exe\data001;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP495\A0176610.exe;Trojan.DownLoader.4717;;
A0176610.exe\data002;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP495\A0176610.exe;Trojan.Popups;;
A0176610.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP495;Archive contains infected objects;Moved.;
A0176613.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP495;Trojan.MulDrop.2785;Deleted.;
A0176614.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP495;Trojan.MulDrop.2785;Deleted.;
A0176689.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP495;Adware.EliteBar;;
A0176690.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP495;Adware.EliteBar;;
A0176691.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP495;Adware.Winad;;
A0176748.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP495;Adware.ClickSpring;;
A0176792.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP495;Adware.Enbrow;;
A0176793.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP495;Trojan.DownLoader.9866;Deleted.;
A0176794.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP495;Trojan.DownLoader.8453;Deleted.;
A0176795.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP495;Trojan.Click.1206;Deleted.;
A0176796.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP495;Adware.DollarRevenue;;
A0176797.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP495;Trojan.Click.1207;Deleted.;
A0176798.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP495;Adware.DollarRevenue;;
A0176799.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP495;Adware.ZenoSearch;;
A0176801.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP495;Adware.ZenoSearch;;
A0176802.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP495;Adware.ZenoSearch;;
A0176803.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP495;Adware.ZenoSearch;;
A0176804.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP495;Adware.ZenoSearch;;
A0176805.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP495;Adware.ZenoSearch;;
A0176806.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP495;Adware.ZenoSearch;;
A0176807.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP495;Adware.ZenoSearch;;
A0176808.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP495;Adware.ZenoSearch;;
A0176809.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP495;Adware.WildMedia;;
A0177828.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP496;Adware.Surfside;;
A0177830.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP496;Adware.Surfside;;
A0177831.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP496;Adware.Surfside;;
A0178036.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP496;Adware.Hotbar;;
A0178038.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP496;Adware.Look2me;;
A0178041.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP496;BackDoor.Generic.1219;Deleted.;
A0178042.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP496;BackDoor.Generic.1219;Deleted.;
A0178046.exe\data001;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP496\A0178046.exe;Trojan.Popuper;;
A0178046.exe\data002;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP496\A0178046.exe;Trojan.Popuper;;
A0178046.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP496;Archive contains infected objects;Moved.;
A0178047.exe\data001;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP496\A0178047.exe;Trojan.Popuper;;
A0178047.exe\data002;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP496\A0178047.exe;Trojan.Popuper;;
A0178047.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP496;Archive contains infected objects;Moved.;
A0178048.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP496;Trojan.DownLoader.9110;Deleted.;
A0178049.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP496;Trojan.MulDrop.2785;Deleted.;
A0178050.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP496;Trojan.Popuper;Deleted.;
A0178051.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP496;Trojan.MulDrop.2785;Deleted.;
A0178052.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP496;BackDoor.Generic.1051;Deleted.;
A0178053.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP496;Trojan.Popuper;Deleted.;
A0178054.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP496;Trojan.MulDrop.2785;Deleted.;
A0178055.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP496;Trojan.Click.647;Deleted.;
A0178056.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP496;Trojan.Offun;Deleted.;
A0178057.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP496;Trojan.Popups;Deleted.;
A0178058.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP496;Trojan.MulDrop.2785;Deleted.;
A0178059.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP496;Trojan.AproposAd;Deleted.;
A0178060.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP496;Trojan.AproposAd;Deleted.;
A0178061.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP496;Trojan.AproposAd;Deleted.;
A0178062.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP496;Trojan.AproposAd;Deleted.;
A0178063.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP496;Trojan.AproposAd;Deleted.;
A0178064.dll;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP496;Trojan.AproposAd;Deleted.;
A0178065.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP496;Trojan.DownLoader.3738;Deleted.;
A0178066.exe\data001;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP496\A0178066.exe;Trojan.DownLoader.4717;;
A0178066.exe\data002;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP496\A0178066.exe;Trojan.Offun;;
A0178066.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP496;Archive contains infected objects;Moved.;
A0178067.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP496;Trojan.MulDrop.2543;Incurable.Moved.;
A0178068.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP496;Trojan.DownLoader.3738;Deleted.;
A0178069.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP496;Trojan.DownLoader.3517;Deleted.;
A0178070.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP496;Trojan.DownLoader.6298;Deleted.;
A0178071.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP496;Trojan.DownLoader.9440;Deleted.;
A0178072.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP496;Trojan.MulDrop.2543;Incurable.Moved.;
876056.exe;C:\WINDOWS;Adware.Mirarbar;;
amm06.ocx;C:\WINDOWS;Adware.MediaMotor;;
cfgmgr52.dll;C:\WINDOWS;Adware.BookedSpace;;
ekguvpbw.dll;C:\WINDOWS;Adware.BookedSpace;;
gege15x.exe;C:\WINDOWS;Modification of BackDoor.Generic.987;Moved.;
gtvxsvc.exe\data001;C:\WINDOWS\gtvxsvc.exe;BackDoor.Generic.1050;;
gtvxsvc.exe\data002;C:\WINDOWS\gtvxsvc.exe;BackDoor.Generic.1051;;
gtvxsvc.exe;C:\WINDOWS;Archive contains infected objects;Moved.;
jdxcdll.exe;C:\WINDOWS;BackDoor.Generic.1050;Deleted.;
NDNuninstall7_22.exe;C:\WINDOWS;Adware.NewDotNet;;
offun.exe;C:\WINDOWS;Trojan.Popuper;Deleted.;
optimize.exe;C:\WINDOWS;Trojan.Dyfuca;Deleted.;
pop06ap2.exe;C:\WINDOWS;Adware.MediaMotor;;
pxwma.dll;C:\WINDOWS;Adware.Webdir;;
pysdukg.exe;C:\WINDOWS;Trojan.Popups;Deleted.;
Ukbbnavd.dll;C:\WINDOWS;Adware.BookedSpace;;
unin101.exe;C:\WINDOWS;Trojan.Click.1166;Deleted.;
unwn.exe;C:\WINDOWS;Trojan.Qoologic;Deleted.;
vcpsapyb.exe;C:\WINDOWS;Adware.BookedSpace;;
visfx500.exe\data001;C:\WINDOWS\visfx500.exe;Trojan.Popuper;;
visfx500.exe\data002;C:\WINDOWS\visfx500.exe;Trojan.Popuper;;
visfx500.exe\data004;C:\WINDOWS\visfx500.exe;Trojan.Dyfuca;;
visfx500.exe;C:\WINDOWS;Archive contains infected objects;Moved.;
visfxun.exe;C:\WINDOWS;Trojan.DownLoader.4717;Deleted.;
webhdll.dll_tobedeleted;C:\WINDOWS;Adware.WebHancer;;
pcs_0002.exe;C:\WINDOWS\Downloaded Program Files;Trojan.DownLoader.2432;Deleted.;
asms.exe;C:\WINDOWS\system32;Trojan.MulDrop.1827;Deleted.;
csrss_log.dat;C:\WINDOWS\system32;Trojan.DownLoader.4135;Deleted.;
ctnsole.dll;C:\WINDOWS\system32;Adware.Ican;;
cxtpls_loader.exe;C:\WINDOWS\system32;Trojan.AproposAd;Deleted.;
dddmoprp.dll;C:\WINDOWS\system32;Adware.Look2me;;
djkquota.dll;C:\WINDOWS\system32;Adware.Ican;;
dknput8.dll;C:\WINDOWS\system32;Adware.Look2me;;
dlser.dll;C:\WINDOWS\system32;Adware.Look2me;;
dmonwv.dll;C:\WINDOWS\system32;Trojan.DownLoader.8933;Deleted.;
dscdll.dll;C:\WINDOWS\system32;Adware.Ican;;
enpol1731.dll;C:\WINDOWS\system32;Adware.Look2me;;
fpjq0315e.dll;C:\WINDOWS\system32;Adware.Look2me;;
full.exe;C:\WINDOWS\system32;Trojan.MulDrop.2785;Deleted.;
fzsrch.dll;C:\WINDOWS\system32;Adware.Ican;;
g2jolc131f.dll;C:\WINDOWS\system32;Adware.Look2me;;
gpnul3591.dll;C:\WINDOWS\system32;Adware.Look2me;;
h0n0la5m1d.dll;C:\WINDOWS\system32;Adware.Ican;;
hr0205doe.dll;C:\WINDOWS\system32;Adware.Look2me;;
hrr2059oe.dll;C:\WINDOWS\system32;Adware.Look2me;;
hrrs0597e.dll;C:\WINDOWS\system32;Adware.Look2me;;
igpeers.dll;C:\WINDOWS\system32;Adware.Ican;;
installer_MARKETING51.exe;C:\WINDOWS\system32;Trojan.MulDrop.1827;Deleted.;
irsmsdbn.dll;C:&#
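
As an added example (not part of the original thread, and not Dr.Web's code): the Dr.Web log posted above is semicolon-separated, one object per line, and the blank fourth field is the one to read. It means the scanner reported the object but left it on disk, which is why the helper later has to hand-remove so many files. The script below parses that layout, separates live files from the copies sitting inside System Restore points (they return if the user rolls back to that restore point), and lists what is still on disk. The record layout is inferred from the posted lines, the sample records are copied from the post, and the function and field names are my own.

```python
"""Triage a Dr.Web CureIt log of the kind posted above.

Added example for this thread; it is neither Dr.Web's code nor the
poster's.  The record layout (object;directory;verdict;action;) is
inferred from the posted lines, and the sample records are copied from
the post.  Function and field names are my own.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: ten records lifted verbatim from the posted log.
SAMPLE_LOG = r"""
A0176558.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP495;Adware.Surfside;;
A0176567.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP495;Trojan.MulDrop.2808;Deleted.;
A0176609.exe\data001;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP495\A0176609.exe;Trojan.DownLoader.4717;;
A0176609.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP495;Archive contains infected objects;Moved.;
A0178067.exe;C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP496;Trojan.MulDrop.2543;Incurable.Moved.;
cfgmgr52.dll;C:\WINDOWS;Adware.BookedSpace;;
gege15x.exe;C:\WINDOWS;Modification of BackDoor.Generic.987;Moved.;
jdxcdll.exe;C:\WINDOWS;BackDoor.Generic.1050;Deleted.;
csrss_log.dat;C:\WINDOWS\system32;Trojan.DownLoader.4135;Deleted.;
dddmoprp.dll;C:\WINDOWS\system32;Adware.Look2me;;
"""


@dataclass(frozen=True)
class Record:
    obj: str        # file name, or "archive\member" for an object inside an archive
    directory: str  # directory the scanner found it in
    verdict: str    # Dr.Web detection name
    action: str     # "Deleted.", "Moved.", "Incurable.Moved." or "" (left in place)

    @property
    def in_restore_point(self) -> bool:
        # System Restore snapshots keep their own copy of every infected file;
        # a rollback to that restore point brings the file back.
        return "\\System Volume Information\\_restore" in self.directory

    @property
    def restore_point(self) -> str | None:
        m = re.search(r"\\(RP\d+)(?:\\|$)", self.directory)
        return m.group(1) if m else None

    @property
    def is_archive_member(self) -> bool:
        # "A0176609.exe\data001": the action is logged on the container line,
        # so an empty action here does not mean the object was left behind.
        return "\\" in self.obj

    @property
    def family(self) -> str:
        # "Trojan.DownLoader.9440" -> "Trojan.DownLoader"; the numeric variant is dropped
        name = self.verdict.replace("Modification of ", "", 1)
        return ".".join(name.split(".")[:2])

    @property
    def path(self) -> str:
        return self.directory.rstrip("\\") + "\\" + self.obj


def parse_log(text: str) -> list[Record]:
    records: list[Record] = []
    for line in text.splitlines():
        fields = line.strip().split(";")
        if len(fields) < 4 or not fields[0]:
            continue  # blank, header or truncated line
        records.append(Record(*fields[:4]))
    return records


def summarize(records: list[Record]) -> dict:
    live = [r for r in records if not r.in_restore_point]
    left = [r for r in live if r.action == "" and not r.is_archive_member]
    return {
        "total": len(records),
        "restore_point_copies": sum(r.in_restore_point for r in records),
        "restore_points": sorted({r.restore_point for r in records if r.restore_point}),
        "live_left_in_place": [r.path for r in left],
        "families": Counter(r.family for r in records),
    }


if __name__ == "__main__":
    s = summarize(parse_log(SAMPLE_LOG))
    print(f"{s['total']} records; {s['restore_point_copies']} are restore-point copies in {s['restore_points']}")
    print("reported but left on disk (needs manual removal):")
    for p in s["live_left_in_place"]:
        print("   ", p)
    for fam, n in s["families"].most_common():
        print(f"{n:3d}  {fam}")
```

Run it on the full pasted log and the restore-point count is the reason helpers of that era had users purge System Restore once the machine was clean: every RP### copy is a reinfection waiting for a rollback. The archive-member check matters too, since a member line always has an empty action even when its container was moved to quarantine.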

#5 Capthxc
  • Topic Starter
  • Members
  • 31 posts

Posted 07 June 2006 - 08:21 PM

Active Scan

Incident Status Location

Adware:Adware/PurityScan Not disinfected C:\WINDOWS\system32\javaw.dll
Adware:Adware/PurityScan Not disinfected C:\DOCUME~1\Owner\LOCALS~1\Temp\!update.exe
Adware:adware/adrotator Not disinfected c:\windows\system32\adrotate.dll
Spyware:spyware/safesurf Not disinfected c:\windows\system32\lanbrup.exe
Spyware:spyware/marketscore Not disinfected c:\windows\system32\rk.bin
Adware:adware/mirar Not disinfected c:\windows\system32\WinNB57.dll
Adware:adware/afaenhance Not disinfected c:\windows\system\QBUninstaller.exe
Adware:adware/weirdontheweb Not disinfected C:\Documents and Settings\Owner\Favorites\WeirdOnTheWeb.url
Adware:adware/bookedspace Not disinfected c:\windows\cfgmgr52.dll
Adware:adware/secure32 Not disinfected c:\windows\country.exe
Adware:adware/adurl Not disinfected c:\windows\icont.exe
Spyware:spyware/new.net Not disinfected c:\windows\NDNuninstall7_22.exe
Adware:adware/webdir Not disinfected c:\windows\pxwma.dll
Adware:adware/cws.searchmeup Not disinfected c:\windows\toolbar.exe
Adware:adware/webhancer Not disinfected c:\windows\webhdll.dll_tobedeleted
Spyware:spyware/apropos Not disinfected c:\program files\Aprps
Potentially unwanted tool:application/myway Not disinfected c:\program files\MyWay
Adware:adware/delfinmedia Not disinfected c:\documents and settings\all users\application data\vidctrl
Adware:adware/novo Not disinfected Windows Registry
Adware:adware/dealhelper Not disinfected Windows Registry
Adware:adware/look2me Not disinfected Windows Registry
Adware:adware/commad Not disinfected Windows Registry
Adware:adware/fchelp Not disinfected Windows Registry
Spyware:spyware/surfsidekick Not disinfected Windows Registry
Spyware:spyware/media-motor Not disinfected Windows Registry
Adware:adware/deskwizz Not disinfected Windows Registry




BFU v1.00.9
Windows XP SP2 (WinNT 5.01.2600 SP2)
Script started at 3:24:50 AM, on 6/7/2006

Failed: DllUnregister C:\WINDOWS\DH.dll|1 (file not found)
Failed: ServiceStop Network Monitor (service not found)
Failed: ServiceStop cmdService (service not found)
Failed: ServiceDisable Network Monitor (service not found)
Failed: ServiceDisable cmdService (service not found)
Failed: ServiceDelete Network Monitor (service not found)
Failed: ServiceDelete cmdService (service not found)
Failed: RegDelValue HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System|DisableRegistryTools (key not found)
Failed: RegDelValue HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System|DisableTaskMgr (key not found)
Failed: RegDelValue HKCU\System\CurrentControlSet\Control\Lsa|p2pnetwork (key not found)
Failed: RegDelValue HKCU\SOFTWARE\Microsoft\OLE|p2pnetwork (key not found)
Failed: RegDelValue HKCU\SOFTWARE\Microsoft\OLE|winlog (key not found)
Failed: RegDelValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Associations|LowRiskFileTypes (key not found)
Failed: RegDelValue HKCU\Microsoft\Windows\CurrentVersion\policies\Explorer\Run|WinUpdate.exe (key not found)
Failed: RegDelValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|CU1 (key not found)
Failed: RegDelValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|CU2 (key not found)
Failed: RegDelValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|services32 (key not found)
Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|p2pnetwork (key not found)
Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|ms-update (key not found)
Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|p2pnetworking (key not found)
Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|virtual-ie (key not found)
Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|MS DATABASE (key not found)
Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|xp (key not found)
Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|winlog (key not found)
Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|wmplayer (key not found)
Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|tetriz3 (key not found)
Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|CQ4d6 (key not found)
Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|SystemTools (key not found)
Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|eventwvr (key not found)
Option pause between commands: 300 ms
Option pause between commands: 50 ms
Failed: FolderDelete C:\Program Files\MsConfigs (folder not found)
Failed: FolderDelete C:\Program Files\winupdates (folder not found)
Failed: FolderDelete C:\Program Files\winupdate (folder not found)
Failed: FolderDelete C:\Program Files\winsupdater (folder not found)
Failed: FolderDelete C:\Program Files\MsUpdate (folder not found)
Failed: FolderDelete C:\Program Files\MsMovies (folder not found)
Failed: FolderDelete C:\Program Files\wmplayer (folder not found)
Failed: FolderDelete C:\Program Files\outlook (folder not found)
Failed: FileDelete C:\Program Files\Common Files\Windows\mc-*-*.exe (operation failed)
Failed: FileDelete C:\Program Files\Common Files\Download\mc-*-*.exe (operation failed)
Failed: FolderDelete C:\DOCUME~1\Owner\LOCALS~1\Temp\hsperfdata_Owner (operation failed)
Failed: FileDelete C:\DOCUME~1\Owner\LOCALS~1\Temp\Perflib_Perfdata_46c.dat (operation failed)
Failed: FileDelete C:\DOCUME~1\Owner\LOCALS~1\Temp\Perflib_Perfdata_4b4.dat (operation failed)
Failed: FileDelete C:\DOCUME~1\Owner\LOCALS~1\Temp\Perflib_Perfdata_87c.dat (operation failed)
Failed: FileDelete C:\DOCUME~1\Owner\LOCALS~1\Temp\Perflib_Perfdata_abc.dat (operation failed)
Failed: FileDelete C:\DOCUME~1\Owner\LOCALS~1\Temp\~DF29B0.tmp (operation failed)
Failed: FileDelete C:\DOCUME~1\Owner\LOCALS~1\Temp\~DF40D7.tmp (operation failed)
Failed: FileDelete C:\DOCUME~1\Owner\LOCALS~1\Temp\~DF479E.tmp (operation failed)
Failed: FileDelete C:\DOCUME~1\Owner\LOCALS~1\Temp\~DF5BB0.tmp (operation failed)
Failed: FileDelete C:\DOCUME~1\Owner\LOCALS~1\Temp\~DFB27E.tmp (operation failed)
Failed: FileDelete C:\DOCUME~1\Owner\LOCALS~1\Temp\~DFDB80.tmp (operation failed)
Failed: FolderDelete C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\07RJUOHP (operation failed)
Failed: FolderDelete C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0TUVSX63 (operation failed)
Failed: FolderDelete C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\2HC12XYZ (operation failed)
Failed: FolderDelete C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\6LC7Q5E5 (operation failed)
Failed: FolderDelete C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\894PGX03 (operation failed)
Failed: FolderDelete C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\8TA30XYJ (operation failed)
Failed: FolderDelete C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\8X856BOP (operation failed)
Failed: FolderDelete C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\C1QZGXIJ (operation failed)
Failed: FolderDelete C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\GLEZ85MR (operation failed)
Failed: FolderDelete C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\JMCJNT0L (operation failed)
Failed: FolderDelete C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\UN2LMR0Z (operation failed)
Failed: FolderDelete C:\Program Files\Maxifiles (folder not found)
Failed: FolderDelete C:\Program Files\DNS (folder not found)
Failed: FolderDelete C:\Program Files\FCAdvice (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\FreeProd1 (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\FreeProd2 (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\InetGet (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\InetGet2 (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\svchostsys (folder not found)
Failed: FolderDelete C:\Program Files\InetGet2 (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\VCClient (folder not found)
Failed: FolderDelete C:\Program Files\Network Monitor (folder not found)
Failed: FolderDelete C:\WINDOWS\inet20001 (folder not found)
Failed: FolderDelete C:\Program Files\Update06 (folder not found)
Failed: FolderDelete C:\Program Files\Update03 (folder not found)
Failed: FolderDelete C:\Program Files\Update04 (folder not found)
Failed: FolderDelete C:\Program Files\Update08 (folder not found)
Failed: FolderDelete C:\Program Files\W-Update (folder not found)
Failed: FolderDelete C:\Program Files\Yazzle Sudoku (folder not found)
Failed: FolderDelete C:\Program Files\Cas (folder not found)
Failed: FolderDelete C:\Program Files\CasStub (folder not found)
Failed: FolderDelete C:\Program Files\Cas2Stub (folder not found)
Failed: FolderDelete C:\Program Files\ipwins (folder not found)
Failed: FolderDelete C:\WINDOWS\mdrive (folder not found)
Failed: FileMove C:\WINDOWS\win*-*.exe|C:\bintheredunthat (source file not found)
Script completed.

Edited by Capthxc, 07 June 2006 - 08:23 PM.


#6 sUBs
  • Malware Response Team
  • 2,489 posts

Posted 07 June 2006 - 09:45 PM

Machine looks to be in a much better shape than earlier. :thumbsup:

I have some questions for you...

( 1 ) Did you do the uninstalls for 'PurityScan \ SnowBallwars by OIN (or any programs by OIN)' ? I'm still seeing entries from that infection. If you were unable to locate those add/remove entries, please download and use this uninstaller: http://www.outerinfo.com/OiUninstaller.exe

Was unable to run combofix; it gave me an error message about MS-DOS and froze my PC.

( 2 ) Please expand a bit on the above statement. Can you recall the exact error message? Did it give you a blue window where you have to type 'Yes/No' to proceed? Your input on this would be much appreciated. It will help me make changes to combofix so that other users do not encounter the same issues.

It's unfortunate that you were unable to run combofix. It would have removed many of the registry entries that DrWeb didn't fix. Automated scanners tend to brutally rip out files, leaving orphaned entries in the Registry. We'll have to use some other tools to fix those reg entries.

Please read this post completely before beginning the fix.


* * * * * *


Please do the following:

Close any programs you have open since this step requires a reboot.

Download & immediately run - L2MFix.exe
Click "Install" to extract the contents to a newly created folder.
From within that folder, locate & double click - l2mfix.bat
You should get a window that looks like this...

╔══════════════════════════════════╗
L2MFix Tool By Shadowwar
╠══════════════════════════════════╣
1. Run Find Log
2. Run Fix
3. View Readme
4. Remove L2MFIX Account
5. Fix Autoexec.nt/cmd.exe error
E. Exit
╚══════════════════════════════════╝
(1,2,3,4,5,E) _ 2
<---- type 2 here & press Enter once


Select the option - 2. Run Fix .... (by typing 2 and then pressing 'Enter' once)
Do not press any keyboard keys until the tool requests you to Press any key to reboot
The machine will reboot & produce a logfile - log.txt - located in the l2mfix folder.

Copy/paste the contents of that log back into this thread, along with a new hijackthis log.

If you receive an error - \system32\Autoexec.nt is not suitable for running MS-DOS applications, you will need to visit this website to download additional files.


* * * * * *


Right click on this link & choose "Save As...": DelO15Domains.inf
Right click on DelO15Domains.inf and choose Install. It will run immediately (you won't be able to see anything happen). You may delete the file afterwards.

SpywareBlaster 3.5.1 - Install & update SpywareBlaster with the latest definitions.
After you have updated, click the button - enable protection for all unprotected items

IE-SpyAD - Extract the contents to a new folder
From within the folder, double-click install.bat
Select Option #2 - Install the new IE-SPYAD list.
Then return to the main menu.
Select option #4 - Add the old porn sites domain

Download the following reg file to your desktop. When it is finished downloading double-click on it and say Yes when it asks if you would like to merge the data - Fixssk.reg


* * * * * *


Download & launch KillBox v2.0.0.175.exe (it's important that you get version v2.0.0.175)

Select the following option - delete on Reboot
Use your mouse to select all the filenames listed below & then right-click & select Copy
  • C:\DOCUME~1\Owner\LOCALS~1\Temp\!update.exe
    c:\windows\system32\adrotate.dll
    c:\windows\system32\lanbrup.exe
    c:\windows\system32\rk.bin
    c:\windows\system32\WinNB57.dll
    c:\windows\system\QBUninstaller.exe
    C:\WINDOWS\system32\javaw.dll
    C:\Documents and Settings\Owner\Favorites\WeirdOnTheWeb.url
    c:\windows\cfgmgr52.dll
    c:\windows\country.exe
    c:\windows\icont.exe
    c:\windows\NDNuninstall7_22.exe
    c:\windows\pxwma.dll
    c:\windows\toolbar.exe
    c:\windows\webhdll.dll_tobedeleted
* Go to the File menu, and choose Paste from Clipboard
* Click the RED X button.
* Click Yes at the Delete on Reboot prompt.
* Click Yes at the 'Pending Operations prompt'.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, download and run missingfilesetup.exe. Then try Killbox again.


* * * * * * FIXING ENTRIES WITH HIJACKTHIS * * * * * * * * * *


After the reboot, do a HijackThis scan & place a check next to these items and select "Fix checked":

R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\uaexd.exe
F2 - REG:system.ini: UserInit=userinit.exe,gvkcoau.exe
O2 - BHO: RieMon Class - {70F6A776-579A-4C95-BA88-134253907752} - C:\WINDOWS\system32\irsmsdbn.dll (file missing)
O2 - BHO: Banner Rotator - {D117A61F-92C3-4450-A0C8-F425B14D4127} - C:\WINDOWS\system32\adrotate.dll
O4 - HKLM\..\Run: [eiqlds] C:\WINDOWS\system32\eqmteu.exe reg_run
O4 - HKLM\..\Run: [w1d7513a.dll] RUNDLL32.EXE w1d7513a.dll,I2 000df09201d7513a
O4 - HKLM\..\Run: [adstart] iexplore.exe http://iesettingsupdate
O4 - HKCU\..\Run: [afxmf] C:\WINDOWS\system32\eqmteu.exe reg_run
O4 - HKCU\..\Run: [Bxxwmep] C:\Program Files\Common Files\??curity\s?chost.exe
O4 - HKCU\..\Run: [Cpue] "C:\WINDOWS\system32\WNSXS~1\fast.exe" -vt yazr
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O20 - AppInit_DLLs: C:\WINDOWS\system32\javaw.dll
O20 - Winlogon Notify: Applets - C:\WINDOWS\system32\g4jole131h.dll (file missing)
O20 - Winlogon Notify: Control Panel - C:\WINDOWS\system32\uzp10.dll (file missing)



* * * * * * DELETING FILES/FOLDERS * * * * * * * * * * * * * * *


If you have not done so already, please enable the viewing of Hidden files
From Windows Explorer, go to Tools -> Folder Options -> View tab.
  • Tick - 'Show hidden files and folder'
  • Untick - 'Hide file extensions for known types'
  • Untick - 'Hide protected operating system files'
  • Click Yes to confirm & then click OK
Locate and delete the following files/folders: (make sure you get ALL of them)
  • c:\program files\Aprps
    c:\program files\MyWay
    c:\documents and settings\all users\application data\vidctrl
* * * * * * PURGING TEMP FOLDERS * * * * * * * * * * * * * * *


Run Cleanup! using the following configuration:

1. Click Options...
2. Set the slider initially to Standard CleanUp!
3. Uncheck the following:
  • Delete Newsgroup cache
  • Delete Newsgroup Subscriptions
  • Delete Cookies
4. Click OK
5. Press the CleanUp! button to start the program.


* * * * * *

TrendMicro HouseCall Java Scan
  • Please go HERE to run the scan.
  • Click Scan now. It's free!
  • Read and put a Check next to Yes, I accept the terms of use.
  • Click the Launching HouseCall>> button.
  • If confirmed that HouseCall can run on your system, under Using Java-based HouseCall kernel click the Starting HouseCall>> button.
  • You may receive a Security Warning about the TrendMicro Java applet, click YES.
  • Under Scan complete computer for malware, grayware, and vulnerabilities click the Next>> button.
  • Please be patient while it installs, updates, and scans your system.
  • Once the scan is complete, it will take you to the summary page.
  • Under Cleanup options, choose clean all detected infections automatically.
  • Click the Clean now>> button.
  • If anything was found you may be prompted to run the scan again, you can just close the browser window.


* * * * * * CHECK LIST * * * * * * * * * * * * * * * * * * * * *


In your next post, please include fresh logs from:
  • HiJackThis
  • L2Mfix
Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now.


Ps.. Have you updated Java yet?

#7 Capthxc

Capthxc
  • Topic Starter

  • Members
  • 31 posts

Posted 07 June 2006 - 11:02 PM

Well I just ran combofix again, and it went all the way through this time. When it rebooted my computer made me restore my active desktop, and it automatically started up my drive cleaner. I don't remember the specifics of the message given when I had the error, but it asked me if I wanted to ignore the problem. I apologize for not remembering anything specific as the message didn't come up again.


On a different note, I have my combofix log for you now.

Start Time= Wed 06/07/2006 23:50:18.95

(((((((((((((((((((((((((((((((((((((((((((((((( Look2Me's Log )))))))))))))))))))))))))))))))))))))))))))))))))))))


HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AtiExtEvent
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\crypt32chain
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cryptnet
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cscdll
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ScCertProp
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Schedule
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sclgntfy
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\SensLogn
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\termsrv
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WgaLogon
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WgaLogon\Settings
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wlballoon
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wzcnotif


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"sv1"=""

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{00E7B358-F65B-4dcf-83DF-CD026B94BFD4}"="Autoplay for SlideShow"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{E88DCCE0-B7B3-11d1-A9F0-00AA0060FA31}"="Compressed (zipped) Folder"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{A70C977A-BF00-412C-90B7-034C51DA2439}"="NvCpl DesktopContext Class"
"{1CDB2949-8F65-4355-8456-263E7C208A5D}"="Desktop Explorer"
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}"="Desktop Explorer Menu"
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}"="nView Desktop Context Menu"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}"="Play on my TV helper"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{516EC4D3-4AD9-11D5-AA6A-00E0189008B3}"="The Core Media Player Shell Extension"
"{21569614-B795-46b1-85F4-E737A8DC09AD}"="Shell Search Band"
"{5E2121EE-0300-11D4-8D3B-444553540000}"="Catalyst Context Menu extension"

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


REGISTRY ENTRIES REMOVED:

[HKEY_CLASSES_ROOT\CLSID\{55F5A1A5-43BE-42F5-8F9C-4647B0EAECD9}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{55F5A1A5-43BE-42F5-8F9C-4647B0EAECD9}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{55F5A1A5-43BE-42F5-8F9C-4647B0EAECD9}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{55F5A1A5-43BE-42F5-8F9C-4647B0EAECD9}\InprocServer32]
@="C:\\WINDOWS\\system32\\SBtrmIT.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{DB90E3DC-D8FA-4CD5-BD69-B7C8CB197F1B}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{DB90E3DC-D8FA-4CD5-BD69-B7C8CB197F1B}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{DB90E3DC-D8FA-4CD5-BD69-B7C8CB197F1B}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{DB90E3DC-D8FA-4CD5-BD69-B7C8CB197F1B}\InprocServer32]
@="C:\\WINDOWS\\system32\\pvrfnet.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{6CDA3EFF-2DAA-45B8-9EA1-046C289F5BFA}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6CDA3EFF-2DAA-45B8-9EA1-046C289F5BFA}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6CDA3EFF-2DAA-45B8-9EA1-046C289F5BFA}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6CDA3EFF-2DAA-45B8-9EA1-046C289F5BFA}\InprocServer32]
@="C:\\WINDOWS\\system32\\igpeers.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{BC629CA3-DF5C-4E99-8E10-1810572D52CF}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{BC629CA3-DF5C-4E99-8E10-1810572D52CF}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{BC629CA3-DF5C-4E99-8E10-1810572D52CF}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{BC629CA3-DF5C-4E99-8E10-1810572D52CF}\InprocServer32]
@="C:\\WINDOWS\\system32\\smi_ci.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{7AA03A1A-48C7-4D58-B2F0-798A3221012B}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{7AA03A1A-48C7-4D58-B2F0-798A3221012B}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{7AA03A1A-48C7-4D58-B2F0-798A3221012B}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{7AA03A1A-48C7-4D58-B2F0-798A3221012B}\InprocServer32]
@="C:\\WINDOWS\\system32\\ucrsdpia.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{6F274DFE-E3B8-4460-9EBC-7068907809B4}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6F274DFE-E3B8-4460-9EBC-7068907809B4}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6F274DFE-E3B8-4460-9EBC-7068907809B4}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6F274DFE-E3B8-4460-9EBC-7068907809B4}\InprocServer32]
@="C:\\WINDOWS\\system32\\ctnsole.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{1FB57360-9E96-43BB-A1F2-C025A6ECA584}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{1FB57360-9E96-43BB-A1F2-C025A6ECA584}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{1FB57360-9E96-43BB-A1F2-C025A6ECA584}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{1FB57360-9E96-43BB-A1F2-C025A6ECA584}\InprocServer32]
@="C:\\WINDOWS\\system32\\szorder.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{057825E5-BB22-41B9-8605-516AB2EC5CE8}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{057825E5-BB22-41B9-8605-516AB2EC5CE8}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{057825E5-BB22-41B9-8605-516AB2EC5CE8}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{057825E5-BB22-41B9-8605-516AB2EC5CE8}\InprocServer32]
@="C:\\WINDOWS\\system32\\fzsrch.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{4E1B7D64-D6D7-42B1-8F1E-06EC7207AD3A}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{4E1B7D64-D6D7-42B1-8F1E-06EC7207AD3A}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{4E1B7D64-D6D7-42B1-8F1E-06EC7207AD3A}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{4E1B7D64-D6D7-42B1-8F1E-06EC7207AD3A}\InprocServer32]
@="C:\\WINDOWS\\system32\\wwssvc.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{1AD25A04-7006-4BEC-A43F-B17CEC18E6B8}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{1AD25A04-7006-4BEC-A43F-B17CEC18E6B8}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{1AD25A04-7006-4BEC-A43F-B17CEC18E6B8}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{1AD25A04-7006-4BEC-A43F-B17CEC18E6B8}\InprocServer32]
@="C:\\WINDOWS\\system32\\kmdsg.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{4DA812AC-608F-44B3-A3FE-E1B442DEE5CB}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{4DA812AC-608F-44B3-A3FE-E1B442DEE5CB}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{4DA812AC-608F-44B3-A3FE-E1B442DEE5CB}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{4DA812AC-608F-44B3-A3FE-E1B442DEE5CB}\InprocServer32]
@="C:\\WINDOWS\\system32\\wevcore.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{5DBE3139-64E9-4A79-8546-5CC94874FD75}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{5DBE3139-64E9-4A79-8546-5CC94874FD75}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{5DBE3139-64E9-4A79-8546-5CC94874FD75}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{5DBE3139-64E9-4A79-8546-5CC94874FD75}\InprocServer32]
@="C:\\WINDOWS\\system32\\lncdll.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{198CD748-7257-49E8-AA30-475A2C4D91C2}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{198CD748-7257-49E8-AA30-475A2C4D91C2}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{198CD748-7257-49E8-AA30-475A2C4D91C2}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{198CD748-7257-49E8-AA30-475A2C4D91C2}\InprocServer32]
@="C:\\WINDOWS\\system32\\kudhe.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{370206E7-A408-446B-A801-55AF125A1DFF}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{370206E7-A408-446B-A801-55AF125A1DFF}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{370206E7-A408-446B-A801-55AF125A1DFF}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{370206E7-A408-446B-A801-55AF125A1DFF}\InprocServer32]
@="C:\\WINDOWS\\system32\\meltus40.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{F706CE7B-3CAD-4F20-8493-0F8F0C4E5339}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{F706CE7B-3CAD-4F20-8493-0F8F0C4E5339}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{F706CE7B-3CAD-4F20-8493-0F8F0C4E5339}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{F706CE7B-3CAD-4F20-8493-0F8F0C4E5339}\InprocServer32]
@="C:\\WINDOWS\\system32\\SJCplTR.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{CAFEF7BA-5548-41A0-B390-FD59869B972A}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{CAFEF7BA-5548-41A0-B390-FD59869B972A}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{CAFEF7BA-5548-41A0-B390-FD59869B972A}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{CAFEF7BA-5548-41A0-B390-FD59869B972A}\InprocServer32]
@="C:\\WINDOWS\\system32\\bDsesrv.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{42E8014F-F8CF-495F-8812-31AA97EA5DDC}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{42E8014F-F8CF-495F-8812-31AA97EA5DDC}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{42E8014F-F8CF-495F-8812-31AA97EA5DDC}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{42E8014F-F8CF-495F-8812-31AA97EA5DDC}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{BFCBD3DA-8E15-4939-A24F-CC49FE3611AF}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{BFCBD3DA-8E15-4939-A24F-CC49FE3611AF}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{BFCBD3DA-8E15-4939-A24F-CC49FE3611AF}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{BFCBD3DA-8E15-4939-A24F-CC49FE3611AF}\InprocServer32]
@="C:\\WINDOWS\\system32\\mvxml4r.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{C999DB4E-7515-42F1-B4B3-CF75173054DF}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C999DB4E-7515-42F1-B4B3-CF75173054DF}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C999DB4E-7515-42F1-B4B3-CF75173054DF}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C999DB4E-7515-42F1-B4B3-CF75173054DF}\InprocServer32]
@="C:\\WINDOWS\\system32\\uzp10.dll"
"ThreadingModel"="Apartment"

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


FILES REMOVED:

C:\WINDOWS\SYSTEM32\DDDMOPRP.DLL
C:\WINDOWS\SYSTEM32\DKNPUT8.DLL
C:\WINDOWS\SYSTEM32\DLSER.DLL
C:\WINDOWS\SYSTEM32\ENPOL1~1.DLL
C:\WINDOWS\SYSTEM32\FPJQ03~1.DLL
C:\WINDOWS\SYSTEM32\G2JOLC~1.DLL
C:\WINDOWS\SYSTEM32\GPNUL3~1.DLL
C:\WINDOWS\SYSTEM32\HR0205~1.DLL
C:\WINDOWS\SYSTEM32\HRR205~1.DLL
C:\WINDOWS\SYSTEM32\HRRS05~1.DLL
C:\WINDOWS\SYSTEM32\K080LA~1.DLL
C:\WINDOWS\SYSTEM32\K4PM0E~1.DLL
C:\WINDOWS\SYSTEM32\KTJ0L7~1.DLL
C:\WINDOWS\SYSTEM32\L4J80E~1.DLL
C:\WINDOWS\SYSTEM32\L4R00E~1.DLL
C:\WINDOWS\SYSTEM32\LV6609~1.DLL
C:\WINDOWS\SYSTEM32\MIRD3X40.DLL
C:\WINDOWS\SYSTEM32\MMIMSG.DLL
C:\WINDOWS\SYSTEM32\MUIEFTP.DLL
C:\WINDOWS\SYSTEM32\MVR2L9~1.DLL
C:\WINDOWS\SYSTEM32\O048LA~1.DLL
C:\WINDOWS\SYSTEM32\O6LU0G~1.DLL
C:\WINDOWS\SYSTEM32\ONG.DLL
C:\WINDOWS\SYSTEM32\OVEACCRC.DLL


Granting SeDebugPrivilege to Administrators ... successful
23:51:09.81


(((((((((((((((((((((((((((((((((((((((((((((((( Qoologic's Log ))))))))))))))))))))))))))))))))))))))))))))))))))))))

23:51:10.25

Not all files found by this method are bad. There may be legitimate files found
This log should be examined by a trained analyst


* * * PRE-RUN - Filepaths extracted from the Registry * * * * * * * * * * * * * * * * * * * * * *




* * * PRE-RUN - Filepaths from Locate * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


2006-04-18 18:30:14 536,576 "C:\WINDOWS\system32\DivXsm.exe"
2006-05-24 18:14:12 48,187 "C:\WINDOWS\system32\VSL03.exe"
2006-05-24 18:14:04 48,167 "C:\WINDOWS\system32\VSL05.exe"
2006-04-18 18:30:28 90,112 "C:\WINDOWS\system32\dpl100.dll"
2006-04-18 18:30:28 344,064 "C:\WINDOWS\system32\dpus11.dll"
2006-04-18 18:30:28 200,704 "C:\WINDOWS\system32\dtu100.dll"
2006-03-23 16:32:42 3,053,568 "C:\WINDOWS\system32\mshtml.dll"
2006-04-18 18:34:56 339,968 "C:\WINDOWS\system32\pxwave.dll"
2006-03-18 07:09:38 613,376 "C:\WINDOWS\system32\urlmon.dll"
2006-05-25 00:41:34 1,150,976 "C:\WINDOWS\system32\rlvknlg.exe"
2006-06-02 13:39:46 286,000 "C:\WINDOWS\system32\WgaTray.exe"
2006-05-15 02:24:14 51,712 "C:\WINDOWS\system32\kxmtudg.dll"
2006-04-18 18:31:14 1,044,480 "C:\WINDOWS\system32\libdivx.dll"
2006-03-30 05:16:04 1,492,480 "C:\WINDOWS\system32\shdocvw.dll"
2006-03-17 00:03:54 8,452,096 "C:\WINDOWS\system32\shell32.dll"
2006-04-18 18:31:14 200,704 "C:\WINDOWS\system32\ssldivx.dll"
2006-04-18 18:30:24 245,408 "C:\WINDOWS\system32\unicows.dll"
2006-05-17 16:29:34 303,104 "C:\WINDOWS\system32\WinNB57.dll"
2006-04-18 18:30:28 294,912 "C:\WINDOWS\system32\dpu10.dll"
2006-04-18 18:30:28 294,912 "C:\WINDOWS\system32\dpu11.dll"
2006-04-18 18:30:28 57,344 "C:\WINDOWS\system32\dpv11.dll"
2006-06-07 17:04:22 81,920 "C:\WINDOWS\system32\javaw.dll"
2006-04-18 18:34:58 421,888 "C:\WINDOWS\system32\pxdrv.dll"
2006-04-18 18:34:58 172,032 "C:\WINDOWS\system32\pxmas.dll"
2006-06-01 22:18:32 14,048 "C:\WINDOWS\system32\spmsg.dll"
2006-06-07 01:52:32 276 "C:\WINDOWS\dltbu.dll"
2006-05-15 02:28:26 121 "C:\WINDOWS\ttecn.dll"
2006-05-01 17:56:10 3,998 "C:\WINDOWS\mozver.dat"
2006-05-24 18:14:28 53 "C:\WINDOWS\npbwoo.dat"
2006-06-02 15:41:22 25 "C:\WINDOWS\tmpban.dat"


* * * POST-RUN - Files in the Quarantine folder * * * * * * * * * * * * * * * * * * * * * * * * *


05/15/2006 02:24 AM 51,712 kxmtudg.dll.vir
05/15/2006 02:28 AM 121 ttecn.dll.vir
05/24/2006 06:14 PM 53 npbwoo.dat.vir


DO NOT DELETE ANY FILES FROM THIS DIRECTORY UNLESS INSTRUCTED TO


* * * POST-RUN - Filepaths from Locate * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


2006-05-25 00:41:34 1,150,976 "C:\WINDOWS\system32\rlvknlg.exe"
2006-06-02 13:39:46 286,000 "C:\WINDOWS\system32\WgaTray.exe"
2006-04-18 18:30:14 536,576 "C:\WINDOWS\system32\DivXsm.exe"
2006-05-24 18:14:12 48,187 "C:\WINDOWS\system32\VSL03.exe"
2006-05-24 18:14:04 48,167 "C:\WINDOWS\system32\VSL05.exe"
2006-04-18 18:31:14 1,044,480 "C:\WINDOWS\system32\libdivx.dll"
2006-03-30 05:16:04 1,492,480 "C:\WINDOWS\system32\shdocvw.dll"
2006-03-17 00:03:54 8,452,096 "C:\WINDOWS\system32\shell32.dll"
2006-04-18 18:31:14 200,704 "C:\WINDOWS\system32\ssldivx.dll"
2006-04-18 18:30:24 245,408 "C:\WINDOWS\system32\unicows.dll"
2006-05-17 16:29:34 303,104 "C:\WINDOWS\system32\WinNB57.dll"
2006-04-18 18:30:28 90,112 "C:\WINDOWS\system32\dpl100.dll"
2006-04-18 18:30:28 344,064 "C:\WINDOWS\system32\dpus11.dll"
2006-04-18 18:30:28 200,704 "C:\WINDOWS\system32\dtu100.dll"
2006-03-23 16:32:42 3,053,568 "C:\WINDOWS\system32\mshtml.dll"
2006-04-18 18:34:56 339,968 "C:\WINDOWS\system32\pxwave.dll"
2006-03-18 07:09:38 613,376 "C:\WINDOWS\system32\urlmon.dll"
2006-04-18 18:30:28 294,912 "C:\WINDOWS\system32\dpu10.dll"
2006-04-18 18:30:28 294,912 "C:\WINDOWS\system32\dpu11.dll"
2006-04-18 18:30:28 57,344 "C:\WINDOWS\system32\dpv11.dll"
2006-06-07 17:04:22 81,920 "C:\WINDOWS\system32\javaw.dll"
2006-04-18 18:34:58 421,888 "C:\WINDOWS\system32\pxdrv.dll"
2006-04-18 18:34:58 172,032 "C:\WINDOWS\system32\pxmas.dll"
2006-06-01 22:18:32 14,048 "C:\WINDOWS\system32\spmsg.dll"
2006-06-07 01:52:32 276 "C:\WINDOWS\dltbu.dll"
2006-05-01 17:56:10 3,998 "C:\WINDOWS\mozver.dat"
2006-06-02 15:41:22 25 "C:\WINDOWS\tmpban.dat"


((((((((((((((((((((((((((((((((((((((((((((((((((( Ssk's Log ))))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\Documents and Settings\Owner\Application Data\Sskdmns.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



23:55:01.95
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-06-07 18:20:18 ( .D... ) "C:\Documents and Settings\Owner\Application Data\McAfee.com Personal Firewall"
2006-06-07 18:19:36 ( .D... ) "C:\Program Files\McAfee.com"
2006-06-07 17:04:24 2 ( A.... ) "C:\WINDOWS\system32\wintsvcc.exe"
2006-06-07 17:04:22 81920 ( A.... ) "C:\WINDOWS\system32\javaw.dll"
2006-06-07 15:23:56 ( .D... ) "C:\Program Files\CleanUp!"
2006-06-07 14:32:24 32540 ( A.... ) "C:\WINDOWS\system32\adrot-uninst.exe"
2006-06-07 01:52:32 276 ( A.... ) "C:\WINDOWS\dltbu.dll"
2006-06-06 11:03:38 60416 ( A.... ) "C:\WINDOWS\system32\adrotate.dll"
2006-06-05 14:20:18 ( .D... ) "C:\Program Files\?racle"
2006-06-02 13:39:54 579888 ( A.... ) "C:\WINDOWS\system32\LegitCheckControl.dll"
2006-06-02 13:39:46 402736 ( A.... ) "C:\WINDOWS\system32\WgaLogon.dll"
2006-06-02 13:39:46 286000 ( ..... ) "C:\WINDOWS\system32\WgaTray.exe"
2006-06-01 22:18:32 14048 ( ..... ) "C:\WINDOWS\system32\spmsg.dll"
2006-05-25 00:46:40 245760 ( A.... ) "C:\WINDOWS\system32\cemetrix.dll"
2006-05-25 00:41:34 1150976 ( A.... ) "C:\WINDOWS\system32\rlvknlg.exe"
2006-05-25 00:41:32 303104 ( A.... ) "C:\WINDOWS\system32\rlls.dll"
2006-05-24 18:14:16 186396 ( A.... ) "C:\WINDOWS\srvgluxqch.exe"
2006-05-24 18:14:12 48187 ( A.... ) "C:\WINDOWS\system32\VSL03.exe"
2006-05-24 18:14:04 48167 ( A.... ) "C:\WINDOWS\system32\VSL05.exe"
2006-05-19 00:21:08 ( .D... ) "C:\Documents and Settings\Owner\Application Data\s?mbols"
2006-05-18 21:21:46 28408 ( A.... ) "C:\WINDOWS\icont.exe"
2006-05-17 16:32:28 183296 ( A.S.. ) "C:\WINDOWS\NDNuninstall7_22.exe"
2006-05-17 16:29:48 ( .D... ) "C:\Program Files\Common Files\??curity"
2006-05-17 16:29:34 303104 ( A.... ) "C:\WINDOWS\system32\WinNB57.dll"
2006-05-15 14:35:44 ( .D... ) "C:\Documents and Settings\Owner\Application Data\Opera"
2006-05-15 14:35:34 ( .D... ) "C:\Program Files\Opera"
2006-05-15 02:24:40 186396 ( A.... ) "C:\WINDOWS\pf78ba.exe"
2006-05-15 02:24:40 174666 ( A.... ) "C:\WINDOWS\pf78bb.exe"
2006-05-15 02:23:18 20480 ( A.... ) "C:\stub_venthh.exe"
2006-05-15 02:23:10 0 ( A.... ) "C:\WINDOWS\toolbar.exe"
2006-05-15 02:23:10 ( .D... ) "C:\Program Files\Common Files\wqfk"
2006-05-15 02:22:46 232749 ( A.... ) "C:\WINDOWS\pf78.exe"
2006-05-15 02:22:36 ( .D... ) "C:\Program Files\dobe"
2006-05-15 02:22:32 0 ( A.... ) "C:\WINDOWS\country.exe"
2006-05-15 02:22:24 114171 ( A.... ) "C:\WINDOWS\chadch.exe"
2006-05-15 02:22:22 42944 ( A.... ) "C:\WINDOWS\pop06ap2.exe"
2006-05-15 02:22:02 0 ( A.... ) "C:\WINDOWS\kl1.exe"
2006-05-15 02:21:40 48191 ( A.... ) "C:\WINDOWS\WPRE.exe"
2006-05-15 02:21:40 38037 ( A.... ) "C:\WINDOWS\system32\Win3.exe"
2006-05-15 02:21:32 33343 ( A.... ) "C:\WINDOWS\DHU.exe"
2006-05-04 00:26:22 5818784 ( A.... ) "C:\WINDOWS\system32\MRT.exe"
2006-05-01 17:25:18 ( .D... ) "C:\Program Files\MSN Messenger"
2006-04-30 13:48:24 ( .D... ) "C:\Program Files\MyWay"
2006-04-24 13:39:26 ( .D... ) "C:\Program Files\Winamp"
2006-04-19 16:09:20 778240 ( A.... ) "C:\WINDOWS\system32\divx_xx0c.dll"
2006-04-19 16:09:20 778240 ( A.... ) "C:\WINDOWS\system32\divx_xx07.dll"
2006-04-19 16:09:20 761856 ( A.... ) "C:\WINDOWS\system32\divx_xx11.dll"
2006-04-19 16:09:20 619156 ( A.... ) "C:\WINDOWS\system32\DivX.dll"
2006-04-18 18:34:58 421888 ( ..... ) "C:\WINDOWS\system32\pxdrv.dll"
2006-04-18 18:34:58 372736 ( ..... ) "C:\WINDOWS\system32\px.dll"
2006-04-18 18:34:58 172032 ( ..... ) "C:\WINDOWS\system32\pxmas.dll"
2006-04-18 18:34:58 109568 ( ..... ) "C:\WINDOWS\system32\pxinsi64.exe"
2006-04-18 18:34:58 108544 ( ..... ) "C:\WINDOWS\system32\pxcpyi64.exe"
2006-04-18 18:34:58 61440 ( ..... ) "C:\WINDOWS\system32\pxhpinst.exe"
2006-04-18 18:34:58 56320 ( ..... ) "C:\WINDOWS\system32\pxinsa64.exe"
2006-04-18 18:34:56 339968 ( ..... ) "C:\WINDOWS\system32\pxwave.dll"
2006-04-18 18:31:14 1044480 ( A.... ) "C:\WINDOWS\system32\libdivx.dll"
2006-04-18 18:31:14 200704 ( A.... ) "C:\WINDOWS\system32\ssldivx.dll"
2006-04-18 18:30:58 3596288 ( A.... ) "C:\WINDOWS\system32\qt-dx331.dll"
2006-04-18 18:30:30 53248 ( A.... ) "C:\WINDOWS\system32\dpuGUI10.dll"
2006-04-18 18:30:28 593920 ( A.... ) "C:\WINDOWS\system32\dpuGUI11.dll"
2006-04-18 18:30:28 344064 ( A.... ) "C:\WINDOWS\system32\dpus11.dll"
2006-04-18 18:30:28 294912 ( A.... ) "C:\WINDOWS\system32\dpu11.dll"
2006-04-18 18:30:28 294912 ( A.... ) "C:\WINDOWS\system32\dpu10.dll"
2006-04-18 18:30:28 200704 ( A.... ) "C:\WINDOWS\system32\dtu100.dll"
2006-04-18 18:30:28 90112 ( A.... ) "C:\WINDOWS\system32\dpl100.dll"
2006-04-18 18:30:28 57344 ( A.... ) "C:\WINDOWS\system32\dpv11.dll"
2006-04-18 18:30:24 245408 ( A.... ) "C:\WINDOWS\system32\unicows.dll"
2006-04-18 18:30:14 536576 ( A.... ) "C:\WINDOWS\system32\DivXsm.exe"
2006-04-10 14:37:12 118784 ( A.... ) "C:\WINDOWS\system32\DivXCodecUpdateChecker.exe"
2006-04-06 10:54:38 73728 ( A.... ) "C:\WINDOWS\system32\asuninst.exe"
2006-03-30 05:16:04 1492480 ( A.... ) "C:\WINDOWS\system32\shdocvw.dll"
2006-03-29 21:00:14 16384 ( A.... ) "C:\WINDOWS\system32\xpsp3res.dll"
2006-03-23 16:32:42 3053568 ( A.... ) "C:\WINDOWS\system32\mshtml.dll"
2006-03-21 20:38:44 12288 ( A.... ) "C:\WINDOWS\system32\DivXWMPExtType.dll"
2006-03-18 07:09:38 613376 ( A.... ) "C:\WINDOWS\system32\urlmon.dll"
2006-03-17 05:07:18 679424 ( A.... ) "C:\WINDOWS\system32\inetcomm.dll"
2006-03-17 00:03:54 8452096 ( A.... ) "C:\WINDOWS\system32\shell32.dll"
2006-03-16 20:38:02 28672 ( ..... ) "C:\WINDOWS\system32\verclsid.exe"
2006-03-10 06:09:14 5533696 ( A.... ) "C:\WINDOWS\system32\wmp.dll"
2006-03-08 16:50:50 102400 ( A.... ) "C:\WINDOWS\CCZoop05.exe"
2006-03-08 16:50:50 57344 ( A.... ) "C:\WINDOWS\uni_ehhh.exe"


((((((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
RemoteControl REG_SZ "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
NeroFilterCheck REG_SZ C:\WINDOWS\system32\NeroCheck.exe
SunKistEM REG_SZ C:\Program Files\Digital Media Reader\shwiconem.exe
<NO NAME> REG_SZ
TkBellExe REG_SZ "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
QuickTime Task REG_SZ "C:\Program Files\QuickTime\qttask.exe" -atboottime
NvCplDaemon REG_SZ RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
nwiz REG_SZ nwiz.exe /install
NvMediaCenter REG_SZ RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
SoundMan REG_SZ SOUNDMAN.EXE
NVMixerTray REG_SZ "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
ATICCC REG_SZ "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
WinampAgent REG_SZ C:\Program Files\Winamp\winampa.exe
w1d7513a.dll REG_SZ RUNDLL32.EXE w1d7513a.dll,I2 000df09201d7513a
UserFaultCheck REG_EXPAND_SZ %systemroot%\system32\dumprep 0 -u
adstart REG_SZ iexplore.exe http://iesettingsupdate
McRegWiz REG_SZ C:\PROGRA~1\McAfee.com\Agent\mcregwiz.exe /autorun
MPFExe REG_SZ C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
MCAgentExe REG_SZ c:\PROGRA~1\mcafee.com\agent\mcagent.exe
MCUpdateExe REG_SZ c:\PROGRA~1\mcafee.com\agent\mcupdate.exe

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
MSMSGS REG_SZ "C:\Program Files\Messenger\msmsgs.exe" /background
AIM REG_SZ C:\Program Files\AIM\aim.exe -cnetwait.odl
MsnMsgr REG_SZ "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
Bxxwmep REG_SZ C:\Program Files\Common Files\??curity\s?chost.exe
Cpue REG_SZ "C:\WINDOWS\system32\WNSXS~1\fast.exe" -vt yazr

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
mcdsmo REG_SZ C:\WINDOWS\system32\mcdsmo.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]
flags REG_DWORD 8 (0x8)

Scheduled Tasks Folder Contents
C:\WINDOWS\Tasks\desktop.ini
C:\WINDOWS\Tasks\SA.DAT
C:\WINDOWS\Tasks\Symantec NetDetect.job

Completion time: Wed 06/07/2006 23:55:04.01
ComboFix ver 06.06.06 - This logfile is located at C:\ComboFix.txt

#8 Capthxc
  • Topic Starter
  • Members
  • 31 posts

Posted 07 June 2006 - 11:41 PM

Followed through with the other steps as well. System seems to be running as good as new. :thumbsup:

Here are the following log files as requested.

Logfile of HijackThis v1.99.1
Scan saved at 12:37:13 AM, on 6/8/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\BigFix\BigFix.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Opera\Opera.exe
C:\HijackThis\HijackThis.exe

R3 - Default URLSearchHook is missing
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe





L2M log


L2mfix 051206
Creating Account.
The command completed successfully.

Adding Administrative privleges.
The command completed successfully.
Checking for L2MFix account(0=no 1=yes):
1
Granting SeDebugPrivilege to L2MFIX ... successful

Running From:
C:\WINDOWS\system32

Killing Processes!
Killing 'smss.exe'
\SystemRoot\System32\smss.exe (520)
Killing 'winlogon.exe'
winlogon.exe (612)
Killing 'explorer.exe'
C:\WINDOWS\Explorer.EXE (1628)
Killing 'rundll32.exe'
Restoring Sedebugprivilege:
Granting SeDebugPrivilege to Administrators ... successful

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
Deleting: C:\WINDOWS\system32\djkquota.dll
Successfully Deleted: C:\WINDOWS\system32\djkquota.dll
Deleting: C:\WINDOWS\system32\djkquota.dll
Successfully Deleted: C:\WINDOWS\system32\djkquota.dll
Deleting: C:\WINDOWS\system32\dscdll.dll
Successfully Deleted: C:\WINDOWS\system32\dscdll.dll
Deleting: C:\WINDOWS\system32\dscdll.dll
Successfully Deleted: C:\WINDOWS\system32\dscdll.dll
Deleting: C:\WINDOWS\system32\h0n0la5m1d.dll
Successfully Deleted: C:\WINDOWS\system32\h0n0la5m1d.dll
Deleting: C:\WINDOWS\system32\h0n0la5m1d.dll
Successfully Deleted: C:\WINDOWS\system32\h0n0la5m1d.dll
Deleting: C:\WINDOWS\system32\ksdbe.dll
Successfully Deleted: C:\WINDOWS\system32\ksdbe.dll
Deleting: C:\WINDOWS\system32\ksdbe.dll
Successfully Deleted: C:\WINDOWS\system32\ksdbe.dll
Deleting: C:\WINDOWS\system32\STTraES.dll
Successfully Deleted: C:\WINDOWS\system32\STTraES.dll
Deleting: C:\WINDOWS\system32\STTraES.dll
Successfully Deleted: C:\WINDOWS\system32\STTraES.dll
Deleting: C:\WINDOWS\system32\surobj.dll
Successfully Deleted: C:\WINDOWS\system32\surobj.dll
Deleting: C:\WINDOWS\system32\surobj.dll
Successfully Deleted: C:\WINDOWS\system32\surobj.dll
Deleting: C:\WINDOWS\system32\SXTraKO.dll
Successfully Deleted: C:\WINDOWS\system32\SXTraKO.dll
Deleting: C:\WINDOWS\system32\SXTraKO.dll
Successfully Deleted: C:\WINDOWS\system32\SXTraKO.dll
Deleting: C:\WINDOWS\system32\vnsapi.dll
Successfully Deleted: C:\WINDOWS\system32\vnsapi.dll
Deleting: C:\WINDOWS\system32\vnsapi.dll
Successfully Deleted: C:\WINDOWS\system32\vnsapi.dll

msg11?.dll
0 file(s) copied.



Restoring Windows Update Certificates.:

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
"Logon"="WLEventLogon"
"Logoff"="WLEventLogoff"
"Startup"="WLEventStartup"
"Shutdown"="WLEventShutdown"
"StartScreenSaver"="WLEventStartScreenSaver"
"StopScreenSaver"="WLEventStopScreenSaver"
"Lock"="WLEventLock"
"Unlock"="WLEventUnlock"
"StartShell"="WLEventStartShell"
"PostShell"="WLEventPostShell"
"Disconnect"="WLEventDisconnect"
"Reconnect"="WLEventReconnect"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000000
"SafeMode"=dword:00000001
"MaxWait"=dword:ffffffff
"DllName"=hex(2):57,00,67,00,61,00,4c,00,6f,00,67,00,6f,00,6e,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Event"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon\Settings]
"Data"=hex:01,00,00,00,d0,8c,9d,df,01,15,d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,\
00,00,1c,99,0a,5f,b0,e4,43,46,9b,56,99,de,98,00,2a,f5,04,00,00,00,04,00,00,\
00,53,00,00,00,03,66,00,00,a8,00,00,00,10,00,00,00,c3,82,cb,1b,07,8f,f6,59,\
7d,9e,96,8e,55,a5,fc,d9,00,00,00,00,04,80,00,00,a0,00,00,00,10,00,00,00,de,\
7f,49,a2,68,11,bd,c2,7a,c2,b2,17,87,29,4e,9f,08,06,00,00,e7,ec,9f,f0,df,f1,\
4c,a7,37,95,8f,67,93,0c,8e,1c,55,f5,ea,cf,6c,2f,71,a5,cb,9a,22,be,6a,62,7a,\
95,5d,87,dd,b8,d8,91,78,98,8f,4c,e0,8c,77,8f,4d,e3,78,7c,ad,3f,fb,34,15,c4,\
a3,8c,66,84,75,aa,45,4c,1e,c3,41,39,5c,42,b0,87,dd,a9,f2,a8,57,86,05,d8,6f,\
45,35,94,ca,92,95,af,eb,db,4e,2e,6d,ec,6e,bd,e8,2d,f9,0d,84,e6,dc,e7,36,a2,\
81,0c,4b,ce,f1,3e,92,51,63,50,d8,a3,d6,3c,2f,8a,f6,3b,93,a1,14,18,eb,81,87,\
08,1b,d2,d6,e3,9e,a7,97,c2,7f,42,b1,f7,01,93,ff,23,03,31,9d,a8,fd,a4,6b,b5,\
19,35,dd,9d,be,b0,e3,b8,6f,34,15,ca,16,6a,71,7c,0a,eb,6c,c2,6f,a8,4a,20,29,\
22,df,b3,c8,bd,b7,b2,e2,b5,a4,bf,c2,fc,60,84,30,96,6a,70,41,56,41,5f,19,1f,\
8d,e6,f8,62,a9,22,ee,bf,2e,e2,8b,4c,94,aa,87,66,ee,d4,98,ef,d8,75,7a,bf,77,\
dd,6c,1c,0f,3a,34,aa,3f,1a,26,40,2a,5b,cb,6f,8c,ed,2b,53,98,8f,9f,cf,af,77,\
4c,2b,5c,bb,61,38,f5,73,27,a0,ee,19,51,8b,a1,9d,f0,7c,32,6d,10,b4,7a,50,77,\
da,a1,59,e5,0c,41,57,66,0c,e2,3b,c3,87,f6,cc,a9,de,46,13,d2,27,09,af,fc,b8,\
8b,de,b2,4a,a9,56,ad,d8,83,80,de,09,4f,d8,e7,80,8e,7c,7c,b2,74,ac,8a,21,d3,\
80,8b,7f,e7,1f,50,19,69,2a,1c,15,26,2d,7c,fd,98,fe,64,fc,7d,8a,f2,2f,b6,62,\
c4,2f,6e,8c,43,31,c6,b2,e3,bc,43,13,1c,a6,9a,c7,1e,2b,51,e3,81,09,aa,7a,2e,\
6a,98,55,c9,df,f0,03,1f,3c,8b,f7,95,24,5f,72,81,d7,07,6f,c8,09,85,24,1f,d9,\
57,e5,db,e8,0b,4d,46,af,aa,31,f6,83,86,81,e0,94,1e,ae,2b,fd,cc,61,6f,4f,e0,\
5d,96,3e,1e,e4,1f,6e,00,94,e7,cb,82,0a,1c,f8,c4,99,92,bd,0a,53,99,cb,11,69,\
5f,42,87,8c,34,4b,6e,49,ee,4a,a8,f7,45,27,28,36,03,40,57,19,7d,31,ac,f6,bf,\
cb,41,0d,35,76,d4,2a,5b,15,3b,b3,9f,fb,b4,45,75,1c,df,57,fa,30,bf,d2,5b,b9,\
8d,3c,be,09,09,77,d1,5c,c5,f3,51,a0,7b,6d,7d,13,5c,ff,e1,30,1c,8e,0c,fd,e5,\
ee,f0,15,78,68,fd,53,d9,34,93,1f,43,e3,0b,f0,e7,af,a5,93,41,56,37,46,67,f2,\
79,93,1f,1d,cb,18,71,f7,d2,d1,e0,f0,1a,b2,f2,0f,55,bc,46,62,3f,b2,9c,ca,be,\
bd,ed,42,3c,a1,91,72,68,67,35,fb,98,20,68,2c,1f,d4,10,77,b0,10,f0,5e,1f,cc,\
f7,f4,70,c4,4e,95,15,c8,6f,29,bd,ac,bd,ed,63,72,08,f9,fa,e4,96,fc,37,da,fb,\
75,d4,d1,e7,91,a7,e5,27,ff,dd,51,00,ed,0a,31,b4,c6,14,c7,31,e2,c7,4f,24,7a,\
62,ec,c3,9f,df,15,20,40,18,bd,83,c4,cf,76,99,6d,48,b4,32,1d,d8,12,5b,96,cc,\
b2,8e,ea,01,60,5c,a5,01,c7,62,19,39,7e,bd,ea,ed,18,b4,2d,72,21,99,9e,8b,05,\
e2,d8,a8,e4,43,80,09,23,d2,b2,d1,bd,b0,a9,ff,1e,5e,f9,99,0d,69,1e,04,5d,40,\
db,fa,ca,f8,e4,af,e4,50,10,15,06,88,ca,66,cb,ba,d2,5b,cc,ff,eb,c2,1c,fb,a0,\
10,e5,80,d1,e1,99,21,5e,13,a3,5e,7c,a1,7e,df,7f,29,8a,0e,45,d1,47,9c,e7,2b,\
a8,85,cc,dd,4c,a2,53,a1,7d,c7,53,41,9a,c5,f5,41,99,cb,eb,dd,7c,2d,57,c2,d6,\
e3,e3,3c,1f,ae,4a,8f,f4,f8,9e,22,a2,77,17,87,98,10,0b,ed,90,db,f7,5f,39,c8,\
3f,ff,65,c6,6c,14,95,53,2e,60,05,de,c3,96,66,2d,04,6c,84,c5,c9,ce,ac,35,76,\
51,16,a4,8e,bf,2f,d7,d4,52,5d,13,b4,04,7b,e8,f6,27,70,ba,2b,c9,48,89,74,99,\
b9,e1,59,68,7b,d3,59,fc,93,61,1e,05,c0,dd,71,81,e3,1f,85,60,6b,fb,02,92,d8,\
76,14,e7,d3,d6,4c,ef,8f,06,d5,50,81,2b,29,83,21,d5,8d,10,58,4c,83,ef,5b,c6,\
6f,cd,95,57,6f,bb,38,10,8d,f1,3a,1f,2f,25,9e,6d,ce,0c,c2,d7,a1,48,34,8b,99,\
6f,dc,d0,52,05,07,b3,61,c3,8d,4e,20,35,d3,76,26,69,88,79,c1,8a,eb,25,8c,06,\
79,61,6d,db,b0,1b,9e,3d,37,02,53,e3,30,03,ab,08,a2,1f,b8,1d,9a,04,e9,de,98,\
44,d2,a7,15,e8,80,24,49,cb,16,d2,94,f1,e8,9e,db,3a,61,b5,39,c9,ca,a2,c8,bd,\
27,a6,5e,db,cb,16,b7,0f,57,89,aa,8e,d1,56,bb,49,83,6b,33,01,88,14,fc,b5,40,\
b2,74,bf,43,ab,6e,0b,49,86,62,43,f2,ef,aa,4f,8b,a3,0a,ad,57,55,bc,4a,f2,2c,\
54,c0,ed,a3,d2,69,ea,86,d6,98,ac,be,38,b8,cd,1c,54,5d,a8,a8,90,90,aa,11,45,\
9c,83,23,e6,20,39,be,01,ae,5a,bd,3b,30,0b,2d,ea,66,01,d6,70,2f,1b,17,d0,d2,\
a6,31,68,81,0d,68,9a,fc,5b,2c,ce,7d,22,6d,b4,9c,ab,7f,ab,30,a1,61,41,2f,87,\
85,ff,9c,be,7d,a0,48,c1,88,2b,7b,06,80,a4,eb,e7,dd,9e,41,89,cd,96,3a,48,52,\
9e,60,78,aa,f5,5d,05,1a,06,4a,9f,40,65,75,e3,07,97,16,6c,d2,ed,95,5d,7e,41,\
bf,70,a8,a7,34,b7,15,6f,f5,73,c9,2b,10,fa,6d,ca,8c,4c,da,e4,df,1c,60,71,58,\
47,41,0d,34,ba,61,88,bc,f6,00,8f,29,59,8c,8c,f3,92,09,f7,30,98,0d,3b,03,1d,\
c9,68,1d,df,9a,21,63,b8,7f,19,b1,1d,9c,e4,63,64,ea,5b,96,78,31,bd,d9,7e,de,\
80,dc,a0,21,5b,7c,6b,f1,1a,fe,41,43,af,b2,bb,df,e0,b7,85,d4,6a,58,96,9f,73,\
e9,e3,6a,6a,1a,62,eb,2a,56,92,e4,36,d7,49,ca,02,cd,a3,b9,4d,11,0c,70,59,99,\
e9,17,67,8e,85,b1,53,ce,38,84,62,56,cf,20,d7,c8,97,cf,42,b8,87,ff,a2,45,90,\
50,d5,82,2e,59,a1,e5,8c,53,1b,9a,b0,91,eb,c3,a0,3b,9e,1d,4f,61,4a,7a,83,3e,\
bc,81,7d,b6,b9,dd,90,29,01,14,30,44,e2,bf,71,f6,9b,9a,88,83,12,cc,07,a6,10,\
8d,9e,f1,f2,7e,6d,5d,39,91,65,a3,77,c9,6f,fa,49,59,2a,27,67,1e,1f,35,76,6c,\
2b,4d,06,b7,5d,2f,3f,0e,9d,24,0e,ae,75,7e,5f,e5,39,d5,f3,38,d8,8b,5b,d2,27,\
c2,d3,2a,6c,72,97,d6,72,81,92,9f,7e,c2,cf,15,e5,03,c1,62,d2,91,c3,9c,29,a6,\
05,26,88,2a,96,3c,b9,be,d4,37,66,08,15,6e,a7,a2,de,73,2d,3d,9e,60,87,cf,cb,\
fd,ed,60,ab,da,ab,95,d7,60,58,76,c4,1e,73,f4,61,1f,e1,00,f4,c2,03,ed,63,04,\
fe,cc,7a,55,6a,5f,7d,03,2e,76,c4,ff,ba,14,00,00,00,9e,dc,1e,f2,21,77,15,70,\
9d,7b,f8,53,53,4b,6f,01,3d,c1,6a,5a

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000


The following are the files found:
****************************************************************************
C:\WINDOWS\system32\djkquota.dll
C:\WINDOWS\system32\djkquota.dll
C:\WINDOWS\system32\dscdll.dll
C:\WINDOWS\system32\dscdll.dll
C:\WINDOWS\system32\h0n0la5m1d.dll
C:\WINDOWS\system32\h0n0la5m1d.dll
C:\WINDOWS\system32\ksdbe.dll
C:\WINDOWS\system32\ksdbe.dll
C:\WINDOWS\system32\STTraES.dll
C:\WINDOWS\system32\STTraES.dll
C:\WINDOWS\system32\surobj.dll
C:\WINDOWS\system32\surobj.dll
C:\WINDOWS\system32\SXTraKO.dll
C:\WINDOWS\system32\SXTraKO.dll
C:\WINDOWS\system32\vnsapi.dll
C:\WINDOWS\system32\vnsapi.dll

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************

****************************************************************************
Checking for L2MFix account(0=no 1=yes):
0
Zipping up files for submission:
adding: dlls/djkquota.dll (188 bytes security) (deflated 48%)
adding: dlls/dscdll.dll (188 bytes security) (deflated 48%)
adding: dlls/h0n0la5m1d.dll (188 bytes security) (deflated 48%)
adding: dlls/ksdbe.dll (188 bytes security) (deflated 48%)
adding: dlls/STTraES.dll (188 bytes security) (deflated 48%)
adding: dlls/surobj.dll (188 bytes security) (deflated 48%)
adding: dlls/SXTraKO.dll (188 bytes security) (deflated 48%)
adding: dlls/vnsapi.dll (188 bytes security) (deflated 48%)
adding: backregs/notibac.reg (188 bytes security) (deflated 79%)
adding: backregs/shell.reg (188 bytes security) (deflated 73%)

#9 sUBs
  • Malware Response Team
  • 2,489 posts

Posted 08 June 2006 - 05:46 AM

I'm not skilled at mincing words, but you have a ridiculous amount of malware on this machine. What type of sites do you normally visit? This is one of the dirtiest machines I have encountered in a long while.

Despite my reminders, you have not updated Java yet. Please tell me if you do not plan to update. If you do not plan to do so, I see no point in any further disinfection.

Kindly advise me as to how I should proceed.

#10 Capthxc
  • Topic Starter
  • Members
  • 31 posts

Posted 08 June 2006 - 03:10 PM

Sorry, forgot to mention that I did update Java after running the scans. This is a shared computer with my roommate; I don't visit too many sites myself and mainly use the machine for gaming. The problems have just started recently, about 3 weeks ago when we updated a version of DivX. Right after installation we started encountering these problems and it totally destroyed the basic Windows Firewall. Cannot access it anymore. Currently, my system seems to be running fine, no pop-ups at all, and it's running much better than it previously did. If there is anything else that needs to be done, I would greatly appreciate any more help provided.

#11 sUBs
  • Malware Response Team
  • 2,489 posts

Posted 08 June 2006 - 11:54 PM

Try this link for repairing the firewall. Let me know if that worked. I have another link for it but can't recall where I placed it.


Please locate & delete the following files/folders:

C:\WINDOWS\system32\wintsvcc.exe
C:\WINDOWS\system32\javaw.dll
C:\WINDOWS\system32\adrot-uninst.exe
C:\WINDOWS\dltbu.dll
C:\WINDOWS\system32\adrotate.dll
C:\WINDOWS\system32\cemetrix.dll
C:\WINDOWS\system32\rlvknlg.exe
C:\WINDOWS\system32\rlls.dll
C:\WINDOWS\srvgluxqch.exe
C:\WINDOWS\system32\VSL03.exe
C:\WINDOWS\system32\VSL05.exe
C:\WINDOWS\icont.exe
C:\WINDOWS\NDNuninstall7_22.exe
C:\WINDOWS\system32\WinNB57.dll
C:\WINDOWS\pf78ba.exe
C:\WINDOWS\pf78bb.exe
C:\stub_venthh.exe
C:\WINDOWS\toolbar.exe
C:\WINDOWS\pf78.exe
C:\WINDOWS\country.exe
C:\WINDOWS\chadch.exe
C:\WINDOWS\pop06ap2.exe
C:\WINDOWS\kl1.exe
C:\WINDOWS\WPRE.exe
C:\WINDOWS\system32\Win3.exe
C:\WINDOWS\DHU.exe
C:\WINDOWS\CCZoop05.exe
C:\WINDOWS\uni_ehhh.exe
C:\WINDOWS\system32\mcdsmo.exe
C:\Documents and Settings\Owner\Application Data\s?mbols\
C:\Program Files\?racle\
C:\Program Files\Common Files\??curity\
C:\Program Files\Common Files\wqfk\


If any resist deletions, reboot to Safe Mode & do it from there.



Have hijackthis fix this entry:

R3 - Default URLSearchHook is missing



Please download the file attached - [attachment=869:attachment]
Double-click the file within & allow it to merge with the Registry.
This will remove some malware entries from the Registry.


Reboot your machine before posting another hijackthis log. Let me know if there are still anymore issues.

#12 Capthxc
  • Topic Starter
  • Members
  • 31 posts

Posted 09 June 2006 - 02:27 AM

Tried the info provided in the link for the firewall issue and it didn't help. The message I get when I try to open it is "Due to an unidentified problem, Windows cannot display Windows firewall settings". Besides that, everything seems to be running much better now, thanks. Here is the HJT log as requested, after a reboot.

Logfile of HijackThis v1.99.1
Scan saved at 3:21:40 AM, on 6/9/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\BigFix\BigFix.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\wuauclt.exe
C:\HijackThis\HijackThis.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#13 sUBs
  • Malware Response Team
  • 2,489 posts

Posted 09 June 2006 - 10:55 AM

Had to do a bit of digging around, but there ya go:

http://forum.osnn.net/showpost.php?p=710684&postcount=6

Let me know how it went.

#14 Capthxc
  • Topic Starter
  • Members
  • 31 posts

Posted 09 June 2006 - 02:11 PM

That seemed to do the trick. Thanks!

#15 sUBs
  • Malware Response Team
  • 2,489 posts

Posted 09 June 2006 - 10:39 PM

Please post one more HijackThis log so that I can check that you're still clean. If so, I shall post some security tips in my next post.
