Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Popups


  • Please log in to reply
8 replies to this topic

#1 sholthaus22

sholthaus22

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:07:52 AM

Posted 18 June 2006 - 08:42 AM

Logfile of HijackThis v1.99.1
Scan saved at 8:37:38 AM, on 6/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\AntiVirus\ClamWin\bin\ClamTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\wuqkfzmA.exe
C:\DOCUME~1\STEVEN~1\APPLIC~1\CURITY~1\notepad.exe
C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\OpenOffice.org1.1.4\program\soffice.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=566...age=about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...ilion&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=566...ww.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...ilion&pf=laptop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer presented by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: Yvakt Class - {5C3E6596-C64F-48E0-AC1E-B9C6EB3A5915} - C:\WINDOWS\system32\x3cqp0.dll
O2 - BHO: (no name) - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\AntiVirus\ClamWin\bin\ClamTray.exe" --logon
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Yrozzc] C:\Documents and Settings\All Users\.clamwin\quarantine\Rwbs.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [defender] c:\\defender26.exe
O4 - HKLM\..\Run: [w185b300.dll] RUNDLL32.EXE w185b300.dll,I2 00123b030185b300
O4 - HKLM\..\Run: [{17-75-5B-BE-ZN}] c:\windows\system32\dwdsregt.exe GID003
O4 - HKLM\..\Run: [Hhl7RfpJ] "C:\WINDOWS\system32\ssn6tuu.exe"
O4 - HKLM\..\Run: [wuqkfzmA] C:\WINDOWS\wuqkfzmA.exe
O4 - HKCU\..\Run: [Tbsa] "C:\DOCUME~1\STEVEN~1\APPLIC~1\CURITY~1\notepad.exe" -vt yazr
O4 - HKCU\..\Run: [Qylhpalm] C:\Documents and Settings\Steven Holthaus\My Documents\?asks\mmc.exe
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-110-12-0000140.exe
O4 - HKCU\..\Run: [PECarlin] "C:\Program Files\PECarlin\PECarlin.exe"
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Startup: OpenOffice.org 1.1.4.lnk = C:\Program Files\OpenOffice.org1.1.4\program\quickstart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &MyToolBar Search - res://C:\Program Files\ToolBar888\MyToolBar.dll/MENUSEARCH.HTM
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
O16 - DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} (Hewlett-Packard Online Support Services) - http://h20278.www2.hp.com/HPISWeb/Customer...DataManager.CAB
O18 - Filter: text/html - {624A3CDB-8C0A-4902-8480-191582C8498E} - C:\WINDOWS\system32\x3cqp0.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\spoolsv.dll
O20 - Winlogon Notify: Setup - C:\WINDOWS\system32\m8640ijqe8oe0.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

Thanks

BC AdBot (Login to Remove)

 


#2 Glaswegian

Glaswegian

    Defender of the Haggis


  • Malware Response Team
  • 79 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Glasgow
  • Local time:01:52 PM

Posted 18 June 2006 - 09:40 AM

Hi sholthaus22 and welcome to Bleeping Computer.

You may wish to Subscribe to this thread (Options) so that you are notified when you receive a reply.


Please read these instructions carefully and then print out or copy this page to Notepad in order to assist you when carrying out the fix. You should not have any open browsers when you are following the procedures below.


Look2Me
Please Download Look2Me-Destroyer and save the file to your desktop.

* Print out these instructions and close ALL windows before continuing.
* Double-click Look2Me-Destroyer.exe to run it.
* Put a check next to "Run this program as a task".
* You will receive a message saying "Look2Me-Destroyer will close and re-open in approximately 10 seconds". Click OK.
* When Look2Me-Destroyer re-opens, click the "Scan for L2M button", your desktop icons will disappear, this is normal.
* Once it's done scanning, click the "Remove L2M button".
* You will receive a "Done Scanning message", click OK.
* When completed, you will receive this message: "Done removing infected files! Look2Me-Destroyer will now shutdown your computer", click OK.
* Your computer will then shutdown.
* Turn your computer back on.
* Please post the contents of C:\Look2Me-Destroyer.txt at the end of this fix.

If you receive a runtime error '339' please download MSWINSCK.OCX and place it in your C:\Windows\System32 Directory.


Please reply with C:\Look2Me-Destroyer.txt and a fresh HijackThis Log.
Iain
Win XP Pro / Win 7 Pro
Posted Image

