
Surfsidekick


  • This topic is locked
12 replies to this topic

#1 Edster12

Posted 08 November 2006 - 06:20 PM

I've run spybot, ad-aware, and AVG multiple times. This thing keeps coming back after every reboot. Any help would be greatly appreciated.

Logfile of HijackThis v1.99.1
Scan saved at 2:49:57 PM, on 11/8/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\system32\kmw_run.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\windows\hoqizcvA.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Common Files\{FCC0B7C4-0AE8-1033-0423-030305090001}\Update.exe
C:\documents and settings\eddie\my documents\gmail notifier\gnotify.exe
C:\WINDOWS\system32\KMW_SHOW.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Eddie\Desktop\stuff\HJT\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,qyuahgu.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Jkzlbfarb Class - {754515CD-5059-4133-B6D5-3757DD84D6C0} - C:\WINDOWS\system32\s9ndzm6.dll
O2 - BHO: (no name) - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - (no file)
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Kgjg] "C:\WINDOWS\system32\rnnypbw.exe"
O4 - HKLM\..\Run: [hoqizcvA] C:\windows\hoqizcvA.exe
O4 - HKLM\..\Run: [olbjwx] C:\WINDOWS\system32\otwrwa.exe reg_run
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\RunServices: [p2p networking] p2pnetworking.exe
O4 - HKCU\..\Run: [gmail] C:\documents and settings\eddie\my documents\gmail notifier\gnotify.exe
O4 - HKCU\..\Run: [music] C:\program files\creative\mediasource\ctcms.exe /organizer
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [kiikx] C:\windows\system32\otwrwa.exe reg_run
O4 - Global Startup: Norton Antivirus.lnk = C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - Global Startup: VPN Client.lnk = ?
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {008BBE7E-C096-11D0-B4E3-00A0C901D681} (TeeChart Pro Activex control) -
O16 - DPF: {275E2FE0-7486-11D0-89D6-00A0C90C9B67} (MCSiMenuCtl Class) -
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eB...l_v1-0-3-36.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) -
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://plazacam.bu.edu/activex/AxisCamControl.cab
O18 - Filter: text/html - {AE3B25B6-4C21-4038-BD35-99A05B5EF3EB} - C:\WINDOWS\system32\s9ndzm6.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: RSM Client G41A - 1 (RSMClientG41A_1) - Unknown owner - C:\PPMG41A\LG41A (file missing)
O23 - Service: RSM Client G41A Starter (RSMClientStarterG41A) - Unknown owner - C:\PPMG41A\STLG41A.EXE (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
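
The log above is the kind a volunteer reads by eye. The script below is an added example (not part of this thread and not HijackThis code) that writes down the checks a helper applies to lines like these so they can be re-run: a UserInit value that launches anything besides userinit.exe (the stock Windows XP value), autoruns and BHOs launched straight out of %windir% or system32 outside a short allowlist, a bare filename that Windows resolves through the search path, the RunServices key, a MIME filter hooked on text/html, ActiveX controls with no recorded download URL, and services whose binary is missing. The sample lines are an excerpt copied from the log in this post; the allowlist and the "system directory" pattern are assumptions to adjust for the machine under review, and a finding means "verify", not "malicious".

```python
"""Heuristic triage of HijackThis v1.99 log lines (added example, not HijackThis code)."""
import re
from dataclasses import dataclass
from typing import List, Set

# Excerpt of the log posted above, embedded so the example runs offline.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,qyuahgu.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Jkzlbfarb Class - {754515CD-5059-4133-B6D5-3757DD84D6C0} - C:\WINDOWS\system32\s9ndzm6.dll
O2 - BHO: (no name) - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Kgjg] "C:\WINDOWS\system32\rnnypbw.exe"
O4 - HKLM\..\Run: [hoqizcvA] C:\windows\hoqizcvA.exe
O4 - HKLM\..\Run: [olbjwx] C:\WINDOWS\system32\otwrwa.exe reg_run
O4 - HKLM\..\RunServices: [p2p networking] p2pnetworking.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O16 - DPF: {008BBE7E-C096-11D0-B4E3-00A0C901D681} (TeeChart Pro Activex control) -
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://plazacam.bu.edu/activex/AxisCamControl.cab
O18 - Filter: text/html - {AE3B25B6-4C21-4038-BD35-99A05B5EF3EB} - C:\WINDOWS\system32\s9ndzm6.dll
O23 - Service: RSM Client G41A - 1 (RSMClientG41A_1) - Unknown owner - C:\PPMG41A\LG41A (file missing)
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

DEFAULT_USERINIT = "userinit.exe"          # Winlogon UserInit on a stock Windows XP install
SYSTEM_AUTORUN_ALLOWLIST = {"ctfmon.exe"}  # assumption: extend for the machine under review
_SYSTEM_DIR = re.compile(r"^[a-z]:\\windows(\\system32)?$")   # assumption: %windir% is X:\WINDOWS
_O4 = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[(.*?)\] (.*)$")


@dataclass(frozen=True)
class Finding:
    section: str
    reason: str
    line: str


def _first_path(command: str) -> str:
    """Executable part of an autorun command: the quoted path or the first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def _folder(path: str) -> str:
    return path.lower().rpartition("\\")[0]


def _basename(path: str) -> str:
    return path.rpartition("\\")[2].lower()


def _suspicious_location(path: str) -> bool:
    """True for a file launched straight out of %windir% or system32 that is not allow-listed."""
    return bool(_SYSTEM_DIR.match(_folder(path))) and _basename(path) not in SYSTEM_AUTORUN_ALLOWLIST


def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.rstrip()
        section = line.split(" ", 1)[0]
        if section == "F2" and "UserInit=" in line:
            # Everything after UserInit= is a comma-separated launch list; only userinit.exe is stock.
            programs = [p.strip() for p in line.split("UserInit=", 1)[1].split(",") if p.strip()]
            extra = [p for p in programs if _basename(p) != DEFAULT_USERINIT]
            if extra:
                findings.append(Finding(section, "UserInit launches more than userinit.exe: " + ", ".join(extra), line))
        elif section == "O4":
            m = _O4.match(line)
            if not m:
                continue  # Global Startup entries have a different shape; skipped here
            _hive, key, _name, command = m.groups()
            exe = _first_path(command)
            if "\\" not in exe and _basename(exe) not in SYSTEM_AUTORUN_ALLOWLIST:
                findings.append(Finding(section, f"bare filename {exe!r} is resolved via the search path", line))
            elif _suspicious_location(exe):
                findings.append(Finding(section, f"autorun launched from a system directory: {exe}", line))
            if key == "RunServices":
                findings.append(Finding(section, "RunServices key: a Windows 9x-era load point, unusual for XP software", line))
        elif section == "O2":
            target = line.rsplit(" - ", 1)[1]
            if target == "(no file)":
                findings.append(Finding(section, "orphaned BHO registration (DLL no longer on disk)", line))
            elif _suspicious_location(target):
                findings.append(Finding(section, f"BHO loaded from a system directory: {target}", line))
        elif section == "O16" and line.endswith(" -"):
            findings.append(Finding(section, "ActiveX control with no recorded download URL", line))
        elif section == "O18" and line.startswith("O18 - Filter: text/html"):
            findings.append(Finding(section, "MIME filter hooked on text/html: every page passes through this DLL", line))
        elif section == "O23" and line.endswith("(file missing)"):
            findings.append(Finding(section, "service whose binary is missing (orphaned or already removed)", line))
    return findings


def flagged_lines(log_text: str) -> Set[str]:
    """Just the log lines that produced at least one finding."""
    return {f.line for f in triage(log_text)}


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run against the full log above it will also flag CTHELPER.EXE, kmw_run.exe and REGSVR32.EXE as bare filenames, which is the point of an allowlist you grow per machine: the output is a worklist for a human, and the entries the helper later asked to fix (the UserInit tail, the three random-named Run entries, the RunServices key, the s9ndzm6.dll BHO and filter, the empty O16s and the missing-file services) are exactly the ones the rules catch.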


#2 miekiemoes
  • Malware Response Team

Posted 09 November 2006 - 09:39 AM

Hello,

It is important you don't miss a step and perform everything in the right order!!

* Download Brute Force Uninstaller.
Unzip it to a folder of its own (c:\BFU).
Read here how to unzip/extract properly:
http://metallica.geekstogo.com/xpcompressedexplanation.html
Start the Brute Force Uninstaller by doubleclicking BFU.exe

Next to the 'scriptfile to execute'-window you'll see a little icon as shown in the next picture [image not reproduced].
When you click that icon, a little window will open that says: 'Please enter the full URL to the script you want to execute'
In the field, copy and paste next URL:

http://metallica.geekstogo.com/alcanshorty.bfu

Click Ok.
Then click execute in Brute Force Uninstaller.

Extra note:
If nothing happens after pressing the Execute button, this means that the script didn't download. In that case, download the script
(alcanshorty.bfu) manually from the above URL (right-click on it and choose 'Save as' and save it in your BFU folder). Then start BFU.exe again and click the browse button next to the 'scriptfile to execute'-window.
Browse to the script you downloaded and click Ok and Execute in Brute Force Uninstaller.


Wait for the complete script execution box to popup and press OK.
Press exit to terminate the BFU program.

--------------------

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present (some entries won't be present anymore):

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,qyuahgu.exe
O2 - BHO: Jkzlbfarb Class - {754515CD-5059-4133-B6D5-3757DD84D6C0} - C:\WINDOWS\system32\s9ndzm6.dll
O2 - BHO: (no name) - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - (no file)
O4 - HKLM\..\Run: [Kgjg] "C:\WINDOWS\system32\rnnypbw.exe"
O4 - HKLM\..\Run: [hoqizcvA] C:\windows\hoqizcvA.exe
O4 - HKLM\..\Run: [olbjwx] C:\WINDOWS\system32\otwrwa.exe reg_run
O4 - HKLM\..\RunServices: [p2p networking] p2pnetworking.exe
O4 - HKCU\..\Run: [kiikx] C:\windows\system32\otwrwa.exe reg_run
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {008BBE7E-C096-11D0-B4E3-00A0C901D681} (TeeChart Pro Activex control) -
O16 - DPF: {275E2FE0-7486-11D0-89D6-00A0C90C9B67} (MCSiMenuCtl Class) -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) -
O18 - Filter: text/html - {AE3B25B6-4C21-4038-BD35-99A05B5EF3EB} - C:\WINDOWS\system32\s9ndzm6.dll
O23 - Service: RSM Client G41A - 1 (RSMClientG41A_1) - Unknown owner - C:\PPMG41A\LG41A (file missing)
O23 - Service: RSM Client G41A Starter (RSMClientStarterG41A) - Unknown owner - C:\PPMG41A\STLG41A.EXE (file missing)


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!
Don't worry if some entries won't go away, we'll deal with that later...

---------------------

Please download, install, and update AVG Anti-Spyware
  • Load AVG Anti-Spyware and then click the Update tab at the top. Under Manual Update click Start update.
  • After the update finishes (the status bar at the bottom will display "Update successful")
  • Then click on the Scanner tab at the top. Click the "Settings" tab and then change the recommended action to Quarantine and click Automatically generate report after every scan. Click back to the "Scan" tab and then click on Complete System Scan. This scan can take quite a while to run, so be prepared.
  • AVG Anti-Spyware will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. AVG Anti-Spyware will display "All actions have been applied" on the right hand side.
  • Click on "Save Report", then "Save Report As". This will create a text file. Make sure you know where to find this file again (like on the Desktop).
  • Close AVG Anti-Spyware and reboot!!
    I need the log later.
-------------------------

* Download Combofix to your desktop.
Doubleclick combofix.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.

When finished and after reboot, it should open a log, combofix.txt.
Post this log in your next reply together with a new hijackthislog and the log from AVG Anti-Spyware.
You may need several replies to post the logs.

#3 Edster12

Posted 09 November 2006 - 04:21 PM

Thanks for the help, miekiemoes!! I did what you said and here are the logs.

Combofix:

Eddie - 06-11-09 13:03:26.95 Service Pack 2
ComboFix 06.11.9 - Running from: "C:\Documents and Settings\Eddie\Desktop"

((((((((((((((((((((((((((((((((((((((((((((( Qoologic's Log )))))))))))))))))))))))))))))))))))))))))))))))))))


* * * POST-RUN - Files in the Quarantine folder * * * * * * * * * * * * * * * * * * * * * * * * *


06-11-07 11:12 142 npdxo.dll.qoo
06-11-07 11:08 53 pbpcpw.dat.qoo

DO NOT DELETE ANY FILES FROM THIS DIRECTORY UNLESS INSTRUCTED TO


((((((((((((((((((((((((((((((((((((((((((( E-Give / Ssk's Log )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\bkd.exe


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Program Files\Common Files\{3CC0B7C4-0AE8-1033-0423-030305090001}
C:\Program Files\Common Files\{FCC0B7C4-0AE8-1033-0423-030305090001}

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\WINDOWS\system32\ASKS~1
C:\QooBox\Purity\WINDOWS\system32\ASKS~1\?asks


((((((((((((((((((((((((((((((( Files Created from 2006-10-09 to 2006-11-09 ))))))))))))))))))))))))))))))))))


2006-11-09 12:12 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-11-07 16:15 816,672 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2006-11-07 16:15 4,224 --a------ C:\WINDOWS\system32\drivers\avg7rsw.sys
2006-11-07 16:15 3,968 --a------ C:\WINDOWS\system32\drivers\avgclean.sys
2006-11-07 16:15 28,416 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys
2006-11-07 11:09 1,259 --a------ C:\WINDOWS\system32\dftcc6bf.sys
2006-11-07 11:08 767,376 -r-hs---- C:\WINDOWS\hoqizcvA.exe
2006-11-07 11:08 397,312 --a------ C:\WINDOWS\cfg32p.dll
2006-11-07 11:08 356,352 --a------ C:\162.exe
2006-11-07 11:08 323,072 --a------ C:\165.exe
2006-11-07 11:08 28,672 --a------ C:\WINDOWS\system32\histuay.exe
2006-11-07 11:08 217,276 --a------ C:\WINDOWS\srvinxmh.exe
2006-11-07 11:08 204 --a------ C:\WINDOWS\system32\jdkfjdskfjkdsjf.bat
2006-11-07 11:07 32,768 --a------ C:\WINDOWS\system32\setup9X.exe
2006-11-07 11:07 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2006-11-07 11:07 115,642 --a------ C:\WINDOWS\system32\install.exe
2006-11-07 01:41 638,976 --a------ C:\WINDOWS\system32\divx.dll
2006-11-07 01:41 524,288 --a------ C:\WINDOWS\system32\xvidcore.dll
2006-11-07 01:41 261,632 --a------ C:\WINDOWS\system32\mcdvd_32.dll
2006-11-07 01:41 139,264 --a------ C:\WINDOWS\system32\xvidvfw.dll
2006-11-07 01:41 1,700,352 --a------ C:\WINDOWS\system32\GdiPlus.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-11-09 13:05 -------- d-------- C:\Program Files\Common Files
2006-11-09 12:58 -------- d-------- C:\Program Files\Common Files\WhenU
2006-11-09 12:12 -------- d-------- C:\Program Files\Grisoft
2006-11-08 13:28 -------- d-------- C:\Program Files\Lavasoft
2006-11-08 13:28 -------- d-------- C:\Documents and Settings\Eddie\Application Data\Lavasoft
2006-11-08 12:16 -------- d-------- C:\Documents and Settings\Eddie\Application Data\AVG7
2006-11-08 11:53 -------- d-------- C:\Program Files\Starcraft
2006-11-08 01:14 707 --a------ C:\WINDOWS\_default.pif
2006-11-08 01:14 41984 --a------ C:\WINDOWS\Ctregrun.exe
2006-11-08 01:14 0 --a--c--- C:\WINDOWS\wintr.dll
2006-11-07 22:59 -------- d-------- C:\Program Files\AviSynth 2.5
2006-11-07 22:50 -------- d-------- C:\Program Files\Common Files\SWF Studio
2006-11-07 02:03 -------- d-------- C:\Documents and Settings\Eddie\Application Data\MoyeaFLV2Video
2006-11-07 01:45 -------- d-------- C:\Program Files\Common Files\AVSMedia
2006-11-07 01:19 -------- d-------- C:\Program Files\Replay Converter
2006-10-26 21:49 -------- d-------- C:\Program Files\FastStone Image Viewer
2006-10-20 22:47 -------- d-------- C:\Program Files\iTunes
2006-10-20 22:47 -------- d-------- C:\Program Files\iPod
2006-10-20 22:45 -------- d-------- C:\Program Files\QuickTime
2006-10-12 00:49 -------- d-------- C:\Program Files\World of Warcraft
2006-09-27 12:31 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-09-27 00:13 -------- d---s---- C:\Documents and Settings\Eddie\Application Data\Microsoft
2006-09-26 14:01 43520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2006-09-26 13:46 21840 --a--c-t- C:\WINDOWS\system32\SIntfNT.dll
2006-09-26 13:46 17212 --a--c-t- C:\WINDOWS\system32\SIntf32.dll
2006-09-26 13:46 12067 --a--c-t- C:\WINDOWS\system32\SIntf16.dll
2006-09-18 17:12 -------- d-------- C:\Program Files\Code-it Software
2006-09-12 21:01 1084416 --a------ C:\WINDOWS\system32\msxml3.dll
2006-08-25 07:45 617472 --a------ C:\WINDOWS\system32\comctl32.dll
2006-08-21 04:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 01:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-08-16 03:58 100352 --a------ C:\WINDOWS\system32\6to4svc.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"gmail"="C:\\documents and settings\\eddie\\my documents\\gmail notifier\\gnotify.exe"
"music"="C:\\program files\\creative\\mediasource\\ctcms.exe /organizer"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SBDrvDet"="C:\\Program Files\\Creative\\SB Drive Det\\SBDrvDet.exe /r"
"CTHelper"="CTHELPER.EXE"
"AsioReg"="REGSVR32.EXE /S CTASIO.DLL"
"CTSysVol"="C:\\Program Files\\Creative\\SBAudigy2ZS\\Surround Mixer\\CTSysVol.exe /r"
"CTDVDDET"="C:\\Program Files\\Creative\\SBAudigy2ZS\\DVDAudio\\CTDVDDET.EXE"
"kmw_run.exe"="kmw_run.exe"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,12,03,00,00,23,00,00,00,dc,00,00,00,d2,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\System32\\ctfmon.exe"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\System32\\ctfmon.exe"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKCU"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\HP DArC Task #Hewlett-Packard#hp psc 2400 series#1066868494.job
C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer - Eddie.job
C:\WINDOWS\tasks\Symantec NetDetect.job

Completion time: 06-11-09 13:09:23.21
C:\ComboFix.txt ... 06-11-09 13:09
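
The "Reg Loading Points" section above also dumps two load points that the fix list in the previous reply does not mention: the LSA SecurityProviders list and Explorer's ShellExecuteHooks. A stock Windows XP install carries SecurityProviders = "msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll" and a single ShellExecuteHooks entry, {AEB6717E-7E19-11d0-97EE-00C04FD91972} (shell32's URL Exec Hook); anything appended to the first is loaded into lsass at boot, anything added to the second runs inside Explorer on every ShellExecute. The script below is an added example (not from the thread, not ComboFix code) that parses ComboFix's registry-export style output and reports entries that are not on those baselines. The sample dump is an excerpt of the log above; the baselines are what XP SP2 ships with and should be confirmed against a clean reference machine before acting on a report, since a non-default entry means "verify the file", not "malicious".

```python
"""Baseline check of two load points in a ComboFix 'Reg Loading Points' dump (added example)."""
import re
from typing import Dict, List, Union

# Excerpt of the ComboFix output posted above (registry-export style; ComboFix lowercases key paths).
SAMPLE_DUMP = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll"
"""

# Stock Windows XP SP2 contents of the two load points (confirm against a clean reference box).
XP_SECURITY_PROVIDERS = {"msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll"}
XP_SHELL_EXECUTE_HOOKS = {"{AEB6717E-7E19-11D0-97EE-00C04FD91972}"}
SECURITY_PROVIDERS_KEY = r"hkey_local_machine\system\currentcontrolset\control\securityproviders"
SHELL_EXECUTE_HOOKS_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks"

_VALUE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg_dump(text: str) -> Dict[str, Dict[str, str]]:
    """Map lowercased key path -> {value name: raw value}; hex values continued with a trailing '\\' are joined."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    pending = None  # (name, partial raw value) while a hex value spans several lines
    for raw in text.splitlines():
        line = raw.rstrip()
        if pending is not None:
            name, partial = pending
            chunk = line.strip()
            if chunk.endswith("\\"):
                pending = (name, partial + chunk[:-1])
            else:
                keys[current][name] = partial + chunk
                pending = None
            continue
        if not line.strip():
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = _VALUE.match(line)
        if not m or current is None:
            continue
        name, value = m.groups()
        if value.endswith("\\"):
            pending = (name, value[:-1])
        else:
            keys[current][name] = value
    return keys


def decode_value(raw: str) -> Union[str, int, bytes]:
    """Turn a raw export value into str (unescaped), int (dword) or bytes (hex)."""
    if raw.startswith('"') and raw.endswith('"'):
        return re.sub(r"\\(.)", r"\1", raw[1:-1])
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if raw.startswith("hex:"):
        return bytes(int(h, 16) for h in raw[4:].split(",") if h)
    return raw


def nondefault_security_providers(keys: Dict[str, Dict[str, str]]) -> List[str]:
    raw = keys.get(SECURITY_PROVIDERS_KEY, {}).get("SecurityProviders")
    if raw is None:
        return []
    providers = [p.strip() for p in str(decode_value(raw)).split(",") if p.strip()]
    return [p for p in providers if p.lower() not in XP_SECURITY_PROVIDERS]


def nondefault_shell_execute_hooks(keys: Dict[str, Dict[str, str]]) -> List[str]:
    return [g for g in keys.get(SHELL_EXECUTE_HOOKS_KEY, {}) if g.upper() not in XP_SHELL_EXECUTE_HOOKS]


if __name__ == "__main__":
    parsed = parse_reg_dump(SAMPLE_DUMP)
    print("SecurityProviders not in XP baseline:", nondefault_security_providers(parsed))
    print("ShellExecuteHooks not in XP baseline:", nondefault_shell_execute_hooks(parsed))
```

On this excerpt the hook report names AVG Anti-Spyware's own GUID, which is expected since it was installed in the previous step; the provider report names zwebauth.dll, a DLL the thread never identifies, so the practical next step is to locate that file, check its signature and vendor, and decide whether the value should be restored to the four stock entries.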

#4 Edster12

Posted 09 November 2006 - 04:22 PM

Hijackthis:

Logfile of HijackThis v1.99.1
Scan saved at 1:15:17 PM, on 11/9/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\system32\kmw_run.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\KMW_SHOW.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\documents and settings\eddie\my documents\gmail notifier\gnotify.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Documents and Settings\Eddie\Desktop\stuff\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [gmail] C:\documents and settings\eddie\my documents\gmail notifier\gnotify.exe
O4 - HKCU\..\Run: [music] C:\program files\creative\mediasource\ctcms.exe /organizer
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Norton Antivirus.lnk = C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eB...l_v1-0-3-36.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://plazacam.bu.edu/activex/AxisCamControl.cab
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: RSM Client G41A - 1 (RSMClientG41A_1) - Unknown owner - C:\PPMG41A\LG41A (file missing)
O23 - Service: RSM Client G41A Starter (RSMClientStarterG41A) - Unknown owner - C:\PPMG41A\STLG41A.EXE (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#5 Edster12

Posted 09 November 2006 - 04:24 PM

AVG:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 12:58:50 PM 11/9/2006

+ Scan result:



HKLM\SOFTWARE\SecureWin -> Adware.Adlogix : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D89A1D28-028C-4BA5-A858-CCDF7CA403CE}\RP766\A0068888.exe -> Adware.Adstart : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D89A1D28-028C-4BA5-A858-CCDF7CA403CE}\RP766\A0068889.exe -> Adware.Adstart : Cleaned with backup (quarantined).
C:\WINDOWS\system32\edfve.dll -> Adware.Adstart : Cleaned with backup (quarantined).
C:\WINDOWS\system32\edfvef.exe -> Adware.Adstart : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D89A1D28-028C-4BA5-A858-CCDF7CA403CE}\RP766\A0068923.dll -> Adware.Agent : Cleaned with backup (quarantined).
C:\WINDOWS\system32\ckdhnahk.dll -> Adware.Agent : Cleaned with backup (quarantined).
C:\WINDOWS\cxtpls_loader.exe -> Adware.Apropos : Cleaned with backup (quarantined).
C:\WINDOWS\system32\Cache\cxtpls_loader.exe -> Adware.Apropos : Cleaned with backup (quarantined).
HKU\S-1-5-21-343818398-562591055-725345543-1004\Software\Apropos -> Adware.Apropos : Cleaned with backup (quarantined).
HKU\S-1-5-21-343818398-562591055-725345543-1004\Software\Apropos\Client -> Adware.Apropos : Cleaned with backup (quarantined).
HKU\S-1-5-21-343818398-562591055-725345543-1004\Software\Apropos\Client\Cookies -> Adware.Apropos : Cleaned with backup (quarantined).
HKU\S-1-5-21-343818398-562591055-725345543-1004\Software\Apropos\Client\Cookies\Data -> Adware.Apropos : Cleaned with backup (quarantined).
HKU\S-1-5-21-343818398-562591055-725345543-1004\Software\Apropos\Client\Cookies\Data\net -> Adware.Apropos : Cleaned with backup (quarantined).
HKU\S-1-5-21-343818398-562591055-725345543-1004\Software\Apropos\Client\Cookies\Data\net\adintelligence -> Adware.Apropos : Cleaned with backup (quarantined).
HKU\S-1-5-21-343818398-562591055-725345543-1004\Software\Apropos\Client\Cookies\Data\net\adintelligence\acc.adintelligence.net/ -> Adware.Apropos : Cleaned with backup (quarantined).
HKU\S-1-5-21-343818398-562591055-725345543-1004\Software\Apropos\Client\Cookies\Data\net\contextplus -> Adware.Apropos : Cleaned with backup (quarantined).
HKU\S-1-5-21-343818398-562591055-725345543-1004\Software\Apropos\Client\Cookies\Data\net\contextplus\adchannel.contextplus.net/services/AdChannelServer -> Adware.Apropos : Cleaned with backup (quarantined).
C:\WINDOWS\offun.exe -> Adware.Bagon : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D89A1D28-028C-4BA5-A858-CCDF7CA403CE}\RP766\A0068891.dll -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D89A1D28-028C-4BA5-A858-CCDF7CA403CE}\RP766\A0068892.dll -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D89A1D28-028C-4BA5-A858-CCDF7CA403CE}\RP766\A0068893.dll -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\WINDOWS\stub_mm3.exe -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D89A1D28-028C-4BA5-A858-CCDF7CA403CE}\RP767\A0069005.dll -> Adware.CASClient : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D89A1D28-028C-4BA5-A858-CCDF7CA403CE}\RP767\A0069006.exe -> Adware.CASClient : Cleaned with backup (quarantined).
C:\WINDOWS\system32\BattyRun2.dll -> Adware.CASClient : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D89A1D28-028C-4BA5-A858-CCDF7CA403CE}\RP766\A0068880.DLL -> Adware.ClearSearch : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D89A1D28-028C-4BA5-A858-CCDF7CA403CE}\RP766\A0068881.exe -> Adware.ClearSearch : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D89A1D28-028C-4BA5-A858-CCDF7CA403CE}\RP766\A0068882.DLL -> Adware.ClearSearch : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D89A1D28-028C-4BA5-A858-CCDF7CA403CE}\RP766\A0068883.DLL -> Adware.ClearSearch : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D89A1D28-028C-4BA5-A858-CCDF7CA403CE}\RP766\A0068887.EXE -> Adware.ClearSearch : Cleaned with backup (quarantined).
C:\WINDOWS\RG9uIGFuZCBEb25uYSBXb2xmZQ\asappsrv.dll -> Adware.CommAd : Cleaned with backup (quarantined).
C:\WINDOWS\RG9uIGFuZCBEb25uYSBXb2xmZQ\command.exe -> Adware.CommAd : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\AppID\{87993483-A3AD-794F-F265-DD005BD9116B} -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{008A49EF-1F4A-59F9-2873-E623FDFB2AEC} -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{04287934-A971-5C77-BE0B-64B36D512D6F} -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{0D9EEFA5-9AEE-2FD1-4E09-2EFA3E7F8C8C} -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{109212EC-3F75-38A1-64AA-DD6F914869B6} -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{13174FBF-C2D3-05B9-004D-DE10AA0852D2} -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{19B6C5BA-DF6C-D9DE-B148-3B4AA52F6A5D} -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{1AF260D6-2E69-2980-F10F-DD2529B005B7} -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{235AC682-1EA0-63EA-569B-DB01B824F50A} -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{27D033EA-BD9C-D255-4074-1A53C42880AA} -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{292FBB36-CE40-4601-B54E-CE5E87623DCE} -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{29E7FFD8-E6A5-9FCB-ED6E-4AAE63F4CAE9} -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{2D99E3D3-BC93-F791-AD58-605B6FA5AAF3} -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{32B40341-3648-02F0-7D04-5B8F58EEBA63} -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{34600972-BEC0-C0B6-E120-5AB9C0D60124} -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{3902C1A3-92B7-7646-7DF8-79FAF022CD1F} -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{3ABB6571-5627-1F6D-12EC-627B4EB1C713} -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{3F288EDC-10F3-D1F7-A116-88258A23509B} -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{4257FD6F-CC6E-C899-A041-064CA1A2E04A} -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{46F3B906-9341-261A-174E-A449FCEEC741} -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{4BEC144C-BF69-2AED-70B9-47847DC8F765} -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{4CC69C86-A66C-150A-8AF4-0FE86BFA7342} -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{4E5E5C38-EC35-A258-0429-779E0649FA6F} -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{51B2C0C2-DF6A-09F0-BA9D-6ECF1A6BD194} -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{5373BD8E-D538-FA99-9601-2DA646BB05AE} -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{55EA0424-DDA9-DB28-3D99-75C0B49E15FE} -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{579C9366-3B77-3148-9401-BD4A5AAEAFE9} -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{64E2E72C-AD28-37FB-E144-7B6CA3AB83C4} -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{68DF4301-46D8-B04E-BB31-824CAF524126} -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{6A74D484-EB78-2E68-66C9-DF458D0FD00C} -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{6BC89B26-3F90-063E-A9AF-B2D80F8C44B2} -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{6EE72087-0DA7-7F33-C49E-EE85CE8C8F74} -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{71213EAB-AAF4-E61B-98B3-D9049B7ADFEE} -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{77B7DA97-BD58-F49D-785C-33F169AC9529} -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{78829005-84AA-2568-B352-E2754F8D063C} -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{7CB4AA09-84CD-36CD-9682-6258A2104F3D} -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{800C1200-B10E-2CB9-B905-F544E4536BF6} -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{83A1B149-7844-13CE-80C0-86EC13993152} -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{86CB9367-12D4-E652-89AB-956913BAE9E0} -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{877180E2-E50E-B6C8-70AE-236CC50DEFE9} -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{87993483-A3AD-794F-F265-DD005BD9116B} -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{8A487309-1D1C-9706-47E4-F3F227848453} -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{8A69E279-05B8-E5C6-D906-19716EF1A6B0} -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{8E97E342-2F8F-9814-A393-F31425698173} -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{8EDB05B3-5843-24CB-46FB-6FA177E65713} -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{8EDE058C-72DA-1A48-9FA1-88C735AA037F} -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{90BABD6B-DA3D-2814-4B15-345BCAAC2F67} -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{927C0C93-B6C9-2E0A-236A-282EE3A26535} -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{94FBCA21-3E7A-0B62-0589-3697BABFD630} -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{9B7B8469-5DD6-2CC3-6510-338DE167588F} -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{A1A5E364-E35E-3207-00BC-5BCD057C00C4} -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{A21E8708-CA3B-A16F-3208-2F68EC50E62F} -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{A5AC7366-36E2-7400-BED8-41EC50B36BEC} -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{A6B40426-CF3F-2B35-A955-E0B5DEB9EE41} -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{A8A6FB29-2866-4A7D-207D-66F9C07B7ABE} -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{A8E0DBBC-21EA-6EB6-A240-BD1A1653D589} -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{AE7F18C5-072F-8792-42A6-04FE15B4D9FC} -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{B70C0938-84A7-5DA9-5BCE-7558992D9A93} -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{B7BC0E45-0934-E912-E44C-E17957FA46C7} -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{BB129335-868B-4EFA-0F1E-40591E407F29} -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{BEF0FEBD-F78A-41EC-772B-449A98822845} -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{C0F0ED5F-8D03-01D1-4011-3F4833C25EBA} -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{C47E6517-9FEE-B27A-3EA8-BB572B11D25B} -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{C7147AB0-8C91-1F76-0B31-9EFA0CF2310C} -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{CB61DEDF-E312-A962-E41A-8D231515AAF0} -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{D04E428A-707D-E0C0-D7C3-53A24CB3DBD1} -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{D04FEDA4-D7C0-3150-02FF-AD27F54D4CA1} -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{D45147C0-D462-2383-1F5F-CA01325DFB27} -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{DA5F3BAE-6318-EE03-9D47-260E2FA367B7} -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{DB58988A-7E72-E50C-B2C0-29E44B377388} -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{E0ADF6C8-2E08-3DD4-C591-18C2CD9A4403} -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{E869BF8E-2410-FFB0-B03A-4817FBD5E367} -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{ECCE3521-78D3-E064-17BC-5AF82EF261E6} -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{EE7112D3-1177-DB4C-A4E9-BFD51182AB83} -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{F25C11A7-4B1F-5738-A16E-7A1B2A977B88} -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{F6A5F230-D7B6-57AA-12F7-519B6ECC0B93} -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{F76F15DA-CC65-B2B5-2E4D-BDA98711D1C6} -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{FCC29CF2-2126-1210-E059-E37290935DCC} -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{FE7B5336-0902-4B57-4547-53A2ECE5F3B9} -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
C:\Program Files\DeluxeCommunications -> Adware.DeluxeCommunications : Cleaned with backup (quarantined).
C:\Program Files\DeluxeCommunications\Dxc.exe -> Adware.DeluxeCommunications : Cleaned with backup (quarantined).
C:\Program Files\DeluxeCommunications\DxcBho.dll -> Adware.DeluxeCommunications : Cleaned with backup (quarantined).
C:\Program Files\DeluxeCommunications\DxcCore.dll -> Adware.DeluxeCommunications : Cleaned with backup (quarantined).
HKU\S-1-5-21-343818398-562591055-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CE7C3CF0-4B15-11D1-ABED-709549C10000} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-343818398-562591055-725345543-1004\Software\intexp -> Adware.IEPlugin : Cleaned with backup (quarantined).
HKU\S-1-5-21-343818398-562591055-725345543-1004\Software\intexp\Config -> Adware.IEPlugin : Cleaned with backup (quarantined).
HKU\S-1-5-21-343818398-562591055-725345543-1004\Software\intexp\MyFileSystem2 -> Adware.IEPlugin : Cleaned with backup (quarantined).
C:\Program Files\Common Files\WhenU\EmbedSE.dll -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\Program Files\Common Files\{3CC0B7C4-0AE8-1033-0423-030305090001}\888Bar.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\Program Files\Common Files\{FCC0B7C4-0AE8-1033-0423-030305090001}\Update.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\Program Files\Common Files\{FCC0B7C4-0AE8-1033-0423-030305090001}\services.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\Program Files\Deskbar -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D89A1D28-028C-4BA5-A858-CCDF7CA403CE}\RP764\A0063856.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D89A1D28-028C-4BA5-A858-CCDF7CA403CE}\RP767\A0068992.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D89A1D28-028C-4BA5-A858-CCDF7CA403CE}\RP767\A0068999.exe -> Adware.Suggestor : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D89A1D28-028C-4BA5-A858-CCDF7CA403CE}\RP764\A0063863.exe -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dxclib303562752.dll -> Adware.SurfSide : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Adware.WebRebates : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D89A1D28-028C-4BA5-A858-CCDF7CA403CE}\RP765\A0066890.exe -> Backdoor.Agent.bg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D89A1D28-028C-4BA5-A858-CCDF7CA403CE}\RP764\A0062844.exe -> Backdoor.IRCBot.qc : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D89A1D28-028C-4BA5-A858-CCDF7CA403CE}\RP765\A0066844.exe -> Backdoor.IRCBot.qc : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D89A1D28-028C-4BA5-A858-CCDF7CA403CE}\RP765\A0066845.exe -> Backdoor.IRCBot.qc : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D89A1D28-028C-4BA5-A858-CCDF7CA403CE}\RP765\A0066876.exe -> Backdoor.IRCBot.qc : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D89A1D28-028C-4BA5-A858-CCDF7CA403CE}\RP765\A0066885.exe -> Downloader.Adload.fu : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D89A1D28-028C-4BA5-A858-CCDF7CA403CE}\RP766\A0067011.exe -> Downloader.Adload.fu : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D89A1D28-028C-4BA5-A858-CCDF7CA403CE}\RP764\A0063859.exe -> Downloader.Adload.nad : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D89A1D28-028C-4BA5-A858-CCDF7CA403CE}\RP764\A0063867.dll -> Downloader.Agent.agw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D89A1D28-028C-4BA5-A858-CCDF7CA403CE}\RP766\A0067012.exe -> Downloader.Agent.ala : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D89A1D28-028C-4BA5-A858-CCDF7CA403CE}\RP765\A0066878.ini:xvqjx -> Downloader.Agent.an : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D89A1D28-028C-4BA5-A858-CCDF7CA403CE}\RP765\A0066880.dll:eckyb -> Downloader.Agent.an : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D89A1D28-028C-4BA5-A858-CCDF7CA403CE}\RP764\A0063854.dll -> Downloader.Agent.awb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D89A1D28-028C-4BA5-A858-CCDF7CA403CE}\RP766\A0067014.exe -> Downloader.Agent.azr : Cleaned with backup (quarantined).
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Backups\ocgen.log.11:vvtoc -> Downloader.Agent.bc : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D89A1D28-028C-4BA5-A858-CCDF7CA403CE}\RP765\A0066873.INI:dxmjb -> Downloader.Agent.bc : Cleaned with backup (quarantined).
C:\WINDOWS\CTDV10K1.CDF:ayqhn -> Downloader.Agent.bc : Cleaned with backup (quarantined).
C:\WINDOWS\CTDV10K1.CDF:uvgou -> Downloader.Agent.bc : Cleaned with backup (quarantined).
C:\WINDOWS\CTWave32.ini:tavkq -> Downloader.Agent.bc : Cleaned with backup (quarantined).
C:\WINDOWS\KB834707.log:qouzf -> Downloader.Agent.bc : Cleaned with backup (quarantined).
C:\WINDOWS\KB873339.log:vjxmj -> Downloader.Agent.bc : Cleaned with backup (quarantined).
C:\WINDOWS\ModemLog_U.S. Robotics 56K FAX EXT.txt:kvyzf -> Downloader.Agent.bc : Cleaned with backup (quarantined).
C:\WINDOWS\ODBC.INI:dxmjb -> Downloader.Agent.bc : Cleaned with backup (quarantined).
C:\WINDOWS\WMSysPrx.prx:lgrla -> Downloader.Agent.bc : Cleaned with backup (quarantined).
C:\WINDOWS\WMSysPrx.prx:msijr -> Downloader.Agent.bc : Cleaned with backup (quarantined).
C:\WINDOWS\appwt32.dll -> Downloader.Agent.bc : Cleaned with backup (quarantined).
C:\WINDOWS\cdplayer.ini:ftzwt -> Downloader.Agent.bc : Cleaned with backup (quarantined).
C:\WINDOWS\cmsetacl.log:reaxu -> Downloader.Agent.bc : Cleaned with backup (quarantined).
C:\WINDOWS\control.ini:hjdkb -> Downloader.Agent.bc : Cleaned with backup (quarantined).
C:\WINDOWS\crle32.dll -> Downloader.Agent.bc : Cleaned with backup (quarantined).
C:\WINDOWS\del.tmp:qlkoi -> Downloader.Agent.bc : Cleaned with backup (quarantined).
C:\WINDOWS\explorer.scf:odwlr -> Downloader.Agent.bc : Cleaned with backup (quarantined).
C:\WINDOWS\hpoins03.dat:iaxbji -> Downloader.Agent.bc : Cleaned with backup (quarantined).
C:\WINDOWS\ipkf32.dll -> Downloader.Agent.bc : Cleaned with backup (quarantined).
C:\WINDOWS\mfcex32.dll -> Downloader.Agent.bc : Cleaned with backup (quarantined).
C:\WINDOWS\mfcjg32.dll -> Downloader.Agent.bc : Cleaned with backup (quarantined).
C:\WINDOWS\msll32.dll -> Downloader.Agent.bc : Cleaned with backup (quarantined).
C:\WINDOWS\netfxocm.log:czdaj -> Downloader.Agent.bc : Cleaned with backup (quarantined).
C:\WINDOWS\nirbq.dat:cliom -> Downloader.Agent.bc : Cleaned with backup (quarantined).
C:\WINDOWS\nirbq.dat:cqvjf -> Downloader.Agent.bc : Cleaned with backup (quarantined).
C:\WINDOWS\nkprd.txt:hzomi -> Downloader.Agent.bc : Cleaned with backup (quarantined).
C:\WINDOWS\system32\apiqg.dll -> Downloader.Agent.bc : Cleaned with backup (quarantined).
C:\WINDOWS\system32\crjb.dll -> Downloader.Agent.bc : Cleaned with backup (quarantined).
C:\WINDOWS\system32\javayd.dll -> Downloader.Agent.bc : Cleaned with backup (quarantined).
C:\WINDOWS\tmlpcert2005:dwnip -> Downloader.Agent.bc : Cleaned with backup (quarantined).
C:\WINDOWS\tsoc.log:miucm -> Downloader.Agent.bc : Cleaned with backup (quarantined).
C:\WINDOWS\winnt.bmp:krxuj -> Downloader.Agent.bc : Cleaned with backup (quarantined).
C:\WINDOWS\»:jqwci -> Downloader.Agent.bc : Cleaned with backup (quarantined).
C:\WINDOWS\»:ppkqg -> Downloader.Agent.bc : Cleaned with backup (quarantined).
C:\WINDOWS\»:tfwzm -> Downloader.Agent.bc : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D89A1D28-028C-4BA5-A858-CCDF7CA403CE}\RP765\A0066870.ini:lstak -> Downloader.Agent.bq : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D89A1D28-028C-4BA5-A858-CCDF7CA403CE}\RP765\A0066870.ini:xwsgq -> Downloader.Agent.bq : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D89A1D28-028C-4BA5-A858-CCDF7CA403CE}\RP765\A0066873.INI:nmtzi -> Downloader.Agent.bq : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D89A1D28-028C-4BA5-A858-CCDF7CA403CE}\RP765\A0066873.INI:nrgcc -> Downloader.Agent.bq : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D89A1D28-028C-4BA5-A858-CCDF7CA403CE}\RP765\A0066875.pif:oozyz -> Downloader.Agent.bq : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D89A1D28-028C-4BA5-A858-CCDF7CA403CE}\RP765\A0066875.pif:qixtg -> Downloader.Agent.bq : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D89A1D28-028C-4BA5-A858-CCDF7CA403CE}\RP765\A0066878.ini:zbwqdu -> Downloader.Agent.bq : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D89A1D28-028C-4BA5-A858-CCDF7CA403CE}\RP765\A0066881.pif:wddev -> Downloader.Agent.bq : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D89A1D28-028C-4BA5-A858-CCDF7CA403CE}\RP765\A0066884.exe -> Downloader.Agent.bq : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D89A1D28-028C-4BA5-A858-CCDF7CA403CE}\RP765\A0066886.exe -> Downloader.Delf.go : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{daa873d4-958c-453c-81ca-3fe6f3676a87} -> Downloader.Fugif : Cleaned with backup (quarantined).
C:\WINDOWS\system32\Тasks\msconfig.exe -> Downloader.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D89A1D28-028C-4BA5-A858-CCDF7CA403CE}\RP765\A0066868.exe -> Downloader.PurityScan.cq : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D89A1D28-028C-4BA5-A858-CCDF7CA403CE}\RP764\A0063841.exe -> Downloader.Qoologic.at : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D89A1D28-028C-4BA5-A858-CCDF7CA403CE}\RP765\A0066853.dll -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D89A1D28-028C-4BA5-A858-CCDF7CA403CE}\RP765\A0066854.exe -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D89A1D28-028C-4BA5-A858-CCDF7CA403CE}\RP765\A0066855.exe -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D89A1D28-028C-4BA5-A858-CCDF7CA403CE}\RP765\A0066856.exe -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D89A1D28-028C-4BA5-A858-CCDF7CA403CE}\RP765\A0066888.exe -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D89A1D28-028C-4BA5-A858-CCDF7CA403CE}\RP764\A0063855.dll -> Downloader.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D89A1D28-028C-4BA5-A858-CCDF7CA403CE}\RP764\A0062847.exe -> Downloader.Small.ajc : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D89A1D28-028C-4BA5-A858-CCDF7CA403CE}\RP764\A0063865.exe -> Downloader.Small.buy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D89A1D28-028C-4BA5-A858-CCDF7CA403CE}\RP765\A0066842.exe -> Downloader.Small.cyh : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D89A1D28-028C-4BA5-A858-CCDF7CA403CE}\RP765\A0066869.exe:qokrk -> Downloader.WinShow.ak : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D89A1D28-028C-4BA5-A858-CCDF7CA403CE}\RP765\A0066872.exe -> Dropper.Agent.mu : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D89A1D28-028C-4BA5-A858-CCDF7CA403CE}\RP765\A0066882.exe -> Dropper.Delf.z : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D89A1D28-028C-4BA5-A858-CCDF7CA403CE}\RP765\A0066883.EXE -> Dropper.SurfSide.a : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D89A1D28-028C-4BA5-A858-CCDF7CA403CE}\RP765\A0066871.dll -> Hijacker.Delf.r : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D89A1D28-028C-4BA5-A858-CCDF7CA403CE}\RP764\A0063868.exe -> Hijacker.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D89A1D28-028C-4BA5-A858-CCDF7CA403CE}\RP765\A0066858.exe -> Hijacker.Small : Cleaned with backup (quarantined).
C:\Program Files\html1.htm -> Hijacker.Small.jf : Cleaned with backup (quarantined).
C:\Program Files\html2.htm -> Hijacker.Small.jf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D89A1D28-028C-4BA5-A858-CCDF7CA403CE}\RP765\A0066879.exe -> Hijacker.Small.jf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D89A1D28-028C-4BA5-A858-CCDF7CA403CE}\RP764\A0063857.exe -> Not-A-Virus.Monitor.Win32.NetMon.a : Cleaned with backup (quarantined).
C:\Documents and Settings\Eddie\Cookies\eddie@heavycom.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Mom\Cookies\mom@2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Mom\Cookies\mom@cbs.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Mom\Cookies\mom@msninvite.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Mom\Cookies\mom@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Wendy\Cookies\wendy@2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Wendy\Cookies\wendy@collegeboundnetwork.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Wendy\Cookies\wendy@homestore.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Wendy\Cookies\wendy@veterinarypetinsurance.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Wendy\Cookies\wendy@viamtvcom.112.2o7[2].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Wendy\Cookies\wendy@adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Eddie\Cookies\eddie@ads.addynamix[1].txt -> TrackingCookie.Addynamix : Cleaned.
C:\Documents and Settings\Wendy\Cookies\wendy@rotator.adjuggler[1].txt -> TrackingCookie.Adjuggler : Cleaned.
C:\Documents and Settings\Wendy\Cookies\wendy@adrevolver[1].txt -> TrackingCookie.Adrevolver : Cleaned.
C:\Documents and Settings\Wendy\Cookies\wendy@media.adrevolver[1].txt -> TrackingCookie.Adrevolver : Cleaned.
C:\Documents and Settings\Wendy\Cookies\wendy@bluestreak[1].txt -> TrackingCookie.Bluestreak : Cleaned.
C:\Documents and Settings\Mom\Cookies\mom@citi.bridgetrack[2].txt -> TrackingCookie.Bridgetrack : Cleaned.
C:\Documents and Settings\Wendy\Cookies\wendy@citi.bridgetrack[1].txt -> TrackingCookie.Bridgetrack : Cleaned.
C:\Documents and Settings\Wendy\Cookies\wendy@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Mom\Cookies\mom@casalemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned.
C:\Documents and Settings\Mom\Cookies\mom@centrport[1].txt -> TrackingCookie.Centrport : Cleaned.
C:\Documents and Settings\Wendy\Cookies\wendy@centrport[1].txt -> TrackingCookie.Centrport : Cleaned.
C:\Documents and Settings\Wendy\Cookies\wendy@cz8.clickzs[2].txt -> TrackingCookie.Clickzs : Cleaned.
C:\Documents and Settings\Wendy\Cookies\wendy@vip.clickzs[2].txt -> TrackingCookie.Clickzs : Cleaned.
C:\Documents and Settings\Wendy\Cookies\wendy@com[1].txt -> TrackingCookie.Com : Cleaned.
C:\Documents and Settings\LocalService\Cookies\system@c.enhance[1].txt -> TrackingCookie.Enhance : Cleaned.
C:\Documents and Settings\LocalService\Cookies\system@enhance[1].txt -> TrackingCookie.Enhance : Cleaned.
C:\Documents and Settings\Wendy\Cookies\wendy@as-us.falkag[1].txt -> TrackingCookie.Falkag : Cleaned.
C:\Documents and Settings\LocalService\Cookies\system@findwhat[1].txt -> TrackingCookie.Findwhat : Cleaned.
C:\Documents and Settings\Mom\Cookies\mom@sales.liveperson[2].txt -> TrackingCookie.Liveperson : Cleaned.
C:\Documents and Settings\Wendy\Cookies\wendy@sales.liveperson[2].txt -> TrackingCookie.Liveperson : Cleaned.
C:\Documents and Settings\Wendy\Cookies\wendy@server.iad.liveperson[2].txt -> TrackingCookie.Liveperson : Cleaned.
C:\Documents and Settings\Wendy\Cookies\wendy@image.masterstats[1].txt -> TrackingCookie.Masterstats : Cleaned.
C:\Documents and Settings\Eddie\Cookies\eddie@overture[2].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Mom\Cookies\mom@overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Mom\Cookies\mom@perf.overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Wendy\Cookies\wendy@data1.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Wendy\Cookies\wendy@overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Wendy\Cookies\wendy@perf.overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\LocalService\Cookies\system@ads.pointroll[2].txt -> TrackingCookie.Pointroll : Cleaned.
C:\Documents and Settings\Mom\Cookies\mom@ads.pointroll[2].txt -> TrackingCookie.Pointroll : Cleaned.
C:\Documents and Settings\Wendy\Cookies\wendy@ads.pointroll[1].txt -> TrackingCookie.Pointroll : Cleaned.
C:\Documents and Settings\Mom\Cookies\mom@qksrv[2].txt -> TrackingCookie.Qksrv : Cleaned.
C:\Documents and Settings\Wendy\Cookies\wendy@qksrv[2].txt -> TrackingCookie.Qksrv : Cleaned.
C:\Documents and Settings\Mom\Cookies\mom@questionmarket[2].txt -> TrackingCookie.Questionmarket : Cleaned.
C:\Documents and Settings\Wendy\Cookies\wendy@questionmarket[2].txt -> TrackingCookie.Questionmarket : Cleaned.
C:\Documents and Settings\Wendy\Cookies\wendy@revenue[2].txt -> TrackingCookie.Revenue : Cleaned.
C:\Documents and Settings\Mom\Cookies\mom@edge.ru4[2].txt -> TrackingCookie.Ru4 : Cleaned.
C:\Documents and Settings\Wendy\Cookies\wendy@edge.ru4[1].txt -> TrackingCookie.Ru4 : Cleaned.
C:\Documents and Settings\Mom\Cookies\mom@serving-sys[2].txt -> TrackingCookie.Serving-sys : Cleaned.
C:\Documents and Settings\Wendy\Cookies\wendy@bs.serving-sys[1].txt -> TrackingCookie.Serving-sys : Cleaned.
C:\Documents and Settings\Wendy\Cookies\wendy@serving-sys[1].txt -> TrackingCookie.Serving-sys : Cleaned.
C:\Documents and Settings\Mom\Cookies\mom@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned.
C:\Documents and Settings\Wendy\Cookies\wendy@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned.
C:\Documents and Settings\Wendy\Cookies\wendy@statcounter[1].txt -> TrackingCookie.Statcounter : Cleaned.
C:\Documents and Settings\Mom\Cookies\mom@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Wendy\Cookies\wendy@anad.tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Wendy\Cookies\wendy@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Wendy\Cookies\wendy@trafficmp[1].txt -> TrackingCookie.Trafficmp : Cleaned.
C:\Documents and Settings\Wendy\Cookies\wendy@trafic[1].txt -> TrackingCookie.Trafic : Cleaned.
C:\Documents and Settings\Mom\Cookies\mom@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\Documents and Settings\Wendy\Cookies\wendy@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\Documents and Settings\Wendy\Cookies\wendy@webstat[1].txt -> TrackingCookie.Web-stat : Cleaned.
C:\Documents and Settings\Mom\Cookies\mom@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\Wendy\Cookies\wendy@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\Wendy\Cookies\wendy@yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\Mom\Cookies\mom@zedo[2].txt -> TrackingCookie.Zedo : Cleaned.
C:\Documents and Settings\Wendy\Cookies\wendy@zedo[1].txt -> TrackingCookie.Zedo : Cleaned.
C:\57546148.exe -> Trojan.Agent.rw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D89A1D28-028C-4BA5-A858-CCDF7CA403CE}\RP754\A0062292.exe -> Trojan.Agent.rw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D89A1D28-028C-4BA5-A858-CCDF7CA403CE}\RP716\A0054419.old -> Trojan.Ilono : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D89A1D28-028C-4BA5-A858-CCDF7CA403CE}\RP718\A0055560.old -> Trojan.Ilono : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D89A1D28-028C-4BA5-A858-CCDF7CA403CE}\RP765\A0066874.sys -> Trojan.Kolweb.a : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D89A1D28-028C-4BA5-A858-CCDF7CA403CE}\RP765\A0066887.sys -> Trojan.Kolweb.a : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D89A1D28-028C-4BA5-A858-CCDF7CA403CE}\RP765\A0066889.exe -> Trojan.Kolweb.a : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D89A1D28-028C-4BA5-A858-CCDF7CA403CE}\RP764\A0063866.exe -> Trojan.Qoologic : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D89A1D28-028C-4BA5-A858-CCDF7CA403CE}\RP766\A0067013.exe -> Trojan.Runner.j : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D89A1D28-028C-4BA5-A858-CCDF7CA403CE}\RP765\A0066891.exe -> Trojan.SecondThought.be : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D89A1D28-028C-4BA5-A858-CCDF7CA403CE}\RP764\A0063838.exe -> Trojan.VB.tg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D89A1D28-028C-4BA5-A858-CCDF7CA403CE}\RP764\A0063839.exe -> Trojan.VB.tg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D89A1D28-028C-4BA5-A858-CCDF7CA403CE}\RP765\A0066877.exe -> Trojan.VB.tg : Cleaned with backup (quarantined).


::Report end

#6 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:02:54 AM

Posted 09 November 2006 - 05:10 PM

Hi,

Looks like the AVG Anti-Spyware scan was really needed, because you probably never scanned with a decent antispyware scanner before, or at least not an up-to-date one, because AVG Anti-Spyware deleted a lot of older malware as well.

Your HijackThis log looks clean again, but we still have to delete some files manually..

Question.. Do you still have that RSM Client G41A installed? And do you still use it? If not.. perform next..

Go to start > run and copy and paste next commands in the field:

sc delete RSMClientG41A_1
Hit enter

sc delete RSMClientStarterG41A
Hit enter

Then,

Please set your system to show all files.
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Please hide your hidden files and folders afterwards again, when we are done with this thread and your problems are solved, because above instructions to set your system to show all files, unhide legit files and folders as well.
And I don't want you to delete them because they may look suspicious. To hide them again, just perform the above instructions in the opposite way.


Browse to next files and delete them:

C:\WINDOWS\system32\dftcc6bf.sys
C:\WINDOWS\hoqizcvA.exe
C:\WINDOWS\cfg32p.dll
C:\162.exe
C:\165.exe
C:\WINDOWS\system32\histuay.exe
C:\WINDOWS\srvinxmh.exe
C:\WINDOWS\system32\jdkfjdskfjkdsjf.bat
C:\WINDOWS\wintr.dll

* Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Click the "Delete Cookies" button
  • Next to it, Click the "Delete Files" button
  • When prompted, place a check in: "Delete all offline content", click OK
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu on the left side of the Options window.
  • Click the Clear button located to the right of each option (History, Cookies, Cache).
  • Click OK to close the Options window
    Alternatively, you can clear all information stored while browsing by clicking Clear All.
    A confirmation dialog box will be shown before clearing the information.
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
Extra addition..

I notice from your log that you are running more than one different Anti-Virus programs with Auto-protect enabled. AVG and Norton
Rather than giving you extra protection, this can actually give problems because of incompatibility issues, can even cause BSODs and decrease the reliability of it seriously!
Also, it causes a serious system slowdown.

I would strongly advise you to only have one Anti-Virus with the Auto-Protect feature running at any one time!
If you decide to only keep one Anti-Virus installed,
you should uninstall the other(s) through the Add or Remove Programs option in Control Panel.

As a final checkup, perform next..

* Perform an onlinescan with panda: (please use this scanner instead of any other scanner!)
Panda Online
- Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Post the contents of the Panda scan report in your next reply.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
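As an added example (not from the thread or from any tool named in it), a PowerShell check for the manual steps in this post: that the two services deleted with sc are gone, that the listed files no longer exist, and that no Run/RunOnce autorun value still points at one of them. It assumes PowerShell run as Administrator on the affected PC; the file and service names are the ones listed above, and the autorun keys are the standard Windows locations.

```powershell
# Added example, not part of the thread: verify the cleanup asked for above.
# Assumes PowerShell run from an Administrator account on the affected PC.
# File, service and key names come from the post; the autorun keys are the
# standard Windows Run/RunOnce locations that HijackThis also inspects.
$FilesToBeGone = @(
    'C:\WINDOWS\system32\dftcc6bf.sys',
    'C:\WINDOWS\hoqizcvA.exe',
    'C:\WINDOWS\cfg32p.dll',
    'C:\162.exe',
    'C:\165.exe',
    'C:\WINDOWS\system32\histuay.exe',
    'C:\WINDOWS\srvinxmh.exe',
    'C:\WINDOWS\system32\jdkfjdskfjkdsjf.bat',
    'C:\WINDOWS\wintr.dll'
)
$ServicesToBeGone = @('RSMClientG41A_1', 'RSMClientStarterG41A')
$AutorunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Test-Cleanup {
    $problems = @()

    # .NET File.Exists sees hidden and system files, so the "show hidden
    # files" Explorer setting does not matter here.
    foreach ($f in $FilesToBeGone) {
        if ([System.IO.File]::Exists($f)) { $problems += "still present: $f" }
    }

    # 'sc delete' removes the service's registry key; a service that was still
    # running when deleted lingers until reboot, so check both views.
    foreach ($s in $ServicesToBeGone) {
        if (Get-Service -Name $s -ErrorAction SilentlyContinue) {
            $problems += "service still registered: $s"
        }
        if (Test-Path "HKLM:\SYSTEM\CurrentControlSet\Services\$s") {
            $problems += "service key still present: $s"
        }
    }

    # A file that reappears after every reboot is being relaunched from
    # somewhere; flag any autorun value that still names one of the files.
    $names = $FilesToBeGone | ForEach-Object { [System.IO.Path]::GetFileName($_) }
    foreach ($key in $AutorunKeys) {
        if (-not (Test-Path $key)) { continue }
        $values = Get-ItemProperty -Path $key
        foreach ($prop in $values.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # provider metadata, not a value
            foreach ($n in $names) {
                if ("$($prop.Value)" -like "*$n*") {
                    $problems += "autorun '$($prop.Name)' in $key still references $n"
                }
            }
        }
    }
    return ,$problems
}

$result = @(Test-Cleanup)
if ($result.Count -eq 0) { 'Cleanup verified: nothing left behind.' } else { $result }
```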

#7 Edster12

Edster12
  • Topic Starter

  • Members
  • 7 posts
  • Local time:04:54 PM

Posted 09 November 2006 - 06:30 PM

Ok I manually deleted the files you said. Uninstalled AVG anti virus and just running Norton now. Clean up the other stuff and here is the panda scan results.

Incident Status Location

Possible Virus. Not disinfected C:\Documents and Settings\Eddie\Desktop\stuff\convert\SUPER\ffmpeg.exe
Spyware:spyware/surfsidekick Not disinfected C:\Documents and Settings\Eddie\Local Settings\Temporary Internet Files\Ssk.log
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Mom\Cookies\mom@apmebf[1].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Mom\Cookies\mom@atwola[1].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Mom\Cookies\mom@go[1].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Wendy\Cookies\wendy@adrevolver[2].txt
Spyware:Cookie/NewMedia Not disinfected C:\Documents and Settings\Wendy\Cookies\wendy@anm.co[1].txt
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Wendy\Cookies\wendy@apmebf[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Wendy\Cookies\wendy@atwola[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Wendy\Cookies\wendy@belnk[1].txt
Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\Wendy\Cookies\wendy@bravenet[1].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Wendy\Cookies\wendy@cgi-bin[2].txt
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\Wendy\Cookies\wendy@did-it[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Wendy\Cookies\wendy@dist.belnk[2].txt
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Wendy\Cookies\wendy@maxserving[2].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Wendy\Cookies\wendy@realmedia[2].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Wendy\Cookies\wendy@searchportal.information[2].txt
Spyware:Cookie/Target Not disinfected C:\Documents and Settings\Wendy\Cookies\wendy@target[2].txt
Adware:adware/portalscan Not disinfected C:\WINDOWS\bundles\adv0ltc0m.exe
Potentially unwanted tool:Application/FunWeb Not disinfected C:\WINDOWS\Downloaded Program Files\f3initialsetup1.0.0.8.inf
Adware:Adware/Transponder Not disinfected C:\WINDOWS\inf\polall1r.inf
Dialer:dialer.bny Not disinfected C:\WINDOWS\pcconfig.dat
Adware:Adware/CommAd Not disinfected C:\WINDOWS\RG9uIGFuZCBEb25uYSBXb2xmZQ\l36RK3IRtF1HvZcRsm1rvZUAtk.vbs
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\WINDOWS\system32\f3PSSavr.scr
Adware:Adware/ActiveSearch Not disinfected C:\WINDOWS\system32\install.exe
Possible Virus. Not disinfected C:\WINDOWS\system32\setup9X.exe
Dialer:dialer.b Not disinfected C:\WINDOWS\tmlpcert2005



I also had a question about 2 folders on the C drive. One is C:\bintheredunthat which has just one file sys0154478908-.exe

Also Qoobox containing npdxo.dll.qoo pbpcpw.dat.qoo and a folder named Purity which leads to C:\QooBox\Purity\WINDOWS\system32\ASKS~1\Тasks and has nothing visible in it.

I don't remember seeing these and not sure if they are supposed to be there or something I should be concerned about. Thanks again for the help.

#8 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:02:54 AM

Posted 10 November 2006 - 01:43 AM

Hi,

I also had a question about 2 folders on the C drive. One is C:\bintheredunthat which has just one file sys0154478908-.exe

Also Qoobox containing npdxo.dll.qoo pbpcpw.dat.qoo and a folder named Purity which leads to C:\QooBox\Purity\WINDOWS\system32\ASKS~1\Тasks and has nothing visible in it.


C:\bintheredunthat was created by Alcanshorty, the tool you ran previously. It contains backups of suspected files. You may delete that folder.

Same goes for C:\Qoobox. That one was created by combofix. You may delete that C:\Qoobox folder as well.

Also delete next files:

C:\WINDOWS\bundles\adv0ltc0m.exe
C:\WINDOWS\inf\polall1r.inf
C:\WINDOWS\pcconfig.dat
C:\WINDOWS\RG9uIGFuZCBEb25uYSBXb2xmZQ <== folder (this is a hidden folder, so make sure your hidden files and folders are shown as I explained previously)
C:\WINDOWS\system32\f3PSSavr.scr
C:\WINDOWS\system32\install.exe
C:\WINDOWS\system32\vbzip10.dll
C:\WINDOWS\system32\setup9X.exe
C:\WINDOWS\tmlpcert2005
C:\Documents and Settings\Eddie\Local Settings\Temporary Internet Files\Ssk.log

Go to start > run and type: regsvr32 /u occache.dll
(or copy and paste this in the field in start > run )
Click Ok

Now search and delete:

C:\WINDOWS\Downloaded Program Files\f3initialsetup1.0.0.8.inf

Go to start > run and type regsvr32 occache.dll
Click OK

Panda also flags this file as a possible virus:

Possible Virus. Not disinfected C:\Documents and Settings\Eddie\Desktop\stuff\convert\SUPER\ffmpeg.exe


It's on your desktop and you have placed it there. If you know what it is and if you are certain that one is clean (since it may be a false positive from panda), leave it. In case you're not sure, it's better to delete it.

Let me know in your next reply how things are running now.

Edited by miekiemoes, 10 November 2006 - 01:44 AM.


#9 Edster12

Edster12
  • Topic Starter

  • Members
  • 7 posts
  • Local time:04:54 PM

Posted 10 November 2006 - 03:49 AM

Ok I found and deleted the files. I wasn't able to find C:\Documents and Settings\Eddie\Local Settings\Temporary Internet Files\Ssk.log but I cleared the whole folder again and it wasn't there so I'm assuming it's gone.

As far as C:\Documents and Settings\Eddie\Desktop\stuff\convert\SUPER\ffmpeg.exe, I installed SUPER as a video conversion tool to make a .flv into a .wmv and I'm pretty sure it's safe. But seeing as how I won't be using it much I went ahead and uninstalled the program and that file just to be sure.

Other than that the computer is running great and my favorites folders have stopped disappearing. Something I forgot to mention earlier. Thank you again for your time and help!!

#10 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:02:54 AM

Posted 10 November 2006 - 04:07 AM

Hello,

C:\Documents and Settings\Eddie\Local Settings\Temporary Internet Files\Ssk.log should be present though, but it's common that you won't be able to find it to delete it.
So, to get rid of it, perform next..

* Open hijackthis, click 'config' (bottom right)
Choose the tab 'misc Tools' on top.
Choose 'delete a file on reboot'
In the field, copy and paste next:

C:\Documents and Settings\Eddie\Local Settings\Temporary Internet Files\Ssk.log

Click open.
Hijackthis will tell you that this file will be deleted on next reboot and if you want to reboot now. Click Yes/ok
Your system should reboot now.

Glad to hear everything is running OK again.

To keep this clean in the future, I would suggest the following things:

Install Spywareblaster
SpywareBlaster doesn't scan and clean for so-called spyware, but prevents it from being installed in the first place. It blocks the popular spyware ActiveX controls, and also prevents the installation of any of them via a webpage.
How to use SpywareBlaster

* Avoid illegal sites, because that's where most malware is present.
* Don't click on links inside popups.
* Don't click on links in spam messages claiming to offer anti-spyware software, because most of these so-called removers ARE spyware.
* Download free software only from sites you know and trust. Because a lot of free software can bundle other software, including spyware.

Let your antispywarescanner(s) scan frequently and don't forget to update before.

And I do suggest you perform an online virus scan once in a while (Housecall and/or Bitdefender), because what one virus scanner can't find another one maybe can.
Also make sure that your virus scanner, the one that is installed on your system, is always up to date!

Make sure your windows has the latest updates: http://windowsupdate.microsoft.com/

If you are having XP SP2, read here how to configure Security Features for Internet Explorer:
http://www.microsoft.com/technet/security/...xp/iesecxp.mspx

Also visit this Free Online Scanner for PC Health and Safety and Microsoft Security At Home for tips to Protect your Pc, Protect yourself and Protect your Family.

More info on how to prevent malware you can also find here (By Tony Klein)
and here: http://wiki.castlecops.com/Malware_Prevent...nt_Re-infection

Also read: Simple and easy ways to keep your computer safe and secure on the Internet

Happy surfing again! :thumbsup:

#11 Edster12

Edster12
  • Topic Starter

  • Members
  • 7 posts
  • Local time:04:54 PM

Posted 10 November 2006 - 04:23 AM

Thanks for the info. I got Spywareblaster and will make sure to use anti virus and AVG anti spyware often. I didn't see any confirmation from Hijackthis or anything saying the file was deleted after the reboot though.

Edited by Edster12, 10 November 2006 - 04:25 AM.


#12 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:02:54 AM

Posted 10 November 2006 - 04:25 AM

Hi,

No, Hijackthis doesn't give that confirmation, but it should be gone now. :thumbsup:
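The "delete a file on reboot" step from #10 and the missing confirmation noted in #11 and #12, as an added PowerShell example (not HijackThis code): it queues the locked file for deletion with the Win32 MoveFileEx call and MOVEFILE_DELAY_UNTIL_REBOOT, which is the standard Windows mechanism for this and is assumed here to be what HijackThis uses, then reads back the pending request from the registry so it can be confirmed before rebooting. It assumes an Administrator session and PowerShell 2.0 or later; the target path is the one from the thread.

```powershell
# Added example, not HijackThis code: schedule a locked file for deletion at the
# next reboot through the Win32 MoveFileEx / MOVEFILE_DELAY_UNTIL_REBOOT call,
# then read back the request so it can be confirmed before rebooting.
# Assumes an Administrator session and PowerShell 2.0 or later (for Add-Type);
# the target path is the one named in the thread.
$sig = @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool MoveFileEx(string lpExistingFileName,
                                     string lpNewFileName, int dwFlags);
'@
$Kernel32 = Add-Type -MemberDefinition $sig -Name 'Kernel32Delete' -Namespace 'Win32' -PassThru

function Request-DeleteOnReboot([string]$Path) {
    $MOVEFILE_DELAY_UNTIL_REBOOT = 4
    # A null destination tells Windows to delete (not rename) the file during
    # the next boot, before anything can lock it again.
    $ok = $Kernel32::MoveFileEx($Path, $null, $MOVEFILE_DELAY_UNTIL_REBOOT)
    if (-not $ok) {
        $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "MoveFileEx failed for '$Path' (Win32 error $err)"
    }
}

function Get-PendingFileOperations {
    # Delayed moves are queued in this REG_MULTI_SZ as source/destination
    # pairs; an empty destination means "delete". Paths carry the \??\ prefix.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $raw = (Get-ItemProperty -Path $key -Name PendingFileRenameOperations `
              -ErrorAction SilentlyContinue).PendingFileRenameOperations
    $ops = @()
    for ($i = 0; $i -lt @($raw).Count; $i += 2) {
        $src = $raw[$i] -replace '^\\\?\?\\', ''
        $dst = if ($i + 1 -lt $raw.Count) { $raw[$i + 1] -replace '^\\\?\?\\', '' } else { '' }
        $ops += New-Object PSObject -Property @{
            Source = $src
            Action = $(if ($dst) { "rename to $dst" } else { 'delete' })
        }
    }
    return ,$ops
}

$target = 'C:\Documents and Settings\Eddie\Local Settings\Temporary Internet Files\Ssk.log'
Request-DeleteOnReboot $target
# The confirmation HijackThis does not show: the queued delete for our target.
Get-PendingFileOperations | Where-Object { $_.Source -ieq $target }
```

Running Get-PendingFileOperations again after the reboot should return nothing for the target, which is the second half of the confirmation.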

#13 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:02:54 AM

Posted 17 November 2006 - 02:59 AM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



