
Need W32.Myzor.FK@yf Help

Discussion in 'Windows - Virus and spyware problems' started by Proph3t, May 25, 2006.

  1. chook84

    Results from the two scans...

    SmitFraudFix v2.61

    Scan done at 20:56:56.37, Tue 06/20/2006
    Run from C:\Documents and Settings\Kim\Desktop\SmitfraudFix\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    Fix ran in normal mode

    »»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{f85e05f5-667e-41b0-ab8a-147337a99e65}"="bloodthirst"

    [HKEY_CLASSES_ROOT\CLSID\{f85e05f5-667e-41b0-ab8a-147337a99e65}\InProcServer32]
    @="C:\WINDOWS\system32\xuefh.dll"

    [HKEY_CURRENT_USER\Software\Classes\CLSID\{f85e05f5-667e-41b0-ab8a-147337a99e65}\InProcServer32]
    @="C:\WINDOWS\system32\xuefh.dll"


    »»»»»»»»»»»»»»»»»»»»»»»» Killing process


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

    Problem while deleting C:\WINDOWS\system32\atmclk.exe
    Problem while deleting C:\WINDOWS\system32\dcomcfg.exe
    Problem while deleting C:\WINDOWS\system32\hp???.tmp
    Problem while deleting C:\WINDOWS\system32\hp????.tmp
    Problem while deleting C:\WINDOWS\system32\ld????.tmp
    C:\WINDOWS\system32\ot.ico Deleted
    Problem while deleting C:\WINDOWS\system32\regperf.exe
    C:\WINDOWS\system32\simpole.tlb Deleted
    Problem while deleting C:\WINDOWS\system32\stdole3.tlb
    C:\WINDOWS\system32\1024\ Deleted
    C:\DOCUME~1\Kim\FAVORI~1\Antivirus Test Online.url Deleted

    »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

    GenericRenosFix by S!Ri

    C:\WINDOWS\system32\xuefh.dll -> Missing File


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


    »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

    Registry Cleaning done.

    »»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{f85e05f5-667e-41b0-ab8a-147337a99e65}"="bloodthirst"

    [HKEY_CLASSES_ROOT\CLSID\{f85e05f5-667e-41b0-ab8a-147337a99e65}\InProcServer32]
    @="C:\WINDOWS\system32\xuefh.dll"

    [HKEY_CURRENT_USER\Software\Classes\CLSID\{f85e05f5-667e-41b0-ab8a-147337a99e65}\InProcServer32]
    @="C:\WINDOWS\system32\xuefh.dll"



    »»»»»»»»»»»»»»»»»»»»»»»» Reboot

    C:\WINDOWS\system32\atmclk.exe Deleted
    C:\WINDOWS\system32\dcomcfg.exe Deleted
    C:\WINDOWS\system32\hp???.tmp Deleted
    C:\WINDOWS\system32\ld????.tmp Deleted
    C:\WINDOWS\system32\stdole3.tlb Deleted

    »»»»»»»»»»»»»»»»»»»»»»»» End




    Logfile of HijackThis v1.99.1
    Scan saved at 9:01:25 PM, on 6/20/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Vet\isafe.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\Vet\VetMsg.exe
    C:\WINDOWS\NOTEPAD.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Vet\VetTray.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\PROGRA~1\INCRED~1\bin\IMApp.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
    C:\Documents and Settings\Kim\Desktop\Hijack This\HijackThis_v1.99.1.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [SiSRaid] C:\Program Files\Silicon Integrated Systems\SiSRaidPackage\SRaid.exe
    O4 - HKLM\..\Run: [VetTray] C:\Vet\VetTray.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\Program Files\IncrediMail\bin\resources\WebMenuImg.htm
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\Vet\isafe.exe
    O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Vet\VetMsg.exe
     
  2. Roc2

    Here are my reports after scanning.

    SmitFraudFix v2.61

    Scan done at 7:07:19.00, Tue 06/20/2006
    Run from C:\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    Fix ran in safe mode

    »»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{8dc1f789-e073-4363-b40d-07376bc5ecc5}"="articulation"

    [HKEY_CLASSES_ROOT\CLSID\{8dc1f789-e073-4363-b40d-07376bc5ecc5}\InProcServer32]
    @="C:\WINDOWS\system32\hzclqhc.dll"

    [HKEY_CURRENT_USER\Software\Classes\CLSID\{8dc1f789-e073-4363-b40d-07376bc5ecc5}\InProcServer32]
    @="C:\WINDOWS\system32\hzclqhc.dll"


    »»»»»»»»»»»»»»»»»»»»»»»» Killing process


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

    C:\WINDOWS\system32\hp???.tmp Deleted
    C:\WINDOWS\system32\simpole.tlb Deleted
    C:\WINDOWS\system32\stdole3.tlb Deleted
    C:\DOCUME~1\Rosco\FAVORI~1\Antivirus Test Online.url Deleted
    C:\Program Files\SpywareQuake.com\ Deleted

    »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

    GenericRenosFix by S!Ri

    C:\WINDOWS\system32\hzclqhc.dll -> Missing File


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


    »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

    Registry Cleaning done.

    »»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» End



    ---------------------------------------------------------
    ewido anti-malware - Scan report
    ---------------------------------------------------------

    + Created on: 7:54:16 AM, 6/20/2006
    + Report-Checksum: 3B8617F7

    + Scan result:

    :mozilla.365:E:\Backup XP 2004&5\Documents and Settings\Roc\Application Data\Mozilla\Firefox\Profiles\ix0i9e1b.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
    :mozilla.6:E:\Backup XP 2004&5\Documents and Settings\Roc\Application Data\Mozilla\Firefox\Profiles\n3r0tg2e.Roc\cookies.txt -> TrackingCookie.Xxxtoolbar : Cleaned with backup
    :mozilla.7:E:\Backup XP 2004&5\Documents and Settings\Roc\Application Data\Mozilla\Firefox\Profiles\n3r0tg2e.Roc\cookies.txt -> TrackingCookie.Xxxtoolbar : Cleaned with backup
    :mozilla.8:E:\Backup XP 2004&5\Documents and Settings\Roc\Application Data\Mozilla\Firefox\Profiles\n3r0tg2e.Roc\cookies.txt -> TrackingCookie.Xxxtoolbar : Cleaned with backup
    :mozilla.9:E:\Backup XP 2004&5\Documents and Settings\Roc\Application Data\Mozilla\Firefox\Profiles\n3r0tg2e.Roc\cookies.txt -> TrackingCookie.Xxxtoolbar : Cleaned with backup
    :mozilla.10:E:\Backup XP 2004&5\Documents and Settings\Roc\Application Data\Mozilla\Firefox\Profiles\n3r0tg2e.Roc\cookies.txt -> TrackingCookie.Xxxtoolbar : Cleaned with backup
    :mozilla.16:E:\Backup XP 2004&5\Documents and Settings\Roc\Application Data\Mozilla\Firefox\Profiles\n3r0tg2e.Roc\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
    :mozilla.17:E:\Backup XP 2004&5\Documents and Settings\Roc\Application Data\Mozilla\Firefox\Profiles\n3r0tg2e.Roc\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
    :mozilla.18:E:\Backup XP 2004&5\Documents and Settings\Roc\Application Data\Mozilla\Firefox\Profiles\n3r0tg2e.Roc\cookies.txt -> TrackingCookie.Burstnet : Cleaned with backup
    :mozilla.19:E:\Backup XP 2004&5\Documents and Settings\Roc\Application Data\Mozilla\Firefox\Profiles\n3r0tg2e.Roc\cookies.txt -> TrackingCookie.Burstnet : Cleaned with backup
    :mozilla.22:E:\Backup XP 2004&5\Documents and Settings\Roc\Application Data\Mozilla\Firefox\Profiles\n3r0tg2e.Roc\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
    :mozilla.23:E:\Backup XP 2004&5\Documents and Settings\Roc\Application Data\Mozilla\Firefox\Profiles\n3r0tg2e.Roc\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
    :mozilla.24:E:\Backup XP 2004&5\Documents and Settings\Roc\Application Data\Mozilla\Firefox\Profiles\n3r0tg2e.Roc\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
    :mozilla.25:E:\Backup XP 2004&5\Documents and Settings\Roc\Application Data\Mozilla\Firefox\Profiles\n3r0tg2e.Roc\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
    :mozilla.31:E:\Backup XP 2004&5\Documents and Settings\Roc\Application Data\Mozilla\Firefox\Profiles\n3r0tg2e.Roc\cookies.txt -> TrackingCookie.Mediaplex : Cleaned with backup
    :mozilla.33:E:\Backup XP 2004&5\Documents and Settings\Roc\Application Data\Mozilla\Firefox\Profiles\n3r0tg2e.Roc\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
    :mozilla.34:E:\Backup XP 2004&5\Documents and Settings\Roc\Application Data\Mozilla\Firefox\Profiles\n3r0tg2e.Roc\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
    :mozilla.36:E:\Backup XP 2004&5\Documents and Settings\Roc\Application Data\Mozilla\Firefox\Profiles\n3r0tg2e.Roc\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
    :mozilla.38:E:\Backup XP 2004&5\Documents and Settings\Roc\Application Data\Mozilla\Firefox\Profiles\n3r0tg2e.Roc\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
    :mozilla.39:E:\Backup XP 2004&5\Documents and Settings\Roc\Application Data\Mozilla\Firefox\Profiles\n3r0tg2e.Roc\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
    :mozilla.48:E:\Backup XP 2004&5\Documents and Settings\Roc\Application Data\Mozilla\Firefox\Profiles\n3r0tg2e.Roc\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
    :mozilla.49:E:\Backup XP 2004&5\Documents and Settings\Roc\Application Data\Mozilla\Firefox\Profiles\n3r0tg2e.Roc\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
    :mozilla.52:E:\Backup XP 2004&5\Documents and Settings\Roc\Application Data\Mozilla\Firefox\Profiles\n3r0tg2e.Roc\cookies.txt -> TrackingCookie.Burstbeacon : Cleaned with backup
    :mozilla.53:E:\Backup XP 2004&5\Documents and Settings\Roc\Application Data\Mozilla\Firefox\Profiles\n3r0tg2e.Roc\cookies.txt -> TrackingCookie.Bluestreak : Cleaned with backup
    :mozilla.54:E:\Backup XP 2004&5\Documents and Settings\Roc\Application Data\Mozilla\Firefox\Profiles\n3r0tg2e.Roc\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup
    :mozilla.55:E:\Backup XP 2004&5\Documents and Settings\Roc\Application Data\Mozilla\Firefox\Profiles\n3r0tg2e.Roc\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
    :mozilla.56:E:\Backup XP 2004&5\Documents and Settings\Roc\Application Data\Mozilla\Firefox\Profiles\n3r0tg2e.Roc\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
    :mozilla.57:E:\Backup XP 2004&5\Documents and Settings\Roc\Application Data\Mozilla\Firefox\Profiles\n3r0tg2e.Roc\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
    :mozilla.58:E:\Backup XP 2004&5\Documents and Settings\Roc\Application Data\Mozilla\Firefox\Profiles\n3r0tg2e.Roc\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
    :mozilla.59:E:\Backup XP 2004&5\Documents and Settings\Roc\Application Data\Mozilla\Firefox\Profiles\n3r0tg2e.Roc\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
    :mozilla.60:E:\Backup XP 2004&5\Documents and Settings\Roc\Application Data\Mozilla\Firefox\Profiles\n3r0tg2e.Roc\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
    :mozilla.68:E:\Backup XP 2004&5\Documents and Settings\Roc\Application Data\Mozilla\Firefox\Profiles\n3r0tg2e.Roc\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
    :mozilla.69:E:\Backup XP 2004&5\Documents and Settings\Roc\Application Data\Mozilla\Firefox\Profiles\n3r0tg2e.Roc\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
    :mozilla.70:E:\Backup XP 2004&5\Documents and Settings\Roc\Application Data\Mozilla\Firefox\Profiles\n3r0tg2e.Roc\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
    :mozilla.71:E:\Backup XP 2004&5\Documents and Settings\Roc\Application Data\Mozilla\Firefox\Profiles\n3r0tg2e.Roc\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
    :mozilla.90:E:\Backup XP 2004&5\Documents and Settings\Roc\Application Data\Mozilla\Firefox\Profiles\n3r0tg2e.Roc\cookies.txt -> TrackingCookie.Itrack : Cleaned with backup
    :mozilla.91:E:\Backup XP 2004&5\Documents and Settings\Roc\Application Data\Mozilla\Firefox\Profiles\n3r0tg2e.Roc\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
    :mozilla.92:E:\Backup XP 2004&5\Documents and Settings\Roc\Application Data\Mozilla\Firefox\Profiles\n3r0tg2e.Roc\cookies.txt -> TrackingCookie.Itrack : Cleaned with backup
    :mozilla.93:E:\Backup XP 2004&5\Documents and Settings\Roc\Application Data\Mozilla\Firefox\Profiles\n3r0tg2e.Roc\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
    :mozilla.94:E:\Backup XP 2004&5\Documents and Settings\Roc\Application Data\Mozilla\Firefox\Profiles\n3r0tg2e.Roc\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
    :mozilla.103:E:\Backup XP 2004&5\Documents and Settings\Roc\Application Data\Mozilla\Firefox\Profiles\n3r0tg2e.Roc\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
    :mozilla.104:E:\Backup XP 2004&5\Documents and Settings\Roc\Application Data\Mozilla\Firefox\Profiles\n3r0tg2e.Roc\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
    :mozilla.105:E:\Backup XP 2004&5\Documents and Settings\Roc\Application Data\Mozilla\Firefox\Profiles\n3r0tg2e.Roc\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
    :mozilla.106:E:\Backup XP 2004&5\Documents and Settings\Roc\Application Data\Mozilla\Firefox\Profiles\n3r0tg2e.Roc\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
    :mozilla.107:E:\Backup XP 2004&5\Documents and Settings\Roc\Application Data\Mozilla\Firefox\Profiles\n3r0tg2e.Roc\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
    :mozilla.108:E:\Backup XP 2004&5\Documents and Settings\Roc\Application Data\Mozilla\Firefox\Profiles\n3r0tg2e.Roc\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
    :mozilla.109:E:\Backup XP 2004&5\Documents and Settings\Roc\Application Data\Mozilla\Firefox\Profiles\n3r0tg2e.Roc\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
    :mozilla.110:E:\Backup XP 2004&5\Documents and Settings\Roc\Application Data\Mozilla\Firefox\Profiles\n3r0tg2e.Roc\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
    :mozilla.111:E:\Backup XP 2004&5\Documents and Settings\Roc\Application Data\Mozilla\Firefox\Profiles\n3r0tg2e.Roc\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
    :mozilla.112:E:\Backup XP 2004&5\Documents and Settings\Roc\Application Data\Mozilla\Firefox\Profiles\n3r0tg2e.Roc\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
    :mozilla.113:E:\Backup XP 2004&5\Documents and Settings\Roc\Application Data\Mozilla\Firefox\Profiles\n3r0tg2e.Roc\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
    :mozilla.114:E:\Backup XP 2004&5\Documents and Settings\Roc\Application Data\Mozilla\Firefox\Profiles\n3r0tg2e.Roc\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
    :mozilla.115:E:\Backup XP 2004&5\Documents and Settings\Roc\Application Data\Mozilla\Firefox\Profiles\n3r0tg2e.Roc\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
    :mozilla.116:E:\Backup XP 2004&5\Documents and Settings\Roc\Application Data\Mozilla\Firefox\Profiles\n3r0tg2e.Roc\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
    :mozilla.117:E:\Backup XP 2004&5\Documents and Settings\Roc\Application Data\Mozilla\Firefox\Profiles\n3r0tg2e.Roc\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
    :mozilla.118:E:\Backup XP 2004&5\Documents and Settings\Roc\Application Data\Mozilla\Firefox\Profiles\n3r0tg2e.Roc\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
    :mozilla.119:E:\Backup XP 2004&5\Documents and Settings\Roc\Application Data\Mozilla\Firefox\Profiles\n3r0tg2e.Roc\cookies.txt -> TrackingCookie.Bfast : Cleaned with backup
    :mozilla.120:E:\Backup XP 2004&5\Documents and Settings\Roc\Application Data\Mozilla\Firefox\Profiles\n3r0tg2e.Roc\cookies.txt -> TrackingCookie.Revenue : Cleaned with backup
    :mozilla.123:E:\Backup XP 2004&5\Documents and Settings\Roc\Application Data\Mozilla\Firefox\Profiles\n3r0tg2e.Roc\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
    :mozilla.126:E:\Backup XP 2004&5\Documents and Settings\Roc\Application Data\Mozilla\Firefox\Profiles\n3r0tg2e.Roc\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
    :mozilla.129:E:\Backup XP 2004&5\Documents and Settings\Roc\Application Data\Mozilla\Firefox\Profiles\n3r0tg2e.Roc\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
    :mozilla.131:E:\Backup XP 2004&5\Documents and Settings\Roc\Application Data\Mozilla\Firefox\Profiles\n3r0tg2e.Roc\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
    :mozilla.132:E:\Backup XP 2004&5\Documents and Settings\Roc\Application Data\Mozilla\Firefox\Profiles\n3r0tg2e.Roc\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
    :mozilla.157:E:\Backup XP 2004&5\Documents and Settings\Roc\Application Data\Mozilla\Firefox\Profiles\n3r0tg2e.Roc\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup
    :mozilla.158:E:\Backup XP 2004&5\Documents and Settings\Roc\Application Data\Mozilla\Firefox\Profiles\n3r0tg2e.Roc\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup
    :mozilla.164:E:\Backup XP 2004&5\Documents and Settings\Roc\Application Data\Mozilla\Firefox\Profiles\n3r0tg2e.Roc\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
    :mozilla.165:E:\Backup XP 2004&5\Documents and Settings\Roc\Application Data\Mozilla\Firefox\Profiles\n3r0tg2e.Roc\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
    :mozilla.166:E:\Backup XP 2004&5\Documents and Settings\Roc\Application Data\Mozilla\Firefox\Profiles\n3r0tg2e.Roc\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
    :mozilla.167:E:\Backup XP 2004&5\Documents and Settings\Roc\Application Data\Mozilla\Firefox\Profiles\n3r0tg2e.Roc\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
    :mozilla.180:E:\Backup XP 2004&5\Documents and Settings\Roc\Application Data\Mozilla\Firefox\Profiles\n3r0tg2e.Roc\cookies.txt -> TrackingCookie.Qksrv : Cleaned with backup
    :mozilla.181:E:\Backup XP 2004&5\Documents and Settings\Roc\Application Data\Mozilla\Firefox\Profiles\n3r0tg2e.Roc\cookies.txt -> TrackingCookie.Qksrv : Cleaned with backup
    :mozilla.186:E:\Backup XP 2004&5\Documents and Settings\Roc\Application Data\Mozilla\Firefox\Profiles\n3r0tg2e.Roc\cookies.txt -> TrackingCookie.Com : Cleaned with backup
    :mozilla.187:E:\Backup XP 2004&5\Documents and Settings\Roc\Application Data\Mozilla\Firefox\Profiles\n3r0tg2e.Roc\cookies.txt -> TrackingCookie.Com : Cleaned with backup
    :mozilla.207:E:\Backup XP 2004&5\Documents and Settings\Roc\Application Data\Mozilla\Firefox\Profiles\n3r0tg2e.Roc\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup
    :mozilla.214:E:\Backup XP 2004&5\Documents and Settings\Roc\Application Data\Mozilla\Firefox\Profiles\n3r0tg2e.Roc\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned with backup
    E:\Backup XP 2004&5\Documents and Settings\Roc\Cookies\roc@2o7[2].txt -> TrackingCookie.2o7 : Cleaned with backup
    E:\Backup XP 2004&5\Documents and Settings\Roc\Cookies\roc@advertising[1].txt -> TrackingCookie.Advertising : Cleaned with backup
    E:\Backup XP 2004&5\Documents and Settings\Roc\Cookies\roc@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup
    E:\Backup XP 2004&5\Documents and Settings\Roc\Cookies\roc@data.coremetrics[1].txt -> TrackingCookie.Coremetrics : Cleaned with backup
    E:\Backup XP 2004&5\Documents and Settings\Roc\Cookies\roc@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup
    E:\Backup XP 2004&5\Documents and Settings\Roc\Cookies\roc@ehg-cafepress.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned with backup
    E:\Backup XP 2004&5\Documents and Settings\Roc\Cookies\roc@ehg-newegg.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup
    E:\Backup XP 2004&5\Documents and Settings\Roc\Cookies\roc@ehg-tigerdirect.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned with backup
    E:\Backup XP 2004&5\Documents and Settings\Roc\Cookies\roc@ehg-tigerdirect2.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned with backup
    E:\Backup XP 2004&5\Documents and Settings\Roc\Cookies\roc@fastclick[1].txt -> TrackingCookie.Fastclick : Cleaned with backup
    E:\Backup XP 2004&5\Documents and Settings\Roc\Cookies\roc@hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup
    E:\Backup XP 2004&5\Documents and Settings\Roc\Cookies\roc@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned with backup
    E:\Backup XP 2004&5\Documents and Settings\Roc\Cookies\roc@perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup
    E:\Backup XP 2004&5\Documents and Settings\Roc\Cookies\roc@servedby.advertising[1].txt -> TrackingCookie.Advertising : Cleaned with backup
    E:\Backup XP 2004&5\Documents and Settings\Roc\Cookies\roc@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned with backup
    E:\Backup XP 2004&5\Documents and Settings\Roc\Cookies\roc@z1.adserver[1].txt -> TrackingCookie.Adserver : Cleaned with backup
    E:\Saved Programs\Music\kazaa md.exe/cd_clint.dll -> Adware.Cydoor : Cleaned with backup
    E:\Saved Programs\Music\kazaa md.exe/cd_htm.dll -> Adware.Cydoor : Cleaned with backup
    E:\Saved Programs\R\Rbackup\ICQ\NDetect.exe -> Backdoor.IP_Protect : Cleaned with backup


    ::Report End

    Logfile of HijackThis v1.99.1
    Scan saved at 8:01:02 AM, on 6/20/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\brsvc01a.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\brss01a.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\Program Files\ewido anti-malware\ewidoguard.exe
    C:\WINDOWS\system32\inetsrv\inetinfo.exe
    C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    C:\WINDOWS\system32\nvraidservice.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\HP OfficeJet Series 500\bin\ktchnsnk.exe
    C:\Program Files\Microsoft IntelliPoint\point32.exe
    C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
    C:\WINDOWS\system32\devldr32.exe
    C:\Program Files\Brother\ControlCenter2\brctrcen.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\WINDOWS\system32\wbem\unsecapp.exe
    C:\Program Files\ewido anti-malware\SecuritySuite.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe
    C:\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
    O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [HP OfficeJet Series 500] "C:\Program Files\HP OfficeJet Series 500\bin\ktchnsnk.exe" -reg "Software\Hewlett-Packard\OfficeJet Series 500\Install"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\K-Lite Codec Pack\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
    O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
    O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
    O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
    O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute\vrie.dll
    O9 - Extra 'Tools' menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute\vrie.dll
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{E754EFDE-BD03-4C0B-9432-AF0FC9959D05}: NameServer = 205.171.3.65,205.171.2.65
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
    O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe



    Looks like quite a few infections.
    I used ad-aware, spybot search and destroy, avg, housecall.trendmicro.com, Xsoftspy, spysweeper, and now your programs. Hope this does it. :) (What a pain)
     
  3. JaPK

    JaPK Regular member

    Sorry for the delay, I've been busy :)

    @jcogswell

    You don't have a firewall on your computer. Download and install one firewall.

    These are good (free) firewalls:
    ZoneAlarm --> http://www.zonelabs.com
    Kerio --> http://www.sunbelt-software.com/Kerio.cfm
    Outpost --> http://www.agnitum.com

    Ok, you got some infections on your computer....

    Cleaning instructions:

    Move HijackThis into its own folder C:\HJT

    Download and install Ewido anti-malware -> http://www.ewido.net/en/download
    Update it, but do NOT run a scan yet. We'll use it later.

    Run HijackThis. Press Do a system scan only, then close all other windows, checkmark the following entries and press Fix checked

    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

    Restart your computer to the safemode and choose your normal user account -> http://www.pchell.com/support/safemode.shtml

    When in safemode, open SmitfraudFix folder and doubleclick the file smitfraudfix.cmd
    Choose option #2 - Clean by typing 2 and pressing "Enter" in order to remove the infected files.

    You are asked: "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove your desktop wallpaper and the infected registry keys.

    The tool checks if wininet.dll file is infected. You might be asked to replace the infected .dll (if found); answer "Yes" by typing Y and press "Enter".

    The tool might have to restart your computer; if it won't do it, restart your computer back to normal mode.
    A textfile will appear after the cleaning process, copy this file and paste it to here.

    The log is saved to your local disk drive, usually C:\rapport.txt.

    Warning: Running option 2 on a clean computer will delete your desktop wallpaper.

    Scan and clean your computer with Ewido and save the report.

    Post the following logs to here:
    -> a fresh HijackThis log
    -> Ewido's log
    -> contents of C:\Rapport.txt

    --------------------------------------------------------------------------------------------------------------

    @chook84

    Ok, not clean yet.

    Remove the old version of smitfraudfix and download the latest version of SmitfraudFix.zip to your desktop -> http://siri.urz.free.fr/Fix/SmitfraudFix.zip
    Unzip it (folder named SmitFraudFix) to your desktop.

    Restart your computer to the safemode and choose your normal user account -> http://www.pchell.com/support/safemode.shtml

    When in safemode, open SmitfraudFix folder and doubleclick the file smitfraudfix.cmd
    Choose option #2 - Clean by typing 2 and pressing "Enter" in order to remove the infected files.

    You are asked: "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove your desktop wallpaper and the infected registry keys.

    The tool checks if wininet.dll file is infected. You might be asked to replace the infected .dll (if found); answer "Yes" by typing Y and press "Enter".

    The tool might have to restart your computer; if it won't do it, restart your computer back to normal mode.
    A textfile will appear after the cleaning process, copy this file and paste it to here.

    The log is saved to your local disk drive, usually C:\rapport.txt.

    Warning: Running option 2 on a clean computer will delete your desktop wallpaper.

    Post a fresh HijackThis log here too...

    --------------------------------------------------------------------------------------------------------------

    @Roc2

    Ok looks clean now :)

    You should update your Java (old version has all kinds of vulnerabilities)
    1. Click "Start"-> "Control panel" -> Double-click Java icon (coffee cup)
    2. Move to "Update" tab and update Java by clicking "Update Now". After that do a restart.
    3. If you can't make automatic update, get new version manually from here -> http://www.java.com/en/download/manual.jsp
    4. After updating, uninstall the old Java (if found) from Add/Remove Programs, named as
    J2SE Runtime Environment 5.0 Update 6

    Now that you're clean, here are some tips on how to stay clean.

    -> Stand Up and Be Counted, Malware Complaints -> http://www.malwarecomplaints.info
    The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

    -> Clear your system restore -> http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx
    This will clear the system restore folders from possible malware that was left behind during the cleaning process. Remember to create a new restore point after the cleaning.

    -> Use CCleaner -> http://www.ccleaner.com
    Download and install CCleaner. Clean your registry and temporary files with it regularly.

    -> Use Ad-Aware -> http://www.bleepingcomputer.com/forums/?showtutorial=48
    Download and install Ad-Aware. Update it and scan your computer regularly with it.

    -> Use Ewido -> http://www.ewido.net/en
    Download and install Ewido. Update it and scan your computer regularly with it.

    -> Install SpywareBlaster -> http://www.javacoolsoftware.com/spywareblaster.html
    SpywareBlaster will prevent spyware from being installed to your computer.

    -> Install MVPS Hosts file -> http://mvps.org/winhelp2002/hosts.htm
    This prevents your computer from connecting to harmful sites.

    -> Change your browser to Firefox -> http://www.mozilla.org
    Firefox is a faster, safer and quicker browser than Internet Explorer.

    -> Keep your system up-to-date -> http://windowsupdate.microsoft.com
    Visit Windows Update regularly.

    -> Keep your antivirus and firewall up-to-date
    Scan your computer regularly with your antivirus.

    -> Read this article by TonyKlein -> http://castlecops.com/postlite7736-.html
    So how did I get infected in the first place?

    Stay clean ;)
     
    Last edited: Jun 20, 2006
  4. jcogswell

    jcogswell Member

    Ok followed your instructions and here are the reports you wanted:
    ---------------------------------------------------------
    ewido anti-spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 3:53:43 PM 6/20/2006

    + Scan result:



    C:\Documents and Settings\Administrator\Cookies\administrator@data3.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned.
    C:\Documents and Settings\Administrator\Cookies\administrator@perf.overture[1].txt -> TrackingCookie.Overture : Cleaned.
    C:\Documents and Settings\Administrator\Cookies\administrator@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned.


    ::Report end

    Logfile of HijackThis v1.99.1
    Scan saved at 2:33:58 PM, on 6/20/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\ehome\ehSched.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\WINDOWS\system32\inetsrv\inetinfo.exe
    C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\ehome\ehtray.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\windows\system\hpsysdrv.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\USB Storage RW\shwicon.exe
    C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    C:\HP\KBD\KBD.EXE
    C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
    c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
    C:\WINDOWS\SM1BG.EXE
    C:\Program Files\HP DVD\Umbrella\DVDTray.exe
    C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
    C:\WINDOWS\LTMSG.exe
    C:\Program Files\Common Files\AOL\1140134680\ee\AOLSoftware.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\Program Files\ewido anti-spyware 4.0\ewido.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\ehome\ehmsas.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
    C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\HJT\HijackThis_v1.99.1.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [KYE_Showicon] "C:\Program Files\USB Storage RW\shwicon.exe" -t"KYE\USB Storage RW"
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [AutoTBar] C:\hp\bin\autotbar.exe
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [KONICA MINOLTA magicolor 2400W STD] C:\WINDOWS\system32\MSTMON_S.EXE STARTUP
    O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
    O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
    O4 - HKLM\..\Run: [DVDTray] "C:\Program Files\HP DVD\Umbrella\DVDTray.exe"
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1140134680\ee\AOLSoftware.exe
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
    O4 - Global Startup: hpoddt01.exe.lnk = ?
    O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
    O4 - Global Startup: officejet 6100.lnk = ?
    O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1129014117500
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1129119539625
    O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://207.155.242.147/Remote/msrdp.cab
    O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/7/532/6712...com/downloads/player/Install2.5/Installer.exe
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://wealthcounsel.webex.com/client/v_mywebex-t20/support/ieatgpc.cab
    O18 - Protocol: g7ps - {9EACF0FB-4FC7-436E-989B-3197142AD979} - C:\Program Files\Common Files\G7PS\Shared Files\G7PSDLL\G7PS.dll
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

    SmitFraudFix v2.62

    Scan done at 14:25:11.68, Tue 06/20/2006
    Run from C:\Documents and Settings\Administrator\Desktop\SmitfraudFix\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    Fix ran in safe mode

    »»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{f85e05f5-667e-41b0-ab8a-147337a99e65}"="bloodthirst"

    [HKEY_CLASSES_ROOT\CLSID\{f85e05f5-667e-41b0-ab8a-147337a99e65}\InProcServer32]
    @="C:\WINDOWS\system32\xuefh.dll"

    [HKEY_CURRENT_USER\Software\Classes\CLSID\{f85e05f5-667e-41b0-ab8a-147337a99e65}\InProcServer32]
    @="C:\WINDOWS\system32\xuefh.dll"


    »»»»»»»»»»»»»»»»»»»»»»»» Killing process


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

    C:\WINDOWS\system32\hp???.tmp Deleted
    C:\WINDOWS\system32\ot.ico Deleted
    C:\WINDOWS\system32\simpole.tlb Deleted
    C:\WINDOWS\system32\stdole3.tlb Deleted
    C:\WINDOWS\system32\ts.ico Deleted
    C:\WINDOWS\system32\1024\ Deleted
    C:\DOCUME~1\ALLUSE~1\Desktop\Online Security Guide.url Deleted
    C:\DOCUME~1\ADMINI~1\FAVORI~1\Antivirus Test Online.url Deleted
    C:\Program Files\Security Toolbar\ Deleted

    »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

    GenericRenosFix by S!Ri

    C:\WINDOWS\system32\xuefh.dll -> Missing File


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


    »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

    Registry Cleaning done.

    »»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» End

    Am I clean now?
     
  5. JaPK

    JaPK Regular member

    Hi jcogswell, you're clean now :)

    Now that you're clean, here are some tips how to stay clean.

    -> Stand Up and Be Counted, Malware Complaints -> http://www.malwarecomplaints.info
    The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

    -> Clear your system restore -> http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx
    This will clear the system restore folders from possible malware that was left behind during the cleaning process. Remember to create a new restore point after the cleaning.

    -> Use CCleaner -> http://www.ccleaner.com
    Download and install CCleaner. Clean your registry and temporary files with it regularly.

    -> Use Ad-Aware -> http://www.bleepingcomputer.com/forums/?showtutorial=48
    Download and install Ad-Aware. Update it and scan your computer regularly with it.

    -> Use Ewido -> http://www.ewido.net/en
    Download and install Ewido. Update it and scan your computer regularly with it.

    -> Install SpywareBlaster -> http://www.javacoolsoftware.com/spywareblaster.html
    SpywareBlaster will prevent spyware from being installed to your computer.

    -> Install MVPS Hosts file -> http://mvps.org/winhelp2002/hosts.htm
    This prevents your computer from connecting to harmful sites.

    -> Change your browser to Firefox -> http://www.mozilla.org
    Firefox is a faster, safer and quicker browser than Internet Explorer.

    -> Keep your system up-to-date -> http://windowsupdate.microsoft.com
    Visit Windows Update regularly.

    -> Keep your antivirus and firewall up-to-date
    Scan your computer regularly with your antivirus.

    -> Read this article by TonyKlein -> http://castlecops.com/postlite7736-.html
    So how did I get infected in the first place?

    Stay clean ;)
     
  6. sambro

    sambro Member

    G'day

    I seem to have a problem with this W32.Myzor.FK@yf virus thingo too, can you help me, please


    here are the Smitfraudfix results

    SmitFraudFix v2.65

    Scan done at 23:28:04.64, Sat 24/06/2006
    Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    Fix ran in normal mode

    »»»»»»»»»»»»»»»»»»»»»»»» C:\


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

    C:\WINDOWS\system32\atmclk.exe FOUND !
    C:\WINDOWS\system32\dcomcfg.exe FOUND !
    C:\WINDOWS\system32\guxxa.dll FOUND !
    C:\WINDOWS\system32\hp???.tmp FOUND !
    C:\WINDOWS\system32\hp????.tmp FOUND !
    C:\WINDOWS\system32\ld????.tmp FOUND !
    C:\WINDOWS\system32\ot.ico FOUND !
    C:\WINDOWS\system32\regperf.exe FOUND !
    C:\WINDOWS\system32\simpole.tlb FOUND !
    C:\WINDOWS\system32\stdole3.tlb FOUND !
    C:\WINDOWS\system32\1024\ FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner\Application Data


    »»»»»»»»»»»»»»»»»»»»»»»» Start Menu


    »»»»»»»»»»»»»»»»»»»»»»»»


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

    C:\Program Files\SpywareQuake.com\ FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="My Current Home Page"


    »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{af3fd9a8-1287-4159-9212-9a5b4494af70}"="ecosystems"


    »»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


    »»»»»»»»»»»»»»»»»»»»»»»» End

    and here are the HJT scan results

    Logfile of HijackThis v1.99.1
    Scan saved at 11:24:13 PM, on 24/06/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\system32\slserv.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\dcomcfg.exe
    C:\WINDOWS\system32\atmclk.exe
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\TWAIN_32\D66U\D066UUTY.EXE
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Skype\Phone\Skype.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\system32\drwtsn32.exe
    C:\WINDOWS\system32\drwtsn32.exe
    C:\HJT\HijackThis_v1.99.1.exe

    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Nothing - {686a161d-5bd1-4999-8832-6393f41e564c} - C:\WINDOWS\system32\hp100.tmp
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {C25EBBF5-6966-6CD5-7CA3-FC9692C95F88} - C:\DOCUME~1\Sam\APPLIC~1\GRIMSU~1\Surf Barb.exe
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [D066UUtility] C:\WINDOWS\TWAIN_32\D66U\D066UUTY.EXE
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NAV CfgWiz] C:\PROGRA~1\NORTON~2\Cfgwiz.exe /R
    O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [dentpingthatobj] C:\Documents and Settings\All Users\Application Data\Wave Rule Dent Ping\Cash Hold.exe
    O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{7577FBA0-FC2E-4512-A088-7846BFF0B0A0}: NameServer = 203.32.82.6 203.32.82.5
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F32D33BA-7E2D-49A2-A963-92B379F23FF6}: NameServer = 172.16.5.1
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
    O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~2\SYMANT~1\Rtvscan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

    Got this far, if you can help me from here that would be much appreciated

    Cheers
    Sambro
     
  7. JaPK

    JaPK Regular member

    @sambro

    Hi.

    You don't have a firewall on your computer. Download and install one firewall.

    These are good (free) firewalls:
    ZoneAlarm --> http://www.zonelabs.com
    Kerio --> http://www.sunbelt-software.com/Kerio.cfm
    Outpost --> http://www.agnitum.com

    Disable Windows firewall after the installation if it was enabled.

    Ok, you got some infections on your computer....

    Cleaning instructions:

    Download and install Ewido anti-malware -> http://www.ewido.net/en/download
    Update it, but do NOT run a scan yet. We'll use it later.

    Run HijackThis. Press Do a system scan only, then close all other windows, checkmark the following entries and press Fix checked

    O2 - BHO: (no name) - {C25EBBF5-6966-6CD5-7CA3-FC9692C95F88} - C:\DOCUME~1\Sam\APPLIC~1\GRIMSU~1\Surf Barb.exe
    O4 - HKLM\..\Run: [dentpingthatobj] C:\Documents and Settings\All Users\Application Data\Wave Rule Dent Ping\Cash Hold.exe

    Make your hidden files visible -> http://www.bleepingcomputer.com/tutorials/tutorial62.html
    Restart your computer to the safemode -> http://www.pchell.com/support/safemode.shtml

    Delete these folders (if found):
    C:\DOCUME~1\Sam\APPLIC~1\GRIMSU~1
    C:\Documents and Settings\All Users\Application Data\Wave Rule Dent Ping

    When in safemode, open SmitfraudFix folder and doubleclick the file smitfraudfix.cmd
    Choose option #2 - Clean by typing 2 and pressing "Enter" in order to remove the infected files.

    You are asked: "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove your desktop wallpaper and the infected registry keys.

    The tool checks if wininet.dll file is infected. You might be asked to replace the infected .dll (if found); answer "Yes" by typing Y and press "Enter".

    The tool might have to restart your computer; if it won't do it, restart your computer back to normal mode.
    A textfile will appear after the cleaning process, copy this file and paste it to here.

    The log is saved to your local diskdrive, usually C:\rapport.txt.

    Warning : Running option 2 in a clean computer will delete your desktop wallpaper.

    Scan and clean your computer with Ewido and save the report.

    Clean the Recycle bin.

    Download Findlop by Metallica and save it to your desktop -> http://metallica.geekstogo.com/findlop.zip

    Extract the zip file and doubleclick the file findlop.bat, answer yes to any questions.

    Post the following logs to here:
    -> a fresh HijackThis log
    -> Ewido's log
    -> C:\findlop.txt
    -> C:\Rapport.txt
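
Added example, not part of any post in this thread and not how HijackThis or the helper decides what to fix: a small triage pass over HijackThis O2/O4 lines, using entries copied from the log posted above. The three heuristics (BHO module that is not a .dll, autostart target under a profile data or temp folder, "(file missing)" leftovers) and all function names are assumptions made for this illustration; a hit means "look closer", not "infected".

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Lines copied from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Nothing - {686a161d-5bd1-4999-8832-6393f41e564c} - C:\WINDOWS\system32\hp100.tmp
O2 - BHO: (no name) - {C25EBBF5-6966-6CD5-7CA3-FC9692C95F88} - C:\DOCUME~1\Sam\APPLIC~1\GRIMSU~1\Surf Barb.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [dentpingthatobj] C:\Documents and Settings\All Users\Application Data\Wave Rule Dent Ping\Cash Hold.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
"""

ENTRY = re.compile(r"^([A-Z]\d+) - (.*)$")                      # "O4 - <body>"
BHO = re.compile(r"^BHO: (.*) - (\{[0-9A-Fa-f-]+\}) - (.+)$")   # name, CLSID, module
RUN = re.compile(r"^HK\w+\\\.\.\\Run\w*: \[(.+?)\] (.+)$")      # value name, command
# First token that ends in a loadable extension; paths may contain spaces.
EXECUTABLE = re.compile(r"^(.*?\.(?:exe|dll|tmp|com|bat|cmd|scr))(?=[\s,]|$)", re.I)
# Assumption: folders a limited user can write to, incl. 8.3 short names.
USER_WRITABLE = re.compile(
    r"\\(?:application data|applic~\d|local settings|locals~\d|temp)\\", re.I)


@dataclass
class Finding:
    section: str
    path: Optional[str]
    reasons: List[str]
    line: str


def target_path(command: str) -> str:
    """Return the file a command line points at, without arguments."""
    command = command.replace("(file missing)", "").strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    match = EXECUTABLE.match(command)
    return match.group(1) if match else command


def triage(log_text: str) -> List[Finding]:
    """Flag O2/O4 entries that deserve a closer look, plus orphaned entries."""
    findings = []
    for raw in log_text.splitlines():
        entry = ENTRY.match(raw.strip())
        if not entry:
            continue  # header, process list, blank line
        section, body = entry.groups()
        path, reasons = None, []

        if section == "O2":
            bho = BHO.match(body)
            if bho:
                path = target_path(bho.group(3))
                # Browser Helper Objects are in-process COM servers, so a
                # module that is not a .dll is unusual.
                if not path.lower().endswith(".dll"):
                    reasons.append("BHO module is not a .dll")
        elif section == "O4":
            run = RUN.match(body)
            if run:
                path = target_path(run.group(2))

        if path and USER_WRITABLE.search(path):
            reasons.append("loads from a profile data/temp folder")
        if "(file missing)" in body:
            reasons.append("orphaned entry: file missing")

        if reasons:
            findings.append(Finding(section, path, reasons, raw.strip()))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4}{'; '.join(f.reasons)}\n    {f.line}")
```
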
     
  8. sambro

    sambro Member

    Thanks, here are the files you requested

    Logfile of HijackThis v1.99.1
    Scan saved at 9:20:32 PM, on 25/06/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\system32\slserv.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\TWAIN_32\D66U\D066UUTY.EXE
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Messenger\msmsgs.exe
    c:\progra~1\intern~1\iexplore.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\HJT\HijackThis_v1.99.1.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [D066UUtility] C:\WINDOWS\TWAIN_32\D66U\D066UUTY.EXE
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NAV CfgWiz] C:\PROGRA~1\NORTON~2\Cfgwiz.exe /R
    O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [knob owns] C:\DOCUME~1\Sam\APPLIC~1\SHIMCO~1\32 ace once.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F32D33BA-7E2D-49A2-A963-92B379F23FF6}: NameServer = 172.16.5.1
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
    O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~2\SYMANT~1\Rtvscan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

    The Ewido report (it's a biggy)

    ---------------------------------------------------------
    ewido anti-spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 10:27:24 PM 25/06/2006

    + Scan result:



    [1732] c:\docume~1\sam\applic~1\shimco~1\boreel~1.exe -> Downloader.Swizzor.cb : Error during cleaning.
    C:\Documents and Settings\Jill\Local Settings\Temporary Internet Files\Content.IE5\QPCBKN4P\fammigodere[1].exe -> Heuristic.Win32.Dialer : Ignored.
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\GPIVKTEZ\WinAntiVirusPro2006FreeInstall[1].exe -> Not-A-Virus.Downloader.Win32.WinFixer.j : Ignored.
    C:\Documents and Settings\Gemma\Cookies\gemma@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
    C:\Documents and Settings\Gemma\Cookies\gemma@partygaming.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
    C:\Documents and Settings\Sam\Local Settings\Temp\Cookies\sam@partygaming.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
    C:\Documents and Settings\Gemma\Local Settings\Temp\Cookies\gemma@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
    C:\Documents and Settings\Sam\Local Settings\Temp\Cookies\sam@casalemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned.
    C:\Documents and Settings\Gemma\Cookies\gemma@as-eu.falkag[2].txt -> TrackingCookie.Falkag : Cleaned.
    C:\Documents and Settings\Sam\Local Settings\Temp\Cookies\sam@as-eu.falkag[2].txt -> TrackingCookie.Falkag : Cleaned.
    C:\Documents and Settings\Gemma\Local Settings\Temp\Cookies\gemma@fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned.
    C:\Documents and Settings\Gemma\Local Settings\Temp\Cookies\gemma@media.fastclick[1].txt -> TrackingCookie.Fastclick : Cleaned.
    C:\Documents and Settings\Gemma\Cookies\gemma@lop[1].txt -> TrackingCookie.Lop : Cleaned.
    C:\Documents and Settings\Gemma\Local Settings\Temp\Cookies\gemma@mediaplex[2].txt -> TrackingCookie.Mediaplex : Cleaned.
    C:\Documents and Settings\Gemma\Cookies\gemma@stats1.reliablestats[2].txt -> TrackingCookie.Reliablestats : Cleaned.
    C:\Documents and Settings\Sam\Local Settings\Temp\Cookies\sam@ads0.revenue[1].txt -> TrackingCookie.Revenue : Cleaned.
    C:\Documents and Settings\Sam\Local Settings\Temp\Cookies\sam@ads1.revenue[1].txt -> TrackingCookie.Revenue : Cleaned.
    C:\Documents and Settings\Sam\Local Settings\Temp\Cookies\sam@revenue[1].txt -> TrackingCookie.Revenue : Cleaned.
    C:\Documents and Settings\Gemma\Cookies\gemma@serving-sys[2].txt -> TrackingCookie.Serving-sys : Cleaned.
    C:\Documents and Settings\Gemma\Local Settings\Temp\Cookies\gemma@serving-sys[2].txt -> TrackingCookie.Serving-sys : Cleaned.
    C:\Documents and Settings\Sam\Local Settings\Temp\Cookies\sam@serving-sys[1].txt -> TrackingCookie.Serving-sys : Cleaned.
    C:\Documents and Settings\Gemma\Cookies\gemma@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned.
    C:\Documents and Settings\Sam\Local Settings\Temp\Cookies\sam@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned.
    C:\Documents and Settings\Sam\Local Settings\Temp\Cookies\sam@zedo[1].txt -> TrackingCookie.Zedo : Cleaned.
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\SLUZCDAF\WinFixer2006FreeInstall[1].exe -> Trojan.Fakealert : Ignored.
    C:\Program Files\WinFixer2006FreeInstall.exe -> Trojan.Fakealert : Ignored.
    C:\Program Files\Media-Codec -> Trojan.Small : Cleaned with backup (quarantined).
    C:\Program Files\Media-Codec\uninst.exe -> Trojan.Small : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\Sean Paul - Chronicles (2003).zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\Secure FTP Factoy 5.3.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\Secure iNet Factoy 5.4.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\SecuritySupervisor 1.2.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\Seeed - Music Monks.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\Selteco Flash Designer 5.0.20.6.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\Sepultura - Dante XXI (2006) - promo.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\Serenity DivX (2005).zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\Serenity Forest Screensaver.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\Serpengo 1.0.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\Serv-U 5.1 Corporate.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\Shadow Warrior - 3d Realms.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\ShadowGames Shooter.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\Shaggy Clothes Drop (Advance).zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\ShockScript Game Script with 250 games.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\Shrek 2.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\SiSoftware Sandra Professional Unicode SR2a.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\Sim City 4 Deluxe.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\Skype 2.0.0.73.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\Slide Show to Go 8.3.1.63.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\Slideshow Pro 9.8.1.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\Slipknot - Mate Kill Feed Repeat.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\Smart HTTP Debugger 1.2.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\Smart Protector Internet Eraser 4.8.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\Smart Undelete 2.4.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\Smart Wedding 4.0.0.1057.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\SmartBroker Pro 4.0.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\SmartCode VNC Manager Enterprise 3.0.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\SoftCAT Plus 2.10.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\Software PNG Icons For Webmasters.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\Sonic Backup my PC Deluxe 6.0.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\Sony Sound Forge 7.0b.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\Sorority girl fusks the tutor.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\Sothink DHTMLMenu 6.3.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\Sound Forge 8.0b.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\Soundtrack Transporter 2.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\Soundtrack Underworld 2 Evolution.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\South Park Rally.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\SpamMonster 1.70.09.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\SpecForce.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\SpeedItUp Extreme 3.50.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\Spiral Graphics Genetica Pro 2.0 Te.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\Splinter Cell Chaos Theory.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\Spy Cleaner Pro 8.0.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\SpyRemo2.49.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\SpyRemover 2.46.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\SpyStopper Pro 4.3.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\Spyware Doctor 3.2.2.453.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\Spyware Doctor 3.5.0.478.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\Star Defender II.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\Star Wars Episode III - Revenge of the S.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\Star Wars Knights of the Old Republic II.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\Star Wars Knights of the Old Republic.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\Stardock Windows Blind 5 Enhanced.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\Startup Manager Platinum 2.04.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\Steganos SAFE ProFESSIONAL 2006 8.0.9.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\Steinberg Cubase SX 3.1.1.944.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\Steinberg MyMP3Pro 5.0.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\Steinberg Nuendo 3.2.0.1128.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\Steve Hackett - Metamorpheus (2005).zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\Still Life.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\Strike Ball 2.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\Stronghold 2.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\Stunt GP.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\StyleVision 2005 Enterprise.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\Sum 41 - Does This Look Infected (2002).zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\Super Cars Wallpapers 1920 x 1440.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\Super Norton System Works 2006 AIO.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\Super RM to MP3 Converter 2.0.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\Super Utilities Pro 6.21.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\Super Utilities Professional 6.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\Super Video Splitter 2.0.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\SuperRam 5.8.8.2005.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\SuperVideoCap 4.38.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\Surreal Media Templates.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\Suse Linux Professional 10.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\Sway - This Is My Demo (Promo 2006) - Hip Hop.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\Syberia 2.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\Symantec AntiVirus Corp.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\Symantec AntiVirus Corporate for Win64.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\Symantec Ghost Solution Suite ver. 1.0.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\Symantec Norton AntiSpam 2004.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\Symantec Norton Ghost 10.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\System Mechanic 6.0i Pro.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\System Mechanic Professional 6.0 p.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\System Mechanic Professional 6.0F.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\System Of A Down - Hypnotize.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\Systerac XP Tools 3.12.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\Systerac XP Tools 3.2.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\T-NES - Serious business.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\THE BEATLES - Jamming With Heather.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\Talking Time Keeper 15.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\Tally 7.2 - Single User and Multi User.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\Tamara.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\Task List Basic 1.0.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\TechSmith SnagIt 8.0.0.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\Template Monster 9225.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\Terminator 3 War of the Machines.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\Tetris Arena 1.4.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\The Bat! 3.0.1.33 Professional.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\The Beach.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\The Beatles- Acoustic Masterpieces.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\The CORRS - Home (Oct 2005).zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\The Chroncls Of Narnia The Lion, the.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\The Chronicles of Narnia.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\The Chronicles of Riddick.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\The Chumscrubber (2005).zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\The Da Vinci Code trailer 2006 (Drama, Mystery, Thriller).zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\The Dark Hours (2005).zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\The Descent.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\The Exorcism of Emily Rose UNRATED.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\The Exorcism of Emily Rose.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\The Fog - 2005.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\The Gladiators Of Rome.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\The Incredibles , Rise Of The Underminer.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\The Island.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\The Man.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\The Matrix Path Of Neo.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\The Palette Melody Composing Tool 4.2.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\The Panorama Factory 4.2.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\The Punisher.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\The RZA Hits (1999).zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\The Shins - Oh, Inverted World (2001).zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\The Simpson Hit and Run.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\The Simpsons Seri 17 Episode 10.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\The Sims 1 (8 In One).zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\The Sims 2 Christmas Party Pack.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\The Sims 2 Holiday Party Pack.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\The Sims 2.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\The Snow Walker.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\The Transporter 2.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\The Weather Man (2005).zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\The.Last.Drop.2005-TDL.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\The.New.World.SCR-maVen.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\Theme Hospital (Game).zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\Thief - Deadly Shadows.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\Throttle 6.1.16.2006.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\Thumbsucker.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\Tilt.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\Titanic.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\Tomb Raider I and II s.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\Total Video Converter 2.52.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\Toto - Falling In Between (2006) - Rock.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\Trailer Park Tycoon.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\Traktor Racer - RITUEL.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\Transporter 2.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\Trash It 1.80.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\Treasure Vault 3D Screensaver.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\Trendy Flash Site Builder.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\Trials Mountain Heights.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\Trojan Remover 6.44.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\Troy.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\TuneUp Utilities 2006 5.0.2331.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\TuneUp Utilities 2006.5.0.2331.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\TurboFTP 4.60.443.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\TweakNT - Removes Windows Timebomb.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\TweakNow PowerPack 2006 Pro 1.10 Retial.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\TweakNow Powerpack 2006 Pro.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\Two Weeks Notice.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\UEStudio 05.10.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\Ulead DVD MovieFactory 4.0 TBYB.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\Ulead.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\Ultra DVD Creator 1.4.6.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\Ultra MP3 To CD Burner 1.3.8.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\Ultra MPEG To DVD Burner 1.3.4.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\Ultra MPEG to DVD Burner 1.4.2.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\Ultra Video Converter 1.4.0.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\Ultra Video Converter 1.4.4.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\UltraISO 7.5.1.965 ME.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\Underworld.Evolution.TS-maVen.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\Universal Rapidshare Downloader 1.3.1.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\Universal Share Downloader 1.3.3.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\Unreal Tournament 2004.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\Unreal Tournament.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\UserGate 4.0.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\Usher - Confessions Special.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\V-Rally.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\V.A. - RAPStar vol. 1 (2006).zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\VA - Big Mike - The Big Boy Game Vol.9 (2005) - Hip Hop.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\VA - Chill House Volume 12 (2005) - Lo-Fi.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\VA - Club Hits Vol.13 (2005) - Club - CD1 CD2.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\VA - Eminem and Friends - Game Over Sessions (2005) - Hip Ho.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\VA - Eros (2006) - Jazz.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\VA - Estoy Por Ti (2005) - Pop.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\VA - Giga Hits Zima (2006) - Dance.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\VA - Madhouse 12 (2CD - 2005).zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\VA-Big Mike And Big Stress-Something F.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\VB.Net to C.Sharp Converter 1.45.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\VBA Password Bypasser 1.1.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\VMware Workstation 5.5 Build 18007 RC.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\VSO Blindwrite 5.2.21.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\VSO Blindwrite Suite 5.2.23.156.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\Valiant.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\Van Wilder.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\Vcom 2006.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\Vicentas SourceShield 1.0.151.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\Video AVI To GIF Converter 2.0.13.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
    C:\Documents and Settings\Sam\Complete\Video Converter Plus 3.01.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).


    ::Report end




    The Findlop files

    [TRACE] Enumerating jobs and queues
    [TRACE] Activating job 'A85C9FBD91AB1695.job'
    [TRACE] Printing all job properties

    ApplicationName: 'c:\docume~1\sam\applic~1\shimco~1\boreelseinternet.exe'
    Parameters: ''
    WorkingDirectory: ''
    Comment: ''
    Creator: 'Sam'
    Priority: NORMAL
    MaxRunTime: 259200000 (3d 0:00:00)
    IdleWait: 10
    IdleDeadline: 60
    MostRecentRun: 00/00/0000 0:00:00
    NextRun: 06/25/2006 23:00:00
    StartError: SCHED_S_TASK_HAS_NOT_RUN
    ExitCode: 0
    Status: SCHED_S_TASK_HAS_NOT_RUN
    ScheduledWorkItem Flags:
    DeleteWhenDone = 0
    Suspend = 0
    StartOnlyIfIdle = 0
    KillOnIdleEnd = 0
    RestartOnIdleResume = 0
    DontStartIfOnBatteries = 0
    KillIfGoingOnBatteries = 0
    RunOnlyIfLoggedOn = 1
    SystemRequired = 0
    Hidden = 1
    TaskFlags: 0

    1 Trigger

    Trigger 0:
    Type: Daily
    DaysInterval: 1
    StartDate: 02/11/1995
    EndDate: 00/00/0000
    StartTime: 00:00
    MinutesDuration: 1440
    MinutesInterval: 60
    Flags:
    HasEndDate = 0
    KillAtDuration = 0
    Disabled = 0


    And finally, the Rapport file

    SmitFraudFix v2.65

    Scan done at 21:06:19.84, Sun 25/06/2006
    Run from C:\1\Copy only SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    Fix ran in safe mode

    »»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{af3fd9a8-1287-4159-9212-9a5b4494af70}"="ecosystems"


    »»»»»»»»»»»»»»»»»»»»»»»» Killing process


    »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

    GenericRenosFix by S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

    C:\WINDOWS\system32\atmclk.exe Deleted
    C:\WINDOWS\system32\dcomcfg.exe Deleted
    C:\WINDOWS\system32\guxxa.dll Deleted
    C:\WINDOWS\system32\hp???.tmp Deleted
    C:\WINDOWS\system32\ld????.tmp Deleted
    C:\WINDOWS\system32\ot.ico Deleted
    C:\WINDOWS\system32\regperf.exe Deleted
    C:\WINDOWS\system32\simpole.tlb Deleted
    C:\WINDOWS\system32\stdole3.tlb Deleted
    C:\WINDOWS\system32\1024\ Deleted
    C:\Program Files\SpywareQuake.com\ Deleted

    »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


    »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

    Registry Cleaning done.

    »»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» End


    Am I clean yet? Cheers, mate.
     
  9. lemosc

    lemosc Member

    Please review my logs. I have a nasty bug/trojan/spyware problem that I don't seem to know how to fix. Please help!!!

    Logfile of HijackThis v1.99.1
    Scan saved at 9:05:32 AM, on 6/25/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\ewido\security suite\ewidoctrl.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Microsoft IntelliPoint\point32.exe
    C:\Program Files\NETGEAR\Wireless Smart Configuration\Utility\NetgearAG.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    E:\Program Files\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\system32\7d0ce104.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
    C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\Program Files\Hewlett-Packard\HP OfficeJet T Series\Bin\HPOstr05.exe
    C:\Program Files\Hewlett-Packard\HP OfficeJet T Series\bin\HPOVDX05.EXE
    C:\WINDOWS\system32\hpoipm07.exe
    C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Admin\Desktop\HijackThis_v1.99.1.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Nothing - {5f4c3d09-b3b9-4f88-aa82-31332fee1c08} - C:\WINDOWS\system32\hp100.tmp
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
    O4 - HKLM\..\Run: [AS00_Netgear] C:\Program Files\NETGEAR\Wireless Smart Configuration\Utility\NetgearAG.exe -hide
    O4 - HKLM\..\Run: [MSN Messenger] C:\WINDOWS\system32\msmsgs.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [7d0ce104.exe] C:\WINDOWS\system32\7d0ce104.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [7d0ce104.exe] C:\Documents and Settings\Admin\Local Settings\Application Data\7d0ce104.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O4 - Global Startup: HP OfficeJet T Series Startup.lnk = C:\Program Files\Hewlett-Packard\HP OfficeJet T Series\Bin\HPOstr05.exe
    O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1137260583292
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\r_server.exe" /service (file missing)
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

    Here is my Rapport log:
    SmitFraudFix v2.65

    Scan done at 9:30:45.78, Sun 06/25/2006
    Run from C:\Documents and Settings\Admin\Desktop\SmitfraudFix\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    Fix ran in safe mode

    »»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{6af69c4d-420a-4c95-b34f-e4635f84f53b}"="forevouched"


    »»»»»»»»»»»»»»»»»»»»»»»» Killing process


    »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

    GenericRenosFix by S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

    C:\WINDOWS\q*_disk.dll Deleted
    C:\WINDOWS\system32\atmclk.exe Deleted
    C:\WINDOWS\system32\dcomcfg.exe Deleted
    C:\WINDOWS\system32\hp???.tmp Deleted
    C:\WINDOWS\system32\ld????.tmp Deleted
    C:\WINDOWS\system32\ot.ico Deleted
    C:\WINDOWS\system32\perfcii.ini Deleted
    C:\WINDOWS\system32\regperf.exe Deleted
    C:\WINDOWS\system32\stdole3.tlb Deleted
    C:\WINDOWS\system32\1024\ Deleted
    C:\DOCUME~1\ALLUSE~1\Desktop\Online Security Guide.url Deleted
    C:\Program Files\Security Toolbar\ Deleted
    C:\Program Files\SpywareQuake.com\ Deleted

    »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


    »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

    Registry Cleaning done.

    »»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» End

    Thanks Carlos
     
  10. USCGCWO69

    USCGCWO69 Member

    Found my computer infected with this little jewel, here is the logfile:

    Logfile of HijackThis v1.99.1
    Scan saved at 10:08:28 AM, on 6/25/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\CTsvcCDA.EXE
    c:\program files\mcafee.com\agent\mcdetect.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    C:\WINDOWS\system32\atmclk.exe
    C:\WINDOWS\system32\dcomcfg.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\Program Files\BellSouth Internet Tools\blsloader.exe
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
    C:\WINDOWS\system32\CTHELPER.EXE
    C:\Program Files\McAfee.com\VSO\mcvsshld.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
    C:\Program Files\McAfee.com\VSO\oasclnt.exe
    C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
    C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
    C:\PROGRA~1\LEXMAR~1\ACMonitor_X84-X85.exe
    C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X84-X85.exe
    C:\WINDOWS\MMKeybd.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\WINDOWS\system32\spoc42.exe
    C:\Program Files\Yahoo!\Messenger\ypager.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Magical Gatherings\Magical Gatherings.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\WINDOWS\system32\spoc42.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
    C:\WINDOWS\system32\devldr32.exe
    c:\progra~1\mcafee.com\vso\mcvsftsn.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
    C:\Program Files\Netropa\Traymon.exe
    C:\Program Files\Netropa\OSD.exe
    C:\Program Files\Support.com\bin\tgcmd.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Darin Qualkenbush\Desktop\HijackThis_v1.99.1.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
    R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
    F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\qsdgm.exe
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,cnjjwdv.exe
    O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000010} - C:\WINDOWS\DH.dll (file missing)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: BlspcHlpr Class - {15C9938F-CB96-496D-800A-B827F2E34EA1} - C:\Program Files\BellSouth Internet Tools\blspc.dll
    O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\PROGRA~1\mcafee.com\mps\mcbrhlpr.dll
    O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll (file missing)
    O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
    O2 - BHO: McAfee AntiPhishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\PROGRA~1\mcafee\SPAMKI~1\mcapfbho.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
    O2 - BHO: (no name) - {6001CDF7-6F45-471b-A203-0225615E35A7} - C:\WINDOWS\DH.dll (file missing)
    O2 - BHO: Nothing - {686a161d-5bd1-4999-8832-6393f41e564c} - C:\WINDOWS\system32\hp100.tmp
    O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
    O2 - BHO: Yvakt Class - {BA3DDC15-3EF1-4DC7-B9B6-ED0403F9422A} - C:\WINDOWS\system32\OUGHYA~1.DLL (file missing)
    O2 - BHO: (no name) - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - (no file)
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O3 - Toolbar: (no name) - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - (no file)
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [CQ4d6] "C:\WINDOWS\system32\slk8x2peu.exe"
    O4 - HKLM\..\Run: [blspcloader] "C:\Program Files\BellSouth Internet Tools\blsloader.exe"
    O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [MPFEXE] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
    O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
    O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
    O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\BellSouth\hcenter.exe" /starthidden /tgcmdwrapper
    O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
    O4 - HKLM\..\Run: [OSS] C:\WINDOWS\SYSTEM32\ossproxy.exe -boot
    O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
    O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
    O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe"
    O4 - HKLM\..\Run: [Lexmark X84-X85 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X84-X85.exe
    O4 - HKLM\..\Run: [Lexmark X84-X85 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X84-X85.exe
    O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
    O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\MMKeybd.exe
    O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [aapsmv] C:\WINDOWS\system32\bjlcmx.exe reg_run
    O4 - HKCU\..\Run: [taskdir] C:\WINDOWS\system32\taskdir.exe
    O4 - HKCU\..\Run: [wwwun] C:\WINDOWS\system32\bjlcmx.exe reg_run
    O4 - HKCU\..\Run: [spoc42] C:\WINDOWS\system32\spoc42.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [Ukb] C:\Documents and Settings\Darin Qualkenbush\My Documents\??sks\m?hta.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [irssyncd] C:\WINDOWS\system32\irssyncd.exe
    O4 - HKCU\..\Run: [ESPN BottomLine] C:\Program Files\ESPN\BottomLine\bline.exe
    O4 - HKCU\..\Run: [dpnnin] C:\WINDOWS\system32\dpnnin.exe
    O4 - HKCU\..\Run: [Aida] "C:\Program Files\rdso\eetu.exe" -vt yazb
    O4 - HKCU\..\Run: [Magical Gatherings] "C:\Program Files\Magical Gatherings\Magical Gatherings.exe" -r
    O4 - HKCU\..\RunOnce: [spoc42] C:\WINDOWS\system32\spoc42.exe
    O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O4 - Global Startup: sqxds.exe
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Web Rebates. - file://C:\Program Files\WebRebates4\websrebates\webtrebates\toprC0.htm
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\PROGRA~1\mcafee\SPAMKI~1\mcapfbho.dll
    O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\PROGRA~1\mcafee\SPAMKI~1\mcapfbho.dll
    O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
    O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet6_38.dll' missing
    O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
    O12 - Plugin for .mp4: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
    O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O15 - Trusted Zone: http://click.getmirar.com (HKLM)
    O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
    O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
    O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
    O16 - DPF: {7149E79C-DC19-4C5E-A53C-A54DDF75EEE9} (IObjSafety.DemoCtl) - http://cabs.media-motor.net/cabs/alien.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab32846.cab
    O18 - Filter: text/html - {D332110E-3EDB-417B-B8E2-297B61C074C6} - C:\WINDOWS\system32\OUGHYA~1.DLL
    O20 - AppInit_DLLs: iniwin32.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\RGFyaW4gUXVhbGtlbmJ1c2g\command.exe (file missing)
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
    O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
    O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
    O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
    O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
    O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\tsmavvc.exe (file missing)
     
  11. pinkowski

    pinkowski Guest

  12. JaPK

    JaPK Regular member

    @sambro

    Not clean yet....

    Cleaning instructions:

    Download ATF Cleaner by Atribune to your desktop -> http://www.atribune.org/ccount/click.php?id=1
    Do NOT run yet.

    Run HijackThis. Press Do a system scan only, then close all other windows, checkmark the following entries and press Fix checked

    O4 - HKCU\..\Run: [knob owns] C:\DOCUME~1\Sam\APPLIC~1\SHIMCO~1\32 ace once.exe

    Make your hidden files visible -> http://www.bleepingcomputer.com/tutorials/tutorial62.html
    Restart your computer to the safemode -> http://www.pchell.com/support/safemode.shtml

    Delete these folders (if found):
    C:\Documents and Settings\Sam\APPLIC~1\SHIMCO~1
    C:\Documents and Settings\Sam\Complete

    Run ATF Cleaner -> Check select all -> Press Empty selected

    Clean the Recycle bin and make your hidden files visible again.

    Restart your computer normally.

    Download Killbox to your desktop -> http://www.downloads.subratam.org/KillBox.zip
    Unzip it to your desktop.

    Run Killbox.exe
    -> Choose Delete on Reboot
    -> Click All Files option.

    Copy the following lines to your clipboard (choose text with your mouse, press CTRL+C or copy)

    c:\windows\tasks\A85C9FBD91AB1695.job


    Then go back to Killbox
    -> go to File
    -> choose Paste from Clipboard
    -> Click the red-white Delete File option.
    -> Click Yes to Delete on Reboot question
    -> Click OK to any PendingFileRenameOperations requests (and tell me if you get any of these!)
    -> Restart your computer if Killbox won't do it.

    (If you get this error when running Killbox: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid.", download Missingfilessetup.exe from here to your desktop and run the file, then try running killbox -> http://www.eudaemonia.me.uk/downloads/Files/missingfilesetup.exe)

    Run Findlop again.

    Post the following logs to here:
    -> a fresh HijackThis log
    -> Ewido's log
    -> C:\findlop.txt

    -----------------------------------------------------------------------------------------------------------------

    @lemosc

    Ok, you got some infections on your computer....

    Cleaning instructions:

    Move HijackThis into its own folder C:\HJT

    Disable Windows AntiSpyware because it may hinder the cleaning process, instructions -> http://wiki.castlecops.com/Malware_...oring_Programs#MS_AntiSpyware_.28MSAS.29_Beta

    Update your Ewido.

    Download Killbox to your desktop -> http://www.downloads.subratam.org/KillBox.zip
    Unzip it to your desktop.

    Download ATF Cleaner by Atribune to your desktop -> http://www.atribune.org/ccount/click.php?id=1
    Do NOT run yet.

    Run HijackThis. Press Do a system scan only, then close all other windows, checkmark the following entries and press Fix checked

    O4 - HKLM\..\Run: [7d0ce104.exe] C:\WINDOWS\system32\7d0ce104.exe
    O4 - HKCU\..\Run: [7d0ce104.exe] C:\Documents and Settings\Admin\Local Settings\Application Data\7d0ce104.exe

    Open Notepad
    -> copy the following lines into a new document:

    @echo off
    sc stop r_server
    sc delete r_server

    Save the document to your desktop as Removal.bat and filetype: All Files
    Go to your desktop and run the file Removal.bat and answer yes to any questions.

    Restart your computer to the safemode -> http://www.pchell.com/support/safemode.shtml

    Run Killbox.exe
    -> Choose Delete on Reboot
    -> Click All Files option.

    Copy the following lines to your clipboard (choose text with your mouse, press CTRL+C or copy)

    C:\WINDOWS\system32\7d0ce104.exe
    C:\Documents and Settings\Admin\Local Settings\Application Data\7d0ce104.exe
    C:\WINDOWS\system32\r_server.exe


    Then go back to Killbox
    -> go to File
    -> choose Paste from Clipboard
    -> Click the red-white Delete File option.
    -> Click Yes to Delete on Reboot question
    -> Click OK to any PendingFileRenameOperations requests (and tell me if you get any of these!)
    -> Restart your computer if Killbox won't do it.

    (If you get this error when running Killbox: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid.", download Missingfilessetup.exe from here to your desktop and run the file, then try running killbox -> http://www.eudaemonia.me.uk/downloads/Files/missingfilesetup.exe)

    Run ATF Cleaner -> Check select all -> Press Empty selected

    When in safemode, open SmitfraudFix folder and doubleclick the file smitfraudfix.cmd
    Choose option #2 - Clean by typing 2 and pressing "Enter" in order to remove the infected files.

    You are asked: "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove your desktop wallpaper and the infected registry keys.

    The tool checks if wininet.dll file is infected. You might be asked to replace the infected .dll (if found); answer "Yes" by typing Y and press "Enter".

    The tool might have to restart your computer; if it won't do it, restart your computer back to normal mode.
    A textfile will appear after the cleaning process, copy this file and paste it to here.

    The log is saved to your local disk drive, usually C:\rapport.txt.

    Warning : Running option 2 in a clean computer will delete your desktop wallpaper.

    Scan and clean your computer with Ewido and save the report.

    Post the following logs to here:
    -> a fresh HijackThis log
    -> Ewido's log
    -> C:\Rapport.txt

    -----------------------------------------------------------------------------------------------------------------

    @USCGCWO69

    Ok, you got a massive collection of infections on your computer....

    Cleaning instructions:

    Move HijackThis into its own folder C:\HJT

    Download and install Ewido anti-malware -> http://www.ewido.net/en/download
    Update it, but do NOT run a scan yet. We'll use it later.

    Download ATF Cleaner by Atribune to your desktop -> http://www.atribune.org/ccount/click.php?id=1
    Do NOT run yet.

    Download LSPFix -> http://www.cexx.org/lspfix.htm to your desktop.
    Don't run this program yet. This program is used only if you lost your internet connection during the cleaning.

    Go to Control Panel -> Add/Remove programs -> Remove PuritySCAN By OIN, OuterInfo, OIN, New.Net, NewDotNet, WebHancer or similars if found

    If PuritySCAN By OIN, OuterInfo, OIN were not listed, download this uninstaller and run it -> http://www.outerinfo.com/OiUninstaller.exe
    Instructions for the uninstaller if needed -> http://www.outerinfo.com/howto.html

    --->IF New.Net or NewDotNet ain't listed in add/or remove programs, do this<---

    1. Unplug your internet cable.
    2. Disable your antispyware and antivirus.
    3. Download NNuninstall to your desktop http://www.new.net/support/NNuninstall.exe
    4. Run NNuninstall.exe file.
    -> It asks if you want to remove New.Net
    -> Click Yes.
    -> When it is done click OK.
    -> Restart your computer
    5. Restart your antivirus.
    6. Plug your internet cable back.
    7. Empty the recycle bin.

    (IF you lost your internet connection during the new.net removal, double-click LSPFix.exe. Check "I know what I'm doing" option. You see two panels; if something is listed in "Remove" panel on the right side, leave it there and press "Finish>>". Then restart your computer and the connection should work. If nothing is listed in "Remove" panel, DO NOTHING, close LSPFix. Go to some different machine to get help. (This is just a precaution. Usually the internet connection stays ok ;) ))

    -->Then continue from here<---

    Download E2TakeOut.exe and unzip it to your desktop ->
    -> Doubleclick E2TakeOut.exe
    -> Click Begin Removal
    -> Wait for the scan to end
    -> Restart your computer
    -> A logfile should open, copy its contents to your next reply

    Download SmitfraudFix.zip to your desktop -> http://siri.urz.free.fr/Fix/SmitfraudFix.zip

    Unzip it (folder named SmitFraudFix) to your desktop:

    Open the folder SmitfraudFix and doubleclick smitfraudfix.cmd
    Choose option #1 - Search by typing 1 and pressing "Enter"; a textfile opens and lists the infected files (if those exist)

    Post the contents of this textfile to here.

    (Some antiviruses recognise process.exe as malware. It is not malware, it is a program that stops processes.)


    Post the following logs to here:
    -> a fresh HijackThis log
    -> SmitFraudFix log
    -> E2TakeOut log

    Then we'll continue. Note: You're NOT CLEAN yet!!
     
    Last edited: Jun 25, 2006
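The HijackThis logs in this thread are read by section code (F2, O2, O4, O10, O20, O23). The triage parser below is an added example, not part of any post here and not HijackThis's own code; it runs over lines copied from the log posted above, and the rule names and heuristics (`extra-logon-program`, `same-file-many-names` and so on) are assumptions chosen for illustration, so a hit means "review this entry", not "infected".

```python
import ntpath
import re
from collections import defaultdict

# Constructed sample: a few lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\qsdgm.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,cnjjwdv.exe
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000010} - C:\WINDOWS\DH.dll (file missing)
O2 - BHO: Nothing - {686a161d-5bd1-4999-8832-6393f41e564c} - C:\WINDOWS\system32\hp100.tmp
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
O4 - HKLM\..\Run: [aapsmv] C:\WINDOWS\system32\bjlcmx.exe reg_run
O4 - HKCU\..\Run: [wwwun] C:\WINDOWS\system32\bjlcmx.exe reg_run
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet6_38.dll' missing
O20 - AppInit_DLLs: iniwin32.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\tsmavvc.exe (file missing)
"""

ENTRY_RE = re.compile(r"^\s*([RFNO]\d{1,2}) - (.+?)\s*$")      # "O4 - <body>"
O4_RE = re.compile(r"^(\S+): \[(.+?)\] (.+)$")                 # hive: [value name] command
EXE_RE = re.compile(r'"([^"]+)"|(.+?\.(?:exe|dll|com|bat|cmd))\b', re.I)
# Winlogon values reported under F2 and the only program each should name by default.
EXPECTED = {"shell": "explorer.exe", "userinit": "userinit.exe"}


def parse(log):
    """Yield (section_code, body) for every HijackThis entry line; skip everything else."""
    for line in log.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            yield m.group(1), m.group(2)


def autorun_target(command):
    """Return the executable of an O4 command line (quoted or not), lower-cased."""
    m = EXE_RE.match(command)
    path = (m.group(1) or m.group(2)) if m else command
    return path.lower()


def triage(log):
    """Return a list of (section_code, rule, detail) for entries worth a closer look."""
    findings = []
    run_names = defaultdict(set)          # executable -> set of Run value names
    for code, body in parse(log):
        # Registration left behind after its file was removed (or never existed).
        if "(file missing)" in body or "(no file)" in body:
            findings.append((code, "orphaned", body))
        if code == "F2":
            m = re.search(r"(Shell|UserInit)=(.*)", body, re.I)
            if m:
                expected = EXPECTED[m.group(1).lower()]
                extras = [v.strip() for v in m.group(2).split(",")
                          if v.strip() and ntpath.basename(v.strip()).lower() != expected]
                if extras:                # anything appended runs at every logon
                    findings.append((code, "extra-logon-program", ", ".join(extras)))
        elif code == "O2" and body.rsplit(" - ", 1)[-1].lower().endswith(".tmp"):
            findings.append((code, "bho-from-tmp", body.rsplit(" - ", 1)[-1]))
        elif code == "O4":
            m = O4_RE.match(body)
            if m:
                run_names[autorun_target(m.group(3))].add(m.group(2))
        elif code == "O10":
            findings.append((code, "broken-lsp", body))
        elif code == "O20" and body.lower().startswith("appinit_dlls:"):
            value = body.split(":", 1)[1].strip()
            if value:                     # loaded into every process that loads user32.dll
                findings.append((code, "appinit-dll", value))
    # One executable started under several unrelated value names.
    for target, names in sorted(run_names.items()):
        if len(names) > 1:
            findings.append(("O4", "same-file-many-names",
                             f"{target} <- {', '.join(sorted(names))}"))
    return findings


if __name__ == "__main__":
    for code, rule, detail in triage(SAMPLE_LOG):
        print(f"{code:<4}{rule:<22}{detail}")
```

A default `UserInit=C:\WINDOWS\system32\userinit.exe,` value (with its trailing comma) produces no finding, which is the case to check before treating an F2 line as suspicious.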
  13. USCGCWO69

    USCGCWO69 Member

    Thank you for your help thus far! Completed all requested actions; here are the logfiles:

    E2TakeOut v1.00 [http://www.malwarebytes.org]

    Removed orphaned leftovers
    AppInit key reset



    SmitFraudFix v2.65

    Scan done at 11:58:29.45, Sun 06/25/2006
    Run from C:\Documents and Settings\Darin Qualkenbush\Desktop\SmitfraudFix\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    Fix ran in normal mode

    »»»»»»»»»»»»»»»»»»»»»»»» C:\


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

    C:\WINDOWS\drsmartload2.dat FOUND !
    C:\WINDOWS\newname.dat FOUND !
    C:\WINDOWS\teller2.chk FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

    C:\WINDOWS\system32\dcomcfg.exe FOUND !
    C:\WINDOWS\system32\hp???.tmp FOUND !
    C:\WINDOWS\system32\hp????.tmp FOUND !
    C:\WINDOWS\system32\ot.ico FOUND !
    C:\WINDOWS\system32\regperf.exe FOUND !
    C:\WINDOWS\system32\stdole3.tlb FOUND !
    C:\WINDOWS\system32\ts.ico FOUND !
    C:\WINDOWS\system32\users32.exe FOUND !
    C:\WINDOWS\system32\zlbw.dll FOUND !
    C:\WINDOWS\system32\1024\ FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Darin Qualkenbush\Application Data


    »»»»»»»»»»»»»»»»»»»»»»»» Start Menu


    »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\DARINQ~1\FAVORI~1

    C:\DOCUME~1\DARINQ~1\FAVORI~1\Antivirus Test Online.url FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» Desktop

    C:\DOCUME~1\ALLUSE~1\Desktop\Online Security Guide.url FOUND !
    C:\DOCUME~1\ALLUSE~1\Desktop\Security Troubleshooting.url FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


    »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
    "Source"="C:\\WINDOWS\\system32\\ad.html"
    "SubscribedURL"=""
    "FriendlyName"=""

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="My Current Home Page"

    »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{af3fd9a8-1287-4159-9212-9a5b4494af70}"="ecosystems"

    [HKEY_CLASSES_ROOT\CLSID\{af3fd9a8-1287-4159-9212-9a5b4494af70}\InProcServer32]
    @="C:\WINDOWS\system32\guxxa.dll"

    [HKEY_CURRENT_USER\Software\Classes\CLSID\{af3fd9a8-1287-4159-9212-9a5b4494af70}\InProcServer32]
    @="C:\WINDOWS\system32\guxxa.dll"


    »»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


    »»»»»»»»»»»»»»»»»»»»»»»» End


    Logfile of HijackThis v1.99.1
    Scan saved at 11:59:57 AM, on 6/25/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\CTsvcCDA.EXE
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    c:\program files\mcafee.com\agent\mcdetect.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
    C:\WINDOWS\system32\dcomcfg.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\Program Files\BellSouth Internet Tools\blsloader.exe
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
    C:\WINDOWS\system32\CTHELPER.EXE
    C:\Program Files\McAfee.com\VSO\mcvsshld.exe
    C:\Program Files\Support.com\BellSouth\hcenter.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
    C:\Program Files\McAfee.com\VSO\oasclnt.exe
    C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
    C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
    C:\PROGRA~1\LEXMAR~1\ACMonitor_X84-X85.exe
    C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X84-X85.exe
    C:\WINDOWS\MMKeybd.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\ewido anti-spyware 4.0\ewido.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Magical Gatherings\Magical Gatherings.exe
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    C:\WINDOWS\system32\devldr32.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Netropa\Traymon.exe
    c:\progra~1\mcafee.com\vso\mcvsftsn.exe
    C:\Program Files\Netropa\OSD.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
    C:\Program Files\Microsoft Works\MSWorks.exe
    C:\Documents and Settings\Darin Qualkenbush\Desktop\HijackThis_v1.99.1.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
    R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
    F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\qsdgm.exe
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,cnjjwdv.exe
    O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000010} - C:\WINDOWS\DH.dll (file missing)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: BlspcHlpr Class - {15C9938F-CB96-496D-800A-B827F2E34EA1} - C:\Program Files\BellSouth Internet Tools\blspc.dll
    O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\PROGRA~1\mcafee.com\mps\mcbrhlpr.dll
    O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
    O2 - BHO: McAfee AntiPhishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\PROGRA~1\mcafee\SPAMKI~1\mcapfbho.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
    O2 - BHO: (no name) - {6001CDF7-6F45-471b-A203-0225615E35A7} - C:\WINDOWS\DH.dll (file missing)
    O2 - BHO: Nothing - {686a161d-5bd1-4999-8832-6393f41e564c} - C:\WINDOWS\system32\hp100.tmp
    O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
    O2 - BHO: Yvakt Class - {BA3DDC15-3EF1-4DC7-B9B6-ED0403F9422A} - C:\WINDOWS\system32\OUGHYA~1.DLL (file missing)
    O2 - BHO: (no name) - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - (no file)
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O3 - Toolbar: (no name) - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - (no file)
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [CQ4d6] "C:\WINDOWS\system32\slk8x2peu.exe"
    O4 - HKLM\..\Run: [blspcloader] "C:\Program Files\BellSouth Internet Tools\blsloader.exe"
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [MPFEXE] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
    O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
    O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
    O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\BellSouth\hcenter.exe" /starthidden /tgcmdwrapper
    O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
    O4 - HKLM\..\Run: [OSS] C:\WINDOWS\SYSTEM32\ossproxy.exe -boot
    O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
    O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
    O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe"
    O4 - HKLM\..\Run: [Lexmark X84-X85 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X84-X85.exe
    O4 - HKLM\..\Run: [Lexmark X84-X85 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X84-X85.exe
    O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
    O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\MMKeybd.exe
    O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [aapsmv] C:\WINDOWS\system32\bjlcmx.exe reg_run
    O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
    O4 - HKCU\..\Run: [taskdir] C:\WINDOWS\system32\taskdir.exe
    O4 - HKCU\..\Run: [wwwun] C:\WINDOWS\system32\bjlcmx.exe reg_run
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [irssyncd] C:\WINDOWS\system32\irssyncd.exe
    O4 - HKCU\..\Run: [ESPN BottomLine] C:\Program Files\ESPN\BottomLine\bline.exe
    O4 - HKCU\..\Run: [dpnnin] C:\WINDOWS\system32\dpnnin.exe
    O4 - HKCU\..\Run: [Magical Gatherings] "C:\Program Files\Magical Gatherings\Magical Gatherings.exe" -r
    O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O4 - Global Startup: sqxds.exe
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Web Rebates. - file://C:\Program Files\WebRebates4\websrebates\webtrebates\toprC0.htm
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\PROGRA~1\mcafee\SPAMKI~1\mcapfbho.dll
    O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\PROGRA~1\mcafee\SPAMKI~1\mcapfbho.dll
    O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
    O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
    O12 - Plugin for .mp4: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
    O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O15 - Trusted Zone: http://click.getmirar.com (HKLM)
    O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
    O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
    O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
    O16 - DPF: {7149E79C-DC19-4C5E-A53C-A54DDF75EEE9} (IObjSafety.DemoCtl) - http://cabs.media-motor.net/cabs/alien.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab32846.cab
    O18 - Filter: text/html - {D332110E-3EDB-417B-B8E2-297B61C074C6} - C:\WINDOWS\system32\OUGHYA~1.DLL
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\RGFyaW4gUXVhbGtlbmJ1c2g\command.exe (file missing)
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
    O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
    O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
    O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
    O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\tsmavvc.exe (file missing)

     
  14. lemosc

    lemosc Member

    Thank you, that was lots of work but we may have done the job. Here are the logs as requested:
    Logfile of HijackThis v1.99.1
    Scan saved at 1:09:05 PM, on 6/25/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\ewido\security suite\ewidoctrl.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\Microsoft IntelliPoint\point32.exe
    C:\Program Files\NETGEAR\Wireless Smart Configuration\Utility\NetgearAG.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    E:\Program Files\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
    C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\Program Files\Hewlett-Packard\HP OfficeJet T Series\Bin\HPOstr05.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Hewlett-Packard\HP OfficeJet T Series\bin\HPOVDX05.EXE
    C:\WINDOWS\system32\hpoipm07.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\HJT\HijackThis.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
    O4 - HKLM\..\Run: [AS00_Netgear] C:\Program Files\NETGEAR\Wireless Smart Configuration\Utility\NetgearAG.exe -hide
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [7d0ce104.exe] C:\Documents and Settings\Admin\Local Settings\Application Data\7d0ce104.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O4 - Global Startup: HP OfficeJet T Series Startup.lnk = C:\Program Files\Hewlett-Packard\HP OfficeJet T Series\Bin\HPOstr05.exe
    O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1137260583292
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\r_server.exe" /service (file missing)
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe



    SmitFraudFix v2.65

    Scan done at 13:03:18.25, Sun 06/25/2006
    Run from C:\Documents and Settings\Admin\Desktop\SmitfraudFix\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    Fix ran in safe mode

    »»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    »»»»»»»»»»»»»»»»»»»»»»»» Killing process


    »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

    GenericRenosFix by S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


    »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

    Registry Cleaning done.

    »»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» End

    The Ewido report was blank. "no infected objects found"

    I look forward to your reply!

    Carlos
     
  15. nzhuhu

    nzhuhu Guest

    Please help me !!! My home page is ok now but my Internet Download Manager is always asking me to download files from nowhere !!!

    SmitFraudFix v2.65

    Scan done at 6:04:57.15, Mon 26/06/2006
    Run from C:\Documents and Settings\Henry Nguyen\Desktop\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    Fix ran in normal mode

    »»»»»»»»»»»»»»»»»»»»»»»» C:\


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Henry Nguyen\Application Data


    »»»»»»»»»»»»»»»»»»»»»»»» Start Menu


    »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\HENRYN~1\FAVORI~1


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


    »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



    »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{259BA022-2005-45E9-A965-10EDB9C00605}"="Windows Updater"

    [HKEY_CLASSES_ROOT\CLSID\{259BA022-2005-45E9-A965-10EDB9C00605}\InProcServer32]
    @="C:\WINDOWS\g1719968.dll"

    [HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{259BA022-2005-45E9-A965-10EDB9C00605}\InProcServer32]
    @="C:\WINDOWS\g1719968.dll"


    »»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


    »»»»»»»»»»»»»»»»»»»»»»»» End



    Thank you so much you guys !!!
     
  16. nzhuhu

    nzhuhu Guest

    Also I got some kind of Virus Alert ( advise me down load Anti Virus or something ) whenever I dont my search on Internet Explorer !!!
     
  17. JaPK

    JaPK Regular member

    @USCGCWO69

    OK, let's clean the rest of the infections...

    Cleaning instructions:

    Move HijackThis into its own folder C:\HJT

    Go to Control Panel -> Add/Remove programs -> Remove WebRebates4 if found

    Download ATF Cleaner by Atribune to your desktop -> http://www.atribune.org/ccount/click.php?id=1
    Do NOT run yet.

    Download FixAbwiz.exe to your desktop -> http://securityresponse.symantec.com/avcenter/FixAbwiz.exe
    Do NOT use this yet!

    Download BFU.zip -> http://www.merijn.org/files/bfu.zip
    Unzip it to folder C:\BFU

    Download this removal script, rightclick, "save target as" -> http://metallica.geekstogo.com/alcanshorty.bfu
    And save it to the same folder where BFU was installed earlier (c:\BFU).
    Do NOT use this yet!

    Download this removal script, rightclick, "save target as" -> http://downloads.subratam.org/Lon/qooFix.bat
    And save it to the same folder where BFU was installed earlier (c:\BFU).

    Please close ALL other open windows & Explorer folders, then double-click on QooFix.bat
    Choose option #1 (Qoolfix autofix) and follow the prompts.
    Please be patient, it will take about five minutes.

    Run HijackThis. Press Do a system scan only, then close all other windows, checkmark the following entries and press Fix checked

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
    R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
    F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\qsdgm.exe
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,cnjjwdv.exe
    O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000010} - C:\WINDOWS\DH.dll (file missing)
    O2 - BHO: (no name) - {6001CDF7-6F45-471b-A203-0225615E35A7} - C:\WINDOWS\DH.dll (file missing)
    O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
    O2 - BHO: Yvakt Class - {BA3DDC15-3EF1-4DC7-B9B6-ED0403F9422A} - C:\WINDOWS\system32\OUGHYA~1.DLL (file missing)
    O2 - BHO: (no name) - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - (no file)
    O3 - Toolbar: (no name) - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - (no file)
    O4 - HKLM\..\Run: [CQ4d6] "C:\WINDOWS\system32\slk8x2peu.exe"
    O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
    O4 - HKLM\..\Run: [OSS] C:\WINDOWS\SYSTEM32\ossproxy.exe -boot
    O4 - HKLM\..\Run: [aapsmv] C:\WINDOWS\system32\bjlcmx.exe reg_run
    O4 - HKCU\..\Run: [taskdir] C:\WINDOWS\system32\taskdir.exe
    O4 - HKCU\..\Run: [wwwun] C:\WINDOWS\system32\bjlcmx.exe reg_run
    O4 - HKCU\..\Run: [irssyncd] C:\WINDOWS\system32\irssyncd.exe
    O4 - HKCU\..\Run: [dpnnin] C:\WINDOWS\system32\dpnnin.exe
    O4 - Global Startup: sqxds.exe
    O8 - Extra context menu item: Web Rebates. - file://C:\Program Files\WebRebates4\websrebates\webtrebates\toprC0.htm
    O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
    O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
    O15 - Trusted Zone: http://click.getmirar.com (HKLM)
    O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
    O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
    O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
    O16 - DPF: {7149E79C-DC19-4C5E-A53C-A54DDF75EEE9} (IObjSafety.DemoCtl) - http://cabs.media-motor.net/cabs/alien.cab
    O18 - Filter: text/html - {D332110E-3EDB-417B-B8E2-297B61C074C6} - C:\WINDOWS\system32\OUGHYA~1.DLL

    Open Notepad
    -> copy the following lines into a new document:

    @echo off
    rem The service name contains spaces, so it must be quoted for sc
    sc stop "Windows Overlay Components"
    sc delete "Windows Overlay Components"

    Save the document to your desktop as Removal.bat and filetype: All Files
    Go to your desktop and run the file Removal.bat and answer yes to any questions.

    Make your hidden files visible -> http://www.bleepingcomputer.com/tutorials/tutorial62.html
    Restart your computer in safe mode -> http://www.pchell.com/support/safemode.shtml

    Press Start -> My Computer -> Go to folder C:\BFU

    -> Run BFU by doubleclicking BFU.exe
    -> Type or copy/paste this to the "Scriptline to execute" -field: C:\BFU\alcanshorty.bfu
    -> Click Execute and let it do its work (You should see a progressbar if you did this right)
    -> Wait for the "Complete script execution" box and click OK.
    -> Click Exit in order to quit BFU.

    Run FixAbwiz.exe and when the cleaning is done, it will open a log, save this log.

    Delete these folders (if found):
    C:\Program Files\webHancer
    C:\Program Files\WebRebates4
    C:\Program Files\PurityScan
    C:\WINDOWS\RGFyaW4gUXVhbGtlbmJ1c2g

    Delete these files (if found):
    C:\WINDOWS\system32\slk8x2peu.exe
    C:\WINDOWS\SYSTEM32\ossproxy.exe
    C:\WINDOWS\system32\irssyncd.exe
    C:\WINDOWS\system32\dpnnin.exe
    C:\WINDOWS\tsmavvc.exe

    Use the Windows "search" function
    -> Start
    -> Search
    -> All files and folders
    -> More advanced options

    Checkmark these options:
    - "Search system folders"
    - "Search hidden files and folders"
    - "Search subfolders"

    ->Search for this and delete if found: sqxds.exe

    Run ATF Cleaner -> Check select all -> Press Empty selected

    Scan and clean your computer with Ewido and save the report.

    Clean the Recycle bin.

    When in safe mode, open the SmitfraudFix folder and double-click the file smitfraudfix.cmd
    Choose option #2 - Clean by typing 2 and pressing "Enter" in order to remove the infected files.

    You are asked: "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove your desktop wallpaper and the infected registry keys.

    The tool checks if wininet.dll file is infected. You might be asked to replace the infected .dll (if found); answer "Yes" by typing Y and press "Enter".

    The tool might have to restart your computer; if it doesn't, restart your computer back to normal mode.
    A text file will appear after the cleaning process; copy this file and paste it here.

    The log is saved to your local disk drive, usually C:\rapport.txt.

    Warning: Running option 2 on a clean computer will delete your desktop wallpaper.

    Restart your computer normally.

    Post the following logs here:
    -> a fresh HijackThis log
    -> Ewido's log
    -> Contents of C:\Rapport.txt
    -> FixAbwiz log

    ------------------------------------------------------------------------------------------------------------------------

    @lemosc

    OK, we'll have to use a stronger tool...

    Open Notepad
    -> copy the following lines into a new document:

    @echo off
    sc stop r_server
    sc delete r_server

    Save the document to your desktop as Removal.bat and filetype: All Files
    Go to your desktop and run the file Removal.bat and answer yes to any questions.

    1. Download Avenger -> http://swandog46.geekstogo.com/avenger.zip and unzip it to desktop
    2. Copy all text in quote box below to Notepad (starting from Files to delete:)

    Notice: This script is for this user. If you aren't that user, DON'T follow these instructions, because they might harm your system.

    3. Now, open The Avenger
    -> Below "Script file to execute" select "Input Script Manually".
    ->Now click magnifying glass which opens a new window "View/edit script".
    -> Paste the text you earlier copied to Notepad here
    -> Click Done.
    -> Now click green light in order to start script.
    -> Click "Yes" .

    4. Avenger will do the following:
    -> Reboot your computer.
    -> While booting, it will open a dos prompt, it's normal
    -> After reboot it will create a logfile which should open . This log is in C:\avenger.txt
    -> Avenger has created a backup here -> C:\avenger\backup.zip.

    5. Copy/paste contents of avenger.txt along with a fresh HjT-log & Ewido log.

    ----------------------------------------------------------------------------------------------------------------

    @nzhuhu

    Please create a new thread here -> http://forums.afterdawn.com/forum_view.cfm/166

    Then post your HijackThis log there.

    Instructions for HjT posting -> http://forums.afterdawn.com/thread_view.cfm/263784
     
    Last edited: Jun 25, 2006
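
The "Fix checked" list in the instructions above was picked by hand from the HijackThis log. As an added example (not part of any post in this thread and not HijackThis's own logic), the Python pass below pre-screens such a log for entries worth a reviewer's attention. The sample lines are copied from the log posted earlier; the heuristics and all function names are assumptions of this example, and a flag means "review this entry", not "infected".

```python
import re
from collections import defaultdict

# Constructed sample: entry lines copied from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\qsdgm.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,cnjjwdv.exe
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000010} - C:\WINDOWS\DH.dll (file missing)
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [aapsmv] C:\WINDOWS\system32\bjlcmx.exe reg_run
O4 - HKCU\..\Run: [wwwun] C:\WINDOWS\system32\bjlcmx.exe reg_run
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\tsmavvc.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

ENTRY = re.compile(r"^([A-Z]\d+) - (.*)$")                   # "O4 - <body>"
RUN = re.compile(r"^(HK\w+)\\\.\.\\Run: \[(.+?)\] (.*)$")    # hive, value name, command
EXE = re.compile(r'"?([^"]+?\.exe)', re.IGNORECASE)          # first executable in a command

# Assumption: Windows XP defaults, with the C:\WINDOWS directory seen in the thread's logs.
WINLOGON_DEFAULTS = {
    "shell": "explorer.exe",
    "userinit": r"c:\windows\system32\userinit.exe",
}


def parse(log_text):
    """Yield (code, body) for each entry line; header and process-list lines are skipped."""
    for raw in log_text.splitlines():
        m = ENTRY.match(raw.strip())
        if m:
            yield m.group(1), m.group(2)


def winlogon_extras(body):
    """Return the programs an F2 Shell/UserInit value launches beyond the default one."""
    m = re.match(r"REG:system\.ini: (Shell|UserInit)=(.*)$", body, re.IGNORECASE)
    if not m:
        return []
    default = WINLOGON_DEFAULTS[m.group(1).lower()]
    parts = [p.strip() for p in m.group(2).split(",") if p.strip()]
    return [p for p in parts if p.lower() != default]


def triage(log_text):
    """Map each flagged entry line to the list of reasons it was flagged."""
    findings = defaultdict(list)
    run_targets = defaultdict(set)   # executable path -> {(value name, entry line)}
    for code, body in parse(log_text):
        line = f"{code} - {body}"
        # HijackThis itself marks registrations whose target is gone.
        if body.endswith("(file missing)") or body.endswith("(no file)"):
            findings[line].append("dangling reference")
        if code == "F2":
            for extra in winlogon_extras(body):
                findings[line].append(f"extra Winlogon program: {extra}")
        if code == "O23" and " - Unknown owner - " in body:
            findings[line].append("service without vendor information")
        if code == "O15":
            findings[line].append("site added to Trusted Zone")
        if code == "O4":
            m = RUN.match(body)
            exe = EXE.match(m.group(3)) if m else None
            if exe:
                run_targets[exe.group(1).lower()].add((m.group(2), line))
    # One executable registered under several differently named Run values.
    for regs in run_targets.values():
        if len({name for name, _ in regs}) > 1:
            for _, line in regs:
                findings[line].append("same executable under several Run names")
    return dict(findings)


if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_LOG).items():
        print(entry)
        for reason in reasons:
            print("    ->", reason)
```
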
  18. lemosc

    lemosc Member

    Well, I hope this does it. Again, thank you very much for all the help.

    Carlos
    Logfile of The Avenger version 1, by Swandog46
    Running from registry key:
    \Registry\Machine\System\CurrentControlSet\Services\gbvqnmuw

    *******************

    Script file located at: \??\C:\Documents and Settings\bdngvthy.txt
    Script file opened successfully.

    Script file read successfully

    Backups directory opened successfully at C:\Avenger

    *******************

    Beginning to process script file:



    File C:\WINDOWS\system32\7d0ce104.exe not found!
    Deletion of file C:\WINDOWS\system32\7d0ce104.exe failed!

    Could not process line:
    C:\WINDOWS\system32\7d0ce104.exe
    Status: 0xc0000034



    File C:\Documents and Settings\Admin\Local Settings\Application Data\7d0ce104.exe not found!
    Deletion of file C:\Documents and Settings\Admin\Local Settings\Application Data\7d0ce104.exe failed!

    Could not process line:
    C:\Documents and Settings\Admin\Local Settings\Application Data\7d0ce104.exe
    Status: 0xc0000034



    File C:\WINDOWS\system32\r_server.exe not found!
    Deletion of file C:\WINDOWS\system32\r_server.exe failed!

    Could not process line:
    C:\WINDOWS\system32\r_server.exe
    Status: 0xc0000034


    Completed script processing.

    *******************

    Finished! Terminate.


    ---------------------------------------------------------
    ewido anti-malware - Scan report
    ---------------------------------------------------------

    + Created on: 9:04:08 PM, 6/25/2006
    + Report-Checksum: A33A32F5

    + Scan result:

    C:\Documents and Settings\Admin\Cookies\admin@ads.addynamix[1].txt -> TrackingCookie.Addynamix : Cleaned with backup
    C:\Documents and Settings\Admin\Cookies\admin@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
    C:\Documents and Settings\Admin\Cookies\admin@zedo[1].txt -> TrackingCookie.Zedo : Cleaned with backup


    ::Report End

    Logfile of HijackThis v1.99.1
    Scan saved at 9:06:21 PM, on 6/25/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\ewido\security suite\ewidoctrl.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Microsoft IntelliPoint\point32.exe
    C:\Program Files\NETGEAR\Wireless Smart Configuration\Utility\NetgearAG.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    E:\Program Files\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\Program Files\Hewlett-Packard\HP OfficeJet T Series\Bin\HPOstr05.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Hewlett-Packard\HP OfficeJet T Series\bin\HPOVDX05.EXE
    C:\WINDOWS\system32\hpoipm07.exe
    C:\HJT\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aopa.org/members/wx/?
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
    O4 - HKLM\..\Run: [AS00_Netgear] C:\Program Files\NETGEAR\Wireless Smart Configuration\Utility\NetgearAG.exe -hide
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [7d0ce104.exe] C:\Documents and Settings\Admin\Local Settings\Application Data\7d0ce104.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O4 - Global Startup: HP OfficeJet T Series Startup.lnk = C:\Program Files\Hewlett-Packard\HP OfficeJet T Series\Bin\HPOstr05.exe
    O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1137260583292
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\r_server.exe" /service (file missing)
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

     
  19. JaPK

    JaPK Regular member

    Joined:
    Feb 23, 2006
    Messages:
    1,269
    Likes Received:
    0
    Trophy Points:
    46
    @lemosc

    Ok good, one more thing, fix the following entry with HijackThis:

    O4 - HKCU\..\Run: [7d0ce104.exe] C:\Documents and Settings\Admin\Local Settings\Application Data\7d0ce104.exe

    Reboot.

    Post a fresh HijackThis log here once more.
    If the new log is clean, then you're clean :)



     
  20. sambro

    sambro Member

    Joined:
    Jun 24, 2006
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    11
    Here we go, how is that

    Logfile of HijackThis v1.99.1
    Scan saved at 2:29:25 PM, on 26/06/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\system32\slserv.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\TWAIN_32\D66U\D066UUTY.EXE
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\HJT\HijackThis_v1.99.1.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [D066UUtility] C:\WINDOWS\TWAIN_32\D66U\D066UUTY.EXE
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NAV CfgWiz] C:\PROGRA~1\NORTON~2\Cfgwiz.exe /R
    O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F32D33BA-7E2D-49A2-A963-92B379F23FF6}: NameServer = 172.16.5.1
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
    O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~2\SYMANT~1\Rtvscan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

    And the EWIDO log
    ---------------------------------------------------------
    ewido anti-spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 2:50:45 PM 26/06/2006

    + Scan result:



    [1980] C:\DOCUME~1\Sam\APPLIC~1\GRIMSU~1\Surf Barb.exe -> Downloader.Swizzor.bo : Cleaned with backup (quarantined).
    C:\Documents and Settings\Jill\Local Settings\Temporary Internet Files\Content.IE5\QPCBKN4P\fammigodere[1].exe -> Heuristic.Win32.Dialer : Cleaned.
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\GPIVKTEZ\WinAntiVirusPro2006FreeInstall[1].exe -> Not-A-Virus.Downloader.Win32.WinFixer.j : Cleaned.
    C:\Documents and Settings\Sam\Cookies\sam@serving-sys[2].txt -> TrackingCookie.Serving-sys : Cleaned.
    C:\Documents and Settings\Sam\Cookies\sam@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned.
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\SLUZCDAF\WinFixer2006FreeInstall[1].exe -> Trojan.Fakealert : Cleaned with backup (quarantined).
    C:\Program Files\WinFixer2006FreeInstall.exe -> Trojan.Fakealert : Cleaned with backup (quarantined).


    ::Report end



    as well as the findlop text (this is all that came up)

    [TRACE] Enumerating jobs and queues



    Cheers
    sambro
     