#3 sholthaus22

sholthaus22
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:07:52 AM

Posted 20 June 2006 - 04:08 PM

Look2Me-Destroyer V1.0.12

Scanning for infected files.....
Scan started at 6/20/2006 3:57:02 PM

Infected! C:\WINDOWS\system32\d20m0cd1ef0.dll
Infected! C:\RECYCLER\S-1-5-21-781783700-365980349-707723410-1006\Dc7.dll
Infected! C:\RECYCLER\S-1-5-21-781783700-365980349-707723410-1006\Dc9.dll
Infected! C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP182\A0014729.dll
Infected! C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP182\A0014730.dll
Infected! C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP187\A0015003.dll
Infected! C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP187\A0015014.dll
Infected! C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP187\A0015027.dll
Infected! C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP187\A0015049.dll
Infected! C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP187\A0015061.dll
Infected! C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP187\A0015065.dll
Infected! C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP187\A0015082.dll
Infected! C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP188\A0016077.dll
Infected! C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP188\A0016100.dll
Infected! C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP188\A0016134.dll
Infected! C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP188\A0016141.dll
Infected! C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP188\A0016148.dll
Infected! C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP188\A0016149.dll
Infected! C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP188\A0016162.dll
Infected! C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP188\A0016172.dll
Infected! C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP189\A0016185.dll
Infected! C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP189\A0017170.dll
Infected! C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP189\A0017181.dll
Infected! C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP190\A0017195.dll
Infected! C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP190\A0017196.dll
Infected! C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP190\A0017214.dll
Infected! C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP190\A0017225.dll
Infected! C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP191\A0017389.dll
Infected! C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP191\A0017407.dll
Infected! C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP191\A0017493.dll
Infected! C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP191\A0017494.dll
Infected! C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP192\A0017515.dll
Infected! C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP192\A0017530.dll
Infected! C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP192\A0017542.dll
Infected! C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP192\A0017552.dll
Infected! C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP192\A0017563.dll
Infected! C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP192\A0017571.dll
Infected! C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP192\A0017572.dll
Infected! C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP192\A0017573.dll
Infected! C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP193\A0017596.dll
Infected! C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP193\A0017611.dll
Infected! C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP193\A0017621.dll
Infected! C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP193\A0017627.dll
Infected! C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP194\A0017639.dll
Infected! C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP194\A0017643.dll
Infected! C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP194\A0017660.dll
Infected! C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP194\A0017666.dll
Infected! C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP194\A0017681.dll
Infected! C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP194\A0017693.dll
Infected! C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP194\A0017707.dll
Infected! C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP194\A0017721.dll
Infected! C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP195\A0017733.dll
Infected! C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP195\A0017742.dll
Infected! C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP195\A0017743.dll
Infected! C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP195\A0017744.dll
Infected! C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP195\A0017751.dll
Infected! C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP195\A0017753.dll
Infected! C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP196\A0017764.dll
Infected! C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP196\A0017777.dll
Infected! C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP196\A0017786.dll
Infected! C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP196\A0017787.dll
Infected! C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP196\A0017788.dll
Infected! C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP197\A0017802.dll
Infected! C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP198\A0017870.dll
Infected! C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP198\A0017876.dll
Infected! C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP198\A0017891.dll
Infected! C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP198\A0017904.dll
Infected! C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP198\A0017913.dll
Infected! C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP199\A0017923.dll
Infected! C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP199\A0017939.dll
Infected! C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP199\A0017953.dll
Infected! C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP199\A0017965.dll
Infected! C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP199\A0017978.dll
Infected! C:\WINDOWS\system32\d20m0cd1ef0.dll
Infected! C:\WINDOWS\system32\enjql1151.dll
Infected! C:\WINDOWS\system32\ijsetup.dll
Infected! C:\WINDOWS\system32\LRDIS11n.dll
Infected! C:\WINDOWS\system32\vha.dll
Infected! C:\WINDOWS\system32\guard.tmp

Attempting to delete infected files...

Attempting to delete: C:\WINDOWS\system32\d20m0cd1ef0.dll
C:\WINDOWS\system32\d20m0cd1ef0.dll Deleted successfully!

Attempting to delete: C:\RECYCLER\S-1-5-21-781783700-365980349-707723410-1006\Dc7.dll
C:\RECYCLER\S-1-5-21-781783700-365980349-707723410-1006\Dc7.dll Deleted successfully!

Attempting to delete: C:\RECYCLER\S-1-5-21-781783700-365980349-707723410-1006\Dc9.dll
C:\RECYCLER\S-1-5-21-781783700-365980349-707723410-1006\Dc9.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP182\A0014729.dll
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP182\A0014729.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP182\A0014730.dll
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP182\A0014730.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP187\A0015003.dll
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP187\A0015003.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP187\A0015014.dll
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP187\A0015014.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP187\A0015027.dll
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP187\A0015027.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP187\A0015049.dll
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP187\A0015049.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP187\A0015061.dll
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP187\A0015061.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP187\A0015065.dll
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP187\A0015065.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP187\A0015082.dll
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP187\A0015082.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP188\A0016077.dll
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP188\A0016077.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP188\A0016100.dll
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP188\A0016100.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP188\A0016134.dll
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP188\A0016134.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP188\A0016141.dll
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP188\A0016141.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP188\A0016148.dll
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP188\A0016148.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP188\A0016149.dll
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP188\A0016149.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP188\A0016162.dll
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP188\A0016162.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP188\A0016172.dll
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP188\A0016172.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP189\A0016185.dll
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP189\A0016185.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP189\A0017170.dll
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP189\A0017170.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP189\A0017181.dll
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP189\A0017181.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP190\A0017195.dll
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP190\A0017195.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP190\A0017196.dll
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP190\A0017196.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP190\A0017214.dll
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP190\A0017214.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP190\A0017225.dll
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP190\A0017225.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP191\A0017389.dll
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP191\A0017389.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP191\A0017407.dll
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP191\A0017407.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP191\A0017493.dll
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP191\A0017493.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP191\A0017494.dll
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP191\A0017494.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP192\A0017515.dll
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP192\A0017515.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP192\A0017530.dll
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP192\A0017530.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP192\A0017542.dll
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP192\A0017542.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP192\A0017552.dll
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP192\A0017552.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP192\A0017563.dll
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP192\A0017563.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP192\A0017571.dll
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP192\A0017571.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP192\A0017572.dll
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP192\A0017572.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP192\A0017573.dll
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP192\A0017573.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP193\A0017596.dll
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP193\A0017596.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP193\A0017611.dll
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP193\A0017611.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP193\A0017621.dll
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP193\A0017621.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP193\A0017627.dll
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP193\A0017627.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP194\A0017639.dll
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP194\A0017639.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP194\A0017643.dll
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP194\A0017643.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP194\A0017660.dll
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP194\A0017660.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP194\A0017666.dll
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP194\A0017666.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP194\A0017681.dll
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP194\A0017681.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP194\A0017693.dll
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP194\A0017693.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP194\A0017707.dll
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP194\A0017707.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP194\A0017721.dll
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP194\A0017721.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP195\A0017733.dll
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP195\A0017733.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP195\A0017742.dll
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP195\A0017742.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP195\A0017743.dll
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP195\A0017743.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP195\A0017744.dll
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP195\A0017744.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP195\A0017751.dll
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP195\A0017751.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP195\A0017753.dll
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP195\A0017753.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP196\A0017764.dll
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP196\A0017764.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP196\A0017777.dll
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP196\A0017777.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP196\A0017786.dll
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP196\A0017786.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP196\A0017787.dll
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP196\A0017787.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP196\A0017788.dll
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP196\A0017788.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP197\A0017802.dll
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP197\A0017802.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP198\A0017870.dll
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP198\A0017870.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP198\A0017876.dll
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP198\A0017876.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP198\A0017891.dll
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP198\A0017891.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP198\A0017904.dll
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP198\A0017904.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP198\A0017913.dll
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP198\A0017913.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP199\A0017923.dll
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP199\A0017923.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP199\A0017939.dll
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP199\A0017939.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP199\A0017953.dll
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP199\A0017953.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP199\A0017965.dll
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP199\A0017965.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP199\A0017978.dll
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP199\A0017978.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\d20m0cd1ef0.dll
C:\WINDOWS\system32\d20m0cd1ef0.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\enjql1151.dll
C:\WINDOWS\system32\enjql1151.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\ijsetup.dll
C:\WINDOWS\system32\ijsetup.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\LRDIS11n.dll
C:\WINDOWS\system32\LRDIS11n.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\vha.dll
C:\WINDOWS\system32\vha.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\guard.tmp
C:\WINDOWS\system32\guard.tmp Deleted successfully!

