
Need Help Figuring Out What's Wrong With My Computer!


  • This topic is locked
13 replies to this topic

#1 Castonguay

  • Members
  • 9 posts

Posted 21 June 2006 - 02:29 AM

I have run Norton Antivirus and it has come up with multiple problems that it has quarantined and I have deleted. One scan said it came up with the file names of backdoor.dsnx which I deleted, but when I ran regedit the key was not present, so I don't know if that particular problem is solved or if it is still affecting my computer. Otherwise, I am bombarded by ads and popups when using IE. My friends are trying to help me but they are both former Windows users who have converted to Macs and are now laughing in my face (great friends they are). Any help is *much* appreciated!

EDIT: Since I posted this log I've moved HijackThis to its own folder on the C drive; I had it on the desktop earlier. If I need to repost a new log now that it has moved, please let me know!

Logfile of HijackThis v1.99.1
Scan saved at 3:21:15 AM, on 6/21/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\relocater.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\BCMSMMSG.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINNT\system32\hkcmd.exe
C:\WINNT\system32\igfxsrvc.exe
C:\WINNT\system32\igfxpers.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\dfndr.exe
C:\WINNT\system32\pwinlqez.exe
C:\WINNT\system32\mptft.exe
C:\WINNT\system32\ssn6tuu.exe
C:\WINNT\system32\nr1rnqm8.exe
C:\WINNT\system32\ssec.exe
C:\WINNT\system32\tfthot.exe
C:\Program Files\ipwins\ipwins.exe
C:\WINNT\cfg32.exe
C:\Program Files\AIM\aim.exe
C:\DOCUME~1\LOCALS~1.NTA\APPLIC~1\CURITY~1\ati2evxx.exe
C:\WINNT\system32\SKS~1\nopdb.exe
C:\WINNT\cfg32a.exe
c:\dfndra.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINNT\explorer.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\Documents and Settings\Administrator.OWNER-E7TK5G35W\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=566...B_PVER}&ar=home
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=20065&k=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=20065&k=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 172.19.52.115:1350
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\system32\ikomd.exe
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,tfvqnvg.exe
O2 - BHO: (no name) - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar V35\ViewBar.dll
O3 - Toolbar: Search - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\WINNT\cfg32s.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [AdobeVersionCue] C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINNT\system32\igfxpers.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [defender] c:\\dfndra.exe
O4 - HKLM\..\Run: [keyboard] c:\\kybrd.exe
O4 - HKLM\..\Run: [newname] c:\\nwnm.exe
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINNT\system32\pwinlqez.exe GID003
O4 - HKLM\..\Run: [ftexc] C:\WINNT\system32\mptft.exe
O4 - HKLM\..\Run: [Hhl7RfpJ] "C:\WINNT\system32\ssn6tuu.exe"
O4 - HKLM\..\Run: [IpWins] C:\Program Files\ipwins\ipwins.exe
O4 - HKLM\..\Run: [Configuration Manager] C:\WINNT\cfg32.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Xaxf] C:\DOCUME~1\LOCALS~1.NTA\APPLIC~1\CURITY~1\ati2evxx.exe
O4 - HKCU\..\Run: [Ncao] "C:\WINNT\system32\SKS~1\nopdb.exe" -vt ndrv
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - Startup: Zeno.lnk = C:\WINNT\system32\pwinlqez.exe
O4 - Startup: Z_Start.lnk = C:\WINNT\system32\dwdsregt.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar V35\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Hijacked Internet access by New.Net
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://vram2c.vcu.edu/iNotes6W.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by21fd.bay21.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: text/html - {DA28E0DB-229C-4003-827E-96AE15AD90FB} - C:\WINNT\system32\x3cqp0.dll
O20 - AppInit_DLLs: repairs303169590.dll
O20 - Winlogon Notify: CSCSettings - C:\WINNT\system32\fp6203joe.dll
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O20 - Winlogon Notify: SharedDLLs - C:\WINNT\system32\oyengl32.dll (file missing)
O20 - Winlogon Notify: SMDEn - C:\WINNT\system32\oyengl32.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AdobeVersionCue - Adobe Sytems - C:\Program Files\Adobe\Adobe Version Cue\service\VersionCue.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Remote Procedure Call (RPC) Relocator (RpcRelocator) - Unknown owner - C:\WINNT\relocater.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

Edited by Castonguay, 21 June 2006 - 03:36 AM.
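The log above hits most of the classic Windows XP persistence points at once: the F2 entries show the Winlogon Shell and Userinit values chaining extra executables (ikomd.exe, tfvqnvg.exe) after Explorer.exe and userinit.exe, AppInit_DLLs loads a DLL into every user32-linked process, a Winlogon Notify package and a text/html MIME filter load DLLs with machine-generated names, an LSP (New.Net) sits in the Winsock chain, and IE's proxy and search pages have been redirected. The Python below is an added example, not part of this thread and not HijackThis code: it runs simple triage heuristics over a constructed subset of the lines from this log. The allowlist of search hosts and the "random-looking name" rule are my own assumptions and will produce false positives on some legitimate vendor binaries, so the output is a worklist to review, not a verdict.

```python
import re

VOWELS = set("aeiou")
# Assumed allowlist for IE search/start pages; anything else is reported.
TRUSTED_SEARCH_HOSTS = ("microsoft.com", "msn.com")

# Constructed sample: a subset of the first HijackThis log in this thread.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 172.19.52.115:1350
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\system32\ikomd.exe
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,tfvqnvg.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [defender] c:\\dfndra.exe
O4 - HKLM\..\Run: [Hhl7RfpJ] "C:\WINNT\system32\ssn6tuu.exe"
O4 - HKCU\..\Run: [Xaxf] C:\DOCUME~1\LOCALS~1.NTA\APPLIC~1\CURITY~1\ati2evxx.exe
O10 - Hijacked Internet access by New.Net
O18 - Filter: text/html - {DA28E0DB-229C-4003-827E-96AE15AD90FB} - C:\WINNT\system32\x3cqp0.dll
O20 - AppInit_DLLs: repairs303169590.dll
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: CSCSettings - C:\WINNT\system32\fp6203joe.dll
O23 - Service: Remote Procedure Call (RPC) Relocator (RpcRelocator) - Unknown owner - C:\WINNT\relocater.exe
"""


def basename(path):
    """Last component of a possibly quoted Windows path: '"C:\\x\\y.exe"' -> 'y.exe'."""
    return re.split(r"[\\/]", path.strip().strip('"'))[-1]


def looks_random(path):
    """Crude test for machine-generated names (ssn6tuu.exe, tfvqnvg.exe, fp6203joe.dll):
    a stem of six or more characters that mixes digits with letters or has no vowel."""
    stem = basename(path).rsplit(".", 1)[0].lower()
    if len(stem) < 6:
        return False
    has_digit = any(c.isdigit() for c in stem)
    has_alpha = any(c.isalpha() for c in stem)
    return (has_digit and has_alpha) or not (set(stem) & VOWELS)


def triage_line(line):
    """Return a reason string when a HijackThis line matches a hijack heuristic, else None."""
    m = re.match(r"^(R\d|F\d|O\d+) - (.*)$", line.strip())
    if not m:
        return None
    kind, body = m.groups()
    if kind in ("R0", "R1"):
        key, _, value = body.partition(" = ")
        if "ProxyServer" in key:
            return "IE proxy set to %s; browser traffic is relayed through it" % value
        if "Search" in key or "Start Page" in key:
            host = re.sub(r"^https?://", "", value).split("/")[0]
            if not any(host == h or host.endswith("." + h) for h in TRUSTED_SEARCH_HOSTS):
                return "search/start page points at untrusted host " + host
    elif kind == "F2":
        # 'REG:system.ini: Shell=Explorer.exe, C:\...' -> Winlogon Shell / Userinit values
        key, _, value = body.partition("=")
        entries = [e.strip() for e in value.split(",") if e.strip()]
        if key.endswith("Shell") and [e.lower() for e in entries] != ["explorer.exe"]:
            return "Shell runs %s besides Explorer.exe" % ", ".join(entries[1:])
        if key.endswith("UserInit") and (
            len(entries) != 1 or basename(entries[0]).lower() != "userinit.exe"
        ):
            return "UserInit chains %s after userinit.exe" % ", ".join(entries[1:])
    elif kind == "O4":
        target = body.split("] ", 1)[1] if "] " in body else body.split(" = ", 1)[-1]
        if re.match(r'^"?[a-z]:\\+[^\\]+\.exe"?$', target, re.I):
            return "autorun target sits in the drive root: " + target
        if looks_random(target):
            return "autorun target has a machine-generated name: " + basename(target)
    elif kind == "O10" and re.search(r"Hijacked|Broken", body):
        return "Winsock LSP chain altered: " + body
    elif kind == "O18" and body.startswith("Filter: text/html"):
        return "MIME filter on text/html can rewrite every page IE renders"
    elif kind == "O20":
        if body.startswith("AppInit_DLLs:") and body.split(":", 1)[1].strip():
            return "AppInit_DLLs injects %s into every user32-linked process" % body.split(":", 1)[1].strip()
        if body.startswith("Winlogon Notify:") and looks_random(body.rsplit(" - ", 1)[-1]):
            return "Winlogon Notify DLL has a machine-generated name"
    elif kind == "O23":
        path = body.rsplit(" - ", 1)[-1]
        if "Unknown owner" in body and re.match(r"^[a-z]:\\(winnt|windows)\\[^\\]+\.exe$", path, re.I):
            return "service with no vendor name running directly from the Windows directory"
    return None


def triage(log_text):
    """Run triage_line over every line of a log; returns a list of findings."""
    findings = []
    for line in log_text.strip().splitlines():
        reason = triage_line(line)
        if reason:
            findings.append({"kind": line.split(" - ", 1)[0], "reason": reason, "line": line})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["kind"], "-", f["reason"])
```

The heuristics deliberately stay keyed on structure (which registry slot the entry lives in and whether the value is the single expected one) rather than on specific file names, because the names in this log (ssn6tuu.exe, tfvqnvg.exe, x3cqp0.dll) are per-install and would never repeat.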



#2 amateur

    Malware Fighter

  • Malware Response Team
  • 2,775 posts
  • Gender:Female

Posted 21 June 2006 - 06:23 AM

Hello and welcome to BC :thumbsup:

Please disable Windows Defender Real Time Protection as it may interfere with the fix.

To disable Windows Defender:
  • Open Windows Defender
  • Click Tools
  • Click General Settings
  • Scroll down to Real Time Protection Options
  • Uncheck Turn on Real Time Protection (recommended)
  • After you uncheck this, click on the Save button
  • Close Windows Defender
Once your log is clean you can re-enable Windows Defender Real Time Protection.

=============================

Download AlcanShorty.
  • Click the download button and agree to download the fix.
  • Download Alcanshorty to your desktop.
  • DoubleClick alcanshorty_en.exe and click install
  • This will create a new folder on your desktop called alcanshorty_en
  • Open that folder
  • doubleclick Run.bat
  • Once the fix starts, your icons and desktop will disappear, this is normal.
Make sure you have a working internet connection. In case your firewall gives an alert, don't block it, because alcanshorty needs to download some additional files to let the tool run properly.
  • Wait for the complete script execution box to popup
  • press OK.
  • Press exit to terminate the BFU program.
=============================

Please download Ccleaner and save it to your desktop.
Tutorial for CCleaner
During the installation be sure to UN-check the box for "Ccleaner Yahoo Toolbar" unless you want it

=============================

Download and install Ewido Anti-Malware to your desktop

Click on shield tab and change the Resident Shield to inactive.

Check for updates but do not run it yet.

============================

Download
Combofix.zip by sUBs.
Unzip it to its own folder.
Read here how to unzip/extract properly.
Open the Combofix folder and doubleclick combo.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt. Save this log please.
============================

Please download Dr.Web CureIt to the desktop. Do not scan with it yet.

============================

Reboot your computer in Safe Mode using the F8 method below. Let me know if you run into any problems doing that:

a. If the computer is running, shut down Windows, and then turn off the power.
b. Wait 30 seconds, and then turn the computer on.
c. Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
d. Ensure that the Safe Mode option is selected.
e. Press Enter. The computer then begins to start in Safe mode.

============================

From Safe Mode run Ccleaner
  • Click on Options,
  • Select Advanced
  • Now UNCHECK "Only delete files in Windows Temp folders older than 48 hours"
  • Make sure the Cleaner block on the left is selected.
  • Do not use the "Issues" block . It's meant for professionals.
  • Choose the Windows tab.
  • Check everything EXCEPT Advanced part of the Menu.
  • Click on "Analyze". This process could take a while.
  • If you don't want to lose your login passwords to certain sites, click on Options
  • Select cookies and move the ones you want to keep to the "cookies to keep" section, by highlighting and using the arrows in the middle.
  • Choose Run Cleaner.
When CCleaner shows how much has been removed, cleaning is finished. Click Exit.
If you have more than one user, run Ccleaner for every user

============================

From Safe Mode run Ewido
  • Close ALL open Windows / Programs / Folders.
  • Please start Ewido
  • Run a full system scan.
  • Save the report.
=============================

Still in Safe Mode
  • Doubleclick the drweb-cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, you should now mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • After the scan, in the menu, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
==============================

Reboot in Normal Mode

==============================

Please post:

a fresh HijackThis log
Ewido report
Dr.Web CureIt log
ComboFix log

You may have to post them separately if too long.

#3 Castonguay
  • Topic Starter

  • Members
  • 9 posts

Posted 21 June 2006 - 09:39 PM

Thanks for the reply, I have run into one problem while in safe mode. I have run the scan using ewido and it has finished, but it seems the resolution of my screen in safe mode is too small because parts of the ewido window have been cut off. I cannot read the gray boxes that tell me what action I can take. I don't know how to save the log or (if I am supposed to) delete the infections Ewido found. There appears to be three of the rectangular gray boxes. The last box looks like it *could* say new scan, but that's just me guessing! Not quite sure where to go from here ^^;

EDIT: I managed to save the report, but am I supposed to use Ewido to remove the things it found or just use it to get a report/log?

Edited by Castonguay, 21 June 2006 - 09:44 PM.


#4 amateur

    Malware Fighter

  • Malware Response Team
  • 2,775 posts
  • Gender:Female

Posted 21 June 2006 - 09:49 PM

Once the scan finishes, select Apply all actions (The items found will be quarantined)

#5 amateur

    Malware Fighter

  • Malware Response Team
  • 2,775 posts
  • Gender:Female

Posted 21 June 2006 - 09:51 PM

And, yes, save the report too.

#6 Castonguay
  • Topic Starter

  • Members
  • 9 posts

Posted 22 June 2006 - 12:35 AM

Logfile of HijackThis v1.99.1
Scan saved at 1:33:08 AM, on 6/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\BCMSMMSG.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINNT\system32\hkcmd.exe
C:\WINNT\system32\igfxpers.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINNT\system32\igfxsrvc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINNT\system32\ssn6tuu.exe
C:\WINNT\system32\nr1rnqm8.exe
C:\Documents and Settings\Administrator.OWNER-E7TK5G35W\Desktop\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\AIM\aim.exe
C:\DOCUME~1\LOCALS~1.NTA\APPLIC~1\CURITY~1\ati2evxx.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Documents and Settings\Administrator.OWNER-E7TK5G35W\Desktop\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\HJT\HijackThis.exe
C:\WINNT\system32\SKS~1\nopdb.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Windows Defender\MpCmdRun.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=566...ER}&ar=home
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=20065&k=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=20065&k=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 172.19.52.115:1350
O2 - BHO: Yvakt Class - {AE0ECC2F-0C33-494C-8B22-B57A7763027F} - C:\WINNT\system32\x3cqp0.dll
O2 - BHO: (no name) - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar V35\ViewBar.dll
O3 - Toolbar: Search - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\WINNT\cfg32s.dll (file missing)
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [AdobeVersionCue] C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINNT\system32\igfxpers.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Hhl7RfpJ] "C:\WINNT\system32\ssn6tuu.exe"
O4 - HKLM\..\Run: [!ewido] "C:\Documents and Settings\Administrator.OWNER-E7TK5G35W\Desktop\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Xaxf] C:\DOCUME~1\LOCALS~1.NTA\APPLIC~1\CURITY~1\ati2evxx.exe
O4 - HKCU\..\Run: [Ncao] "C:\WINNT\system32\SKS~1\nopdb.exe" -vt ndrv
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar V35\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet7_22.dll' missing
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://vram2c.vcu.edu/iNotes6W.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by21fd.bay21.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: text/html - {DA28E0DB-229C-4003-827E-96AE15AD90FB} - C:\WINNT\system32\x3cqp0.dll
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AdobeVersionCue - Adobe Sytems - C:\Program Files\Adobe\Adobe Version Cue\service\VersionCue.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Documents and Settings\Administrator.OWNER-E7TK5G35W\Desktop\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Remote Procedure Call (RPC) Relocator (RpcRelocator) - Unknown owner - C:\WINNT\relocater.exe (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe



---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 10:54:02 PM 6/21/2006

+ Scan result:



C:\Documents and Settings\Justin Castonguay\Local Settings\Temp\res6B4.tmp -> Adware.180Solutions : Cleaned with backup (quarantined).
C:\WINNT\icont.exe -> Adware.AdURL : Cleaned with backup (quarantined).
C:\Program Files\MSN Messenger\msgrapp.exe -> Adware.Agent : Cleaned with backup (quarantined).
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll -> Adware.Aws : Cleaned with backup (quarantined).
C:\Documents and Settings\Justin Castonguay\Local Settings\Temp\THI12AF.tmp\imGiant.cab/imGiant.dll -> Adware.BetterInternet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP185\A0022492.exe -> Adware.BetterInternet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP186\A0022527.exe -> Adware.BetterInternet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP186\A0023490.exe -> Adware.BetterInternet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP187\A0023516.exe -> Adware.BetterInternet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP187\A0023564.exe -> Adware.BetterInternet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP188\A0024564.exe -> Adware.BetterInternet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP189\A0024601.exe -> Adware.BetterInternet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP190\A0024628.exe -> Adware.BetterInternet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP190\A0025635.exe -> Adware.BetterInternet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP190\A0025636.exe -> Adware.BetterInternet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP191\A0025646.exe -> Adware.BetterInternet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP191\A0025694.exe -> Adware.BetterInternet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP192\A0025792.exe -> Adware.BetterInternet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP192\A0025794.exe -> Adware.BetterInternet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP196\A0026314.exe -> Adware.BetterInternet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP196\A0026332.exe -> Adware.BetterInternet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP196\A0027337.exe -> Adware.BetterInternet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP197\A0027346.exe -> Adware.BetterInternet : Cleaned with backup (quarantined).
C:\WINDOWS\Buddy.exe -> Adware.BetterInternet : Cleaned with backup (quarantined).
C:\WINDOWS\tetwrccdb.exe -> Adware.BetterInternet : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\CKM4P7UL\stub_sca3[1].exe -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\WINNT\cfg32o.dll -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\WINNT\cfg32r.dll -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\WINNT\cfg32s.dll -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\WINNT\qxvqutzm.exe -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\stub_sca3.exe -> Adware.BookedSpace : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\AppID\BookedSpace.DLL -> Adware.BookedSpace : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\BookedSpace.Extension -> Adware.BookedSpace : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\BookedSpace.Extension.5 -> Adware.BookedSpace : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\BookedSpace.Extension\CLSID -> Adware.BookedSpace : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\BookedSpace.Extension\CurVer -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\YF4685E9\!update-3920[1].0000 -> Adware.ClickSpring : Cleaned with backup (quarantined).
C:\Program Files\Оracle\msdtc.exe -> Adware.ClickSpring : Cleaned with backup (quarantined).
C:\Program Files\Microsoft AntiSpyware\Quarantine\E44899B8-A44F-4F55-ADA4-EC321D\B8A4AC09-C7B1-4407-A12A-8BABE4 -> Adware.ImiBar : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\YF4685E9\Installer[1].exe -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\1EPSJMNV\NNSCAA638[1].EXE -> Adware.NewDotNet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\KBBar.KBBarBand -> Adware.PowerStrip : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\KBBar.KBBarBand.1 -> Adware.PowerStrip : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\KBBar.KBBarBand\CLSID -> Adware.PowerStrip : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\KBBar.KBBarBand\CurVer -> Adware.PowerStrip : Cleaned with backup (quarantined).
C:\WINNT\system32\ping.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\WINNT\system32\tfthot.exe -> Adware.SearchAssistant : Cleaned with backup (quarantined).
C:\WINNT\system32tfthot.exe -> Adware.SearchAssistant : Cleaned with backup (quarantined).
C:\WINNT\system32\gbe90qs.exe -> Adware.Suggestor : Cleaned with backup (quarantined).
HKU\.DEFAULT\Software\SurfSideKick3 -> Adware.SurfSide : Cleaned with backup (quarantined).
HKU\.DEFAULT\Software\SurfSideKick3\Internet Explorer -> Adware.SurfSide : Cleaned with backup (quarantined).
HKU\S-1-5-18\Software\SurfSideKick3 -> Adware.SurfSide : Cleaned with backup (quarantined).
HKU\S-1-5-18\Software\SurfSideKick3\Internet Explorer -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\Program Files\Common Files\qoow\qoowd\qoowc.dll -> Adware.TargetServer : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\YF4685E9\WHCC2[1].exe/whAgent.exe -> Adware.WebHancer : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\YF4685E9\WHCC2[2].exe/whAgent.exe -> Adware.WebHancer : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\TNBBKETZ\ZIGID003[1].exe -> Adware.ZenoSearch : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\medo.dl -> Backdoor.Flood : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\CKM4P7UL\kybrd[1].exe -> Downloader.Adload.cf : Cleaned with backup (quarantined).
C:\QooBox\dmonwv.dll.vir -> Downloader.Agent.agw : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\TNBBKETZ\wd7gi8n[1].exe -> Downloader.Agent.ala : Cleaned with backup (quarantined).
C:\wd7gi8n.exe -> Downloader.Agent.ala : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP196\A0026315.exe -> Downloader.INService.ja : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP196\A0026317.exe -> Downloader.INService.ja : Cleaned with backup (quarantined).
C:\WINNT\system32\Таsks\nopdb.exe -> Downloader.PurityScan.cs : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\1EPSJMNV\installerwnus[1].exe -> Downloader.Qoologic.at : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\1EPSJMNV\installerwnus[2].exe -> Downloader.Qoologic.at : Cleaned with backup (quarantined).
C:\QooBox\ikomd.exe.vir -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\QooBox\kikjj.exe.vir -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\QooBox\rbxidp.exe.vir -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\QooBox\tfvqnvg.exe.vir -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\QooBox\xixitxr.dll.vir -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\QooBox\xxmlo.dat.vir -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\YF4685E9\MTE3NDI6ODoxNg[1].exe -> Downloader.Small.buy : Cleaned with backup (quarantined).
C:\Program Files\Common Files\qoow\qoowp.exe -> Downloader.TSUpdate.f : Cleaned with backup (quarantined).
C:\Program Files\Common Files\qoow\qoowa.exe -> Downloader.TSUpdate.l : Cleaned with backup (quarantined).
C:\Program Files\Common Files\qoow\qoowm.exe -> Downloader.TSUpdate.n : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\TNBBKETZ\stub_113_4_0_4_0[1].exe -> Downloader.TSUpdate.o : Cleaned with backup (quarantined).
C:\Program Files\Common Files\qoow\qoowl.exe -> Downloader.TSUpdate.p : Cleaned with backup (quarantined).
C:\526_620.exe -> Dropper.Mudrop.bq : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\TNBBKETZ\526_620[1].exe -> Dropper.Mudrop.bq : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\TNBBKETZ\526_620[2].exe -> Dropper.Mudrop.bq : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\1EPSJMNV\SS1001[1].exe -> Dropper.Small.qn : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\CKM4P7UL\gkyukar[1].cab/mptft.exe -> Hijacker.StartPage.ajj : Cleaned with backup (quarantined).
C:\WINNT\system32\mptft.exe -> Hijacker.StartPage.ajj : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\CKM4P7UL\nwnm[1].exe -> Hijacker.VB.fb : Cleaned with backup (quarantined).
:mozilla.120:C:\Documents and Settings\Justin Castonguay\Application Data\Mozilla\Firefox\Profiles\pgu18rra.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.122:C:\Documents and Settings\Justin Castonguay\Application Data\Mozilla\Firefox\Profiles\pgu18rra.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.123:C:\Documents and Settings\Justin Castonguay\Application Data\Mozilla\Firefox\Profiles\pgu18rra.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.124:C:\Documents and Settings\Justin Castonguay\Application Data\Mozilla\Firefox\Profiles\pgu18rra.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.125:C:\Documents and Settings\Justin Castonguay\Application Data\Mozilla\Firefox\Profiles\pgu18rra.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Justin Castonguay\Cookies\justin castonguay@abetterinternet[2].txt -> TrackingCookie.Abetterinternet : Cleaned.
:mozilla.190:C:\Documents and Settings\Justin Castonguay\Application Data\Mozilla\Firefox\Profiles\pgu18rra.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned.
:mozilla.85:C:\Documents and Settings\Justin Castonguay\Application Data\Mozilla\Firefox\Profiles\pgu18rra.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.86:C:\Documents and Settings\Justin Castonguay\Application Data\Mozilla\Firefox\Profiles\pgu18rra.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.87:C:\Documents and Settings\Justin Castonguay\Application Data\Mozilla\Firefox\Profiles\pgu18rra.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.88:C:\Documents and Settings\Justin Castonguay\Application Data\Mozilla\Firefox\Profiles\pgu18rra.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.89:C:\Documents and Settings\Justin Castonguay\Application Data\Mozilla\Firefox\Profiles\pgu18rra.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.90:C:\Documents and Settings\Justin Castonguay\Application Data\Mozilla\Firefox\Profiles\pgu18rra.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
C:\Documents and Settings\Justin Castonguay\Cookies\justin castonguay@adrevolver[1].txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.167:C:\Documents and Settings\Justin Castonguay\Application Data\Mozilla\Firefox\Profiles\pgu18rra.default\cookies.txt -> TrackingCookie.Adserver : Cleaned.
:mozilla.168:C:\Documents and Settings\Justin Castonguay\Application Data\Mozilla\Firefox\Profiles\pgu18rra.default\cookies.txt -> TrackingCookie.Adserver : Cleaned.
:mozilla.169:C:\Documents and Settings\Justin Castonguay\Application Data\Mozilla\Firefox\Profiles\pgu18rra.default\cookies.txt -> TrackingCookie.Adserver : Cleaned.
:mozilla.170:C:\Documents and Settings\Justin Castonguay\Application Data\Mozilla\Firefox\Profiles\pgu18rra.default\cookies.txt -> TrackingCookie.Adserver : Cleaned.
:mozilla.10:C:\Documents and Settings\Justin Castonguay\Application Data\Mozilla\Firefox\Profiles\pgu18rra.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.11:C:\Documents and Settings\Justin Castonguay\Application Data\Mozilla\Firefox\Profiles\pgu18rra.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.12:C:\Documents and Settings\Justin Castonguay\Application Data\Mozilla\Firefox\Profiles\pgu18rra.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.13:C:\Documents and Settings\Justin Castonguay\Application Data\Mozilla\Firefox\Profiles\pgu18rra.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.14:C:\Documents and Settings\Justin Castonguay\Application Data\Mozilla\Firefox\Profiles\pgu18rra.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.15:C:\Documents and Settings\Justin Castonguay\Application Data\Mozilla\Firefox\Profiles\pgu18rra.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.16:C:\Documents and Settings\Justin Castonguay\Application Data\Mozilla\Firefox\Profiles\pgu18rra.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.17:C:\Documents and Settings\Justin Castonguay\Application Data\Mozilla\Firefox\Profiles\pgu18rra.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.18:C:\Documents and Settings\Justin Castonguay\Application Data\Mozilla\Firefox\Profiles\pgu18rra.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.19:C:\Documents and Settings\Justin Castonguay\Application Data\Mozilla\Firefox\Profiles\pgu18rra.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.20:C:\Documents and Settings\Justin Castonguay\Application Data\Mozilla\Firefox\Profiles\pgu18rra.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.21:C:\Documents and Settings\Justin Castonguay\Application Data\Mozilla\Firefox\Profiles\pgu18rra.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.22:C:\Documents and Settings\Justin Castonguay\Application Data\Mozilla\Firefox\Profiles\pgu18rra.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.23:C:\Documents and Settings\Justin Castonguay\Application Data\Mozilla\Firefox\Profiles\pgu18rra.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.24:C:\Documents and Settings\Justin Castonguay\Application Data\Mozilla\Firefox\Profiles\pgu18rra.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.25:C:\Documents and Settings\Justin Castonguay\Application Data\Mozilla\Firefox\Profiles\pgu18rra.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.26:C:\Documents and Settings\Justin Castonguay\Application Data\Mozilla\Firefox\Profiles\pgu18rra.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.27:C:\Documents and Settings\Justin Castonguay\Application Data\Mozilla\Firefox\Profiles\pgu18rra.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.28:C:\Documents and Settings\Justin Castonguay\Application Data\Mozilla\Firefox\Profiles\pgu18rra.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.29:C:\Documents and Settings\Justin Castonguay\Application Data\Mozilla\Firefox\Profiles\pgu18rra.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.30:C:\Documents and Settings\Justin Castonguay\Application Data\Mozilla\Firefox\Profiles\pgu18rra.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.31:C:\Documents and Settings\Justin Castonguay\Application Data\Mozilla\Firefox\Profiles\pgu18rra.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.32:C:\Documents and Settings\Justin Castonguay\Application Data\Mozilla\Firefox\Profiles\pgu18rra.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.33:C:\Documents and Settings\Justin Castonguay\Application Data\Mozilla\Firefox\Profiles\pgu18rra.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.34:C:\Documents and Settings\Justin Castonguay\Application Data\Mozilla\Firefox\Profiles\pgu18rra.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.35:C:\Documents and Settings\Justin Castonguay\Application Data\Mozilla\Firefox\Profiles\pgu18rra.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.36:C:\Documents and Settings\Justin Castonguay\Application Data\Mozilla\Firefox\Profiles\pgu18rra.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.37:C:\Documents and Settings\Justin Castonguay\Application Data\Mozilla\Firefox\Profiles\pgu18rra.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.38:C:\Documents and Settings\Justin Castonguay\Application Data\Mozilla\Firefox\Profiles\pgu18rra.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.39:C:\Documents and Settings\Justin Castonguay\Application Data\Mozilla\Firefox\Profiles\pgu18rra.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.40:C:\Documents and Settings\Justin Castonguay\Application Data\Mozilla\Firefox\Profiles\pgu18rra.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.41:C:\Documents and Settings\Justin Castonguay\Application Data\Mozilla\Firefox\Profiles\pgu18rra.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.42:C:\Documents and Settings\Justin Castonguay\Application Data\Mozilla\Firefox\Profiles\pgu18rra.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.43:C:\Documents and Settings\Justin Castonguay\Application Data\Mozilla\Firefox\Profiles\pgu18rra.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.44:C:\Documents and Settings\Justin Castonguay\Application Data\Mozilla\Firefox\Profiles\pgu18rra.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.45:C:\Documents and Settings\Justin Castonguay\Application Data\Mozilla\Firefox\Profiles\pgu18rra.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.46:C:\Documents and Settings\Justin Castonguay\Application Data\Mozilla\Firefox\Profiles\pgu18rra.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.47:C:\Documents and Settings\Justin Castonguay\Application Data\Mozilla\Firefox\Profiles\pgu18rra.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.48:C:\Documents and Settings\Justin Castonguay\Application Data\Mozilla\Firefox\Profiles\pgu18rra.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.7:C:\Documents and Settings\Justin Castonguay\Application Data\Mozilla\Firefox\Profiles\pgu18rra.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.8:C:\Documents and Settings\Justin Castonguay\Application Data\Mozilla\Firefox\Profiles\pgu18rra.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.9:C:\Documents and Settings\Justin Castonguay\Application Data\Mozilla\Firefox\Profiles\pgu18rra.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
C:\Documents and Settings\Justin Castonguay\Cookies\justin castonguay@advertising[1].txt -> TrackingCookie.Advertising : Cleaned.
C:\Documents and Settings\Justin Castonguay\Cookies\justin castonguay@servedby.advertising[2].txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.76:C:\Documents and Settings\Justin Castonguay\Application Data\Mozilla\Firefox\Profiles\pgu18rra.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Justin Castonguay\Cookies\justin castonguay@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.133:C:\Documents and Settings\Justin Castonguay\Application Data\Mozilla\Firefox\Profiles\pgu18rra.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.134:C:\Documents and Settings\Justin Castonguay\Application Data\Mozilla\Firefox\Profiles\pgu18rra.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.135:C:\Documents and Settings\Justin Castonguay\Application Data\Mozilla\Firefox\Profiles\pgu18rra.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.136:C:\Documents and Settings\Justin Castonguay\Application Data\Mozilla\Firefox\Profiles\pgu18rra.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
C:\Documents and Settings\Justin Castonguay\Cookies\justin castonguay@casalemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned.
C:\Documents and Settings\Justin Castonguay\Cookies\justin castonguay@cliks[1].txt -> TrackingCookie.Cliks : Cleaned.
:mozilla.198:C:\Documents and Settings\Justin Castonguay\Application Data\Mozilla\Firefox\Profiles\pgu18rra.default\cookies.txt -> TrackingCookie.Com : Cleaned.
:mozilla.199:C:\Documents and Settings\Justin Castonguay\Application Data\Mozilla\Firefox\Profiles\pgu18rra.default\cookies.txt -> TrackingCookie.Com : Cleaned.
:mozilla.82:C:\Documents and Settings\Justin Castonguay\Application Data\Mozilla\Firefox\Profiles\pgu18rra.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\Justin Castonguay\Cookies\justin castonguay@doubleclick[2].txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.78:C:\Documents and Settings\Justin Castonguay\Application Data\Mozilla\Firefox\Profiles\pgu18rra.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.79:C:\Documents and Settings\Justin Castonguay\Application Data\Mozilla\Firefox\Profiles\pgu18rra.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.80:C:\Documents and Settings\Justin Castonguay\Application Data\Mozilla\Firefox\Profiles\pgu18rra.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
C:\Documents and Settings\Justin Castonguay\Cookies\justin castonguay@fastclick[1].txt -> TrackingCookie.Fastclick : Cleaned.
C:\Documents and Settings\LocalService.NT AUTHORITY\Cookies\system@c.goclick[2].txt -> TrackingCookie.Goclick : Cleaned.
:mozilla.222:C:\Documents and Settings\Justin Castonguay\Application Data\Mozilla\Firefox\Profiles\pgu18rra.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.223:C:\Documents and Settings\Justin Castonguay\Application Data\Mozilla\Firefox\Profiles\pgu18rra.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.224:C:\Documents and Settings\Justin Castonguay\Application Data\Mozilla\Firefox\Profiles\pgu18rra.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.166:C:\Documents and Settings\Justin Castonguay\Application Data\Mozilla\Firefox\Profiles\pgu18rra.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
:mozilla.163:C:\Documents and Settings\Justin Castonguay\Application Data\Mozilla\Firefox\Profiles\pgu18rra.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.164:C:\Documents and Settings\Justin Castonguay\Application Data\Mozilla\Firefox\Profiles\pgu18rra.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.165:C:\Documents and Settings\Justin Castonguay\Application Data\Mozilla\Firefox\Profiles\pgu18rra.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
C:\Documents and Settings\Justin Castonguay\Cookies\justin castonguay@ads.pointroll[1].txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.207:C:\Documents and Settings\Justin Castonguay\Application Data\Mozilla\Firefox\Profiles\pgu18rra.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
C:\Documents and Settings\Justin Castonguay\Cookies\justin castonguay@stats1.reliablestats[2].txt -> TrackingCookie.Reliablestats : Cleaned.
C:\Documents and Settings\Justin Castonguay\Cookies\justin castonguay@revenue[1].txt -> TrackingCookie.Revenue : Cleaned.
:mozilla.196:C:\Documents and Settings\Justin Castonguay\Application Data\Mozilla\Firefox\Profiles\pgu18rra.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.197:C:\Documents and Settings\Justin Castonguay\Application Data\Mozilla\Firefox\Profiles\pgu18rra.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.215:C:\Documents and Settings\Justin Castonguay\Application Data\Mozilla\Firefox\Profiles\pgu18rra.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.216:C:\Documents and Settings\Justin Castonguay\Application Data\Mozilla\Firefox\Profiles\pgu18rra.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.217:C:\Documents and Settings\Justin Castonguay\Application Data\Mozilla\Firefox\Profiles\pgu18rra.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.218:C:\Documents and Settings\Justin Castonguay\Application Data\Mozilla\Firefox\Profiles\pgu18rra.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
C:\Documents and Settings\Justin Castonguay\Cookies\justin castonguay@www.sidefind[2].txt -> TrackingCookie.Sidefind : Cleaned.
:mozilla.189:C:\Documents and Settings\Justin Castonguay\Application Data\Mozilla\Firefox\Profiles\pgu18rra.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
C:\Documents and Settings\Justin Castonguay\Cookies\justin castonguay@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\LocalService.NT AUTHORITY\Cookies\system@media.top-banners[1].txt -> TrackingCookie.Top-banners : Cleaned.
:mozilla.93:C:\Documents and Settings\Justin Castonguay\Application Data\Mozilla\Firefox\Profiles\pgu18rra.default\cookies.txt -> TrackingCookie.Tradedoubler : Cleaned.
C:\Documents and Settings\Justin Castonguay\Cookies\justin castonguay@tradedoubler[1].txt -> TrackingCookie.Tradedoubler : Cleaned.
:mozilla.182:C:\Documents and Settings\Justin Castonguay\Application Data\Mozilla\Firefox\Profiles\pgu18rra.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.183:C:\Documents and Settings\Justin Castonguay\Application Data\Mozilla\Firefox\Profiles\pgu18rra.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.184:C:\Documents and Settings\Justin Castonguay\Application Data\Mozilla\Firefox\Profiles\pgu18rra.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.185:C:\Documents and Settings\Justin Castonguay\Application Data\Mozilla\Firefox\Profiles\pgu18rra.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.186:C:\Documents and Settings\Justin Castonguay\Application Data\Mozilla\Firefox\Profiles\pgu18rra.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.187:C:\Documents and Settings\Justin Castonguay\Application Data\Mozilla\Firefox\Profiles\pgu18rra.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
C:\Documents and Settings\Justin Castonguay\Cookies\justin castonguay@trafficmp[2].txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.200:C:\Documents and Settings\Justin Castonguay\Application Data\Mozilla\Firefox\Profiles\pgu18rra.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\Documents and Settings\Justin Castonguay\Cookies\justin castonguay@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.91:C:\Documents and Settings\Justin Castonguay\Application Data\Mozilla\Firefox\Profiles\pgu18rra.default\cookies.txt -> TrackingCookie.Valueclick : Cleaned.
:mozilla.92:C:\Documents and Settings\Justin Castonguay\Application Data\Mozilla\Firefox\Profiles\pgu18rra.default\cookies.txt -> TrackingCookie.Valueclick : Cleaned.
C:\Documents and Settings\Justin Castonguay\Cookies\justin castonguay@valueclick[1].txt -> TrackingCookie.Valueclick : Cleaned.
C:\Documents and Settings\Justin Castonguay\Cookies\justin castonguay@server3.web-stat[1].txt -> TrackingCookie.Web-stat : Cleaned.
:mozilla.56:C:\Documents and Settings\Justin Castonguay\Application Data\Mozilla\Firefox\Profiles\pgu18rra.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.57:C:\Documents and Settings\Justin Castonguay\Application Data\Mozilla\Firefox\Profiles\pgu18rra.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.58:C:\Documents and Settings\Justin Castonguay\Application Data\Mozilla\Firefox\Profiles\pgu18rra.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.59:C:\Documents and Settings\Justin Castonguay\Application Data\Mozilla\Firefox\Profiles\pgu18rra.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.60:C:\Documents and Settings\Justin Castonguay\Application Data\Mozilla\Firefox\Profiles\pgu18rra.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\Justin Castonguay\Cookies\justin castonguay@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.171:C:\Documents and Settings\Justin Castonguay\Application Data\Mozilla\Firefox\Profiles\pgu18rra.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.172:C:\Documents and Settings\Justin Castonguay\Application Data\Mozilla\Firefox\Profiles\pgu18rra.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.173:C:\Documents and Settings\Justin Castonguay\Application Data\Mozilla\Firefox\Profiles\pgu18rra.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
C:\Program Files\Microsoft AntiSpyware\Quarantine\AD2614A5-2287-4FEB-9769-C42581\5A8FDEF4-5D1E-46EA-911A-50C251 -> Trojan.Agent.db : Cleaned with backup (quarantined).
C:\Program Files\Microsoft AntiSpyware\Quarantine\F47DE1B2-FAD3-44C3-B12B-A91290\6B6AE3F7-EA9F-447A-BF03-630450 -> Trojan.Agent.gp : Cleaned with backup (quarantined).
C:\Program Files\Microsoft AntiSpyware\Quarantine\F47DE1B2-FAD3-44C3-B12B-A91290\6FCF3FD0-6B36-480E-A2CF-3F0EC5 -> Trojan.Agent.gp : Cleaned with backup (quarantined).
C:\Program Files\Microsoft AntiSpyware\Quarantine\F47DE1B2-FAD3-44C3-B12B-A91290\982D171B-A8C4-4C09-A5D4-95501C -> Trojan.Agent.gp : Cleaned with backup (quarantined).
C:\Program Files\Microsoft AntiSpyware\Quarantine\F47DE1B2-FAD3-44C3-B12B-A91290\D601AE33-6E67-433D-B0CC-82027B -> Trojan.Agent.gp : Cleaned with backup (quarantined).
C:\WINNT\system32\ssec.exe -> Trojan.Runner.h : Cleaned with backup (quarantined).
C:\WINNT\system32ssec.exe -> Trojan.Runner.h : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\zema -> Worm.Randon.am : Cleaned with backup (quarantined).


::Report end

Edited by Castonguay, 22 June 2006 - 12:38 AM.


#7 Castonguay

Castonguay
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:02:57 AM

Posted 22 June 2006 - 12:36 AM

Dr Web:

ssn6tuu.exe;C:\WINNT\system32;Adware.Yavak;;
ati2evxx.exe;C:\DOCUME~1\LOCALS~1.NTA\APPLIC~1\CURITY~1;Adware.ClickSpring;;
relocater.exe;C:\WINNT;Win32.HLLW.MyBot.based;Deleted.;
1049174_4588_2376_4516_63.41.tmp1;C:\Documents and Settings\Justin Castonguay\Local Settings\Temp;Adware.EliteBar;;
197446_3064_4004_2680_63.41.tmp1;C:\Documents and Settings\Justin Castonguay\Local Settings\Temp;Adware.EliteBar;;
2163618_4216_956_2056_63.41.tmp1;C:\Documents and Settings\Justin Castonguay\Local Settings\Temp;Adware.EliteBar;;
3080980_5804_2576_1264_62.41.tmp1;C:\Documents and Settings\Justin Castonguay\Local Settings\Temp;Adware.EliteBar;;
524524_2284_956_5916_63.41.tmp1;C:\Documents and Settings\Justin Castonguay\Local Settings\Temp;Adware.EliteBar;;
721144_2832_4004_2340_63.41.tmp1;C:\Documents and Settings\Justin Castonguay\Local Settings\Temp;Adware.EliteBar;;
MiniBug.exe;C:\Documents and Settings\Justin Castonguay\Local Settings\Temp;Adware.Aws;;
installer[2].exe;C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\TNBBKETZ;Trojan.Proxy.493;Incurable.Moved.;
maxidr[1].avi;C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\YF4685E9;Trojan.DownLoader.9894;Incurable.Moved.;
maxidr[3].avi;C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\YF4685E9;Trojan.DownLoader.9894;Incurable.Moved.;
mc-110-12-0000228[1].exe;C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\YF4685E9;Trojan.DownLoader.10320;Incurable.Moved.;
WxBug.EXE;C:\Program Files\AIM\Sysfiles;Adware.Aws;;
kyze.html\Javascript.0;C:\Program Files\Common Files\kyze.html;Trojan.Click.1237;;
kyze.html;C:\Program Files\Common Files;Archive contains infected objects;Moved.;
howywy.html\Javascript.0;C:\Program Files\NetMeeting\howywy.html;Trojan.Click.1237;;
howywy.html;C:\Program Files\NetMeeting;Archive contains infected objects;Moved.;
A0026316.exe;C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP196;BackDoor.IRC.based;Deleted.;
lrdebbe.exe;C:\WINDOWS;Adware.BetterInternet;;
unstall.exe;C:\WINDOWS;Adware.SAHAgent;;
GTDownDE_87.ocx;C:\WINDOWS\SYSTEM32;Adware.Gdown;;
silent_setup[2].exe;C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\LIZH3SW4;Adware.EliteBar;;
comserv.exe;C:\WINNT;Adware.DollarRevenue;;
mc-110-12-0000488.exe;C:\WINNT;Trojan.DownLoader.10320;Incurable.Moved.;

#8 Castonguay

Castonguay
  • Topic Starter

  • Members
  • 9 posts
  • Local time:02:57 AM

Posted 22 June 2006 - 12:38 AM

Start Time= Wed 06/21/2006 20:26:42.41
Running from: C:\DOCUME~1\ADMINI~1.OWN\DESKTOP\COMBOFIX.EXE

(((((((((((((((((((((((((((((((((((((((((((((((( Look2Me's Log )))))))))))))))))))))))))))))))))))))))))))))))))))))


HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\crypt32chain
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cryptnet
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cscdll
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\igfxcui
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\NavLogon
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ScCertProp
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Schedule
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sclgntfy
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\SensLogn
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\termsrv
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wlballoon
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wzcnotif


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\internet settings\user agent\post platform]
"sv1"=""

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shell extensions\approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{E88DCCE0-B7B3-11d1-A9F0-00AA0060FA31}"="Compressed (zipped) Folder"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{BDA77241-42F6-11d0-85E2-00AA001FE28C}"="LDVP Shell Extensions"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}"="Adobe.Acrobat.ContextMenu"
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}"="iTunes"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{21569614-B795-46b1-85F4-E737A8DC09AD}"="Shell Search Band"
"{28710882-150A-48A6-A858-2FC774BA822E}"="Viewpoint Photos Shell Extension"
"{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D}"="Messenger Sharing Folders"

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


REGISTRY ENTRIES REMOVED:

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


FILES REMOVED:

C:\WINNT\SYSTEM32\f6l02g3mg6.dll
C:\WINNT\SYSTEM32\fnl0213mg.dll
C:\WINNT\SYSTEM32\fp6203joe.dll
C:\WINNT\SYSTEM32\fp8203loe.dll
C:\WINNT\SYSTEM32\guard.tmp
C:\WINNT\SYSTEM32\h02olaf31d2.dll
C:\WINNT\SYSTEM32\i0nmla511d.dll
C:\WINNT\SYSTEM32\vyrifier.dll


Granting sedebugprivilege to Administrators ... successful


(((((((((((((((((((((((((((((((((((((((((((((((( Qoologic's Log ))))))))))))))))))))))))))))))))))))))))))))))))))))))

20:31:17.66

Not all files found by this method are bad. There may be legitimate files found
This log should be examined by a trained analyst


* * * PRE-RUN - Filepaths extracted from the Registry * * * * * * * * * * * * * * * * * * * * * *


C:\WINNT\system32\rbxidp.exe
C:\WINNT\system32\rbxidp.exe
C:\WINNT\system32\ikomd.exe
C:\WINNT\SYSTEM32\TFVQNVG.EXE


* * * PRE-RUN - Filepaths extracted by Memory Dump * * * * * * * * * * * * * * * * * * * * * *


C:\WINNT\system32\xxmlo.dat
C:\WINNT\system32\xixitxr.dll
C:\WINNT\system32\xixitxr.dll
C:\WINNT\system32\tfvqnvg.exe
C:\WINNT\system32\rbxidp.exe
C:\WINNT\system32\rbxidp.exe
C:\WINNT\system32\rbxidp.exe
C:\WINNT\system32\ikomd.exe
C:\WINNT\qveot.dll
C:\Documents and Settings\All Users.WINNT\Start Menu\Programs\Startup\kikjj.exe


* * * PRE-RUN - Filepaths from Locate * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


2006-06-20 22:26:56 127,488 "C:\WINNT\system32\rbxidp.exe"
2006-06-20 22:26:12 45,056 "C:\WINNT\system32\tfthot.exe"
2006-06-21 02:48:34 28,672 "C:\WINNT\system32\ikomd.exe"
2006-06-15 18:39:06 131,072 "C:\WINNT\system32\mptft.exe"
2006-06-20 23:39:44 2 "C:\WINNT\system32\wtssu.exe"
2006-06-21 02:58:04 32,256 "C:\WINNT\system32\dmonwv.dll"
2006-05-10 01:23:00 55,808 "C:\WINNT\system32\extmgr.dll"
2006-05-10 01:23:00 96,256 "C:\WINNT\system32\inseng.dll"
2006-05-19 11:08:32 3,052,544 "C:\WINNT\system32\mshtml.dll"
2006-05-10 01:23:02 532,480 "C:\WINNT\system32\mstime.dll"
2006-05-10 01:23:02 613,888 "C:\WINNT\system32\urlmon.dll"
2006-06-20 22:26:12 208,896 "C:\WINNT\system32\x3cqp0.dll"
2006-06-20 22:26:12 28,672 "C:\WINNT\system32\gbe90qs.exe"
2006-06-15 15:26:44 1,142,784 "C:\WINNT\system32\ssn6tuu.exe"
2006-06-20 22:27:00 23,552 "C:\WINNT\system32\tfvqnvg.exe"
2006-05-10 01:23:00 151,040 "C:\WINNT\system32\cdfview.dll"
2006-05-10 01:23:00 357,888 "C:\WINNT\system32\dxtmsft.dll"
2006-05-10 01:23:00 205,312 "C:\WINNT\system32\dxtrans.dll"
2006-05-10 01:23:00 251,392 "C:\WINNT\system32\iepeers.dll"
2006-06-01 14:47:08 163,840 "C:\WINNT\system32\jgdw400.dll"
2006-06-01 14:47:08 27,648 "C:\WINNT\system32\jgpl400.dll"
2006-05-18 01:24:26 450,560 "C:\WINNT\system32\jscript.dll"
2006-05-10 01:23:00 16,384 "C:\WINNT\system32\jsproxy.dll"
2006-05-10 01:23:02 39,424 "C:\WINNT\system32\pngfilt.dll"
2006-05-29 11:30:34 1,494,016 "C:\WINNT\system32\shdocvw.dll"
2006-05-10 01:23:02 474,112 "C:\WINNT\system32\shlwapi.dll"
2006-06-20 22:26:18 8,464 "C:\WINNT\system32\sporder.dll"
2006-05-10 01:23:04 658,432 "C:\WINNT\system32\wininet.dll"
2006-06-21 02:48:34 51,712 "C:\WINNT\system32\xixitxr.dll"
2006-05-10 01:23:00 1,054,208 "C:\WINNT\system32\danim.dll"
2006-06-20 22:26:56 127,488 "C:\WINNT\system32\xxmlo.dat"
2006-06-21 20:14:16 363 "C:\WINNT\qveot.dll"
2006-06-21 02:58:04 53 "C:\WINNT\bnlpcw.dat"
2006-06-21 02:48:34 127,488 "C:\Documents and Settings\All Users.WINNT\Start Menu\Programs\Startup\kikjj.exe"


* * * POST-RUN - Files in the Quarantine folder * * * * * * * * * * * * * * * * * * * * * * * * *


06/21/2006 02:48 AM 127,488 kikjj.exe.vir
06/20/2006 10:26 PM 127,488 rbxidp.exe.vir
06/20/2006 10:26 PM 127,488 xxmlo.dat.vir
06/21/2006 02:48 AM 51,712 xixitxr.dll.vir
06/21/2006 02:58 AM 32,256 dmonwv.dll.vir
06/21/2006 02:48 AM 28,672 ikomd.exe.vir
06/20/2006 10:26 PM 23,552 tfvqnvg.exe.vir
06/21/2006 02:58 AM 53 bnlpcw.dat.vir


DO NOT DELETE ANY FILES FROM THIS DIRECTORY UNLESS INSTRUCTED TO


* * * POST-RUN - Filepaths from Locate * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


2006-06-20 22:26:12 28,672 "C:\WINNT\system32\gbe90qs.exe"
2006-06-15 15:26:44 1,142,784 "C:\WINNT\system32\ssn6tuu.exe"
2006-06-20 22:26:12 45,056 "C:\WINNT\system32\tfthot.exe"
2006-06-15 18:39:06 131,072 "C:\WINNT\system32\mptft.exe"
2006-06-20 23:39:44 2 "C:\WINNT\system32\wtssu.exe"
2006-05-10 01:23:00 151,040 "C:\WINNT\system32\cdfview.dll"
2006-05-10 01:23:00 357,888 "C:\WINNT\system32\dxtmsft.dll"
2006-05-10 01:23:00 205,312 "C:\WINNT\system32\dxtrans.dll"
2006-05-10 01:23:00 251,392 "C:\WINNT\system32\iepeers.dll"
2006-06-01 14:47:08 163,840 "C:\WINNT\system32\jgdw400.dll"
2006-06-01 14:47:08 27,648 "C:\WINNT\system32\jgpl400.dll"
2006-05-18 01:24:26 450,560 "C:\WINNT\system32\jscript.dll"
2006-05-10 01:23:00 16,384 "C:\WINNT\system32\jsproxy.dll"
2006-05-10 01:23:02 39,424 "C:\WINNT\system32\pngfilt.dll"
2006-05-29 11:30:34 1,494,016 "C:\WINNT\system32\shdocvw.dll"
2006-05-10 01:23:02 474,112 "C:\WINNT\system32\shlwapi.dll"
2006-06-20 22:26:18 8,464 "C:\WINNT\system32\sporder.dll"
2006-05-10 01:23:04 658,432 "C:\WINNT\system32\wininet.dll"
2006-05-10 01:23:00 55,808 "C:\WINNT\system32\extmgr.dll"
2006-05-10 01:23:00 96,256 "C:\WINNT\system32\inseng.dll"
2006-05-19 11:08:32 3,052,544 "C:\WINNT\system32\mshtml.dll"
2006-05-10 01:23:02 532,480 "C:\WINNT\system32\mstime.dll"
2006-05-10 01:23:02 613,888 "C:\WINNT\system32\urlmon.dll"
2006-06-20 22:26:12 208,896 "C:\WINNT\system32\x3cqp0.dll"
2006-05-10 01:23:00 1,054,208 "C:\WINNT\system32\danim.dll"
2006-06-21 20:14:16 363 "C:\WINNT\qveot.dll"


((((((((((((((((((((((((((((((((((((((((((((((((((( Ssk's Log ))))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINNT\system32\repairs303169590.dll
C:\Documents and Settings\Administrator.OWNER-E7TK5G35W\Application Data\Sskdmns.dll
C:\Documents and Settings\Administrator.OWNER-E7TK5G35W\Application Data\Sskknwrd.dll
C:\Documents and Settings\Administrator.OWNER-E7TK5G35W\Application Data\Sskuknwrd.dll
C:\Documents and Settings\Administrator.OWNER-E7TK5G35W\Local Settings\Temporary Internet Files\Ssk.log
C:\Program Files\SurfSideKick 3\Ssk.exe
C:\Program Files\SurfSideKick 3\SskBho.dll
C:\Program Files\SurfSideKick 3\SskCore.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



20:39:09.91
((((((((((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\Mendoza1.exe
C:\dfndra.exe
C:\bintheredunthat\dfndr.exe
C:\bintheredunthat\nwnm.exe
C:\bintheredunthat\kybrd.exe
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\CKM4P7UL\drsmartload45a[1].exe
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\CKM4P7UL\drsmartload[1].exe
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\CKM4P7UL\drsmartload[2].exe
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\CKM4P7UL\Mendoza1[1].exe
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\CKM4P7UL\dfndra[1].exe
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\TNBBKETZ\drsmartload46a[1].exe
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\TNBBKETZ\drsmartload849a[1].exe
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\YF4685E9\dfndr[1].exe
C:\WINDOWS\drsmartload2.dat
C:\WINDOWS\newname.dat
C:\WINDOWS\keyboard1.dat
C:\WINDOWS\MTE3NDI6ODoxNg.exe
C:\WINDOWS\warebundle.exe
C:\WINNT\system32\atmtd.dll._
C:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\NetMon


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-06-21 20:21:32 42736 ( A.... ) "C:\WINNT\icont.exe"
2006-06-21 20:18:34 ( .D... ) "C:\Program Files\CCleaner"
2006-06-21 20:14:16 363 ( A.... ) "C:\WINNT\qveot.dll"
2006-06-21 03:18:52 ( .D... ) "C:\Program Files\HijackThis"
2006-06-21 02:58:54 20480 ( A.... ) "C:\stub_sca3.exe"
2006-06-21 02:58:14 362496 ( A.... ) "C:\526_620.exe"
2006-06-21 02:57:36 45056 ( A.... ) "C:\wd7gi8n.exe"
2006-06-21 02:56:06 296727 ( A.... ) "C:\services.exe"
2006-06-20 23:39:44 2 ( A.... ) "C:\WINNT\system32\wtssu.exe"
2006-06-20 23:39:42 81920 ( A.... ) "C:\WINNT\system32\ping.dll"
2006-06-20 23:39:42 ( .D... ) "C:\Program Files\į?sks"
2006-06-20 23:37:46 32768 ( A.... ) "C:\WINNT\qxvqutzm.exe"
2006-06-20 23:34:20 ( .D... ) "C:\Program Files\PartyPoker"
2006-06-20 22:29:22 110592 ( A.... ) "C:\WINNT\cfg32o.dll"
2006-06-20 22:29:22 102400 ( A.... ) "C:\WINNT\cfg32r.dll"
2006-06-20 22:29:22 45056 ( A.... ) "C:\WINNT\cfg32s.dll"
2006-06-20 22:29:20 397312 ( A.... ) "C:\WINNT\cfg32p.dll"
2006-06-20 22:28:56 ( .D... ) "C:\Program Files\ipwins"
2006-06-20 22:26:40 ( .D... ) "C:\Program Files\Common Files\qoow"
2006-06-20 22:26:18 8464 ( A.... ) "C:\WINNT\system32\sporder.dll"
2006-06-20 22:26:12 208896 ( A.... ) "C:\WINNT\system32\x3cqp0.dll"
2006-06-20 22:26:12 45056 ( A.... ) "C:\WINNT\system32tfthot.exe"
2006-06-20 22:26:12 45056 ( A.... ) "C:\WINNT\system32\tfthot.exe"
2006-06-20 22:26:12 28672 ( A.... ) "C:\WINNT\system32ftuninst.exe"
2006-06-20 22:26:12 28672 ( A.... ) "C:\WINNT\system32\gbe90qs.exe"
2006-06-20 22:26:12 28672 ( A.... ) "C:\WINNT\system32\ftuninst.exe"
2006-06-20 22:26:12 24576 ( A.... ) "C:\WINNT\system32ssec.exe"
2006-06-20 22:26:12 24576 ( A.... ) "C:\WINNT\system32\ssec.exe"
2006-06-20 22:25:42 929 ( A.... ) "C:\WINNT\system32\nt68rrtc12.sys"
2006-06-20 22:25:42 929 ( A.... ) "C:\WINNT\system32\nt68rrtc12.sys"
2006-06-20 22:24:28 ( .D... ) "C:\Program Files\?racle"
2006-06-20 22:24:20 ( .D... ) "C:\Program Files\Windows"
2006-06-20 16:27:08 170 ( A.... ) "C:\WINNT\comexec.bat"
2006-06-20 16:14:02 13824 ( A.... ) "C:\WINNT\comserv.exe"
2006-06-16 18:27:12 70656 ( ..SHR ) "C:\WINNT\relocater.exe"
2006-06-15 18:39:06 131072 ( A.... ) "C:\WINNT\system32\mptft.exe"
2006-06-15 15:26:44 1142784 ( A.... ) "C:\WINNT\system32\ssn6tuu.exe"
2006-06-15 15:26:40 24576 ( A.... ) "C:\WINNT\system32\nr1rnqm8.exe"
2006-06-14 22:01:56 403799 ( A.... ) "C:\WINNT\cmdmgr.exe"
2006-06-14 21:03:46 114174 ( A.... ) "C:\WINNT\hostsmgr.exe"
2006-06-14 20:52:14 29251 ( A.... ) "C:\WINNT\mc-110-12-0000488.exe"
2006-06-10 21:28:12 ( .D... ) "C:\Program Files\Zango"
2006-06-09 14:38:52 ( .D... ) "C:\Program Files\Windows Defender"
2006-06-08 21:19:50 5967776 ( A.... ) "C:\WINNT\system32\MRT.exe"
2006-06-07 13:55:52 3753 ( A.... ) "C:\Program Files\Common Files\kyze.html"
2006-06-01 14:47:08 163840 ( A.... ) "C:\WINNT\system32\jgdw400.dll"
2006-06-01 14:47:08 27648 ( A.... ) "C:\WINNT\system32\jgpl400.dll"
2006-05-30 19:09:20 24576 ( A.... ) "C:\WINNT\Uninstall.exe"
2006-05-29 11:30:34 1494016 ( A.... ) "C:\WINNT\system32\shdocvw.dll"
2006-05-22 16:28:18 ( .D... ) "C:\Program Files\Google"
2006-05-19 11:08:32 3052544 ( A.... ) "C:\WINNT\system32\mshtml.dll"
2006-05-18 01:24:26 450560 ( A.... ) "C:\WINNT\system32\jscript.dll"
2006-05-16 18:55:16 ( .D... ) "C:\Program Files\DIFX"
2006-05-16 18:43:04 ( .D... ) "C:\Program Files\QuickTime"
2006-05-16 18:34:56 ( .D... ) "C:\Program Files\iTunes"
2006-05-11 04:23:24 24576 ( A.... ) "C:\WINNT\system32\xpsp3res.dll"
2006-05-10 01:23:04 658432 ( A.... ) "C:\WINNT\system32\wininet.dll"
2006-05-10 01:23:02 613888 ( A.... ) "C:\WINNT\system32\urlmon.dll"
2006-05-10 01:23:02 532480 ( A.... ) "C:\WINNT\system32\mstime.dll"
2006-05-10 01:23:02 474112 ( A.... ) "C:\WINNT\system32\shlwapi.dll"
2006-05-10 01:23:02 448512 ( A.... ) "C:\WINNT\system32\mshtmled.dll"
2006-05-10 01:23:02 146432 ( A.... ) "C:\WINNT\system32\msrating.dll"
2006-05-10 01:23:02 39424 ( A.... ) "C:\WINNT\system32\pngfilt.dll"
2006-05-10 01:23:00 1054208 ( A.... ) "C:\WINNT\system32\danim.dll"
2006-05-10 01:23:00 1022976 ( A.... ) "C:\WINNT\system32\browseui.dll"
2006-05-10 01:23:00 357888 ( A.... ) "C:\WINNT\system32\dxtmsft.dll"
2006-05-10 01:23:00 251392 ( A.... ) "C:\WINNT\system32\iepeers.dll"
2006-05-10 01:23:00 205312 ( A.... ) "C:\WINNT\system32\dxtrans.dll"
2006-05-10 01:23:00 151040 ( A.... ) "C:\WINNT\system32\cdfview.dll"
2006-05-10 01:23:00 96256 ( A.... ) "C:\WINNT\system32\inseng.dll"
2006-05-10 01:23:00 55808 ( ..... ) "C:\WINNT\system32\extmgr.dll"
2006-05-10 01:23:00 16384 ( A.... ) "C:\WINNT\system32\jsproxy.dll"
2006-04-29 06:07:48 5533696 ( A.... ) "C:\WINNT\system32\wmp.dll"
2006-04-22 17:22:48 60200 ( A.... ) "C:\WINNT\system32\sirenacm.dll"


((((((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"BCMSMMSG"="BCMSMMSG.exe"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"vptray"="C:\\PROGRA~1\\SYMANT~1\\VPTray.exe"
"AdobeVersionCue"="C:\\Program Files\\Adobe\\Adobe Version Cue\\ControlPanel\\VersionCueTray.exe"
"Acrobat Assistant 7.0"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Distillr\\Acrotray.exe\""
@=""
"ViewMgr"="C:\\Program Files\\Viewpoint\\Viewpoint Manager\\ViewMgr.exe"
"igfxtray"="C:\\WINNT\\system32\\igfxtray.exe"
"igfxhkcmd"="C:\\WINNT\\system32\\hkcmd.exe"
"igfxpers"="C:\\WINNT\\system32\\igfxpers.exe"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"ftexc"="C:\\WINNT\\system32\\mptft.exe"
"Hhl7RfpJ"="\"C:\\WINNT\\system32\\ssn6tuu.exe\""
"!ewido"="\"C:\\Documents and Settings\\Administrator.OWNER-E7TK5G35W\\Desktop\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex]
"flags"=dword:00000008

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex\000]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"AIM"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"Xaxf"="C:\\DOCUME~1\\LOCALS~1.NTA\\APPLIC~1\\CURITY~1\\ati2evxx.exe"
"Ncao"="\"C:\\WINNT\\system32\\SKS~1\\nopdb.exe\" -vt ndrv"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Ncao"="\"C:\\PROGRA~1\\RACLE~1\\msdtc.exe\" -vt yazr"
"Xaxf"="C:\\DOCUME~1\\LOCALS~1.NTA\\APPLIC~1\\CURITY~1\\ati2evxx.exe"
"nojbe"="C:\\WINNT\\system32\\rbxidp.exe reg_run"
"qoow"="C:\\PROGRA~1\\COMMON~1\\qoow\\qoowm.exe"
"TClock.exe"="C:\\Program Files\\TClock\\tclock_install.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer\Run]
"WinUpdate.exe"="C:\\Program Files\\Windows\\WinUpdate.exe"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"Ncao"="\"C:\\PROGRA~1\\RACLE~1\\msdtc.exe\" -vt yazr"
"Xaxf"="C:\\DOCUME~1\\LOCALS~1.NTA\\APPLIC~1\\CURITY~1\\ati2evxx.exe"
"nojbe"="C:\\WINNT\\system32\\rbxidp.exe reg_run"
"qoow"="C:\\PROGRA~1\\COMMON~1\\qoow\\qoowm.exe"
"TClock.exe"="C:\\Program Files\\TClock\\tclock_install.exe"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer\Run]
"WinUpdate.exe"="C:\\Program Files\\Windows\\WinUpdate.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"


Contents of the 'Scheduled Tasks' folder
C:\WINNT\tasks\MP Scheduled Scan.job

Completion time: Wed 06/21/2006 20:39:22.48
ComboFix ver 06.06.22 - This logfile is located at C:\ComboFix.txt

#9 amateur

amateur

    Malware Fighter


  • Malware Response Team
  • 2,775 posts
  • OFFLINE
  • Gender:Female
  • Local time:02:57 AM

Posted 22 June 2006 - 09:54 AM

Hi again :thumbsup:

You seem to have picked up a new infection. :flowers:

Please download LSP-Fix and save it to the desktop. Do not use it. You'll only use it if you cannot connect to the internet after removing New.Net.

Go to Start>Control Panel > add/remove programs and look if the following are present and remove them if present:

Viewpoint.
TClock
NewDotNet
New.Net
If New.Net or NewDotNet is not present, look if there's an uninstaller in the folder: Program Files\NewDotNet.
That uninstaller will be labeled uninstallX_XX.exe ("X" represents the version number of the uninstaller).
If not present there too, look if it's in your C:\Windows or C:\Winnt. It will be labeled NDNuninstallX_XX.exe.
If still not present, use the following uninstaller:

http://www.new.net/support/uninstall6_90.exe

Reboot afterwards! Important!

=========================================

Make sure that you can see hidden files
  • Click Start
  • Open My Computer
  • Select the Tools menu and click Folder Options
  • Select the View Tab
  • Under the Hidden files and folders heading select Show hidden files and folders
  • Uncheck the Hide protected operating system files (recommended) option
  • Click Yes to confirm
  • Click OK
** These files are hidden to stop you accidentally removing something important.
It is advisable to hide them again after fixing your computer. **

====================================

Run HiJackThis

Click "Open the Misc Tools Section"
Click "Open Process manager"

Next, while holding down the CTRL key, locate (if present) and click on (highlight) each of the following;

C:\WINNT\system32\ssn6tuu.exe
C:\WINNT\system32\nr1rnqm8.exe
C:\WINNT\relocater.exe

Now double-check and make sure that only those item(s) above are highlighted, then click "Kill process". Now, click "Refresh", check again, and repeat this step if any remain.

Click on the Back button to exit Process Manager

Now, back at the main screen of HijackThis, click on Scan and put a check in front of the following

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=20065&k=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=20065&k=
O2 - BHO: Yvakt Class - {AE0ECC2F-0C33-494C-8B22-B57A7763027F} - C:\WINNT\system32\x3cqp0.dll
O2 - BHO: (no name) - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - (no file)
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar V35\ViewBar.dll
O3 - Toolbar: Search - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\WINNT\cfg32s.dll (file missing)
O3 - Toolbar: Search - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\WINNT\cfg32s.dll (file missing)
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar V35\ViewBar.dll/CXTSEARCH.HTML
O18 - Filter: text/html - {DA28E0DB-229C-4003-827E-96AE15AD90FB} - C:\WINNT\system32\x3cqp0.dll
O23 - Service: Remote Procedure Call (RPC) Relocator (RpcRelocator) - Unknown owner - C:\WINNT\relocater.exe (file missing)


Close all other browsers/windows/applications/email, etc, including this one, and click on fix checked.

===================================

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.
Look in here for more information.

===================================

Go to Start->Run and type "Services.msc" (without quotes) then hit Ok
Scroll down and find the service called:
RpcRelocator

When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows. If you don't find this service listed go ahead with the next steps.

===================================

Using Windows Explorer (right click on Start, click on Explore), navigate to and delete the following files and folders, if present:

C:\Program Files\AIM\Sysfiles\WxBug.EXE
C:\WINDOWS\lrdebbe.exe
C:\WINDOWS\unstall.exe (notice the spelling)
C:\WINDOWS\SYSTEM32\GTDownDE_87.ocx
C:\WINNT\comserv.exe
C:\WINNT\qveot.dll
C:\WINNT\relocater.exe
C:\WINNT\system32\gbe90qs.exe
C:\WINNT\system32\ssn6tuu.exe
C:\WINNT\system32\tfthot.exe
C:\WINNT\system32\mptft.exe
C:\WINNT\system32\wtssu.exe
C:\WINNT\system32\x3cqp0.dll
C:\\WINNT\\system32\\rbxidp.exe

C:\\WINNT\\system32\\SKS~1\\nopdb.exe <=== it would have this file in it. This is not the legitimate Norton speed disk file.

Do you know anything about this program? If not please delete the folder.

C:\\PROGRAM FILES\\COMMON FILES\\qoow\\qoowm.exe

Using Windows Explorer, navigate to the following folders and delete the contents of the folder but not the folder itself:

C:\Documents and Settings\Justin Castonguay\Local Settings\Temp
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\

===============================================

From Safe Mode Run Ccleaner

===============================================

Reboot in Normal Mode and

Download, update, configure and run these two programs: http://tomcoyote.org/aawsb.php
The newest version of Ad-aware SE is 1.06 and Spybot 1.4. Even if you have these programs, use the link to get the newest version, update and configure them as in the link. Run Spybot first, reboot then run Ad-aware. Both programs back up what they remove so delete anything the programs say should be removed.

===============================================

Please do an online scan with Kaspersky Online Scanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      • Extended (If available otherwise Standard)
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK
  • Now under select a target to scan select My Computer
  • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post along with a fresh HijackThis log please.
BTW, are you using a proxy server?
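
The fix list above works by reading warning signs straight out of HijackThis entries: hooks and services whose file is already gone, a service with no company name, startup programs living under a user profile, system binary names (attrib.exe, ati2evxx.exe) running from odd folders, a path with characters the log cannot display, and the proxy question at the end. The following is an added example, not part of amateur's post and not HijackThis code, that applies those same checks to log lines automatically. The sample lines are copied from the logs posted in this thread; the marker lists, tag names and rules are this example's own assumptions, and an entry it does not flag (such as a BHO with a random class name in system32) still needs the CLSID lookup a human helper does.

```python
"""Triage HijackThis (v1.99) log lines for the warning signs used in this thread."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed input: lines copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 172.19.52.115:1350
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Search - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\WINNT\cfg32s.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [Xaxf] C:\DOCUME~1\LOCALS~1.NTA\APPLIC~1\CURITY~1\ati2evxx.exe
O4 - HKCU\..\Run: [Ncao] "C:\PROGRA~1\COMMON~1\PPPATC~1\attrib.exe" -vt ndrv
O4 - HKCU\..\Run: [Cwow] C:\Program Files\Common Files\??curity\ati2evxx.exe
O20 - AppInit_DLLs: C:\WINNT\system32\msiexec.dll
O23 - Service: Remote Procedure Call (RPC) Relocator (RpcRelocator) - Unknown owner - C:\WINNT\relocater.exe (file missing)
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

# "O4 - <body>" / "R1 - <body>"; the kind code tells us which rules apply.
ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
# First drive-letter path ending in an executable or library (quotes optional).
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll|ocx)', re.IGNORECASE)

# Lower-cased substrings that place a path inside a user profile or temp area (assumed list).
PROFILE_MARKERS = ("\\docume~1\\", "\\documents and settings\\", "\\local settings\\",
                   "\\locals~1", "\\applic~1\\", "\\application data\\", "\\temp\\")
# Windows / driver binary names that malware in this thread imitated outside their home
# directory (constructed list for this example; extend it from your own baseline).
SYSTEM_BINARY_NAMES = {"attrib.exe", "msdtc.exe", "ati2evxx.exe", "svchost.exe", "lsass.exe"}

DESCRIPTIONS = {
    "file-missing": "entry points at a file that no longer exists (orphaned hook or service)",
    "unknown-owner": "service binary carries no company name",
    "appinit-dll": "AppInit_DLLs loads this DLL into every process that uses user32",
    "proxy-configured": "Internet Explorer is set to send traffic through a proxy",
    "odd-chars-in-path": "path contains characters the log could not display",
    "autorun-from-profile": "startup program lives in a profile or temp directory",
    "system-name-outside-system-dir": "well-known system binary name outside the Windows directory",
}


@dataclass
class Finding:
    line: str
    kind: str
    path: Optional[str]
    reasons: List[str] = field(default_factory=list)


def _in_system_dir(path: str) -> bool:
    low = path.lower()
    return "\\winnt\\" in low or "\\windows\\" in low


def assess(line: str) -> Optional[Finding]:
    """Return a Finding for one log line, or None when no rule fires."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None  # headers, process lists and blank lines are not entries
    kind, body = m.group("kind"), m.group("body")
    pm = PATH_RE.search(body)
    path = pm.group(0) if pm else None
    reasons: List[str] = []
    if "(file missing)" in body:
        reasons.append("file-missing")
    if kind == "O23" and "Unknown owner" in body:
        reasons.append("unknown-owner")
    if kind == "O20" and "AppInit_DLLs" in body:
        reasons.append("appinit-dll")
    if kind in ("R0", "R1") and "ProxyServer" in body:
        reasons.append("proxy-configured")
    if path:
        low = path.lower()
        name = low.rsplit("\\", 1)[-1]
        if "?" in path or any(ord(c) > 127 for c in path):
            reasons.append("odd-chars-in-path")
        if kind == "O4" and any(marker in low for marker in PROFILE_MARKERS):
            reasons.append("autorun-from-profile")
        if name in SYSTEM_BINARY_NAMES and not _in_system_dir(path):
            reasons.append("system-name-outside-system-dir")
    return Finding(line.strip(), kind, path, reasons) if reasons else None


def triage(log_text: str) -> List[Finding]:
    """All flagged entries of a log, in file order."""
    return [f for f in (assess(ln) for ln in log_text.splitlines()) if f]


def reasons_for(findings: List[Finding], needle: str) -> List[str]:
    """Reason tags of the first flagged line containing `needle` ([] if it was not flagged)."""
    for f in findings:
        if needle in f.line:
            return f.reasons
    return []


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind}: {f.line}")
        for r in f.reasons:
            print(f"    - {DESCRIPTIONS[r]}")
```

Run it against a saved HijackThis log by reading the file into `triage()`; each flagged line is printed with the plain-language reason, which mirrors the checks the helper made by hand. The rules are deliberately conservative (the Symantec, Spybot and ccApp entries produce nothing), so a clean result means "nothing obvious", not "clean".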

#10 Castonguay

Castonguay
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:02:57 AM

Posted 22 June 2006 - 06:24 PM

I ran all that you asked above, though some of the things that you told me to delete in the WINNT folder did not appear (I had show hidden chosen as well). Are things looking any better? Should I have Windows Defender back to its normal options now too? Thanks so much!!

Also, I'm not sure if I am on a proxy server. Right now the computer is using comcast wireless internet, and one other computer running windows is on the network, can these viruses and problems affect the other computer because we're sharing a network?

Logfile of HijackThis v1.99.1
Scan saved at 7:22:12 PM, on 6/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\Explorer.EXE
C:\WINNT\BCMSMMSG.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINNT\system32\hkcmd.exe
C:\WINNT\system32\igfxpers.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Documents and Settings\Administrator.OWNER-E7TK5G35W\Desktop\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\AIM\aim.exe
C:\WINNT\system32\igfxsrvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Documents and Settings\Administrator.OWNER-E7TK5G35W\Desktop\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\COMMON~1\PPPATC~1\attrib.exe
C:\Program Files\Common Files\??curity\ati2evxx.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=566...ER}&ar=home
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 172.19.52.115:1350
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [AdobeVersionCue] C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINNT\system32\igfxpers.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [!ewido] "C:\Documents and Settings\Administrator.OWNER-E7TK5G35W\Desktop\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Xaxf] C:\DOCUME~1\LOCALS~1.NTA\APPLIC~1\CURITY~1\ati2evxx.exe
O4 - HKCU\..\Run: [Ncao] "C:\PROGRA~1\COMMON~1\PPPATC~1\attrib.exe" -vt ndrv
O4 - HKCU\..\Run: [Cwow] C:\Program Files\Common Files\??curity\ati2evxx.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://vram2c.vcu.edu/iNotes6W.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by21fd.bay21.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: C:\WINNT\system32\msiexec.dll
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AdobeVersionCue - Adobe Sytems - C:\Program Files\Adobe\Adobe Version Cue\service\VersionCue.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Documents and Settings\Administrator.OWNER-E7TK5G35W\Desktop\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Remote Procedure Call (RPC) Relocator (RpcRelocator) - Unknown owner - C:\WINNT\relocater.exe (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe



-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Thursday, June 22, 2006 7:19:33 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 22/06/2006
Kaspersky Anti-Virus database records: 202085
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 134565
Number of viruses found: 31
Number of infected objects: 140
Number of suspicious objects: 0
Duration of the scan process: 01:55:55

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Administrator.OWNER-E7TK5G35W\Desktop\uninstall6_90.exe Infected: not-a-virus:AdWare.Win32.NewDotNet.e skipped
C:\Documents and Settings\Administrator.OWNER-E7TK5G35W\DoctorWeb\Quarantine\kyze.html Infected: Trojan-Clicker.Win32.Small.jf skipped
C:\Documents and Settings\Administrator.OWNER-E7TK5G35W\DoctorWeb\Quarantine\maxidr[1].avi/data0004/data0006 Infected: not-a-virus:AdWare.Win32.Agent.y skipped
C:\Documents and Settings\Administrator.OWNER-E7TK5G35W\DoctorWeb\Quarantine\maxidr[1].avi/data0004 Infected: not-a-virus:AdWare.Win32.Agent.y skipped
C:\Documents and Settings\Administrator.OWNER-E7TK5G35W\DoctorWeb\Quarantine\maxidr[1].avi NSIS: infected - 2 skipped
C:\Documents and Settings\Administrator.OWNER-E7TK5G35W\DoctorWeb\Quarantine\maxidr[1].avi UPX: infected - 2 skipped
C:\Documents and Settings\Administrator.OWNER-E7TK5G35W\DoctorWeb\Quarantine\maxidr[1].avi PE_Patch.UPX: infected - 2 skipped
C:\Documents and Settings\Administrator.OWNER-E7TK5G35W\DoctorWeb\Quarantine\maxidr[3].avi/data0004/data0006 Infected: not-a-virus:AdWare.Win32.Agent.y skipped
C:\Documents and Settings\Administrator.OWNER-E7TK5G35W\DoctorWeb\Quarantine\maxidr[3].avi/data0004 Infected: not-a-virus:AdWare.Win32.Agent.y skipped
C:\Documents and Settings\Administrator.OWNER-E7TK5G35W\DoctorWeb\Quarantine\maxidr[3].avi NSIS: infected - 2 skipped
C:\Documents and Settings\Administrator.OWNER-E7TK5G35W\DoctorWeb\Quarantine\maxidr[3].avi UPX: infected - 2 skipped
C:\Documents and Settings\Administrator.OWNER-E7TK5G35W\DoctorWeb\Quarantine\maxidr[3].avi PE_Patch.UPX: infected - 2 skipped
C:\Documents and Settings\Administrator.OWNER-E7TK5G35W\DoctorWeb\Quarantine\mc-110-12-0000228[1].exe/data0001 Infected: Trojan-Downloader.NSIS.Agent.u skipped
C:\Documents and Settings\Administrator.OWNER-E7TK5G35W\DoctorWeb\Quarantine\mc-110-12-0000228[1].exe NSIS: infected - 1 skipped
C:\Documents and Settings\Administrator.OWNER-E7TK5G35W\DoctorWeb\Quarantine\mc-110-12-0000228[1].exe UPX: infected - 1 skipped
C:\Documents and Settings\Administrator.OWNER-E7TK5G35W\DoctorWeb\Quarantine\mc-110-12-0000228[1].exe PE_Patch.UPX: infected - 1 skipped
C:\Documents and Settings\Administrator.OWNER-E7TK5G35W\DoctorWeb\Quarantine\mc-110-12-0000488.exe/data0001 Infected: Trojan-Downloader.NSIS.Agent.u skipped
C:\Documents and Settings\Administrator.OWNER-E7TK5G35W\DoctorWeb\Quarantine\mc-110-12-0000488.exe NSIS: infected - 1 skipped
C:\Documents and Settings\Administrator.OWNER-E7TK5G35W\DoctorWeb\Quarantine\mc-110-12-0000488.exe UPX: infected - 1 skipped
C:\Documents and Settings\Administrator.OWNER-E7TK5G35W\DoctorWeb\Quarantine\mc-110-12-0000488.exe PE_Patch.UPX: infected - 1 skipped
C:\Documents and Settings\Administrator.OWNER-E7TK5G35W\Local Settings\Temporary Internet Files\Content.IE5\KHUFG52R\!update-3895[1].0000 Infected: Trojan-Downloader.Win32.PurityScan.co skipped
C:\Documents and Settings\Administrator.OWNER-E7TK5G35W\My Documents\BSINSTALL.exe/WISE0023.BIN/data0001.cab/VVSN.exe Infected: not-a-virus:AdWare.Win32.SaveNow.z skipped
C:\Documents and Settings\Administrator.OWNER-E7TK5G35W\My Documents\BSINSTALL.exe/WISE0023.BIN/data0001.cab Infected: not-a-virus:AdWare.Win32.SaveNow.z skipped
C:\Documents and Settings\Administrator.OWNER-E7TK5G35W\My Documents\BSINSTALL.exe/WISE0023.BIN Infected: not-a-virus:AdWare.Win32.SaveNow.z skipped
C:\Documents and Settings\Administrator.OWNER-E7TK5G35W\My Documents\BSINSTALL.exe/WISE0027.BIN Infected: not-a-virus:AdWare.Win32.SaveNow.bo skipped
C:\Documents and Settings\Administrator.OWNER-E7TK5G35W\My Documents\BSINSTALL.exe WiseSFX: infected - 4 skipped
C:\Documents and Settings\Administrator.OWNER-E7TK5G35W\My Documents\BSINSTALL.exe WiseSFX Dropper: infected - 4 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0FC40001.VBN Infected: Trojan-Downloader.Win32.Agent.tv skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0FC40002.VBN Infected: Trojan-Downloader.Win32.Agent.tv skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0FC40003.VBN Infected: Trojan.Win32.EliteBar.a skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0FC40004.VBN Infected: Trojan.Win32.EliteBar.a skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0FC40005.VBN Infected: Trojan-Downloader.Win32.Agent.tv skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0FC40006.VBN Infected: Trojan-Downloader.Win32.Agent.tv skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0FC40007.VBN Infected: Trojan.Win32.EliteBar.a skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0FC40008.VBN Infected: Trojan.Win32.EliteBar.a skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0FC40009.VBN Infected: Trojan.Win32.EliteBar.a skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0FC4000A.VBN Infected: Trojan.Win32.EliteBar.a skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0FC4000B.VBN Infected: Trojan.Win32.Qhost skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0FC4000C.VBN Infected: Trojan.Win32.Qhost skipped
C:\Documents and Settings\All Users.WINNT\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\03340001.VBN Infected: Trojan-Dropper.Win32.Agent.hl skipped
C:\Documents and Settings\All Users.WINNT\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\03340002.VBN Infected: Trojan-Dropper.Win32.Agent.hl skipped
C:\Documents and Settings\All Users.WINNT\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05900000.VBN Infected: Trojan-Downloader.MSIL.Agent.a skipped
C:\Documents and Settings\All Users.WINNT\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05900001.VBN Infected: Trojan-Downloader.MSIL.Agent.a skipped
C:\Documents and Settings\All Users.WINNT\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05900005.VBN Infected: Trojan-Clicker.Win32.VB.ij skipped
C:\Documents and Settings\All Users.WINNT\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05900006.VBN Infected: Trojan-Downloader.Win32.VB.nw skipped
C:\Documents and Settings\All Users.WINNT\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05900008.VBN Infected: Trojan-Dropper.Win32.Agent.hl skipped
C:\Documents and Settings\All Users.WINNT\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05900009.VBN Infected: Trojan-Dropper.Win32.Agent.hl skipped
C:\Documents and Settings\All Users.WINNT\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09940001.VBN Infected: Trojan-Downloader.MSIL.Agent.a skipped
C:\Documents and Settings\All Users.WINNT\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09940004.VBN Infected: Trojan-Clicker.Win32.VB.ij skipped
C:\Documents and Settings\All Users.WINNT\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09940005.VBN Infected: Trojan-Downloader.Win32.VB.nw skipped
C:\Documents and Settings\All Users.WINNT\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09940006.VBN Infected: Trojan-Dropper.Win32.Agent.hl skipped
C:\Documents and Settings\All Users.WINNT\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09940007.VBN Infected: Trojan-Dropper.Win32.Agent.hl skipped
C:\Documents and Settings\All Users.WINNT\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B2C0000.VBN Infected: Trojan-Downloader.Win32.Agent.acd skipped
C:\Documents and Settings\All Users.WINNT\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B2C0001.VBN Infected: Exploit.JS.CVE-2005-1790.j skipped
C:\Documents and Settings\All Users.WINNT\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B780000.VBN/data0006 Infected: Trojan-Dropper.Win32.VB.mz skipped
C:\Documents and Settings\All Users.WINNT\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B780000.VBN NSIS: infected - 1 skipped
C:\Documents and Settings\All Users.WINNT\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B780000.VBN CryptZ: infected - 1 skipped
C:\Documents and Settings\All Users.WINNT\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B780001.VBN/data0006 Infected: Trojan-Dropper.Win32.VB.mz skipped
C:\Documents and Settings\All Users.WINNT\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B780001.VBN NSIS: infected - 1 skipped
C:\Documents and Settings\All Users.WINNT\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B780001.VBN CryptZ: infected - 1 skipped
C:\Documents and Settings\All Users.WINNT\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CC80000.VBN Infected: not-a-virus:AdWare.Win32.EliteBar.q skipped
C:\Documents and Settings\All Users.WINNT\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CC80001.VBN Infected: not-a-virus:AdWare.Win32.EliteBar.q skipped
C:\Documents and Settings\All Users.WINNT\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D000001.VBN Infected: Trojan-Clicker.Win32.VB.ij skipped
C:\Documents and Settings\All Users.WINNT\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D000002.VBN Infected: Trojan-Downloader.Win32.VB.nw skipped
C:\Documents and Settings\All Users.WINNT\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D000003.VBN Infected: Trojan-Dropper.Win32.Agent.hl skipped
C:\Documents and Settings\All Users.WINNT\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D000004.VBN Infected: Trojan-Downloader.Win32.Qoologic.ax skipped
C:\Documents and Settings\All Users.WINNT\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D000005.VBN Infected: Trojan-Downloader.Win32.Qoologic.ax skipped
C:\Documents and Settings\All Users.WINNT\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D000006.VBN Infected: Trojan-Downloader.Win32.Qoologic.ax skipped
C:\Documents and Settings\All Users.WINNT\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D000007.VBN Infected: Trojan-Downloader.Win32.Qoologic.ax skipped
C:\Documents and Settings\All Users.WINNT\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D000008.VBN Infected: Trojan-Downloader.Win32.Small.cpu skipped
C:\Documents and Settings\All Users.WINNT\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D000009.VBN Infected: Trojan-Dropper.Win32.Agent.hl skipped
C:\Documents and Settings\All Users.WINNT\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D00000A.VBN Infected: Trojan-Dropper.Win32.Agent.hl skipped
C:\Documents and Settings\All Users.WINNT\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D00000B.VBN Infected: Trojan-Dropper.Win32.Agent.hl skipped
C:\Documents and Settings\All Users.WINNT\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D00000C.VBN Infected: Trojan-Dropper.Win32.Agent.hl skipped
C:\Documents and Settings\All Users.WINNT\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D00000D.VBN Infected: Trojan-Downloader.MSIL.Agent.a skipped
C:\Documents and Settings\All Users.WINNT\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D00000F.VBN Infected: Trojan-Dropper.Win32.Agent.hl skipped
C:\Documents and Settings\Justin Castonguay\My Documents\BSINSTALL.exe/WISE0023.BIN/data0001.cab/VVSN.exe Infected: not-a-virus:AdWare.Win32.SaveNow.z skipped
C:\Documents and Settings\Justin Castonguay\My Documents\BSINSTALL.exe/WISE0023.BIN/data0001.cab Infected: not-a-virus:AdWare.Win32.SaveNow.z skipped
C:\Documents and Settings\Justin Castonguay\My Documents\BSINSTALL.exe/WISE0023.BIN Infected: not-a-virus:AdWare.Win32.SaveNow.z skipped
C:\Documents and Settings\Justin Castonguay\My Documents\BSINSTALL.exe/WISE0027.BIN Infected: not-a-virus:AdWare.Win32.SaveNow.bo skipped
C:\Documents and Settings\Justin Castonguay\My Documents\BSINSTALL.exe WiseSFX: infected - 4 skipped
C:\Documents and Settings\Justin Castonguay\My Documents\BSINSTALL.exe WiseSFX Dropper: infected - 4 skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\1EPSJMNV\exec2[1].zip/data.rar/cmdmgr.exe/hostsmgr.exe/BAT Infected: Trojan.BAT.KillAV.cr skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\1EPSJMNV\exec2[1].zip/data.rar/cmdmgr.exe/hostsmgr.exe Infected: Trojan.BAT.KillAV.cr skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\1EPSJMNV\exec2[1].zip/data.rar/cmdmgr.exe/mc-110-12-0000488.exe/data0001 Infected: Trojan-Downloader.NSIS.Agent.u skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\1EPSJMNV\exec2[1].zip/data.rar/cmdmgr.exe/mc-110-12-0000488.exe Infected: Trojan-Downloader.NSIS.Agent.u skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\1EPSJMNV\exec2[1].zip/data.rar/cmdmgr.exe Infected: Trojan-Downloader.NSIS.Agent.u skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\1EPSJMNV\exec2[1].zip/data.rar/comserv.exe Infected: Trojan-Downloader.Win32.Adload.ch skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\1EPSJMNV\exec2[1].zip/data.rar Infected: Trojan-Downloader.Win32.Adload.ch skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\1EPSJMNV\exec2[1].zip RarSFX: infected - 7 skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\1EPSJMNV\exec2[2].zip/data.rar/cmdmgr.exe/hostsmgr.exe/BAT Infected: Trojan.BAT.KillAV.cr skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\1EPSJMNV\exec2[2].zip/data.rar/cmdmgr.exe/hostsmgr.exe Infected: Trojan.BAT.KillAV.cr skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\1EPSJMNV\exec2[2].zip/data.rar/cmdmgr.exe/mc-110-12-0000488.exe/data0001 Infected: Trojan-Downloader.NSIS.Agent.u skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\1EPSJMNV\exec2[2].zip/data.rar/cmdmgr.exe/mc-110-12-0000488.exe Infected: Trojan-Downloader.NSIS.Agent.u skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\1EPSJMNV\exec2[2].zip/data.rar/cmdmgr.exe Infected: Trojan-Downloader.NSIS.Agent.u skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\1EPSJMNV\exec2[2].zip/data.rar/comserv.exe Infected: Trojan-Downloader.Win32.Adload.ch skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\1EPSJMNV\exec2[2].zip/data.rar Infected: Trojan-Downloader.Win32.Adload.ch skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\1EPSJMNV\exec2[2].zip RarSFX: infected - 7 skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\CKM4P7UL\wallp2[1].exe Infected: Trojan-Clicker.Win32.Small.jf skipped
C:\services.exe/data.rar/cmdmgr.exe/hostsmgr.exe/BAT Infected: Trojan.BAT.KillAV.cr skipped
C:\services.exe/data.rar/cmdmgr.exe/hostsmgr.exe Infected: Trojan.BAT.KillAV.cr skipped
C:\services.exe/data.rar/cmdmgr.exe/mc-110-12-0000488.exe/data0001 Infected: Trojan-Downloader.NSIS.Agent.u skipped
C:\services.exe/data.rar/cmdmgr.exe/mc-110-12-0000488.exe Infected: Trojan-Downloader.NSIS.Agent.u skipped
C:\services.exe/data.rar/cmdmgr.exe Infected: Trojan-Downloader.NSIS.Agent.u skipped
C:\services.exe/data.rar/comserv.exe Infected: Trojan-Downloader.Win32.Adload.ch skipped
C:\services.exe/data.rar Infected: Trojan-Downloader.Win32.Adload.ch skipped
C:\services.exe RarSFX: infected - 7 skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP193\A0026100.exe Infected: IM-Worm.Win32.Kelvir.dd skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP193\A0026101.exe Infected: IM-Worm.Win32.Kelvir.dd skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP193\A0026102.exe Infected: IM-Worm.Win32.Kelvir.dd skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP193\A0026103.exe Infected: IM-Worm.Win32.Kelvir.dd skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP193\A0026104.dll Infected: not-a-virus:AdWare.Win32.Sahat.w skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP193\A0026105.exe Infected: IM-Worm.Win32.Kelvir.dg skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP193\A0026106.exe Infected: IM-Worm.Win32.Kelvir.dd skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP193\A0026107.exe Infected: IM-Worm.Win32.Kelvir.dd skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP193\A0026108.exe Infected: IM-Worm.Win32.Kelvir.dg skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP193\A0026109.exe Infected: Backdoor.Win32.Aimbot.o skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP193\A0026192.ini Infected: not-a-virus:AdWare.Win32.Sahat.ao skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP195\A0026272.exe/WISE0023.BIN/data0001.cab/VVSN.exe Infected: not-a-virus:AdWare.Win32.SaveNow.z skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP195\A0026272.exe/WISE0023.BIN/data0001.cab Infected: not-a-virus:AdWare.Win32.SaveNow.z skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP195\A0026272.exe/WISE0023.BIN Infected: not-a-virus:AdWare.Win32.SaveNow.z skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP195\A0026272.exe/WISE0027.BIN Infected: not-a-virus:AdWare.Win32.SaveNow.bo skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP195\A0026272.exe WiseSFX: infected - 4 skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP195\A0026272.exe WiseSFX Dropper: infected - 4 skipped
C:\WINDOWS\hisistheurls.exe/data.rar/archive comment Infected: Trojan.Win32.Favadd.f skipped
C:\WINDOWS\hisistheurls.exe/data.rar Infected: Trojan.Win32.Favadd.f skipped
C:\WINDOWS\hisistheurls.exe RarSFX: infected - 2 skipped
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\LIZH3SW4\silent_setup[2].exe Infected: Trojan-Dropper.Win32.Agent.se skipped
C:\WINDOWS\SYSTEM32\dlcl.edp Infected: Net-Worm.Win32.Randon.an skipped
C:\WINNT\cmdmgr.exe/hostsmgr.exe/BAT Infected: Trojan.BAT.KillAV.cr skipped
C:\WINNT\cmdmgr.exe/hostsmgr.exe Infected: Trojan.BAT.KillAV.cr skipped
C:\WINNT\cmdmgr.exe/mc-110-12-0000488.exe/data0001 Infected: Trojan-Downloader.NSIS.Agent.u skipped
C:\WINNT\cmdmgr.exe/mc-110-12-0000488.exe Infected: Trojan-Downloader.NSIS.Agent.u skipped
C:\WINNT\cmdmgr.exe Instyler: infected - 4 skipped
C:\WINNT\hostsmgr.exe/BAT Infected: Trojan.BAT.KillAV.cr skipped
C:\WINNT\hostsmgr.exe QuickBatch: infected - 1 skipped
C:\WINNT\hostsmgr.exe PECompact: infected - 1 skipped
C:\WINNT\hostsmgr.exe PecBundle: infected - 1 skipped
C:\WINNT\hostsmgr.exe PE_Patch.PECompact: infected - 1 skipped
C:\WINNT\system32\msiexec.dll Infected: not-a-virus:AdWare.Win32.PurityScan.en skipped

Scan process completed.

Edited by Castonguay, 22 June 2006 - 06:27 PM.


#11 amateur
    Malware Fighter
  • Malware Response Team
  • 2,775 posts
  • Gender:Female

Posted 22 June 2006 - 09:13 PM

Hi Castonguay,

You keep picking up new infections all the time. There is another new infection now. :thumbsup: I am wondering if your antivirus is up-to-date. If it has expired I suggest you uninstall it from add/remove programs in Control Panel and download the following good free antivirus immediately. Update it and then run a full system scan.

Grisoft AVG from here : http://free.grisoft.com/doc/1
Click on Get AVG Free for Windows Right Now at the bottom of the page.


Please print these instructions so that you can have access to them at all times. Please read them carefully and follow them in the order they are presented.

Please make sure that Windows Defender is disabled.

==================================

Go to Start > Control Panel > Add/Remove Programs and uninstall the following programs if listed:

Oin
OuterInfo
Yazzle by Oin
Purityscan by Oin
Snowballwars by Oin
or anything similar with Oin in it


Reboot and delete this folder if found:
C:\Program Files\PurityScan

If not listed, download and run this uninstaller:
http://www.outerinfo.com/OiUninstaller.exe

Tutorial for the uninstaller if needed

Reboot when done and delete this folder if found:
C:\Program Files\PurityScan

==================================

Empty the Norton Quarantine. If you need to refresh your memory on how to do it, click here.

==================================

Boot into Safe Mode

==================================

Scan with HijackThis and put a checkmark against the following entries:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 172.19.52.115:1350<==== This is a private IP. If you are not using this address as a proxy server, please have it fixed with HijackThis.

R3 - Default URLSearchHook is missing
O4 - HKCU\..\Run: [Ncao] "C:\PROGRA~1\COMMON~1\PPPATC~1\attrib.exe" -vt ndrv
O4 - HKCU\..\Run: [Cwow] C:\Program Files\Common Files\??curity\ati2evxx.exe
O20 - AppInit_DLLs: C:\WINNT\system32\msiexec.dll
O23 - Service: Remote Procedure Call (RPC) Relocator (RpcRelocator) - Unknown owner - C:\WINNT\relocater.exe (file missing)


Close all other applications/browsers/windows/email, etc., except HijackThis and click on fix checked.

====================================
Using Windows Explorer, navigate to and delete the following files and folders, if present:

C:\services.exe
C:\WINDOWS\hisistheurls.exe
C:\WINDOWS\SYSTEM32\dlcl.edp
C:\WINNT\cmdmgr.exe
C:\WINNT\hostsmgr.exe
C:\WINNT\system32\msiexec.dll
C:\Documents and Settings\Administrator.OWNER-E7TK5G35W\My Documents\BSINSTALL.exe/
C:\WINNT\relocater.exe

C:\PROGRAM FILES\COMMON FILES\PPPATC~1\ <=== A folder name starting with these letters.
C:\Program Files\Common Files\??curity\ <=== The first two letters are probably from the Cyrillic alphabet. HijackThis cannot read them, thus the ??. Notice that it's in the Program Files folder, whereas the normal system folder would be in the Windows directory.
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\<=== delete the contents of the folder but not the folder itself.
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files<====== delete the contents of the folder but not the folder itself.

==================================

Run Ccleaner

==================================

Update Ewido and scan with it.

==================================

Scan with Kaspersky again.

==================================

Reboot.

==================================

Scan with HijackThis and save the log.

Post back the Ewido log, Kaspersky log and a fresh HijackThis log please.

Edited by amateur, 22 June 2006 - 10:03 PM.
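
Reading the scan output is the core of the triage in the post above: which hits are live on disk, which are already parked in the Norton quarantine, the browser cache or a System Restore point (the RP193 entries), and whether the R1 ProxyServer entry points at a private address. As an added example that is not part of this thread or of any of the tools named in it, the Python below parses constructed lines modelled on the Kaspersky report and the R1 entry; the function names and the sample lines are the editor's own.

```python
"""Triage helpers for Kaspersky Online Scanner and HijackThis output.

Added example, not a tool from this thread or from any product named in it.
It understands the three line shapes seen in the posted report:

    <path> Infected: <verdict> skipped
    <path> <packer>: infected - <n> skipped
    <path> Object is locked skipped

and buckets each hit by the outermost file on disk, so a responder can tell
live infections apart from copies sitting in AV quarantine, browser cache or
System Restore points. It also checks an R1 ProxyServer entry for a private
(RFC 1918 / loopback) address, the point raised about 172.19.52.115.
"""
import ipaddress
import re

# Constructed sample lines, modelled on the report posted in the thread.
SAMPLE_REPORT = r"""
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0FC40001.VBN Infected: Trojan-Downloader.Win32.Agent.tv skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP193\A0026100.exe Infected: IM-Worm.Win32.Kelvir.dd skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\CKM4P7UL\wallp2[1].exe Infected: Trojan-Clicker.Win32.Small.jf skipped
C:\services.exe/data.rar/cmdmgr.exe Infected: Trojan-Downloader.NSIS.Agent.u skipped
C:\services.exe RarSFX: infected - 7 skipped
C:\WINNT\system32\msiexec.dll Infected: not-a-virus:AdWare.Win32.PurityScan.en skipped
C:\WINNT\system32\config\SAM Object is locked skipped
"""

INFECTED = re.compile(r"^(?P<path>.+?) Infected: (?P<verdict>\S+) skipped$")
# The packer name may contain spaces ("WiseSFX Dropper") but never ':' or a path separator.
PACKED = re.compile(r"^(?P<path>.+?) (?P<packer>[^:\\/]+): infected - (?P<n>\d+) skipped$")
LOCKED = re.compile(r"^(?P<path>.+) Object is locked skipped$")
HJT_PROXY = re.compile(r"^R1 - .*ProxyServer = (?P<host>[^:\s]+)")


def location(path):
    """Bucket a hit by the outermost file on disk (the part before any '/')."""
    low = path.split("/", 1)[0].lower()
    if "\\system volume information\\_restore" in low:
        return "restore-point"   # only reachable if System Restore is rolled back
    if "\\quarantine\\" in low:
        return "quarantine"      # already neutralised by the AV product
    if "\\temporary internet files\\" in low:
        return "browser-cache"   # dropped by the browser, not executing by itself
    return "live"


def parse_report(text):
    """Turn report lines into dicts; header, blank and statistics lines are skipped."""
    findings = []
    for line in text.strip().splitlines():
        if m := INFECTED.match(line):
            kind, verdict = "infected", m["verdict"]
        elif m := PACKED.match(line):
            kind, verdict = "packed", f"{m['packer']} ({m['n']} inside)"
        elif m := LOCKED.match(line):
            kind, verdict = "locked", None   # not a detection, just an unreadable file
        else:
            continue
        path = m["path"]
        findings.append({"path": path, "container": path.split("/", 1)[0],
                         "kind": kind, "verdict": verdict, "location": location(path)})
    return findings


def live_threats(findings):
    """Unique on-disk files still infected outside quarantine, cache and restore points."""
    return sorted({f["container"] for f in findings
                   if f["kind"] != "locked" and f["location"] == "live"})


def count_by_location(findings):
    """Number of detections (locked files excluded) per location bucket."""
    counts = {}
    for f in findings:
        if f["kind"] != "locked":
            counts[f["location"]] = counts.get(f["location"], 0) + 1
    return counts


def proxy_is_private(hjt_line):
    """True if an R1 ProxyServer entry points at a private or loopback IP.

    None when the line is not an R1 ProxyServer entry; False for a hostname.
    A private proxy the user never configured is worth asking about, exactly
    as the helper did in the thread.
    """
    m = HJT_PROXY.match(hjt_line)
    if not m:
        return None
    try:
        return ipaddress.ip_address(m["host"]).is_private
    except ValueError:
        return False


if __name__ == "__main__":
    hits = parse_report(SAMPLE_REPORT)
    print("detections by location:", count_by_location(hits))
    print("still live on disk:", live_threats(hits))
    r1 = r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 172.19.52.115:1350"
    print("proxy is private:", proxy_is_private(r1))
```

The container split on "/" is what collapses the nested `services.exe/data.rar/cmdmgr.exe` entries back onto the one file that actually has to be removed; the seven component hits in the report are all inside that single self-extracting archive.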


#12 Castonguay
  • Topic Starter
  • Members
  • 9 posts

Posted 26 June 2006 - 10:42 PM

Neither of the O4 objects showed up in the report, and I deleted/fixed the O23/relocater.exe but it shows up again and again. The C:\WINNT\system32\msiexec.dll would not delete in safe mode because it said it was locked or in use :(

Logfile of HijackThis v1.99.1
Scan saved at 11:39:37 PM, on 6/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Documents and Settings\Administrator.OWNER-E7TK5G35W\Desktop\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\BCMSMMSG.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINNT\system32\hkcmd.exe
C:\WINNT\system32\igfxpers.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Documents and Settings\Administrator.OWNER-E7TK5G35W\Desktop\ewido anti-spyware 4.0\ewido.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\AIM\aim.exe
C:\DOCUME~1\LOCALS~1.NTA\APPLIC~1\CURITY~1\ati2evxx.exe
C:\WINNT\system32\igfxsrvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\HJT\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=566...ER}&ar=home
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [AdobeVersionCue] C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINNT\system32\igfxpers.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [!ewido] "C:\Documents and Settings\Administrator.OWNER-E7TK5G35W\Desktop\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://vram2c.vcu.edu/iNotes6W.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by21fd.bay21.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AdobeVersionCue - Adobe Sytems - C:\Program Files\Adobe\Adobe Version Cue\service\VersionCue.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Documents and Settings\Administrator.OWNER-E7TK5G35W\Desktop\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Windows Installer (MSIServer) - Unknown owner - C:\WINNT\system32\msiexec.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) Relocator (RpcRelocator) - Unknown owner - C:\WINNT\relocater.exe (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, June 26, 2006 11:35:32 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 27/06/2006
Kaspersky Anti-Virus database records: 202994
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 134053
Number of viruses found: 10
Number of infected objects: 35 / 0
Number of suspicious objects: 0
Duration of the scan process: 02:02:20

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Administrator.OWNER-E7TK5G35W\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Administrator.OWNER-E7TK5G35W\Desktop\OiUninstaller.exe/data0003 Infected: not-a-virus:AdWare.Win32.PurityScan.bu skipped
C:\Documents and Settings\Administrator.OWNER-E7TK5G35W\Desktop\OiUninstaller.exe NSIS: infected - 1 skipped
C:\Documents and Settings\Administrator.OWNER-E7TK5G35W\DoctorWeb\Quarantine\kyze.html Infected: Trojan-Clicker.Win32.Small.jf skipped
C:\Documents and Settings\Administrator.OWNER-E7TK5G35W\DoctorWeb\Quarantine\maxidr[1].avi/data0004/data0006 Infected: not-a-virus:AdWare.Win32.Agent.y skipped
C:\Documents and Settings\Administrator.OWNER-E7TK5G35W\DoctorWeb\Quarantine\maxidr[1].avi/data0004 Infected: not-a-virus:AdWare.Win32.Agent.y skipped
C:\Documents and Settings\Administrator.OWNER-E7TK5G35W\DoctorWeb\Quarantine\maxidr[1].avi NSIS: infected - 2 skipped
C:\Documents and Settings\Administrator.OWNER-E7TK5G35W\DoctorWeb\Quarantine\maxidr[1].avi UPX: infected - 2 skipped
C:\Documents and Settings\Administrator.OWNER-E7TK5G35W\DoctorWeb\Quarantine\maxidr[1].avi PE_Patch.UPX: infected - 2 skipped
C:\Documents and Settings\Administrator.OWNER-E7TK5G35W\DoctorWeb\Quarantine\maxidr[3].avi/data0004/data0006 Infected: not-a-virus:AdWare.Win32.Agent.y skipped
C:\Documents and Settings\Administrator.OWNER-E7TK5G35W\DoctorWeb\Quarantine\maxidr[3].avi/data0004 Infected: not-a-virus:AdWare.Win32.Agent.y skipped
C:\Documents and Settings\Administrator.OWNER-E7TK5G35W\DoctorWeb\Quarantine\maxidr[3].avi NSIS: infected - 2 skipped
C:\Documents and Settings\Administrator.OWNER-E7TK5G35W\DoctorWeb\Quarantine\maxidr[3].avi UPX: infected - 2 skipped
C:\Documents and Settings\Administrator.OWNER-E7TK5G35W\DoctorWeb\Quarantine\maxidr[3].avi PE_Patch.UPX: infected - 2 skipped
C:\Documents and Settings\Administrator.OWNER-E7TK5G35W\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Administrator.OWNER-E7TK5G35W\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Administrator.OWNER-E7TK5G35W\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator.OWNER-E7TK5G35W\Local Settings\Temp\!update.exe Object is locked skipped
C:\Documents and Settings\Administrator.OWNER-E7TK5G35W\Local Settings\Temp\Perflib_Perfdata_8a8.dat Object is locked skipped
C:\Documents and Settings\Administrator.OWNER-E7TK5G35W\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator.OWNER-E7TK5G35W\Local Settings\Temporary Internet Files\Content.IE5\KXYBO9YN\!update-3895[1].0000 Infected: Trojan-Downloader.Win32.PurityScan.co skipped
C:\Documents and Settings\Administrator.OWNER-E7TK5G35W\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Administrator.OWNER-E7TK5G35W\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\7874ce425c15d05bcfe36731b6b29bbe_9192d17a-9a72-4204-823a-85ab53b53cd0 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\def950b59f00c738be36e71446726046_9192d17a-9a72-4204-823a-85ab53b53cd0 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0FC40001.VBN Infected: Trojan-Downloader.Win32.Agent.tv skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0FC40002.VBN Infected: Trojan-Downloader.Win32.Agent.tv skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0FC40003.VBN Infected: Trojan.Win32.EliteBar.a skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0FC40004.VBN Infected: Trojan.Win32.EliteBar.a skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0FC40005.VBN Infected: Trojan-Downloader.Win32.Agent.tv skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0FC40006.VBN Infected: Trojan-Downloader.Win32.Agent.tv skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0FC40007.VBN Infected: Trojan.Win32.EliteBar.a skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0FC40008.VBN Infected: Trojan.Win32.EliteBar.a skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0FC40009.VBN Infected: Trojan.Win32.EliteBar.a skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0FC4000A.VBN Infected: Trojan.Win32.EliteBar.a skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0FC4000B.VBN Infected: Trojan.Win32.Qhost skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0FC4000C.VBN Infected: Trojan.Win32.Qhost skipped
C:\Documents and Settings\All Users.WINNT\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users.WINNT\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users.WINNT\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users.WINNT\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users.WINNT\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users.WINNT\Application Data\Microsoft\Windows Defender\Support\WDLog-06092006-143905.log Object is locked skipped
C:\Documents and Settings\All Users.WINNT\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP193\A0026100.exe Infected: IM-Worm.Win32.Kelvir.dd skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP193\A0026101.exe Infected: IM-Worm.Win32.Kelvir.dd skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP193\A0026102.exe Infected: IM-Worm.Win32.Kelvir.dd skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP193\A0026103.exe Infected: IM-Worm.Win32.Kelvir.dd skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP193\A0026105.exe Infected: IM-Worm.Win32.Kelvir.dg skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP193\A0026106.exe Infected: IM-Worm.Win32.Kelvir.dd skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP193\A0026107.exe Infected: IM-Worm.Win32.Kelvir.dd skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP193\A0026108.exe Infected: IM-Worm.Win32.Kelvir.dg skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP193\A0026192.ini Infected: not-a-virus:AdWare.Win32.Sahat.ao skipped
C:\WINDOWS\$NtUninstallKB833407$\bssym7.ttf Object is locked skipped
C:\WINNT\Debug\PASSWD.LOG Object is locked skipped
C:\WINNT\SchedLgU.Txt Object is locked skipped
C:\WINNT\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINNT\Sti_Trace.log Object is locked skipped
C:\WINNT\system32\CatRoot2\edb.log Object is locked skipped
C:\WINNT\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINNT\system32\config\AppEvent.Evt Object is locked skipped
C:\WINNT\system32\config\default Object is locked skipped
C:\WINNT\system32\config\default.LOG Object is locked skipped
C:\WINNT\system32\config\SAM Object is locked skipped
C:\WINNT\system32\config\SAM.LOG Object is locked skipped
C:\WINNT\system32\config\SecEvent.Evt Object is locked skipped
C:\WINNT\system32\config\SECURITY Object is locked skipped
C:\WINNT\system32\config\SECURITY.LOG Object is locked skipped
C:\WINNT\system32\config\software Object is locked skipped
C:\WINNT\system32\config\software.LOG Object is locked skipped
C:\WINNT\system32\config\SysEvent.Evt Object is locked skipped
C:\WINNT\system32\config\system Object is locked skipped
C:\WINNT\system32\config\system.LOG Object is locked skipped
C:\WINNT\system32\h323log.txt Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINNT\wiadebug.log Object is locked skipped
C:\WINNT\wiaservc.log Object is locked skipped
C:\WINNT\WindowsUpdate.log Object is locked skipped

Scan process completed.


---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 9:03:15 PM 6/26/2006

+ Scan result:



C:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\ѕеcurity\ati2evxx.exe -> Adware.ClickSpring : Cleaned.
[2248] C:\DOCUME~1\LOCALS~1.NTA\APPLIC~1\CURITY~1\ati2evxx.exe -> Adware.ClickSpring : Error during cleaning.
C:\Documents and Settings\Administrator.OWNER-E7TK5G35W\Desktop\uninstall6_90.exe -> Adware.NewDotNet : Cleaned.
C:\WINNT\system32\msiexec.dll -> Adware.PurityScan : Cleaned.
HKLM\SOFTWARE\Clickspring -> Adware.PurityScan : Cleaned.


::Report end

Edited by Castonguay, 26 June 2006 - 10:46 PM.


#13 amateur

amateur

    Malware Fighter


  • Malware Response Team
  • 2,775 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:02:57 AM

Posted 27 June 2006 - 08:19 AM

Hi Castonguay :thumbsup:

It's looking better now.

Please print these instructions for reference. Follow them in the order they are presented here.

I see that you've installed AVG. That's good, but you need to uninstall/remove Norton. We do not recommend that you have more than one anti virus product installed and running on your computer at a time. It can cause conflicts and lead to instability and crashes. Norton is buried in deep and a little difficult to remove. This link provides the necessary information on how to remove Norton from your system.

==========================================

The C:\WINNIT\system32\msiexec.dll would not delete in safe mode because it said it was locked or in use:(

The infected one is cleaned. There is also a legitimate file with that name. So, let's leave that one alone.

==========================================

Delete OiUninstaller.exe and Dr.Web from your desktop. Clear your history cache. In IE, go to Tools>Internet Options>General tab>History>Clear History.

=========================================

Make sure that you can see hidden files:
  • Click Start
  • Open My Computer
  • Select the Tools menu and click Folder Options
  • Select the View Tab
  • Under the Hidden files and folders heading select Show hidden files and folders
  • Uncheck the Hide protected operating system files (recommended) option
  • Click Yes to confirm
  • Click OK

=========================================

Go to Start Menu > Control Panel and open "Add/Remove Programs". Look for and remove these programs, if they are in the list:-

QuickLinks
Forethought

Then navigate to C:\Program Files\ and delete the associated folders.

QuickLinks
Forethought

If they are not present in Add/Remove Programs, go to Start>Run and type:

C:\WINNT\system32\gbe90qs.exe -esIN14ht

Press Enter


Repeat the same for:

C:\WINDOWS\system32\ftuninst.exe -u


After removing them, reboot the PC two times.

After the second reboot, search for and delete these files, if still present:-

C:\WINNT\system32\ftuninst.exe
C:\WINNT\system32\ssec.exe
C:\WINNT\system32\tfthot.exe
C:\WINNT\system32\gbe90qs.exe
C:\WINNT\system32\jiub5f27y.hhy <= may be random
C:\WINNT\system32\mptft.exe
C:\WINNT\system32\nr1rnqm8.exe
C:\WINNT\system32\ssn6tuu.exe
C:\WINNT\system32\x3cqp0.dll

===================================

Disable Windows Defender and Ewido so that they will not interfere with the fixes:

Ewido:
From the system tray: Right-click the system tray icon and uncheck real time protection.
Or from within Ewido -
Under 'Your security status', if real time protection is active, deactivate it by clicking 'real time protection' until the status says 'inactive'.
You may restart it when we are done.

Windows Defender:
  • Open Windows Defender
  • Click Tools
  • Click General Settings
  • Scroll down to Real Time Protection Options
  • Uncheck Turn on Real Time Protection (recommended)
  • After you uncheck this, click on the Save button
  • Close Windows Defender
=======================================

If you have an "always on" connection to the internet, physically disconnect that connection until you are finished with Safe Mode and have rebooted back into normal mode.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.
Look in here for more information.

=======================================

In Safe Mode:

Go to Start>Run OR Start, Programs, Accessories, Command Prompt and type Services.msc and click OK.
Under the Extended Tab, Scroll down and find the service.
RpcRelocator
Click once on the service to highlight it. Click Stop
Right-Click on the service. Choose Properties
Select the General tab. Click the Arrow-down tab on the right-hand side at the Start-up Type box.
From the drop-down menu, click on Disabled
Click the Apply tab, then click OK

========================================

Now, run HijackThis. Close all windows and browsers except HijackThis.
Go to Config > Misc tools
Click on Delete a File On Reboot
Click once on the file below to select it:
C:\WINDOWS\relocater.exe
Click on the Back button to exit Process Manager

Now, back at the main screen of HijackThis, click on Scan and put a check in front of the following

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Remote Procedure Call (RPC) Relocator (RpcRelocator) - Unknown owner - C:\WINNT\relocater.exe (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe


Close all other windows/browsers/applications, email, etc., except HijackThis, and click on Fix checked. Keep HJT open for the next step.

======================================

Click on Config> Misc Tools>Delete an NT Service
Type RpcRelocator in the space provided and click OK
The program will ask you to REBOOT --- Accept and reboot in Normal Mode.

=======================================

Run Ccleaner.

======================================

Open notepad. It must be notepad, not wordpad.
Copy and paste the text inside the code box (starting with REGEDIT4) below into notepad(must be notepad, not wordpad), including the blank line at the end. Make sure that wordwrap is turned off in notepad - click the format menu and uncheck wordwrap.
Choose file save as and set file type to all files.
Type fixreg.reg in the file name and save it to your desktop.


REGEDIT4

[-HKEY_CLASSES_ROOT\Fseytdc.Ariaqudok]

[-HKEY_CLASSES_ROOT\Fseytdc.Ariaqudok.1]

[-HKEY_CLASSES_ROOT\Fseytdc.Yvakt]

[-HKEY_CLASSES_ROOT\Fseytdc.Yvakt.1]

[-HKEY_CLASSES_ROOT\CLSID\{5C3E6596-C64F-48E0-AC1E-B9C6EB3A5915}]

[-HKEY_CLASSES_ROOT\CLSID\{624A3CDB-8C0A-4902-8480-191582C8498E}]

[-HKEY_CLASSES_ROOT\Interface\{47F2B86D-82A1-44F5-A78B-136AC5496094}]

[-HKEY_CLASSES_ROOT\TypeLib\{90AFF1EF-C901-4991-8D61-5BEEA455E090}]


Make sure there are NO blank lines before REGEDIT4
Make sure there IS one blank line at the end of the file.

Close notepad. Make sure that all windows are closed.

Find the fixreg.reg file on your desktop.
Double click it.
It will then ask if you want the file merged to your registry.
Answer yes.

Reboot your computer again.

===========================================

Run an online scan at Panda's ActiveScan
  • Please go here and perform a full system scan. (use Internet Explorer)
  • Once you are on the Panda site click the Scan your PC button.
  • A new window will open...click the big Check Now button.
  • Enter your Country.
  • Enter your State/Province.
  • Enter your Valid Email and click send.
  • Select either Home User or Company.
  • Click the big Scan Now button.
  • If it wants to install an ActiveX component allow it.
  • It will start downloading the files it requires for the scan.
  • Click on Local Disks to start the scan.
  • Once finished, click see report, then click Save report.
NOTE: Please ignore any entry it finds and the offer to buy the program to remove the entry.

=======================================

Post back the Panda scan results and a fresh HijackThis log please. Let me know how the system is running now.

Edited by amateur, 28 June 2006 - 07:51 AM.
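As an added example, not part of this thread and not the helper's own procedure, the script below does in PowerShell what post #13 walks through by hand: it lists services whose binary is missing (the "(file missing)" O23 condition), stops, disables and deletes the RpcRelocator service, deletes the listed files (queueing any locked one for deletion at reboot, which is what HijackThis's "Delete a file on reboot" does), and removes the registry keys from the fixreg.reg fix. PowerShell was not available on Windows XP SP2 when this thread was written, so this assumes a later Windows and an elevated session; the service name, file paths and registry keys are taken from the post as written and are this thread's indicators only.

```powershell
# Added example, not from the thread: scripted version of the manual steps in
# post #13 for a later Windows with PowerShell, run from an elevated session.
# The service name, file paths and registry keys are the ones the post lists.
#Requires -RunAsAdministrator

$ServiceName = 'RpcRelocator'

# Files the post says to delete (duplicates removed) plus the service binary.
$SuspectFiles = @(
    'C:\WINNT\relocater.exe',
    'C:\WINNT\system32\ftuninst.exe',
    'C:\WINNT\system32\ssec.exe',
    'C:\WINNT\system32\tfthot.exe',
    'C:\WINNT\system32\gbe90qs.exe',
    'C:\WINNT\system32\mptft.exe',
    'C:\WINNT\system32\nr1rnqm8.exe',
    'C:\WINNT\system32\ssn6tuu.exe',
    'C:\WINNT\system32\x3cqp0.dll'
)

# Keys the fixreg.reg file deletes (the "[-HKEY_CLASSES_ROOT\...]" lines).
$SuspectRegKeys = @(
    'Registry::HKEY_CLASSES_ROOT\Fseytdc.Ariaqudok',
    'Registry::HKEY_CLASSES_ROOT\Fseytdc.Ariaqudok.1',
    'Registry::HKEY_CLASSES_ROOT\Fseytdc.Yvakt',
    'Registry::HKEY_CLASSES_ROOT\Fseytdc.Yvakt.1',
    'Registry::HKEY_CLASSES_ROOT\CLSID\{5C3E6596-C64F-48E0-AC1E-B9C6EB3A5915}',
    'Registry::HKEY_CLASSES_ROOT\CLSID\{624A3CDB-8C0A-4902-8480-191582C8498E}',
    'Registry::HKEY_CLASSES_ROOT\Interface\{47F2B86D-82A1-44F5-A78B-136AC5496094}',
    'Registry::HKEY_CLASSES_ROOT\TypeLib\{90AFF1EF-C901-4991-8D61-5BEEA455E090}'
)

# Step 1: list services whose image path points at a file that is not there,
# which is what the HijackThis O23 line reports as "(file missing)". A service
# with an unknown owner and a missing binary is the first thing to look at.
function Get-OrphanedService {
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $cmd = $_.PathName
        if (-not $cmd) { return }
        # Quoted path: take the text between the first pair of quotes.
        # Unquoted: take everything up to the first ".exe"; arguments follow it.
        if ($cmd.StartsWith('"')) { $exe = $cmd.Split('"')[1] }
        else {
            $m = [regex]::Match($cmd, '^(.+?\.exe)', 'IgnoreCase')
            $exe = if ($m.Success) { $m.Groups[1].Value } else { ($cmd -split ' ')[0] }
        }
        if (-not (Test-Path -LiteralPath $exe)) {
            [pscustomobject]@{ Name = $_.Name; StartMode = $_.StartMode; Path = $exe }
        }
    }
}

# Step 2: the services.msc stop/disable steps and HJT "Delete an NT Service".
function Remove-SuspectService([string]$Name) {
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if (-not $svc) { return "service $Name not present" }
    if ($svc.Status -ne 'Stopped') { Stop-Service -Name $Name -Force -ErrorAction SilentlyContinue }
    Set-Service -Name $Name -StartupType Disabled
    # sc.exe delete marks the entry for deletion; it is gone once the last
    # open handle closes, normally at the reboot the post asks for.
    & sc.exe delete $Name | Out-Null
    return "service $Name disabled and marked for deletion"
}

# Step 3: delete the listed files. A file that is locked or in use is queued
# for deletion at next boot with MoveFileEx(MOVEFILE_DELAY_UNTIL_REBOOT), the
# Win32 mechanism behind HJT's "Delete a file on reboot".
Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool MoveFileEx(string lpExistingFileName, string lpNewFileName, int dwFlags);
'@
function Remove-SuspectFile([string[]]$Paths) {
    foreach ($p in $Paths) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        try { Remove-Item -LiteralPath $p -Force -ErrorAction Stop; "deleted: $p" }
        catch {
            $MOVEFILE_DELAY_UNTIL_REBOOT = 4
            if ([Win32.Native]::MoveFileEx($p, $null, $MOVEFILE_DELAY_UNTIL_REBOOT)) {
                "locked, queued for deletion at reboot: $p"
            } else { "could not delete or queue: $p" }
        }
    }
}

# Step 4: the fixreg.reg deletions, done through the registry provider
# instead of merging a .reg file.
function Remove-SuspectRegKey([string[]]$Keys) {
    foreach ($k in $Keys) {
        if (Test-Path -LiteralPath $k) {
            Remove-Item -LiteralPath $k -Recurse -Force
            "removed: $k"
        }
    }
}

Get-OrphanedService | Format-Table -AutoSize
Remove-SuspectService $ServiceName
Remove-SuspectFile $SuspectFiles
Remove-SuspectRegKey $SuspectRegKeys
```

Run it in Safe Mode with the network cable unplugged, as the post advises, and read the orphaned-service table before the removal steps: on a clean system that table should be empty, and any entry in it that is not RpcRelocator is something the post did not cover and needs its own look rather than a blind delete.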


#14 amateur

amateur

    Malware Fighter


  • Malware Response Team
  • 2,775 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:02:57 AM

Posted 08 July 2006 - 02:08 PM

Due to lack of response, this thread will now be closed. If you need this topic reopened, please PM me with the address of the thread, and we will reopen it for you. This applies only to the original topic starter. Everyone else please begin a New Topic.