Making registry repairs.

Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Installer

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{BFE237BB-71DF-4C5C-B481-6FAB6F735851}"
HKCR\Clsid\{BFE237BB-71DF-4C5C-B481-6FAB6F735851}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{8B01EB18-BAFB-446A-8E92-43ED9FB0BA23}"
HKCR\Clsid\{8B01EB18-BAFB-446A-8E92-43ED9FB0BA23}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{1A851B44-55D0-4667-B1D1-A3E1C1D1C31E}"
HKCR\Clsid\{1A851B44-55D0-4667-B1D1-A3E1C1D1C31E}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{075D6058-7458-4CDF-8BA9-A9B9F405386A}"
HKCR\Clsid\{075D6058-7458-4CDF-8BA9-A9B9F405386A}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{FF9C83C2-DF18-4672-9E22-7AB63D3F7B84}"
HKCR\Clsid\{FF9C83C2-DF18-4672-9E22-7AB63D3F7B84}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{C4DD759D-5AD0-4F2B-B6C5-E5C17973CC9B}"
HKCR\Clsid\{C4DD759D-5AD0-4F2B-B6C5-E5C17973CC9B}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{D11D853F-F9A1-4E30-A1FB-A89CF35A0DFC}"
HKCR\Clsid\{D11D853F-F9A1-4E30-A1FB-A89CF35A0DFC}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{E6F2894D-039A-4869-9279-7DF745C51A08}"
HKCR\Clsid\{E6F2894D-039A-4869-9279-7DF745C51A08}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{694C9224-0BE3-43AC-B00A-08C960586F6C}"
HKCR\Clsid\{694C9224-0BE3-43AC-B00A-08C960586F6C}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{0B2F1F6E-920D-48F6-A4C5-5F6419811A0E}"
HKCR\Clsid\{0B2F1F6E-920D-48F6-A4C5-5F6419811A0E}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{37434CDE-0A20-4C10-B33B-DAF47328F06E}"
HKCR\Clsid\{37434CDE-0A20-4C10-B33B-DAF47328F06E}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{DB3831B0-CB99-4372-A1E8-CEE934390080}"
HKCR\Clsid\{DB3831B0-CB99-4372-A1E8-CEE934390080}

Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administrators - Succeeded

Logfile of HijackThis v1.99.1
Scan saved at 4:04:14 PM, on 6/20/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\AntiVirus\ClamWin\bin\ClamTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ssn6tuu.exe
C:\WINDOWS\wuqkfzmA.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\nr1rnqm8.exe
C:\DOCUME~1\STEVEN~1\APPLIC~1\CURITY~1\notepad.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\OpenOffice.org1.1.4\program\soffice.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=566...age=about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...ilion&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=566...ww.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...ilion&pf=laptop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer presented by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: Yvakt Class - {5C3E6596-C64F-48E0-AC1E-B9C6EB3A5915} - C:\WINDOWS\system32\x3cqp0.dll
O2 - BHO: (no name) - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - (no file)
O2 - BHO: Internet Explorer Web Content Catcher - {FFF4E223-7019-4ce7-BE03-D7D3C8CCE884} - C:\Program Files\DNS\Catcher.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\AntiVirus\ClamWin\bin\ClamTray.exe" --logon
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Yrozzc] C:\Documents and Settings\All Users\.clamwin\quarantine\Rwbs.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [defender] c:\\defender26.exe
O4 - HKLM\..\Run: [w185b300.dll] RUNDLL32.EXE w185b300.dll,I2 00123b030185b300
O4 - HKLM\..\Run: [{17-75-5B-BE-ZN}] c:\windows\system32\dwdsregt.exe GID003
O4 - HKLM\..\Run: [Hhl7RfpJ] "C:\WINDOWS\system32\ssn6tuu.exe"
O4 - HKLM\..\Run: [wuqkfzmA] C:\WINDOWS\wuqkfzmA.exe
O4 - HKCU\..\Run: [Tbsa] "C:\DOCUME~1\STEVEN~1\APPLIC~1\CURITY~1\notepad.exe" -vt yazr
O4 - HKCU\..\Run: [Qylhpalm] C:\Documents and Settings\Steven Holthaus\My Documents\?asks\mmc.exe
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-110-12-0000140.exe
O4 - HKCU\..\Run: [PECarlin] "C:\Program Files\PECarlin\PECarlin.exe"
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Startup: OpenOffice.org 1.1.4.lnk = C:\Program Files\OpenOffice.org1.1.4\program\quickstart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &MyToolBar Search - res://C:\Program Files\ToolBar888\MyToolBar.dll/MENUSEARCH.HTM
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
O16 - DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} (Hewlett-Packard Online Support Services) - http://h20278.www2.hp.com/HPISWeb/Customer...DataManager.CAB
O18 - Filter: text/html - {624A3CDB-8C0A-4902-8480-191582C8498E} - C:\WINDOWS\system32\x3cqp0.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\spoolsv.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

Thanks Glaswegian for the instructions and all your help to come.

#4 Glaswegian

Glaswegian

    Defender of the Haggis


  • Malware Response Team
  • 79 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Glasgow
  • Local time:01:52 PM

Posted 27 June 2006 - 03:22 PM

Hi again

Please accept my apologies for the delay in replying.

I shall return shortly with further instructions.
Iain
Win XP Pro / Win 7 Pro
Posted Image

#5 Glaswegian

Glaswegian

    Defender of the Haggis


  • Malware Response Team
  • 79 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Glasgow
  • Local time:01:52 PM

Posted 27 June 2006 - 03:49 PM

Hi again

Apologies again for not replying – in amongst the various logs I seemed to have missed yours. No excuses.

There is still some work to do, so let’s crack on.

Please read these instructions carefully and then print out or copy this page to Notepad in order to assist you when carrying out the fix. You should not have any open browsers when you are following the procedures below.


If there is anything you don't understand, please ask BEFORE proceeding with the fixes.


Please ensure that you follow the instructions in the order I have them listed.



Show Hidden Files
Go to My Computer > Tools > Folder Options > View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System files and Folders are showing / visible. Uncheck the Hide protected operating system files option.



Disable Microsoft Defender
Please disable your Windows Defender Real-time Protection, as it may hinder the removal of some entries.
  • Open Windows Defender.
  • Click on Tools, General Settings.
  • Scroll down and uncheck Turn on real-time protection (recommended).
  • After you uncheck this, click on the Save button and close Windows Defender.
Downloads
Please download Cleanup! or use this Alternate Link if the main link does not work and install it. You will use this later.
*NOTE* Cleanup deletes EVERYTHING out of temporary folders and does NOT make backups. If you have any files in any TEMP directory and you need to keep them, then please MOVE THEM NOW!


Download Ewido Anti-Malware
This is a 30 day trial
  • Install Ewido Anti-Malware.
  • Double-click the icon on Desktop to launch Ewido
  • On the top of the main screen click Shield
  • Click the word active to change it to inactive
  • On the top of the main screen click Update.
  • Then click on Start Update. The update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"[list]
  • Select "Automatically generate report after every scan"
  • Un-Select "Only if threats were found"
  • I also recommend changing the "Update interval" to something more reasonable like 12 hours.
If you are having problems with the updater, you can use this link to manually update Ewido.
When you have finished updating, EXIT Ewido.


Download CWShredder and run it. Click Check for Update. Click on 'Fix' (it will automatically fix anything it finds for you) and then click OK. If it asks if you want to delete a certain random file, choose No and post that filename here. Let it finish the scan and then hit Next and Exit.


Please download Brute Force Uninstaller to your desktop.
  • Right click the BFU folder on your desktop, and choose Extract All
  • Click "Next"
  • In the box to choose where to extract the files to,
  • Click "Browse"
  • Click on the + sign next to "My Computer"
  • Click on "Local Disk (C:) or whatever your primary drive is
  • Click "Make New Folder"
  • Type in BFU
  • Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.
Save it in the same folder you made earlier (c:BFU).

Do not do anything with these yet!



Reboot
Reboot your system in Safe Mode.
  • Restart the computer. The computer begins processing a set of instructions known as BIOS.
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8 (dependent on your system this may be F5 or another key)
  • Instead of Windows loading as normal, a menu should appear
  • Use the arrow key to highlight Safe Mode and press Enter.
Click > Start > Control Panel > Add / Remove Programs and uninstall the following programs (if present):

PurityScan by OIN
Snowball Wars by OIN
Yazzle by OIN
or any programs by OIN


Please let me know if none of these programs are listed.




HijackThis Entries
Open Hijack This and click on Scan. Check the following entries (if they still exist) (make sure you do not miss any)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: Yvakt Class - {5C3E6596-C64F-48E0-AC1E-B9C6EB3A5915} - C:\WINDOWS\system32\x3cqp0.dll
O2 - BHO: (no name) - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - (no file)
O4 - HKLM\..\Run: [w185b300.dll] RUNDLL32.EXE w185b300.dll,I2 00123b030185b300
O4 - HKLM\..\Run: [Hhl7RfpJ] "C:\WINDOWS\system32\ssn6tuu.exe"
O4 - HKLM\..\Run: [wuqkfzmA] C:\WINDOWS\wuqkfzmA.exe
O4 - HKCU\..\Run: [Tbsa] "C:\DOCUME~1\STEVEN~1\APPLIC~1\CURITY~1\notepad.exe" -vt yazr
O4 - HKCU\..\Run: [Qylhpalm] C:\Documents and Settings\Steven Holthaus\My Documents\?asks\mmc.exe
O4 - HKCU\..\Run: [PECarlin] "C:\Program Files\PECarlin\PECarlin.exe"
O18 - Filter: text/html - {624A3CDB-8C0A-4902-8480-191582C8498E} - C:\WINDOWS\system32\x3cqp0.dll


Please remember to close all other windows, including browsers then click Fix checked.



File Deletions
Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.

C:\WINDOWS\system32\x3cqp0.dll
w185b300.dll <- - Go to Start > Search to find this file
C:\WINDOWS\system32\ssn6tuu.exe
C:\WINDOWS\wuqkfzmA.exe
C:\DOCUMENTS AND SETTINGS\STEVEN~1\APPLICATION DATA\CURITY~1 <- - The "?" may be any character
C:\Documents and Settings\Steven Holthaus\My Documents\?asks <- - The "?" may be any character
C:\Program Files\PECarlin



Run CleanUp!
*NOTE* Cleanup deletes EVERYTHING out of temporary folders and does NOT make backups. If you have any files in any TEMP directory and you need to keep them, then please MOVE THEM NOW!

Open Cleanup! by double-clicking the icon on your desktop (or from Start > All Programs). Set the program up as follows:

Click Options
Move the slider button down to Custom CleanUp!
Check the following:
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
  • Click on the “Temporary Files” tab and uncheck the box for “Scan drives for file matching” if it’s checked.
Click OK, Press the CleanUp! button to start the program and DO NOT REBOOT when prompted.
Note: CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these BEFORE running CleanUp! If you have a 64 bit Operating System do NOT run Cleanup and let me know as we will use another utility.



Run Ewido
Run Ewido with it's updated definitions:(...it's important that all windows must be closed)
  • Click Scanner
  • Click on the Scan tab
  • Click Complete System Scan to begin scanning.
  • When the scan is complete do the following: f you have any infections you will prompted, then select "Apply all actions"
Once finished, click the Save report button, then click Save Report As and save it to your desktop (make sure to remember where you saved that file, this is important).

NOTE: Ewido scan may require an hour.



Run the Brute Force Uninstaller
Then, please go to Start > My Computer and navigate to the C:\BFU folder.
  • Start the Brute Force Uninstaller by doubleclicking BFU.exe
  • Behind the scriptline to execute field click the folder icon Posted Image and select alcanshorty.bfu
  • Press Execute and let the program do it’s job. (You ought to see a progress bar if you did this correctly.)
  • Wait for the complete script execution box to pop up and press OK.
  • Press exit to terminate the BFU program.
Reboot into normal Windows.


Online Scan

Perform an online scan with Internet Explorer with Panda ActiveScan

Click on the "Free To Use ActiveScan" located on the top right hand corner.

1. Click Check Now and a "pop up" window will appear. *Please ensure that your pop up blocker doesn't block it *
2. Enter your e-mail address, country, and state & click Scan Now * The download of the 8 MB Panda's ActiveX control will take place *

Begin the scan by selecting My Computer
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on See report then click Save report
*You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
*Turn off the real time scanner of any existing antivirus program while performing the online scan




Logs required
Ewido Log
Panda Log
HijackThis Log


Please also let me know how your system is performing now and if you have any specific problems.
Iain
Win XP Pro / Win 7 Pro
Posted Image

#6 sholthaus22

sholthaus22
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:07:52 AM

Posted 29 June 2006 - 05:41 PM

CWShredder did not attempt to delete any random files.
No programs by OIN were listed.

I just finished running through your instructions, so I'm not currently aware of any specific system problems, but I'll let you know if I notice any in a few days or after you reply.

Could you tell me what programs I should keep and perhaps a weekly routine I should follow to maintain a clean system. I have Windows Defender, ClamWin, Ad-Aware, and Spybot (I'm pretty sure you already know what's on my system) plus what you had me install with the last instructions.

Thanks for any recomendations, here are my new logs.

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 4:30:38 PM 6/29/2006

+ Scan result:



HKU\S-1-5-21-781783700-365980349-707723410-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{01EB5130-FC0C-4D75-B9CE-4801B1B854F5} -> Adware.Begin2Search : No action taken.
HKU\S-1-5-21-781783700-365980349-707723410-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4006DCA3-433D-4FC8-AC36-42DA7797DCB7} -> Adware.eZula : No action taken.
HKU\S-1-5-21-781783700-365980349-707723410-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{55BE9F0D-6CAF-4C3E-B125-5A13A8C9D0EC} -> Adware.Generic : No action taken.
HKU\S-1-5-21-781783700-365980349-707723410-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5929CD6E-2062-44A4-B2C5-2C7E78FBAB38} -> Adware.Generic : No action taken.
C:\Program Files\Common Files\services.exe -> Adware.Maxifiles : No action taken.
C:\Program Files\DNS\Catcher.dll -> Adware.Maxifiles : No action taken.
C:\Program Files\DNS\cwebpage.dll -> Adware.Maxifiles : No action taken.
C:\WINDOWS\system32\spoolsv.dll -> Adware.PurityScan : No action taken.
[196] C:\WINDOWS\system32\spoolsv.dll -> Adware.PurityScan : No action taken.
[244] C:\WINDOWS\system32\spoolsv.dll -> Adware.PurityScan : No action taken.
[256] C:\WINDOWS\system32\spoolsv.dll -> Adware.PurityScan : No action taken.
[408] C:\WINDOWS\system32\spoolsv.dll -> Adware.PurityScan : No action taken.
[672] C:\WINDOWS\system32\spoolsv.dll -> Adware.PurityScan : No action taken.
HKLM\SOFTWARE\Classes\CLSID\{FFF4E223-7019-4ce7-BE03-D7D3C8CCE884} -> Adware.Shorty : No action taken.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FFF4E223-7019-4ce7-BE03-D7D3C8CCE884} -> Adware.Shorty : No action taken.
HKU\S-1-5-21-781783700-365980349-707723410-1006\Software\DNS -> Adware.Shorty : No action taken.
HKU\S-1-5-21-781783700-365980349-707723410-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FFF4E223-7019-4CE7-BE03-D7D3C8CCE884} -> Adware.Shorty : No action taken.
C:\WINDOWS\Setup.exe -> Backdoor.IRCBot.qc : No action taken.
C:\WINDOWS\offun.exe -> Downloader.VB.nw : No action taken.
C:\Documents and Settings\All Users\.clamwin\quarantine\outlook.exe -> Worm.VB.dw : No action taken.


::Report end

Incident Status Location

Adware:Adware/PurityScan Not disinfected C:\WINDOWS\system32\spoolsv.dlll
Adware:adware/popper Not disinfected c:\windows\offun.exe
Adware:adware/wupd Not disinfected c:\program files\MediaGateway
Adware:adware/surfaccuracy Not disinfected Windows Registry
Adware:adware/ist.sidefind Not disinfected Windows Registry
Virus:Trj/Gaodrop.A Disinfected
C:\Documents and Settings\AllUsers\.clamwin\quarantine\outlook.exe
Potentially unwanted tool:Application/Zango Not disinfected
C:\Program Files\Mozilla Firefox\plugins\npclntax.dll
Virus:W32/Sdbot.HLL.worm Disinfected C:\WINDOWS\Setup.exe

Logfile of HijackThis v1.99.1
Scan saved at 5:21:26 PM, on 6/29/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\AntiVirus\ClamWin\bin\ClamTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\Program Files\OpenOffice.org1.1.4\program\soffice.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=566...age=about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=566...ww.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer presented by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\AntiVirus\ClamWin\bin\ClamTray.exe" --logon
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Yrozzc] C:\Documents and Settings\All Users\.clamwin\quarantine\Rwbs.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [{17-75-5B-BE-ZN}] c:\windows\system32\dwdsregt.exe GID003
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Startup: OpenOffice.org 1.1.4.lnk = C:\Program Files\OpenOffice.org1.1.4\program\quickstart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &MyToolBar Search - res://C:\Program Files\ToolBar888\MyToolBar.dll/MENUSEARCH.HTM
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
O16 - DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} (Hewlett-Packard Online Support Services) - http://h20278.www2.hp.com/HPISWeb/Customer...DataManager.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\spoolsv.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

#7 Glaswegian

Glaswegian

    Defender of the Haggis


  • Malware Response Team
  • 79 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Glasgow
  • Local time:01:52 PM

Posted 30 June 2006 - 05:14 PM

Hi again

You’ll need to run Ewido again – it appears it was set to ‘take no action’ rather than ‘quarantine’. Please follow the instructions set out below.


Please read these instructions carefully and then print out or copy this page to Notepad in order to assist you when carrying out the fix. You should not have any open browsers when you are following the procedures below.


Prepare Ewido
  • Double-click the icon on Desktop to launch Ewido
  • On the top of the main screen click Shield
  • Click the word active to change it to inactive
  • On the top of the main screen click Update.
  • Then click on Start Update. The update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
  • Select "Automatically generate report after every scan"
  • Un-Select "Only if threats were found"
  • I also recommend changing the "Update interval" to something more reasonable like 12 hours.
If you are having problems with the updater, you can use this link to manually update Ewido.
When you have finished updating, EXIT Ewido.



Reboot
Reboot your system in Safe Mode.
  • Restart the computer. The computer begins processing a set of instructions known as BIOS.
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8 (dependent on your system this may be F5 or another key)
  • Instead of Windows loading as normal, a menu should appear
  • Use the arrow key to highlight Safe Mode and press Enter.
Uninstall Programmes
Click > Start > Control Panel > Add / Remove Programs and uninstall the following programs (if present):

Mediagateway
Zango or anything similar




HijackThis Entries
Open Hijack This and click on Scan. Check the following entries (if they still exist) (make sure you do not miss any)

O4 - HKLM\..\Run: [{17-75-5B-BE-ZN}] c:\windows\system32\dwdsregt.exe GID003
O20 - AppInit_DLLs: C:\WINDOWS\system32\spoolsv.dll


Please remember to close all other windows, including browsers then click Fix checked.




File Deletions
Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.

C:\WINDOWS\system32\spoolsv.dlll
c:\windows\offun.exe
c:\program files\MediaGateway
c:\windows\system32\dwdsregt.exe
C:\WINDOWS\system32\spoolsv.dll



Run CleanUp!
*NOTE* Cleanup deletes EVERYTHING out of temporary folders and does NOT make backups. If you have any files in any TEMP directory and you need to keep them, then please MOVE THEM NOW!

Open Cleanup! by double-clicking the icon on your desktop (or from Start > All Programs). Set the program up as follows:

Click Options
Move the slider button down to Custom CleanUp!
Check the following:
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
  • Click on the “Temporary Files” tab and uncheck the box for “Scan drives for file matching” if it’s checked.
Click OK, Press the CleanUp! button to start the program and DO NOT REBOOT when prompted.
Note: CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these BEFORE running CleanUp! If you have a 64 bit Operating System do NOT run Cleanup and let me know as we will use another utility.



Run Ewido
Run Ewido with it's updated definitions:(...it's important that all windows must be closed)
  • Click Scanner
  • Click on the Scan tab
  • Click Complete System Scan to begin scanning.
  • When the scan is complete do the following: f you have any infections you will prompted, then select "Apply all actions"
Once finished, click the Save report button, then click Save Report As and save it to your desktop (make sure to remember where you saved that file, this is important).

NOTE: Ewido scan may require an hour.



Reboot
Reboot your system in Normal Mode.



Online Scan
Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky WebScanner

Next Click on Launch Kaspersky Anti-Virus Web Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
Scan using the following Anti-Virus database:
  • Extended
Scan Options:
  • Scan Archives
  • Scan Mail Bases
Click OK

Now under select a target to scan: Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Take note of the name(s) and location(s) of any file(s) it detects but fails to clean.

* Turn off the real time scanner of any existing antivirus program while performing the online scan


Please post back with the Kaspersky Log, Ewido Log and a fresh HijackThis Log. Please also let me know how your system is performing now and if you have any specific problems.
Iain
Win XP Pro / Win 7 Pro
Posted Image

#8 sholthaus22

sholthaus22
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:07:52 AM

Posted 01 July 2006 - 09:21 PM

I did not have to change any of the Ewido setings, and it had quarantined C:\WINDOWS\wuqkfzmA.exe
Ewido did not find any infections during this scan.
I received an Error #5 message when I attempted to fix spoolsv.dll with hijackthis, however, it wasn't there when I ran another scan.
You listed spoolsv.dll twice under files that should be deleted. Was one of those meant to be spoolsv.exe?

Infected Object Name Virus Name Last Action
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP182\A0014698.exe Infected: Trojan-Downloader.Win32.Adload.bu skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP182\A0014700.exe Infected: Backdoor.Win32.VB.ary skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP182\A0014708.exe Infected: Trojan-Downloader.Win32.VB.adw skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP183\A0014781.exe Infected: Trojan-Clicker.Win32.VB.ly skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP185\A0014879.dll Infected: not-a-virus:AdWare.Win32.PurityScan.en skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP186\A0014898.dll Infected: not-a-virus:AdWare.Win32.Maxifiles.a skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP186\A0014909.dll Infected: not-a-virus:AdWare.Win32.Maxifiles.a skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP186\A0014933.dll Infected: not-a-virus:AdWare.Win32.Maxifiles.a skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP187\A0014948.dll Infected: not-a-virus:AdWare.Win32.Maxifiles.a skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP187\A0014959.exe Infected: Trojan-Clicker.Win32.VB.ij skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP187\A0014964.exe Infected: Trojan-Clicker.Win32.VB.ij skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP187\A0014983.dll Infected: not-a-virus:AdWare.Win32.Maxifiles.a skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP187\A0015000.dll Infected: not-a-virus:AdWare.Win32.Maxifiles.a skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP187\A0015013.dll Infected: not-a-virus:AdWare.Win32.Maxifiles.a skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP187\A0015038.dll Infected: not-a-virus:AdWare.Win32.Maxifiles.a skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP187\A0015059.dll Infected: not-a-virus:AdWare.Win32.Maxifiles.a skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP187\A0015076.dll Infected: not-a-virus:AdWare.Win32.Maxifiles.a skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP188\A0016074.dll Infected: not-a-virus:AdWare.Win32.Maxifiles.a skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP188\A0016087.dll Infected: not-a-virus:AdWare.Win32.Maxifiles.a skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP188\A0016093.exe Infected: Backdoor.Win32.IRCBot.qc skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP188\A0016108.exe Infected: Trojan-Dropper.Win32.Mudrop.bq skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP188\A0016112.exe Infected: Backdoor.Win32.IRCBot.dd skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP188\A0016132.exe Infected: Backdoor.Win32.IRCBot.dd skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP188\A0016138.exe Infected: Trojan-Downloader.Win32.Adload.bx skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP188\A0016150.exe Infected: Backdoor.Win32.IRCBot.qc skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP188\A0016153.dll Infected: not-a-virus:AdWare.Win32.Maxifiles.a skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP188\A0016171.exe Infected: Trojan-Downloader.Win32.PurityScan.cl skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP188\A0016173.dll Infected: not-a-virus:AdWare.Win32.PurityScan.en skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP189\A0016182.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.q skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP189\A0016190.dll Infected: not-a-virus:AdWare.Win32.Maxifiles.a skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP189\A0017179.dll Infected: not-a-virus:AdWare.Win32.Maxifiles.a skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP189\A0017191.dll Infected: not-a-virus:AdWare.Win32.Maxifiles.a skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP190\A0017205.dll Infected: not-a-virus:AdWare.Win32.Maxifiles.a skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP190\A0017224.dll Infected: not-a-virus:AdWare.Win32.Maxifiles.a skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP191\A0017230.exe Infected: Trojan-Downloader.Win32.VB.aeo skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP191\A0017416.dll Infected: not-a-virus:AdWare.Win32.Maxifiles.a skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP191\A0017487.exe Infected: Trojan-Clicker.Win32.VB.ij skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP191\A0017502.dll Infected: not-a-virus:AdWare.Win32.Maxifiles.a skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP192\A0017526.dll Infected: not-a-virus:AdWare.Win32.Maxifiles.a skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP192\A0017538.dll Infected: not-a-virus:AdWare.Win32.Maxifiles.a skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP192\A0017550.dll Infected: not-a-virus:AdWare.Win32.Maxifiles.a skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP192\A0017560.dll Infected: not-a-virus:AdWare.Win32.Maxifiles.a skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP192\A0017570.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.q skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP192\A0017583.exe Infected: not-a-virus:AdWare.Win32.AdURL.c skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP192\A0017586.exe Infected: not-a-virus:AdWare.Win32.AdURL.c skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP193\A0017606.dll Infected: not-a-virus:AdWare.Win32.Maxifiles.a skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP193\A0017617.dll Infected: not-a-virus:AdWare.Win32.Maxifiles.a skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP193\A0017635.dll Infected: not-a-virus:AdWare.Win32.Maxifiles.a skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP194\A0017638.exe/data0002 Infected: not-a-virus:AdWare.Win32.CASClient.l skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP194\A0017638.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP194\A0017651.dll Infected: not-a-virus:AdWare.Win32.Maxifiles.a skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP194\A0017675.dll Infected: not-a-virus:AdWare.Win32.Maxifiles.a skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP194\A0017691.dll Infected: not-a-virus:AdWare.Win32.Maxifiles.a skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP194\A0017702.dll Infected: not-a-virus:AdWare.Win32.Maxifiles.a skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP194\A0017716.dll Infected: not-a-virus:AdWare.Win32.Maxifiles.a skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP194\A0017729.dll Infected: not-a-virus:AdWare.Win32.Maxifiles.a skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP195\A0017739.dll Infected: not-a-virus:AdWare.Win32.Maxifiles.a skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP195\A0017748.exe/data0002 Infected: not-a-virus:AdWare.Win32.CASClient.l skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP195\A0017748.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP195\A0017761.dll Infected: not-a-virus:AdWare.Win32.Maxifiles.a skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP196\A0017772.dll Infected: not-a-virus:AdWare.Win32.Maxifiles.a skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP196\A0017785.dll Infected: not-a-virus:AdWare.Win32.Maxifiles.a skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP197\A0017812.dll Infected: not-a-virus:AdWare.Win32.Maxifiles.a skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP198\A0017857.exe Infected: Backdoor.Win32.EggDrop.v skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP198\A0017886.dll Infected: not-a-virus:AdWare.Win32.Maxifiles.a skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP198\A0017900.dll Infected: not-a-virus:AdWare.Win32.Maxifiles.a skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP198\A0017912.dll Infected: not-a-virus:AdWare.Win32.Maxifiles.a skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP199\A0017933.dll Infected: not-a-virus:AdWare.Win32.Maxifiles.a skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP199\A0017947.dll Infected: not-a-virus:AdWare.Win32.Maxifiles.a skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP199\A0017961.dll Infected: not-a-virus:AdWare.Win32.Maxifiles.a skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP199\A0017974.dll Infected: not-a-virus:AdWare.Win32.Maxifiles.a skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP199\A0017986.dll Infected: not-a-virus:AdWare.Win32.Maxifiles.a skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP199\A0018132.dll Infected: not-a-virus:AdWare.Win32.Maxifiles.a skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP199\A0018142.dll Infected: not-a-virus:AdWare.Win32.Maxifiles.a skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP200\A0018161.dll Infected: not-a-virus:AdWare.Win32.Maxifiles.a skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP200\A0018172.dll Infected: not-a-virus:AdWare.Win32.Maxifiles.a skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP201\A0018191.dll Infected: not-a-virus:AdWare.Win32.Maxifiles.a skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP203\A0018211.dll Infected: not-a-virus:AdWare.Win32.Maxifiles.a skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP203\A0018225.dll Infected: not-a-virus:AdWare.Win32.Maxifiles.a skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP203\A0018239.dll Infected: not-a-virus:AdWare.Win32.Maxifiles.a skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP203\A0018263.dll Infected: not-a-virus:AdWare.Win32.Maxifiles.a skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP203\A0018270.dll Infected: not-a-virus:AdWare.Win32.Maxifiles.a skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP204\A0018287.dll Infected: not-a-virus:AdWare.Win32.Maxifiles.a skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP204\A0018297.dll Infected: not-a-virus:AdWare.Win32.PurityScan.en skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP204\A0018298.exe Infected: Trojan-Downloader.Win32.PurityScan.cq skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP204\A0018300.dll Infected: not-a-virus:AdWare.Win32.Maxifiles.a skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP204\A0018312.dll Infected: not-a-virus:AdWare.Win32.Maxifiles.a skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP205\A0018322.dll Infected: not-a-virus:AdWare.Win32.Maxifiles.a skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP206\A0018344.dll Infected: not-a-virus:AdWare.Win32.Maxifiles.a skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP206\A0018352.dll Infected: not-a-virus:AdWare.Win32.Maxifiles.a skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP207\A0018368.dll Infected: not-a-virus:AdWare.Win32.Maxifiles.a skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP207\A0018379.dll Infected: not-a-virus:AdWare.Win32.Maxifiles.a skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP207\A0018389.dll Infected: not-a-virus:AdWare.Win32.Maxifiles.a skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP207\A0018402.dll Infected: not-a-virus:AdWare.Win32.Maxifiles.a skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP207\A0018404.exe Infected: Trojan-Downloader.Win32.PurityScan.cq skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP207\A0018415.dll Infected: not-a-virus:AdWare.Win32.Maxifiles.a skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP207\A0018417.exe Infected: Trojan-Clicker.Win32.VB.ij skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP207\A0018432.dll Infected: not-a-virus:AdWare.Win32.Maxifiles.a skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP207\A0018446.dll Infected: not-a-virus:AdWare.Win32.Maxifiles.a skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP207\A0018458.dll Infected: not-a-virus:AdWare.Win32.Maxifiles.a skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP207\A0018475.dll Infected: not-a-virus:AdWare.Win32.Maxifiles.a skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP208\A0018479.exe Infected: P2P-Worm.Win32.VB.dw skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP208\A0018480.exe Infected: Backdoor.Win32.IRCBot.qc skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP210\A0018579.exe Infected: Trojan-Downloader.Win32.VB.nw skipped
C:\WINDOWS\system32\spoolsv.dll Infected: not-a-virus:AdWare.Win32.PurityScan.en skipped

Logfile of HijackThis v1.99.1
Scan saved at 9:10:40 PM, on 7/1/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\AntiVirus\ClamWin\bin\ClamTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\OpenOffice.org1.1.4\program\soffice.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=566...age=about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=566...ww.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer presented by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\AntiVirus\ClamWin\bin\ClamTray.exe" --logon
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Yrozzc] C:\Documents and Settings\All Users\.clamwin\quarantine\Rwbs.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Startup: OpenOffice.org 1.1.4.lnk = C:\Program Files\OpenOffice.org1.1.4\program\quickstart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &MyToolBar Search - res://C:\Program Files\ToolBar888\MyToolBar.dll/MENUSEARCH.HTM
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} (Hewlett-Packard Online Support Services) - http://h20278.www2.hp.com/HPISWeb/Customer...DataManager.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

#9 Glaswegian

Glaswegian

    Defender of the Haggis


  • Malware Response Team
  • 79 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Glasgow
  • Local time:01:52 PM

Posted 02 July 2006 - 02:34 PM

Hi again

Looks good. Spoolsv.exe is for your printer – the .dll was a bad file. Ewido had listed a different .dll file from the one listed by HJT.


That file is still showing in Kaspersky – let’s use HJT to get rid of it.

Open HijackThis and click on the Config... button at the bottom right. (Note: if HJT opens to the Welcome screen, click "Do a system scan only")
  • Click the Misc Tools button
  • Click the Delete a file on reboot button on the left
  • Browse to the file and click Open
  • HJT will prompt you to restart the computer - click Yes
The computer will now reboot.


Let me know if that was successful or if you could not find the file.
Iain
Win XP Pro / Win 7 Pro
Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users