TheTechGuide Forum
General Category => Tech Clinic => Topic started by: boogieonrw on February 07, 2005, 05:11:44 PM
-
I'm pretty much overrun with a virus on one of my computers... it has 100% of the virtual memory being used.
There are all these instances of svchost running,
a bunch of weird other programs that, if I let it keep going, go up to as many as 63 or so processes at a time.
Spybot keeps finding stuff that it fixes, but it does so every time it opens... something's definitely wrong...
Does anyone have any suggestions?
I have a bunch of icons that I didn't put on my desktop, most of which are about spyware and viruses.
It's totally trying to get me to buy their antivirus...
Anyway... does anyone know what I have, or how I can get rid of it?
I'll post an up-to-date HJT log in a moment.
-
Logfile of HijackThis v1.99.0
Scan saved at 5:29:04 PM, on 2/7/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\xqyhu.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\xqyhu.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\xqyhu.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\xqyhu.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\xqyhu.dll/sp.html#12345
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\xqyhu.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.bettersearch.biz/free-discount.htm
R3 - Default URLSearchHook is missing
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 59.dll
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll
O2 - BHO: (no name) - {A3AC2034-C8B8-E8EA-550B-B4A3591F15B7} - C:\WINDOWS\system32\msni32.dll
O2 - BHO: &EliteSideBar - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - C:\WINDOWS\EliteSideBar\EliteSideBar 08.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe files\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [E.tmp] C:\DOCUME~1\jordan\LOCALS~1\Temp\E.tmp.exe 1 10001
O4 - HKLM\..\Run: [tibs5] C:\WINDOWS\System32\tibs5.exe
O4 - HKLM\..\Run: [Web Service] C:\WINDOWS\System32\msxmidi.exe
O4 - HKLM\..\Run: [E.tmp.exe] C:\DOCUME~1\jordan\LOCALS~1\Temp\E.tmp.exe 1 10001
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [tvshdg] c:\windows\system32\tvshdg.exe
O4 - HKLM\..\Run: [s39U3qV] psadsk.exe
O4 - HKLM\..\Run: [ntechin] C:\WINDOWS\system32\n20050308.exe
O4 - HKLM\..\Run: [crne32.exe] C:\WINDOWS\crne32.exe
O4 - HKLM\..\Run: [Systems Restart] Rundll32.exe wnim.dll, DllRegisterServer
O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvtcd32.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [6.tmp] C:\DOCUME~1\jordan\LOCALS~1\Temp\6.tmp.exe 2 10001
O4 - HKLM\..\Run: [6.tmp.exe] C:\DOCUME~1\jordan\LOCALS~1\Temp\6.tmp.exe 2 10001
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\RunOnce: [appvg32.exe] C:\WINDOWS\appvg32.exe
O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\TEMP\Application Data\eetu.exe
O4 - HKCU\..\RunOnce: [CleanUp!] C:\PROGRA~1\CleanUp!\CleanUp.exe /WindowsRestart
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O15 - Trusted Zone: *.addictivetechnologies.com
O15 - Trusted Zone: *.addictivetechnologies.net
O15 - Trusted Zone: *.admin2cash.biz
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.bettersearch.biz
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.f1organizer.com
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
O15 - Trusted Zone: *.iframe.biz
O15 - Trusted Zone: *.megapornix.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.newiframe.biz
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.pizdato.biz
O15 - Trusted Zone: *.private-dialer.biz
O15 - Trusted Zone: *.private-iframe.biz
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.sp2admin.biz
O15 - Trusted Zone: *.sp2[censored]ed.biz
O15 - Trusted Zone: *.vse-moe.biz
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted IP range: 206.161.125.149 (HKLM)
O16 - DPF: v3cab - http://searchmiracle.com/cab/1.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1107534934375
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topconverting.com/activex/loader2.ocx
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab?refid=4583
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,16/mcgdmgr.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O16 - DPF: {E62A47D8-74B1-4A93-963A-E5E43B7CC5C2} - http://www.zuvio.com/UCSearch.CAB
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - (no file)
O23 - Service: AOL Connectivity Service - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee.com McShield - Unknown - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NOD32 Kernel Service - Unknown - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Network Security Service (NSS) - Unknown - C:\WINDOWS\appvg32.exe
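The log above is a textbook about:blank / CoolWebSearch-style hijack: search pages redirected into an HTML resource inside a dropped DLL, BHOs outside Program Files, Run entries launching from the user's Temp directory or as bare filenames, a rundll32 DllRegisterServer re-registration at every logon, dozens of ad domains pushed into the IE Trusted Zone, and a service whose binary sits directly in C:\WINDOWS. The following is an added example, not part of the thread and not HijackThis code: a small triage script that applies those heuristics to HJT log lines. The sample lines are copied from the posted log; the rules, the KNOWN_DIRS list and the function names are this example's own assumptions.

```python
"""Flag hijack and persistence entries in a HijackThis log.

Added example for this thread, not HijackThis code.  The sample lines are
copied from the posted log; the heuristics below are this example's own.
"""
import re

# Autostart binaries and BHOs outside these directories are treated as suspect
# (assumption: a home XP box with software installed in the default places).
KNOWN_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\", "c:\\progra~1\\")

ENTRY_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.+)$")
RUN_RE = re.compile(r"(HKLM|HKCU)\\\.\.\\Run(Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)")

# Subset of the log posted above (copied, not constructed).
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\xqyhu.dll/sp.html#12345
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 59.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [E.tmp] C:\DOCUME~1\jordan\LOCALS~1\Temp\E.tmp.exe 1 10001
O4 - HKLM\..\Run: [s39U3qV] psadsk.exe
O4 - HKLM\..\Run: [Systems Restart] Rundll32.exe wnim.dll, DllRegisterServer
O4 - HKLM\..\Run: [crne32.exe] C:\WINDOWS\crne32.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O15 - Trusted Zone: *.bettersearch.biz
O23 - Service: NOD32 Kernel Service - Unknown - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Network Security Service (NSS) - Unknown - C:\WINDOWS\appvg32.exe
"""


def first_binary(cmd):
    """Return the launched executable (lower-cased) from a Run command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)].lower()
    return cmd.split(" ", 1)[0].lower()


def in_known_dir(path):
    return any(path.startswith(d) for d in KNOWN_DIRS)


def check_entry(sec, body):
    """Return a reason string if the entry looks hostile, else None."""
    if sec in ("R0", "R1"):
        value = body.split(" = ", 1)[-1].lower()
        if value.startswith("res://") and ".dll/" in value:
            return "IE search/start page points at an HTML resource inside a DLL"
    elif sec == "O2":
        path = body.rsplit(" - ", 1)[-1].lower()
        if not in_known_dir(path):
            return "BHO loaded from outside system32/Program Files"
    elif sec == "O4":
        m = RUN_RE.match(body)
        if not m:            # Global Startup .lnk entries are not checked here
            return None
        exe = first_binary(m["cmd"])
        if "\\temp\\" in exe:
            return "autostart runs from a Temp directory"
        if exe.endswith("rundll32.exe") and "dllregisterserver" in m["cmd"].lower():
            return "rundll32 re-registers a DLL at every logon"
        if "\\" not in exe:
            return "bare filename resolved through PATH, no directory given"
        if not in_known_dir(exe):
            return "autostart binary outside system32/Program Files"
    elif sec == "O15":
        return "site added to IE Trusted Zone (relaxes ActiveX/scripting limits)"
    elif sec == "O23":
        parts = body.split(" - ")
        company, path = parts[-2].strip(), parts[-1].strip().lower()
        if company == "Unknown" and not in_known_dir(path):
            return "service with unknown vendor running from outside system32/Program Files"
    elif sec == "F3":
        return "win.ini run= autostart (legacy hook, rarely legitimate on XP)"
    return None


def triage(log_text):
    """Return a list of {section, reason, line} for every flagged entry."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        reason = check_entry(m["sec"], m["body"])
        if reason:
            findings.append({"section": m["sec"], "reason": reason, "line": line.strip()})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['section']:4} {f['reason']}\n     {f['line']}")
```

Against the sample, the script clears the Intel tray applet and the NOD32 GUI (both in their expected directories) and flags the remaining eight lines. The O15 rule is deliberately unconditional: on a home machine the Trusted Zone is normally empty, so any entry there deserves a look.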
-
You have a few different infections
But we should be able to clear all of it
Let's try and tackle your first infections
Could you download ServiceFilter.zip (http://www.bleepingcomputer.com/files/windows/ServiceFilter.zip)
Unzip the contents to a folder
Double-click ServiceFilter.vbs; if you get a prompt from your anti-virus, allow this to run, we are just collecting information
This script will create a text file named 'Post_This.txt' in the same folder where the script itself has been saved - copy and paste the contents of Post_This.txt in your next reply here.
Please don't restart your computer again after supplying the Post_This.txt
-
Excellent.
I downloaded Mozilla Firefox, and it helps a lot. None of the pop-ups are coming up. But it's still, definitely, muffed up.
Here it is:
The script did not recognize the services listed below.
This does not mean that they are a problem.
To copy the entire contents of this document for posting:
At the top of this window click "Edit" then "Select All"
Next click "Edit" again then "Copy"
Now right click in the forum post box then click "Paste"
########################################
ServiceFilter 1.1
by rand1038
Microsoft Windows XP Home Edition
Version: 5.1.2600 Service Pack 1
Feb 7, 2005 5:44:10 PM
---> Begin Service Listing <---
Unknown Service # 1
Service Name: fyyylohj5
Display Name: fyyylohj5
Start Mode: Unknown
Start Name:
Description: ...
Service Type: Unknown
Path:
State: Running
Process ID: 1412
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: False
Unknown Service # 2
Service Name: NOD32krn
Display Name: NOD32 Kernel Service
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: c:\program files\eset\nod32krn.exe
State: Running
Process ID: 1548
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: False
Unknown Service #3
Service Name: SwPrv
Display Name: MS Software Shadow Copy Provider
Start Mode: Manual
Start Name: LocalSystem
Description: Manages software-based volume shadow copies taken by the Volume Shadow Copy service. If this ...
Service Type: Own Process
Path: c:\windows\system32\dllhost.exe /processid:{4af1c4a9-7593-4159-a089-20000a4dfd3b}
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False
Unknown Service # 4
Service Name: %AF夶À¨
Display Name: Network Security Service (NSS)
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Share Process
Path: c:\windows\appvg32.exe /s
State: Stopped
Process ID: 0
Started: False
Exit Code: 0
Accept Pause: False
Accept Stop: False
---> End Service Listing <---
There are 82 Win32 services on this machine.
4 were unrecognized.
Script Execution Time: 1.515625 seconds.
-
Hold tough for a few minutes.
I take it the last log was either in safe mode or after you ended processes on a lot of
things running in the background.
In your next log, can you try to start in Normal mode and not end any processes?
Thanks......
But let me try some fixes first and let's see how you look later
I'm uploading a few attachments at the bottom of this reply
Can you Download them all to your desktop and then UNZIP them all to your desktop
By the way, I wouldn't be without Firefox
I'll post back with some cleaning procedures in a few minutes.
-
The downloads are timing out. I'll be back once I restart the computer, and I'll post the log.
It may be a while... it's kind of hard to run the computer with all 63 or so processes running... wish me luck!
Thank you so much,
jordan
-
Okay, I got them downloaded... restarting now.
-
Does your notepad work?
Go to START>>Run>>type in notepad
and hit Enter
If you can't download those attachments let me know
Are you able to do this
Create a New folder on your Desktop, call it AboutBuster
Download to desktop ABOUT:BUSTER.zip (http://www.malwarebytes.biz/AboutBuster.zip)
by RubbeR Ducky
Unzip it to that new folder === Open About:Buster and check for updates
Don't run a scan yet
EDIT>>> I just saw your above post
So I assume you can download the above in Safe mode
If not, are you capable of receiving attachments in your email?
STAY in Normal mode and post the log or RESTART in SAFE MODE with Networking
But try not to restart again until after I see the log
-
As of now, I can't get anything to work on that computer... it starts up, loads a few things... and then says "cannot find wnim.dll" or something like this...
and then everything seems A-okay... but then I go to the web, or go to My Computer... or really try to open anything, even pressing Control-Alt-Delete,
and it just endlessly thinks.
This wouldn't have to do with those registry files I downloaded, would it? Because it was working before I got them... Anyway, I'm gonna let it cool down and I'll get back to work... haven't restarted in safe mode yet... but that's the next step... I'm gonna give it a half hour first... perhaps it will remember what it's thinking about... because it's hourglassing as of now... maybe it will figure it out.
-
Downloading those and unzipping them to the desktop will do no harm at all
Did you merge them already?
I just needed you to download them for now
Don't do anything else without instructions
We can work off your first log if you can't post anything else
Slow down and don't get ahead of yourself on this..........
-
I did open the files that unzipped... is that horrible?
Upon restarting... it didn't seem like Windows Messenger would ever really establish itself (BTW, Windows Messenger isn't something I ever had set up, and when I first contracted this virus, it opened... and a few people's email addresses that I know had messaged me... so I think maybe this virus is using the program to send out information),
so I closed it down... if you need me to wait through its opening (which was the cause, so it seems, of my long delayed startup) I will try to do so, let me know.
Here's the post. This is with everything running:
The script did not recognize the services listed below.
This does not mean that they are a problem.
To copy the entire contents of this document for posting:
At the top of this window click "Edit" then "Select All"
Next click "Edit" again then "Copy"
Now right click in the forum post box then click "Paste"
########################################
ServiceFilter 1.1
by rand1038
Microsoft Windows XP Home Edition
Version: 5.1.2600 Service Pack 1
Feb 7, 2005 7:25:09 PM
---> Begin Service Listing <---
Unknown Service # 1
Service Name: fyyylohj5
Display Name: fyyylohj5
Start Mode: Unknown
Start Name:
Description: ...
Service Type: Unknown
Path:
State: Running
Process ID: 1832
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: False
Unknown Service # 2
Service Name: NOD32krn
Display Name: NOD32 Kernel Service
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: c:\program files\eset\nod32krn.exe
State: Running
Process ID: 356
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: False
Unknown Service #3
Service Name: SwPrv
Display Name: MS Software Shadow Copy Provider
Start Mode: Manual
Start Name: LocalSystem
Description: Manages software-based volume shadow copies taken by the Volume Shadow Copy service. If this ...
Service Type: Own Process
Path: c:\windows\system32\dllhost.exe /processid:{4af1c4a9-7593-4159-a089-20000a4dfd3b}
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False
Unknown Service # 4
Service Name: %AF夶À¨
Display Name: Network Security Service (NSS)
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Share Process
Path: "c:\windows\appvg32.exe" /s
State: Stopped
Process ID: 0
Started: False
Exit Code: 0
Accept Pause: False
Accept Stop: False
---> End Service Listing <---
There are 82 Win32 services on this machine.
4 were unrecognized.
Script Execution Time: 78.29688 seconds.
-
I assume now you're in safe mode
Were you able to download About:Buster? Were you able to check for updates and download them?
Are you able to download on the machine right now?
Post another HijackThis log and try not to restart again!!!!!!!
That log you just showed me is another log from ServiceFilter
I don't need to see that right now
I need to see a fresh HijackThis log; were you able to manage to do that in Normal mode?
Sorry for any confusion, I should have said a fresh HijackThis log
-
I'm in normal mode now... I downloaded and updated the program you mentioned... and here's a log from HijackThis
with everything (minus Windows Messenger) running:
Logfile of HijackThis v1.99.0
Scan saved at 7:38:37 PM, on 2/7/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\soft.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Real\Update_OB\realevent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\WINDOWS\System32\tibs5.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\isrvs\desktop.exe
C:\windows\system32\tvshdg.exe
C:\WINDOWS\System32\psadsk.exe
C:\WINDOWS\crne32.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dell AIO Printer A940\dlbabmon.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Messenger\msmsgs.exe
C:\windows\system32\packager.exe
C:\WINDOWS\System32\offuk.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\WINDOWS\appvg32.exe
C:\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = www.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.msn.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.msn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\xqyhu.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\xqyhu.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\xqyhu.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\xqyhu.dll/sp.html#12345
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\xqyhu.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us.mcafee.com/root/landingpages/cd.asp?affid=105-01&lpname=vsotrial90&dtag=73SRG31&cid=7685&appurl=http://us.mcafee.com/apps/AppCommon/updreg.asp?app=http://us.mcafee.com/apps/vso/en-us/redir.asp?affid=105-01&installtype=force&dtag=73SRG31&lpname=vsotrial90&langid=1&systempopup=true (obfuscated)
R3 - Default URLSearchHook is missing
F3 - REG:win.ini: run=C:\WINDOWS\System32\soft.exe
O2 - BHO: ZServObj Class - {00000000-C1EC-0345-6EC2-4D0300000000} - C:\WINDOWS\ZServ.dll
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll
O2 - BHO: (no name) - {A3AC2034-C8B8-E8EA-550B-B4A3591F15B7} - C:\WINDOWS\system32\msni32.dll
O3 - Toolbar: (no name) - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe files\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [E.tmp] C:\DOCUME~1\jordan\LOCALS~1\Temp\E.tmp.exe 1 10001
O4 - HKLM\..\Run: [tibs5] C:\WINDOWS\System32\tibs5.exe
O4 - HKLM\..\Run: [Web Service] C:\WINDOWS\System32\msxmidi.exe
O4 - HKLM\..\Run: [E.tmp.exe] C:\DOCUME~1\jordan\LOCALS~1\Temp\E.tmp.exe 1 10001
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [tvshdg] c:\windows\system32\tvshdg.exe
O4 - HKLM\..\Run: [s39U3qV] psadsk.exe
O4 - HKLM\..\Run: [ntechin] C:\WINDOWS\system32\n20050308.exe
O4 - HKLM\..\Run: [crne32.exe] C:\WINDOWS\crne32.exe
O4 - HKLM\..\Run: [Systems Restart] Rundll32.exe wnim.dll, DllRegisterServer
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [6.tmp] C:\DOCUME~1\jordan\LOCALS~1\Temp\6.tmp.exe 2 10001
O4 - HKLM\..\Run: [6.tmp.exe] C:\DOCUME~1\jordan\LOCALS~1\Temp\6.tmp.exe 2 10001
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvtcd32.exe
O4 - HKLM\..\RunOnce: [appvg32.exe] C:\WINDOWS\appvg32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Web Service] C:\WINDOWS\System32\msxmidi.exe
O4 - HKCU\..\Run: [d0q8RkZ5R] offuk.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.addictivetechnologies.com
O15 - Trusted Zone: *.addictivetechnologies.net
O15 - Trusted Zone: *.admin2cash.biz
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.bettersearch.biz
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.crazywinnings.com
O15 - Trusted Zone: *.f1organizer.com
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.iframe.biz
O15 - Trusted Zone: *.megapornix.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.newiframe.biz
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.pizdato.biz
O15 - Trusted Zone: *.private-dialer.biz
O15 - Trusted Zone: *.private-iframe.biz
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.sp2admin.biz
O15 - Trusted Zone: *.sp2[censored]ed.biz
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.topconverting.com
O15 - Trusted Zone: *.vse-moe.biz
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.05p.com (HKLM)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.scoobidoo.com (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.125.149 (HKLM)
O16 - DPF: v3cab - http://searchmiracle.com/cab/1.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1107534934375
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topconverting.com/activex/loader2.ocx
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab?refid=4583
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,16/mcgdmgr.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O16 - DPF: {E62A47D8-74B1-4A93-963A-E5E43B7CC5C2} - http://www.zuvio.com/UCSearch.CAB
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - (no file)
O23 - Service: AOL Connectivity Service - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee.com McShield - Unknown - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NOD32 Kernel Service - Unknown - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Network Security Service (NSS) - Unknown - C:\WINDOWS\appvg32.exe
-
Good work, let me know if you are able to download this tool also
Download and UNZIP to a folder Hoster by Toadbee (http://members.aol.com/toadbee/hoster.zip)
We'll need this later
Then we'll try some fixes; if you have to Restart in safe mode to download it, do so
But stay in safe mode
Don't restart back into Normal mode again until prompted
I saw you had Windows CleanUp! installed, we'll need that later too since you have it
So let me know if you can download that tool and get ready to restart into safe mode
Do so now if you have to
-
I am now in safe mode
-
I'll leave that computer on in safe mode, just awaiting your response. Thanks a lot, you are a godsend.
How did you learn so much about all this stuff, anyway?
-
You definitely have some cleaning to do
Follow these instructions closely
I have no idea if you were able to download Hoster or not?
But for now
Stay in safe mode
Print this out or Save it to a Notepad file on the Desktop
Disconnect from the Internet
Set Windows To Show Hidden Files and Folders
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Uncheck the Hide Extensions for known file types
* Click Yes to confirm.
* Click OK.
===Next: Go to START>>>RUN>>>type in services.msc
and hit Enter
In the next window, look on the right hand side for this service
name---- Network Security Service (NSS) <--careful, there are others that look similar; you're after this one
Double click on it--- STOP the service--
In the drop down menu, change the startup type to Disabled
from Automatic
Do the same for this Service name if found
fyyylohj5
===Stay in safe mode and navigate to these files or folders and delete them if they exist
c:\windows\system32\tvshdg.exe <--this file
C:\WINDOWS\system32\n20050308.exe
C:\WINDOWS\System32\soft.exe
C:\WINDOWS\System32\tibs5.exe
C:\WINDOWS\System32\psadsk.exe
C:\WINDOWS\crne32.exe
C:\WINDOWS\System32\offuk.exe
C:\WINDOWS\System32\msxmidi.exe
C:\WINDOWS\appvg32.exe
C:\windows\system32\kalvtcd32.exe
C:\WINDOWS\SYSTEM\wnim.dll
C:\WINDOWS\system32\msni32.dll
C:\WINDOWS\ZServ.dll
C:\WINDOWS\isrvs <--this folder
C:\Program Files\ISTsvc <--folder
===In safe mode
Do another Scan with Hijackthis and put a check next to these entries
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\xqyhu.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\xqyhu.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\xqyhu.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\xqyhu.dll/sp.html#12345
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\xqyhu.dll/sp.html#12345
R3 - Default URLSearchHook is missing
F3 - REG:win.ini: run=C:\WINDOWS\System32\soft.exe
O2 - BHO: ZServObj Class - {00000000-C1EC-0345-6EC2-4D0300000000} - C:\WINDOWS\ZServ.dll
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll
O2 - BHO: (no name) - {A3AC2034-C8B8-E8EA-550B-B4A3591F15B7} - C:\WINDOWS\system32\msni32.dll
O3 - Toolbar: (no name) - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - (no file)
O4 - HKLM\..\Run: [E.tmp] C:\DOCUME~1\jordan\LOCALS~1\Temp\E.tmp.exe 1 10001
O4 - HKLM\..\Run: [tibs5] C:\WINDOWS\System32\tibs5.exe
O4 - HKLM\..\Run: [Web Service] C:\WINDOWS\System32\msxmidi.exe
O4 - HKLM\..\Run: [E.tmp.exe] C:\DOCUME~1\jordan\LOCALS~1\Temp\E.tmp.exe 1 10001
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [tvshdg] c:\windows\system32\tvshdg.exe
O4 - HKLM\..\Run: [s39U3qV] psadsk.exe
O4 - HKLM\..\Run: [ntechin] C:\WINDOWS\system32\n20050308.exe
O4 - HKLM\..\Run: [crne32.exe] C:\WINDOWS\crne32.exe
O4 - HKLM\..\Run: [Systems Restart] Rundll32.exe wnim.dll, DllRegisterServer
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [6.tmp] C:\DOCUME~1\jordan\LOCALS~1\Temp\6.tmp.exe 2 10001
O4 - HKLM\..\Run: [6.tmp.exe] C:\DOCUME~1\jordan\LOCALS~1\Temp\6.tmp.exe 2 10001
O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvtcd32.exe
O4 - HKLM\..\RunOnce: [appvg32.exe] C:\WINDOWS\appvg32.exe
O4 - HKCU\..\Run: [Web Service] C:\WINDOWS\System32\msxmidi.exe
O4 - HKCU\..\Run: [d0q8RkZ5R] offuk.exe
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.addictivetechnologies.com
O15 - Trusted Zone: *.addictivetechnologies.net
O15 - Trusted Zone: *.admin2cash.biz
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.bettersearch.biz
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.crazywinnings.com
O15 - Trusted Zone: *.f1organizer.com
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.iframe.biz
O15 - Trusted Zone: *.megapornix.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.newiframe.biz
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.pizdato.biz
O15 - Trusted Zone: *.private-dialer.biz
O15 - Trusted Zone: *.private-iframe.biz
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.sp2admin.biz
O15 - Trusted Zone: *.sp2[censored]ed.biz
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.topconverting.com
O15 - Trusted Zone: *.vse-moe.biz
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.05p.com (HKLM)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.scoobidoo.com (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.125.149 (HKLM)
O16 - DPF: v3cab - http://searchmiracle.com/cab/1.cab
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topconverting.com/activex/loader2.ocx
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsIns....cab?refid=4583
O16 - DPF: {E62A47D8-74B1-4A93-963A-E5E43B7CC5C2} - http://www.zuvio.com/UCSearch.CAB
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - (no file)
O23 - Service: Network Security Service (NSS) - Unknown - C:\WINDOWS\appvg32.exe
After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
YES and exit Hijackthis
Again, in safe mode
===Navigate to About:Buster
Start About:Buster and hit OK. Now for the scanning part. Hit Start and then OK. The program should start scanning. Scan a second time.
Save the log to a convenient location, I will want to see it later. Then hit exit
===Double click on cwsserviceremove.reg you unzipped to desktop earlier
and Allow it to merge to the Registry
===Double click on searchmiracle.reg again-- allow to merge
===Right Click on DelDomains.inf>>Choose Install from the menu bar
This will delete all your Trusted and Ranges entries
===Open HOSTER and click on "RESTORE ORIGINAL HOSTS"
===Open up Windows CleanUp! and click the CleanUp button
When it's done
RESTART back to Normal mode
Run About:Buster again and save the log
Do another scan with Hijackthis and post a log
Also post the About:Buster logs
We will still have some cleaning to do, but do the above first, all if possible, or as much as you can and then post the new logs
Please read it over carefully
After you have posted the logs, try not to Restart again
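The entries ticked in the list above follow a handful of reading rules: a search page redirected into a res:// DLL, a win.ini run= line, BHOs with no name, Run entries whose image sits in Temp or directly in C:\WINDOWS or is just a bare filename, anything added to the Trusted zone, and services with no publisher. As an added example (this is not HijackThis code and not code posted in this thread), here is a Python script that applies those rules to a constructed sample log modelled on the ones in this thread. The heuristics, and the small allowlist of programs that legitimately live in the Windows root, are this example's own assumptions.

```python
"""Triage a HijackThis-style log the way the cleaner above reads it by eye (added
example for this thread; not HijackThis code and not the posters' code).
SAMPLE_LOG is constructed to resemble the entries in the thread; the heuristics
and WINDIR_ALLOWLIST are this example's own assumptions."""
import re

# Constructed sample modelled on the logs in this thread; not a real scan.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\xqyhu.dll/sp.html#12345
F3 - REG:win.ini: run=C:\WINDOWS\System32\soft.exe
O2 - BHO: (no name) - {A3AC2034-C8B8-E8EA-550B-B4A3591F15B7} - C:\WINDOWS\system32\msni32.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [E.tmp] C:\DOCUME~1\jordan\LOCALS~1\Temp\E.tmp.exe 1 10001
O4 - HKLM\..\Run: [s39U3qV] psadsk.exe
O4 - HKLM\..\Run: [crne32.exe] C:\WINDOWS\crne32.exe
O4 - HKLM\..\RunOnce: [appvg32.exe] C:\WINDOWS\appvg32.exe
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted IP range: 206.161.125.149 (HKLM)
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Network Security Service (NSS) - Unknown - C:\WINDOWS\appvg32.exe
"""

# Programs that legitimately sit directly in C:\WINDOWS (illustrative, not exhaustive).
WINDIR_ALLOWLIST = {"explorer.exe", "notepad.exe", "regedit.exe", "hh.exe"}

R_RE = re.compile(r"^R[0-3] - .*= (?P<value>.*)$")
F_RE = re.compile(r"^F[0-3] - ")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<where>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O15_RE = re.compile(r"^O15 - Trusted (?P<kind>Zone|IP range): (?P<target>\S+)")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<company>.+?) - (?P<path>.+)$")
# First token of a command line: a quoted path, or anything up to a binary extension.
IMAGE_RE = re.compile(r'^"([^"]+)"|^(.+?\.(?:exe|dll|ocx|com|scr|bat|cmd|pif))(?=\s|$)', re.I)


def image_of(cmd):
    """Executable named by a Run-key command line (or the DLL handed to rundll32)."""
    cmd = cmd.strip()
    m = IMAGE_RE.match(cmd)
    if not m:
        return cmd.split()[0] if cmd else ""
    image = m.group(1) or m.group(2)
    rest = cmd[m.end():].strip()
    if image.lower().rsplit("\\", 1)[-1] == "rundll32.exe" and rest:
        image = rest.split(",")[0].strip().strip('"')  # the loaded DLL is what matters
    return image


def path_flags(path):
    """Location-based red flags for an autostart image, BHO or service binary."""
    p = path.lower().replace("/", "\\")
    if p == "(no file)":
        return ["registered but the file is missing (orphaned entry)"]
    base = p.rsplit("\\", 1)[-1]
    flags = []
    if "\\" not in p:
        flags.append("bare filename: resolved through the search path, not a fixed location")
    elif "\\temp\\" in p or "\\locals~1\\" in p:
        flags.append("runs from a Temp directory")
    elif re.fullmatch(r"c:\\windows\\[^\\]+", p) and base not in WINDIR_ALLOWLIST:
        flags.append("executable placed directly in the Windows root")  # assumes C:\WINDOWS, as in the log
    if "?" in base:
        flags.append("unprintable character in the name (rendered as '?' in the log)")
    return flags


def triage(log_text):
    """Return [(line, [reasons])] for every log line that trips a heuristic."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        reasons = []
        if (m := R_RE.match(line)):
            if m.group("value").lower().startswith("res://"):
                reasons.append("search/start page redirected into a local DLL resource")
        elif F_RE.match(line):
            reasons.append("win.ini/system.ini autostart; rarely legitimate on XP")
        elif (m := O2_RE.match(line)):
            if m.group("name").strip() in ("", "(no name)"):
                reasons.append("browser helper object without a name")
            reasons += path_flags(m.group("path"))
        elif (m := O4_RE.match(line)):
            reasons += path_flags(image_of(m.group("cmd")))
        elif (m := O15_RE.match(line)):
            reasons.append(f"{m.group('target')} added to IE's Trusted zone")
        elif (m := O23_RE.match(line)):
            if m.group("company").strip().lower() in ("unknown", ""):
                reasons.append("service with no recorded publisher")
            reasons += path_flags(image_of(m.group("path")))
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line)
        for reason in reasons:
            print("    ->", reason)
```

Run it on a saved HijackThis log (`python triage.py < hijackthis.log` after swapping SAMPLE_LOG for `sys.stdin.read()`) and it prints only the lines worth a second look, with the reason for each. It deliberately does not try to judge random-looking value names such as s39U3qV, because legitimate entries like nod32kui also mix letters and digits; location and publisher are the more reliable signals, and the final call still belongs to whoever reads the log.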
-
Something odd I just realized: it is logging me into Windows Messenger without me typing in a password, or ever even setting up the program... so I guess it stole my password from .NET (I use Email Removed)
so now I guess I have to change all my passwords, no biggie
anyway, also, symptoms, just so you know what we're dealing with... we have like 5 new links on my desktop... spyware avenger, virus hunter security, popupblocker stops popups, evidence eraser, and your platinum visa card.... they all come up when I start up... I have this search bar above the date in the bottom right... there is NO memory, everything's damn slow, popups galore including JavaScript ones that try to get me to click okay...
I found a program called ddddd.exe or something on my hard drive that had a pornographic icon, and it was in use and couldn't be deleted even in safe mode...
Do I need to get those cws and the other program again from you, because my computer lost them (unbelievable to me too, but the time I downloaded them it could not find my user profile, and it gave me a default desktop... and now when I search my computer for them, it says they don't exist.)
so here's the diagnostic stuff. I am running normal mode now
Okay, here we go-
Scanned at: 10:09:59 PM on: 2/7/2005
-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 23
No ADS found on system
Removed 4 Random Key Entries
Removed! : C:\WINDOWS\aeqxg.dll
Removed! : C:\WINDOWS\awtkw.dll
Removed! : C:\WINDOWS\cinkm.dll
Removed! : C:\WINDOWS\jydcf.dll
Removed! : C:\WINDOWS\ktekt.dll
Removed! : C:\WINDOWS\mogvb.dll
Removed! : C:\WINDOWS\mqjum.dll
Removed! : C:\WINDOWS\oajrh.dll
Removed! : C:\WINDOWS\oaxst.dll
Removed! : C:\WINDOWS\ofmef.dll
Removed! : C:\WINDOWS\rdiaf.dll
Removed! : C:\WINDOWS\sancr.dll
Removed! : C:\WINDOWS\tgtws.dll
Removed! : C:\WINDOWS\umora.dll
Removed! : C:\WINDOWS\vlkbd.dll
Removed! : C:\WINDOWS\wugzt.dll
Removed! : C:\WINDOWS\xqyhu.dll
Removed! : C:\WINDOWS\xtcfr.dll
Removed! : C:\WINDOWS\zhrpv.dll
Removed! : C:\WINDOWS\zkczj.dll
Removed! : C:\WINDOWS\znjom.dll
Removed! : C:\WINDOWS\System32\bukpc.dll
Removed! : C:\WINDOWS\System32\fnnhk.dat
Removed! : C:\WINDOWS\System32\itwnd.dll
Removed! : C:\WINDOWS\System32\jbfjt.dll
Removed! : C:\WINDOWS\System32\lqsad.dll
Removed! : C:\WINDOWS\System32\ojfsq.dll
Removed! : C:\WINDOWS\System32\owkrz.dll
Removed! : C:\WINDOWS\System32\pncfj.dll
Removed! : C:\WINDOWS\System32\qirdo.dll
Removed! : C:\WINDOWS\System32\qksza.dll
Removed! : C:\WINDOWS\System32\qpzhb.dll
Removed! : C:\WINDOWS\System32\qwjvr.dll
Removed! : C:\WINDOWS\System32\rntkk.dll
Removed! : C:\WINDOWS\System32\tvhqe.dll
Removed! : C:\WINDOWS\System32\vjbfj.dat
Removed! : C:\WINDOWS\System32\vpkqb.dll
Removed! : C:\WINDOWS\System32\vqpzh.dat
Removed! : C:\WINDOWS\System32\wzbft.dll
Removed! : C:\WINDOWS\System32\xwzbf.dat
Removed! : C:\WINDOWS\System32\yofme.dat
Removed! : C:\WINDOWS\System32\ypefs.dll
Removed! : C:\WINDOWS\System32\ysntc.dll
Removed! : C:\WINDOWS\System32\zomyp.dll
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!
-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 23
No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!
Scanned at: 12:45:01 AM on: 2/8/2005
-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 23
No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!
-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 23
No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!
Logfile of HijackThis v1.97.7
Scan saved at 12:46:01 AM, on 2/8/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\System32\qbrurzrw5.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\isrvs\desktop.exe
C:\windows\system32\tvshdg.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\jordan\Application Data\eetu.exe
C:\WINDOWS\System32\m?iexec.exe
C:\Program Files\Dell AIO Printer A940\dlbabmon.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\windows\system32\packager.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Documents and Settings\jordan\Desktop\AboutBuster\AboutBuster\AboutBuster.exe
C:\Documents and Settings\jordan\Desktop\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = www.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\xqyhu.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://us.mcafee.com/root/landingpages/cd.asp?affid=105-01&lpname=vsotrial90&dtag=73SRG31&cid=7685&appurl=http://us.mcafee.com/apps/AppCommon/updreg.asp?app=http://us.mcafee.com/apps/vso/en-us/redir.asp?affid=105-01&installtype=force&dtag=73SRG31&lpname=vsotrial90&langid=1&systempopup=true (obfuscated)
F1 - win.ini: run=C:\WINDOWS\System32\soft.exe
O2 - BHO: (no name) - {00000000-C1EC-0345-6EC2-4D0300000000} - C:\WINDOWS\ZServ.dll
O2 - BHO: (no name) - {4C6760DC-238D-9383-FB09-D1F471E71804} - (no file)
O2 - BHO: (no name) - {502B8893-05D5-1E4B-D4E1-6F514A11CDB7} - (no file)
O2 - BHO: (no name) - {79EF8DE9-C305-C8CC-6B87-1ED452FEAE42} - C:\WINDOWS\System32\gmapuiud.dll
O2 - BHO: (no name) - {F88F8875-03DC-4821-9D1E-193A135D0CF2} - C:\WINDOWS\System32\qlc.dll
O3 - Toolbar: (no name) - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe files\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [tvshdg] c:\windows\system32\tvshdg.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Web Service] C:\WINDOWS\System32\msxmidi.exe
O4 - HKCU\..\Run: [d0q8RkZ5R] offuk.exe
O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\jordan\Application Data\eetu.exe
O4 - HKCU\..\Run: [Vlzxmfa] C:\WINDOWS\System32\m?iexec.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AOL Toolbar (HKLM)
O9 - Extra 'Tools' menuitem: AOL Toolbar (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O10 - Broken Internet access because of LSP provider 'imon.dll' missing
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.addictivetechnologies.com
O15 - Trusted Zone: *.addictivetechnologies.net
O15 - Trusted Zone: *.admin2cash.biz
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.bettersearch.biz
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.crazywinnings.com
O15 - Trusted Zone: *.f1organizer.com
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.iframe.biz
O15 - Trusted Zone: *.megapornix.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.newiframe.biz
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.pizdato.biz
O15 - Trusted Zone: *.private-dialer.biz
O15 - Trusted Zone: *.private-iframe.biz
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.sp2admin.biz
O15 - Trusted Zone: *.sp2[censored]ed.biz
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.topconverting.com
O15 - Trusted Zone: *.vse-moe.biz
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O16 - DPF: v3cab - http://searchmiracle.com/cab/1.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1107534934375
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab?refid=4583
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,16/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
-
I won't be able to see your log until tomorrow
You also ran a scan with Hijackthis 1.97.7
I need to see a log from Hijackthis 1.99
Delete the one on the desktop
Only use the one from C:\HJT
I'll upload the required files again>>>UNZIP them all to desktop
Download and Install
SpywareBlaster by JavaCool---will block bad ActiveX and malevolent cookies
Install---Check for Updates---Enable all protection
http://www.javacoolsoftware.com/spywareblaster.html
After Installation ensure your Active X settings are set like this
In Internet Explorer, Tools | Internet Options | Security tab | Custom Level. Make sure that the following settings are correct:
o Download signed ActiveX controls (Prompt)
o Download unsigned ActiveX controls (Disable)
o Initialize and script ActiveX controls not marked as safe (Disable)
o Run ActiveX controls and plug-ins (Enabled)
o Script ActiveX controls marked safe for scripting (Prompt)
Look in your C:\Windows\system32 folder for shell.dll
If it is not there, Go into System32\dllcache folder
Find shell.dll
Right click on shell.dll and choose copy from the menu. Then paste it into the
system32 folder, it's a needed file
Also save to desktop CWShredder.exe (http://cwshredder.net/bin/CWShredder.exe)
Don't run it yet
Download and Install the free version of Ad-Aware SE Personal 1.05 (http://www.lavasoftusa.com/support/download/)
Ensure you have this version or the paid version
Open Ad-Aware, ensure to click the check for updates now link and Connect to download the latest updates
When you Install Ad-Aware it may Update and start running a scan
Allow to update, don't run a scan yet
Stay in normal mode
Open Hijackthis 1.99
Open Misc tools section
Open Process Manager
Kill these processes if still running
C:\WINDOWS\System32\qbrurzrw5.exe
C:\WINDOWS\isrvs\desktop.exe
C:\windows\system32\tvshdg.exe
C:\Documents and Settings\jordan\Application Data\eetu.exe
C:\WINDOWS\System32\m?iexec.exe
Do another scan with Hijackthis and put a check next to these entries:
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\xqyhu.dll/sp.html#12345
F1 - win.ini: run=C:\WINDOWS\System32\soft.exe
O2 - BHO: (no name) - {00000000-C1EC-0345-6EC2-4D0300000000} - C:\WINDOWS\ZServ.dll
O2 - BHO: (no name) - {4C6760DC-238D-9383-FB09-D1F471E71804} - (no file)
O2 - BHO: (no name) - {502B8893-05D5-1E4B-D4E1-6F514A11CDB7} - (no file)
O2 - BHO: (no name) - {79EF8DE9-C305-C8CC-6B87-1ED452FEAE42} - C:\WINDOWS\System32\gmapuiud.dll
O2 - BHO: (no name) - {F88F8875-03DC-4821-9D1E-193A135D0CF2} - C:\WINDOWS\System32\qlc.dll
O3 - Toolbar: (no name) - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - (no file)
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [tvshdg] c:\windows\system32\tvshdg.exe
O4 - HKCU\..\Run: [d0q8RkZ5R] offuk.exe
O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\jordan\Application Data\eetu.exe
O4 - HKCU\..\Run: [Vlzxmfa] C:\WINDOWS\System32\m?iexec.exe
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.addictivetechnologies.com
O15 - Trusted Zone: *.addictivetechnologies.net
O15 - Trusted Zone: *.admin2cash.biz
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.bettersearch.biz
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.crazywinnings.com
O15 - Trusted Zone: *.f1organizer.com
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.iframe.biz
O15 - Trusted Zone: *.megapornix.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.newiframe.biz
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.pizdato.biz
O15 - Trusted Zone: *.private-dialer.biz
O15 - Trusted Zone: *.private-iframe.biz
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.sp2admin.biz
O15 - Trusted Zone: *.sp2[censored]ed.biz
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.topconverting.com
O15 - Trusted Zone: *.vse-moe.biz
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O16 - DPF: v3cab - http://searchmiracle.com/cab/1.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsIns....cab?refid=4583
After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
YES and exit Hijackthis
Open CWShredder and click ONLY the FIX button
Let it fix all problems
RESTART into Safe mode
Access your add/remove programs and remove if found
iSearch Toolbar
Stay in safe mode and delete if found
C:\WINDOWS\System32\soft.exe <--this file
C:\WINDOWS\System32\gmapuiud.dll
C:\WINDOWS\System32\qlc.dll
c:\windows\system32\tvshdg.exe
C:\Documents and Settings\jordan\Application Data\eetu.exe
C:\WINDOWS\ZServ.dll
Do a search for the next 2
ZServ.inf
zserv.cab
C:\WINDOWS\isrvs <--this folder
Stay in Safe mode
Open about:Buster and run scans again, saving the logs
RIGHT CLICK on Deldomains.inf and choose Install
Merge the other 2 you downloaded and unzipped to your desktop
cwsserviceremove.reg
searchmiracle.reg
Open HOSTER and Restore Original Hosts
Open Ad-Aware
Perform a Full system scan
When it's finished scanning
At this point you should either right click on the screen and choose the "Select All" Objects option or individually put a checkmark in each object's checkbox
click on the Next button. Ad-Aware SE will now present you with a confirmation box as to whether or not you would like to remove the objects you have just selected. Press the "OK" button
RESTART your computer back to Normal mode to finish the cleaning process
To see what else needs cleaning
Download this virus checker from eScan
Mwav.exe (ftp://ftp.microworldsystems.com/download/tools/mwav.exe)
There's nothing to install, save it and then double click to run
It will self extract
Select all local drives, scan all files, press 'SCAN' and when it is completed, anything found will be displayed in the lower pane.
In the Virus Log Information Pane
Left click and Highlight all the info in the Lower pane--- Use "CTRL C" on your Keyboard to copy all found in the lower pane and paste it in your next reply.
****If prompted that a Virus was found and you need to purchase the product to remove the malware, just close out the prompt and let it continue scanning
We just want to see where the bad guys are
Post back a fresh hijackthis log afterwards too
We'll still have some more cleaning but I need to see an updated hijackthis log from version 1.99
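The ActiveX settings listed above and the Trusted Zone entries that DelDomains.inf removes both live under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings (and under the same path in HKLM for the entries marked "(HKLM)" in the log), so they can be audited from a registry export before and after the fix instead of by clicking through dialogs. The following Python script is an added example, not code from this thread, from SpywareBlaster or from DelDomains.inf. The .reg text inside it is constructed; the value names 1001/1004/1200/1201/1405 and the 0 = Enable, 1 = Prompt, 3 = Disable encoding are Microsoft's documented ones for the Zones keys (KB182569); the scheme://host rendering of ZoneMap entries and the deletion-file generator are this example's own choices.

```python
"""Audit an exported Internet Explorer zone configuration (added example for this
thread; not code from the thread, SpywareBlaster or DelDomains.inf). SAMPLE_REG is
a constructed .reg export. Action IDs and the 0/1/3 encoding are Microsoft's
documented values for the Zones keys (KB182569); the scheme://host rendering and
the deletion-file generator are this example's own choices."""
import re

# Value names under Zones\<n> for the five ActiveX actions the post lists.
ACTIVEX_ACTIONS = {
    1001: "Download signed ActiveX controls",
    1004: "Download unsigned ActiveX controls",
    1200: "Run ActiveX controls and plug-ins",
    1201: "Initialize and script ActiveX controls not marked as safe",
    1405: "Script ActiveX controls marked safe for scripting",
}
ENABLE, PROMPT, DISABLE = 0, 1, 3
SETTING_NAME = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}
# What the post asks for in the Internet zone (Zones\3).
RECOMMENDED = {1001: PROMPT, 1004: DISABLE, 1200: ENABLE, 1201: DISABLE, 1405: PROMPT}
TRUSTED = 2  # ZoneMap zone number for "Trusted sites"
INET = r"\software\microsoft\windows\currentversion\internet settings"

# Constructed export resembling the machine in this thread; not real data.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1001"=dword:00000000
"1004"=dword:00000000
"1200"=dword:00000000
"1201"=dword:00000001
"1405"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\searchmiracle.com]
"*"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mt-download.com\www]
"http"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.net]
"http"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range1]
":Range"="206.161.125.149"
"*"=dword:00000002
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<val>[0-9a-fA-F]{8})$')
STR_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<val>[^"]*)"$')


def parse_reg(text):
    """Return {key_path: {value_name: int_or_str}} for the dword/string values."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := KEY_RE.match(line)):
            current = m.group("key")
            keys.setdefault(current, {})
        elif current is not None and (m := DWORD_RE.match(line)):
            keys[current][m.group("name")] = int(m.group("val"), 16)
        elif current is not None and (m := STR_RE.match(line)):
            keys[current][m.group("name")] = m.group("val")
    return keys


def check_activex(keys, zone=3):
    """(action, current, recommended) for each ActiveX action that deviates in the given zone."""
    problems = []
    for key, values in keys.items():
        if not key.lower().endswith(INET + r"\zones\%d" % zone):
            continue
        for action, wanted in RECOMMENDED.items():
            current = values.get(str(action))
            if current != wanted:
                shown = SETTING_NAME.get(current, "not set" if current is None else str(current))
                problems.append((ACTIVEX_ACTIONS[action], shown, SETTING_NAME[wanted]))
    return problems


def trusted_mappings(keys):
    """Every ZoneMap domain or IP range mapped into the Trusted zone, as scheme://host."""
    found = []
    for key, values in keys.items():
        if re.search(r"\\zonemap\\domains\\", key, re.I):
            tail = re.split(r"\\zonemap\\domains\\", key, maxsplit=1, flags=re.I)[1]
            parts = tail.split("\\")  # "domain" or "domain\host"
            host = parts[1] + "." + parts[0] if len(parts) > 1 else "*." + parts[0]
        elif re.search(r"\\zonemap\\ranges\\", key, re.I):
            host = values.get(":Range", "?")
        else:
            continue
        found += [f"{scheme}://{host}" for scheme, zone in values.items()
                  if scheme != ":Range" and zone == TRUSTED]
    return sorted(found)


def deletion_reg(keys):
    """A .reg that deletes every Domains/Ranges key holding a Trusted mapping (what DelDomains.inf does)."""
    doomed = [key for key, values in keys.items()
              if re.search(r"\\zonemap\\(domains|ranges)\\", key, re.I) and TRUSTED in values.values()]
    return "Windows Registry Editor Version 5.00\n\n" + "".join(f"[-{key}]\n" for key in doomed)


if __name__ == "__main__":
    keys = parse_reg(SAMPLE_REG)
    for action, current, wanted in check_activex(keys):
        print(f"{action}: is {current}, should be {wanted}")
    print("Trusted zone mappings:", ", ".join(trusted_mappings(keys)))
    print(deletion_reg(keys))
```

On a real machine the input comes from `regedit /e zones.reg "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings"` (and the same export from HKEY_LOCAL_MACHINE, since the log shows some mappings stored there). The generated file uses `[-key]` lines, which regedit treats as delete-this-key when merged, so it removes only the keys that actually carry a Trusted mapping rather than the whole ZoneMap; on the constructed sample it deletes searchmiracle.com, the www subkey of mt-download.com and Range1, and leaves the Restricted-zone entry alone.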
-
File C:\WINDOWS\System32\qbrurzrw5.exe infected by "Trojan-Downloader.Win32.Agent.gn" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Explorer.EXE infected by "Virus.Win32.Bube.d" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\brew.dll infected by "Trojan-Downloader.Win32.Small.ajp" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\WinTitle.dll infected by "Trojan-Clicker.Win32.Agent.bz" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\brew.dll infected by "Trojan-Downloader.Win32.Small.ajp" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Explorer.exe infected by "Virus.Win32.Bube.d" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\qbrurzrw5.exe infected by "Trojan-Downloader.Win32.Agent.gn" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\BTGrab.dll infected by "not-a-virus:AdWare.BiSpy.t" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\iconu.exe infected by "not-a-virus:AdWare.Zestyfind" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\msxmidi.exe infected by "Virus.Win32.Bube.b" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\NDNuninstall6_22.exe infected by "not-a-virus:AdWare.NewDotNet" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SSK_B5.EXE infected by "Trojan-Dropper.Win32.SurfSide.a" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\woinstall.exe infected by "not-a-virus:AdWare.EZula.ak" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\cp.exe infected by "Trojan-Downloader.Win32.Agent.ic" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\dddd.exe infected by "not-a-virus:PornWare.Dialer.Salc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\dfe.exe infected by "Trojan.Win32.LowZones.ac" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\dOnim.dll infected by "not-a-virus:AdWare.Look2Me.u" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\eliteztm32.exe infected by "Trojan.Win32.StartPage.nk" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\eree.exe infected by "Trojan-Clicker.Win32.Agent.bn" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\fgrr.exe infected by "Trojan-Dropper.Win32.Small.sa" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\htt.exe infected by "not-a-virus:AdWare.ToolBar.ISearch.d" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\iwdwin.dll infected by "not-a-virus:AdWare.PurityScan.ak" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\KVIF_7.dll infected by "Trojan-Downloader.Win32.Keenval.e" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\l06olaj31do.dll infected by "not-a-virus:AdWare.Look2Me.u" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\LMWND13n.DLL infected by "not-a-virus:AdWare.Look2Me.u" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\lvno0953e.dll infected by "not-a-virus:AdWare.Look2Me.u" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\mqexdlm.srg infected by "not-a-virus:AdWare.ToolBar.Exact" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\netut80ex.vxd infected by "not-a-virus:AdWare.ToolBar.Exact" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\nndptyl.exe infected by "Trojan-Downloader.Win32.IstBar.gen" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\o884lilq18qe.dll infected by "not-a-virus:AdWare.Look2Me.u" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\s8pu0i79e8.dll infected by "not-a-virus:AdWare.Look2Me.u" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\SHAgentNew.dll infected by "not-a-virus:AdWare.Sahat.g" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\tarmmgr.dll infected by "not-a-virus:AdWare.Look2Me.u" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\WinSuck.dll infected by "Trojan-Clicker.Win32.Agent.ca" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\Xcite.dll infected by "not-a-virus:AdWare.F1Organizer.m" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\Xcite2.exe infected by "not-a-virus:AdWare.F1Organizer.m" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\jordan\LOCALS~1\Temp\DrTemp\thnall1b.exe infected by "not-a-virus:AdWare.BetterInternet" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\jordan\LOCALS~1\Temp\IH1DC.tmp infected by "Trojan-Downloader.Win32.Agent.ex" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\jordan\LOCALS~1\Temp\suicidetb.exe infected by "not-a-virus:AdWare.ToolBar.EliteBar.z" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\jordan\LOCALS~1\Temp\THI311E.tmp\ZServ.dll infected by "not-a-virus:AdWare.BiSpy.t" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\jordan\LOCALS~1\Temp\THI52C2.tmp\BTGrab.dll infected by "not-a-virus:AdWare.BiSpy.t" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\jordan\LOCALS~1\Temp\THI52C2.tmp\polall1b.exe infected by "Trojan.Win32.Agent.ay" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\jordan\LOCALS~1\Temp\THI5713.tmp\ZServ.dll infected by "not-a-virus:AdWare.BiSpy.t" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\jordan\LOCALS~1\Temp\THI6432.tmp\ZServ.dll infected by "not-a-virus:AdWare.BiSpy.t" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\jordan\LOCALS~1\TEMPOR~1\Content.IE5\014D63SJ\mtrslib2[1].js infected by "Trojan-Downloader.JS.Small.ag" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\jordan\LOCALS~1\TEMPOR~1\Content.IE5\89SF0L8N\js[1].htm infected by "Exploit.HTML.CodeBaseExec" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\jordan\LOCALS~1\TEMPOR~1\Content.IE5\89SF0L8N\silent_install[1].exe infected by "not-a-virus:AdWare.ToolBar.EliteBar.z" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\jordan\LOCALS~1\TEMPOR~1\Content.IE5\CDWXYTCP\js[1].htm infected by "Exploit.HTML.CodeBaseExec" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\jordan\LOCALS~1\TEMPOR~1\Content.IE5\CDWXYTCP\sideb[1].exe infected by "not-a-virus:AdWare.ToolBar.EliteBar.z" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\jordan\LOCALS~1\TEMPOR~1\Content.IE5\CDWXYTCP\silent[1].exe infected by "Trojan-Downloader.Win32.Small.sg" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\jordan\LOCALS~1\TEMPOR~1\Content.IE5\CDWXYTCP\thnall1b[1].exe infected by "not-a-virus:AdWare.BetterInternet" Virus. Action Taken: No Action Taken.
i'll post the hijackthis in a few
-
there's a program called dddd.exe that appears in the files of whichever user i log onto (c:\documents and settings\jordan for instance), as well as a bunch of buddy programs.... i was able to delete them this time, upon signing on, but that's not usual
and it takes a real real long time to log on, (from the old Fish in AOL i remember this to be caused by the computer sending emails with my password....is this similar?)
Logfile of HijackThis v1.99.0
Scan saved at 12:00:48 PM, on 2/8/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\System32\qbrurzrw5.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Messenger\msmsgs.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\WINDOWS\explorer.exe
C:\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = www.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.msn.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.msn.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us.mcafee.com/root/landingpages/cd....ystempopup=true (http://\"http://us.mcafee.com/root/landingpages/cd.asp?affid=105-01&lpname=vsotrial90&dtag=73SRG31&cid=7685&appurl=http://us.mcafee.com/apps/AppCommon/updreg.asp?app=http://us.mcafee.com/apps/vso/en-us/redir.asp?affid=105-01&installtype=force&dtag=73SRG31&lpname=vsotrial90&langid=1&systempopup=true\") (obfuscated)
O2 - BHO: (no name) - {4C6760DC-238D-9383-FB09-D1F471E71804} - (no file)
O2 - BHO: (no name) - {502B8893-05D5-1E4B-D4E1-6F514A11CDB7} - (no file)
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll (file missing)
O2 - BHO: (no name) - {79EF8DE9-C305-C8CC-6B87-1ED452FEAE42} - (no file)
O2 - BHO: (no name) - {B75F75B8-93F3-429D-FF34-660B206D897A} - C:\WINDOWS\System32\boln.dll
O2 - BHO: BHO Class - {F6053709-5723-454E-AB9D-7FC7E681AFA5} - C:\WINDOWS\System32\WinTitle.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe files\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [Systems Restart] Rundll32.exe boln.dll, DllRegisterServer
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O15 - Trusted Zone: *.addictivetechnologies.com
O15 - Trusted Zone: *.addictivetechnologies.net
O15 - Trusted Zone: *.admin2cash.biz
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.bettersearch.biz
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.crazywinnings.com
O15 - Trusted Zone: *.f1organizer.com
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.iframe.biz
O15 - Trusted Zone: *.megapornix.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.newiframe.biz
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.pizdato.biz
O15 - Trusted Zone: *.private-dialer.biz
O15 - Trusted Zone: *.private-iframe.biz
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.sp2admin.biz
O15 - Trusted Zone: *.sp2[censored]ed.biz
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.topconverting.com
O15 - Trusted Zone: *.vse-moe.biz
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab (http://\"http://www.musicnotes.com/download/mnviewer.cab\")
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe (http://\"http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe\")
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsc...76/mcinsctl.cab (http://\"http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab\")
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1107534934375 (http://\"http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1107534934375\")
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab (http://\"http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab\")
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab (http://\"http://www.bitdefender.com/scan/Msie/bitdefender.cab\")
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab (http://\"http://web1.shutterfly.com/downloads/Uploader.cab\")
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmg...,16/mcgdmgr.cab (http://\"http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,16/mcgdmgr.cab\")
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab (http://\"http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab\")
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab (http://\"http://chat.msn.com/bin/msnchat45.cab\")
O23 - Service: AOL Connectivity Service - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: ixsnjearqzbj - Unknown - C:\WINDOWS\System32\qbrurzrw5.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee.com McShield - Unknown - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NOD32 Kernel Service - Unknown - C:\Program Files\Eset\nod32krn.exe
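The log above is what the helper works from, and the entries they later single out (orphaned O2 BHOs, the Rundll32 O4 entry, every O15 Trusted Zone wildcard and the O23 service with no publisher) can be pulled out mechanically. The script below is an added example, not a tool from this thread or from HijackThis; the sample lines are a subset copied from the log above, the `looks_random` vowel-ratio heuristic and the severity labels are my own assumptions, and the cross-reference between an O2 DLL and an O4 `DllRegisterServer` entry is what ties boln.dll's BHO to the "Systems Restart" Run key.

```python
"""Triage helper for HijackThis-style log lines (added example, not from the thread)."""
import re
from typing import Dict, List

# Constructed sample: a subset of lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {4C6760DC-238D-9383-FB09-D1F471E71804} - (no file)
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll (file missing)
O2 - BHO: (no name) - {B75F75B8-93F3-429D-FF34-660B206D897A} - C:\WINDOWS\System32\boln.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [Systems Restart] Rundll32.exe boln.dll, DllRegisterServer
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.ysbweb.com
O23 - Service: ixsnjearqzbj - Unknown - C:\WINDOWS\System32\qbrurzrw5.exe
O23 - Service: NOD32 Kernel Service - Unknown - C:\Program Files\Eset\nod32krn.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
"""

LINE_RE = re.compile(r"^(O\d+) - (.*)$")
VOWELS = set("aeiou")


def looks_random(name: str) -> bool:
    """Assumed heuristic for machine-generated service names such as 'ixsnjearqzbj':
    one token of 8+ letters with fewer than 30% vowels. Names containing spaces
    or digits are left to the analyst."""
    token = name.strip()
    if len(token) < 8 or not token.isalpha():
        return False
    vowels = sum(c in VOWELS for c in token.lower())
    return vowels / len(token) < 0.3


def basename(path: str) -> str:
    return path.strip().rsplit("\\", 1)[-1].lower()


def triage(log_text: str) -> List[Dict[str, str]]:
    """Return findings as dicts with section, severity, item and reason."""
    findings: List[Dict[str, str]] = []
    bho_dlls, run_dlls = set(), set()

    def add(section: str, severity: str, item: str, reason: str) -> None:
        findings.append({"section": section, "severity": severity,
                         "item": item, "reason": reason})

    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()

        if section == "O2":  # Browser Helper Objects loaded into every IE window
            head, _, target = body.rpartition(" - ")
            if target == "(no file)" or target.endswith("(file missing)"):
                add("O2", "orphaned", body, "BHO registration whose DLL is gone; safe to fix")
            else:
                bho_dlls.add(basename(target))
                if head.startswith("BHO: (no name)"):
                    add("O2", "suspect", body, "unnamed BHO still loading from disk")

        elif section == "O4":  # autostart entries under Run keys
            m4 = re.match(r"(.*?): \[(.*?)\] (.*)", body)
            if not m4:
                continue
            command = m4.group(3)
            dll = re.search(r"rundll32(?:\.exe)?\s+([^\s,]+)", command, re.I)
            if dll and "dllregisterserver" in command.lower():
                run_dlls.add(basename(dll.group(1)))
                add("O4", "suspect", body, "Run entry re-registers a COM DLL at every logon")

        elif section == "O15":  # sites granted Trusted-zone privileges
            add("O15", "suspect", body, "wildcard domain added to the Trusted zone")

        elif section == "O23":  # installed services: name - company - path
            parts = body[len("Service: "):].split(" - ")
            if len(parts) == 3 and parts[1] == "Unknown":
                sev = "suspect" if looks_random(parts[0]) else "review"
                add("O23", sev, body, "service with no publisher information")

    # A BHO that an O4 entry keeps re-registering must be removed together with that entry.
    for dll in sorted(bho_dlls & run_dlls):
        add("link", "suspect", dll, "BHO is re-registered by an O4 Run entry; remove both together")
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']:8}] {f['section']:4} {f['item']}  <- {f['reason']}")
```

Run against the sample, the script marks both O15 lines, both orphaned BHOs, the ixsnjearqzbj service as suspect and the NOD32 service only as "review" (unknown publisher string, but a readable name), and reports boln.dll as the link between the O2 and O4 entries; the Lexmark service and IgfxTray produce no finding.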
-
Download and save to desktop VX2Finder.exe (http://downloads.subratam.org/VX2Finder(126).exe)
Double click to open it
Click the
"Click to Find VX2.BetterInternet"
Wait for the scan to finish>>This won't take long
"Make a Log"
Post it back here
-
Log for VX2.BetterInternet File Finder (msg126)
Files Found---
Additional Files---
Keys Under Notify---
Guardian Key--- is called:
Asynchronous 000
DllName
Impersonate 000
Logon WinLogon
Logoff WinLogoff
Shutdown WinShutdown
User Agent String---
{D2AD9633-36F1-4338-AA11-469CA091B890}
-
Download L2mfix from one of these two locations:
http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe
Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.
IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!
Do not Reboot your computer either
-
i believe the computer is frozen...is there some super sneaky trick i could use to unfreeze it...it's been close to 20 minutes
-
the mouse does still move, but i can't click on anything
-
Can you Ctrl+Alt+Del
and end task or process on this "qbrurzrw5.exe"
If not you will have to Restart it and post a fresh hijackthis log
Don't do anything else afterwards but post the log
-
Logfile of HijackThis v1.99.0
Scan saved at 1:02:49 PM, on 2/8/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\System32\qbrurzrw5.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\WINDOWS\explorer.exe
C:\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = www.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.msn.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.msn.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us.mcafee.com/root/landingpages/cd....ystempopup=true (http://\"http://us.mcafee.com/root/landingpages/cd.asp?affid=105-01&lpname=vsotrial90&dtag=73SRG31&cid=7685&appurl=http://us.mcafee.com/apps/AppCommon/updreg.asp?app=http://us.mcafee.com/apps/vso/en-us/redir.asp?affid=105-01&installtype=force&dtag=73SRG31&lpname=vsotrial90&langid=1&systempopup=true\") (obfuscated)
O2 - BHO: (no name) - {4C6760DC-238D-9383-FB09-D1F471E71804} - (no file)
O2 - BHO: (no name) - {502B8893-05D5-1E4B-D4E1-6F514A11CDB7} - (no file)
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll (file missing)
O2 - BHO: (no name) - {79EF8DE9-C305-C8CC-6B87-1ED452FEAE42} - (no file)
O2 - BHO: (no name) - {B75F75B8-93F3-429D-FF34-660B206D897A} - C:\WINDOWS\System32\boln.dll
O2 - BHO: BHO Class - {F6053709-5723-454E-AB9D-7FC7E681AFA5} - C:\WINDOWS\System32\WinTitle.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe files\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [Systems Restart] Rundll32.exe boln.dll, DllRegisterServer
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O15 - Trusted Zone: *.addictivetechnologies.com
O15 - Trusted Zone: *.addictivetechnologies.net
O15 - Trusted Zone: *.admin2cash.biz
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.bettersearch.biz
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.crazywinnings.com
O15 - Trusted Zone: *.f1organizer.com
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.iframe.biz
O15 - Trusted Zone: *.megapornix.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.newiframe.biz
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.pizdato.biz
O15 - Trusted Zone: *.private-dialer.biz
O15 - Trusted Zone: *.private-iframe.biz
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.sp2admin.biz
O15 - Trusted Zone: *.sp2[censored]ed.biz
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.topconverting.com
O15 - Trusted Zone: *.vse-moe.biz
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab (http://\"http://www.musicnotes.com/download/mnviewer.cab\")
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe (http://\"http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe\")
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsc...76/mcinsctl.cab (http://\"http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab\")
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1107534934375 (http://\"http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1107534934375\")
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab (http://\"http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab\")
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab (http://\"http://www.bitdefender.com/scan/Msie/bitdefender.cab\")
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab (http://\"http://web1.shutterfly.com/downloads/Uploader.cab\")
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmg...,16/mcgdmgr.cab (http://\"http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,16/mcgdmgr.cab\")
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab (http://\"http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab\")
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab (http://\"http://chat.msn.com/bin/msnchat45.cab\")
O23 - Service: AOL Connectivity Service - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: ixsnjearqzbj - Unknown - C:\WINDOWS\System32\qbrurzrw5.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee.com McShield - Unknown - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NOD32 Kernel Service - Unknown - C:\Program Files\Eset\nod32krn.exe
-
hey...my computer froze again...so i'm reposting a new file here...in one second.
-
or, at least i hope to be! geez
this computer used to be fast!
you have already helped me so so much, if you have a paypal account i'd be happy to help you as well
-
Just follow these instructions>>>Do what you can
===Open Notepad (START>>>RUN>>>type in notepad) hit Enter
Copy the whole contents of the Quote box to notepad
In Notepad click FILE>>SAVE AS
IMPORTANT>>>Change the Save as Type to All Files.
Name the file as fix.reg
Save this on the Desktop, don't run it yet
REGEDIT4
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
Download Pocket Killbox (http://www.downloads.subratam.org/KillBox.zip)
UNZIP the files to the folder of your choice.
Save this next part to a Notepad file on your desktop for easy access
Disconnect from the Net>>Close all unnecessary windows, including this one
Next: Go to START>>>RUN>>>type in services.msc and hit Enter
In the next window, look on the right hand side for this service
name---- ixsnjearqzbj
Double click on it--- STOP the service--
In the drop down menu, change the startup type to Disabled
If you can't find it
Open Hijackthis>>Open Misc tools>>Open Process Manager
Kill this process if still running
C:\WINDOWS\System32\qbrurzrw5.exe
Do another scan with Hijackthis and put a check next to these entries:
O2 - BHO: (no name) - {4C6760DC-238D-9383-FB09-D1F471E71804} - (no file)
O2 - BHO: (no name) - {502B8893-05D5-1E4B-D4E1-6F514A11CDB7} - (no file)
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll (file missing)
O2 - BHO: (no name) - {79EF8DE9-C305-C8CC-6B87-1ED452FEAE42} - (no file)
O2 - BHO: (no name) - {B75F75B8-93F3-429D-FF34-660B206D897A} - C:\WINDOWS\System32\boln.dll
O2 - BHO: BHO Class - {F6053709-5723-454E-AB9D-7FC7E681AFA5} - C:\WINDOWS\System32\WinTitle.dll
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [Systems Restart] Rundll32.exe boln.dll, DllRegisterServer
O15 - Trusted Zone: *.addictivetechnologies.com
O15 - Trusted Zone: *.addictivetechnologies.net
O15 - Trusted Zone: *.admin2cash.biz
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.bettersearch.biz
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.crazywinnings.com
O15 - Trusted Zone: *.f1organizer.com
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.iframe.biz
O15 - Trusted Zone: *.megapornix.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.newiframe.biz
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.pizdato.biz
O15 - Trusted Zone: *.private-dialer.biz
O15 - Trusted Zone: *.private-iframe.biz
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.sp2admin.biz
O15 - Trusted Zone: *.sp2[censored]ed.biz
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.topconverting.com
O15 - Trusted Zone: *.vse-moe.biz
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O23 - Service: ixsnjearqzbj - Unknown - C:\WINDOWS\System32\qbrurzrw5.exe
After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
YES and exit Hijackthis
With only the Notepad file open for reference
Double-click on Killbox.exe to run it
Click on Tools>>>Delete Temp files
Copy and paste each of the following lines into the "Full Path of File to Delete" box in Killbox.
Put a mark next to Replace on Reboot
Also mark Use Dummy
Click the red button with the X after each. It will ask you if you want to reboot each time you click it, answer "No"
C:\WINDOWS\System32\qbrurzrw5.exe
C:\WINDOWS\iconu.exe
C:\WINDOWS\msxmidi.exe
C:\WINDOWS\NDNuninstall6_22.exe
C:\WINDOWS\SSK_B5.EXE
C:\WINDOWS\woinstall.exe
C:\WINDOWS\System32\cp.exe
C:\WINDOWS\System32\dddd.exe
C:\WINDOWS\System32\dfe.exe
C:\WINDOWS\System32\eliteztm32.exe
C:\WINDOWS\System32\eree.exe
C:\WINDOWS\System32\fgrr.exe
C:\WINDOWS\System32\htt.exe
C:\WINDOWS\System32\mqexdlm.srg
C:\WINDOWS\System32\netut80ex.vxd
C:\WINDOWS\System32\nndptyl.exe
C:\WINDOWS\System32\Xcite2.exe
C:\WINDOWS\System32\brew.dll
C:\WINDOWS\System32\WinTitle.dll
C:\WINDOWS\System32\brew.dll
C:\WINDOWS\BTGrab.dll
C:\WINDOWS\System32\iwdwin.dll
C:\WINDOWS\System32\KVIF_7.dll
C:\WINDOWS\System32\l06olaj31do.dll
C:\WINDOWS\System32\LMWND13n.DLL
C:\WINDOWS\System32\lvno0953e.dll
C:\WINDOWS\System32\o884lilq18qe.dll
C:\WINDOWS\System32\s8pu0i79e8.dll
C:\WINDOWS\System32\SHAgentNew.dll
C:\WINDOWS\System32\tarmmgr.dll
C:\WINDOWS\System32\WinSuck.dll
C:\WINDOWS\System32\Xcite.dll
When you've pasted the last full path of file to delete, Answer YES
And allow the system to Reboot
Please Restart the computer into Safe mode at this time
You can enter safe mode by tapping the F8 key on the keyboard as the computer is booting up
In safe mode
Ensure that this folder is gone
C:\WINDOWS\isrvs <--this folder
Stay in safe mode and run Windows CleanUp!
Let it finish Scanning
When it's done, don't log or restart your computer yet
Instead
Double click on fix.reg and allow it to merge into the Registry
Restart back to Normal mode
Run the L2mfix
Here are the Instructions again
I'll assume you have already downloaded it and clicked Install
open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.
IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!
Do not Reboot your computer either
Don't worry about any error message you may receive with Killbox, just carry on
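The fix.reg in the post above pairs each `[-KEY]` line with a plain `[KEY]` line: the first deletes the ZoneMap key and every domain or range subkey under it, the second recreates the key empty so Internet Explorer still finds it. The simulator below is an added example, not part of the thread or of any Microsoft tool; it applies that REGEDIT4 text to a constructed in-memory copy of the relevant hive. The sample hive holds two of the O15 domains from the log plus a made-up `intranet.example` entry and a made-up `Range1`, which shows the caveat a practitioner should know: the fix wipes every Trusted-zone assignment, legitimate ones included, so they must be re-added afterwards. The value `dword:00000002` is IE's zone number for Trusted sites.

```python
"""Simulate what the helper's fix.reg does to the IE ZoneMap (added example, not from the thread)."""
import re
from typing import Dict, List, Optional

Registry = Dict[str, Dict[str, str]]  # key path -> {value name: value data}

# The fix.reg text from the post above, verbatim.
FIX_REG = r"""REGEDIT4
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
"""

HKCU_ZONEMAP = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap"
TRUSTED_ZONE = "dword:00000002"  # IE zone 2 = Trusted sites


def sub(parent: str, name: str) -> str:
    return parent + "\\" + name


def sample_registry() -> Registry:
    """Constructed hive: two O15 domains from the log plus one made-up legitimate
    intranet entry and one made-up range, so the collateral effect is visible."""
    domains, ranges = sub(HKCU_ZONEMAP, "Domains"), sub(HKCU_ZONEMAP, "Ranges")
    reg: Registry = {domains: {}, ranges: {}}
    for domain in ("windupdates.com", "ysbweb.com", "intranet.example"):
        reg[sub(domains, domain)] = {"*": TRUSTED_ZONE}
    reg[sub(ranges, "Range1")] = {"*": TRUSTED_ZONE, ":Range": "10.0.0.0-10.255.255.255"}
    return reg


KEY_RE = re.compile(r"^\[(-?)(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def apply_reg(reg: Registry, reg_text: str) -> Registry:
    """Apply a REGEDIT4-format file to the in-memory hive, mimicking regedit's merge."""
    lines = reg_text.splitlines()
    if not lines or lines[0].strip() != "REGEDIT4":
        raise ValueError("expected a REGEDIT4 header")
    current: Optional[str] = None
    for line in (l.strip() for l in lines[1:]):
        if not line:
            continue
        km = KEY_RE.match(line)
        if km:
            key = km.group(2)
            if km.group(1) == "-":
                # [-KEY]: delete the key and everything beneath it (names are case-insensitive)
                prefix = key.lower() + "\\"
                for k in list(reg):
                    if k.lower() == key.lower() or k.lower().startswith(prefix):
                        del reg[k]
                current = None
            else:
                # [KEY]: create the key if missing; an existing key is kept as is
                current = next((k for k in reg if k.lower() == key.lower()), None)
                if current is None:
                    reg[key] = {}
                    current = key
            continue
        vm = VALUE_RE.match(line)
        if vm and current is not None:
            reg[current][vm.group(1)] = vm.group(2)  # "name"=data under the current key
    return reg


def zonemap_subkeys(reg: Registry) -> List[str]:
    """Subkeys under the HKCU ZoneMap, relative to it, for before/after comparison."""
    prefix = HKCU_ZONEMAP + "\\"
    return sorted(k[len(prefix):] for k in reg if k.startswith(prefix))


if __name__ == "__main__":
    hive = sample_registry()
    print("before:", zonemap_subkeys(hive))
    apply_reg(hive, FIX_REG)
    print("after: ", zonemap_subkeys(hive))
```

Before the merge the HKCU ZoneMap lists `Domains`, three domain subkeys, `Ranges` and `Range1`; after it only the two empty container keys remain, and the HKLM containers named in the file are created empty as well. That is exactly what clears the O15 lines from the next HijackThis log, and also why any intranet site the user had trusted on purpose disappears with them.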
-
I don't want to see a new log at this time
Slow down, you're making this difficult for removal
-
every time i get back into windows now, it has a problem loading my profile (the desktop etc.)
should i still go ahead and do the work from the point i am in here, or keep trying to restart and get the right desktop (the only reason i ask is because when this happened before, the files i downloaded were lost)
-
Can you just try and do what I posted above?
I really have no idea where you're at right now in any of the fixes.
-
crossing fingers
-
I hope you're posting this from another computer.
You shouldn't be online while doing the fixes.
-
Okay, everything seems to have worked except that l2mfix just stopped after a while and never opened a log.
But it did save a log ... a few files called test 1, etc., and each said "{Da920D5B-962A-4A04-892B-E10c480955F5}".
This is another computer I'm using, and the internet was turned off on the other.
It seems to be running smoothly now... does that mean we are done?
-
I'm not sure if you read the instructions from what I posted.
I'll post them one more time.
Open the newly added l2mfix folder on your desktop. Double-click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing Enter. This will scan your computer and it may appear nothing is happening; then, after a minute or 2, Notepad will open with a log. Copy the contents of that log and paste it into this thread.
IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!
If the above doesn't work, try running the scan in Safe Mode, but give it time to finish.
-
Okay, Safe Mode was the answer.
Thank you for your patience.... this is an aggravating matter, and for you to do this really means a lot to me and my family.
L2MFIX find log 1.02a
These are the registry keys present
********************************************************************************
**
Winlogon/notify:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
********************************************************************************
**
useragent:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{D2AD9633-36F1-4338-AA11-469CA091B890}"=""
********************************************************************************
**
Shell Extension key:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{5E44E225-A408-11CF-B581-008029601108}"="Adaptec DirectCD Shell Extension"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{8F7261D0-D2B9-11D2-9909-00605205B24C}"="CuteFTP Shell Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{B5FB6487-7E79-4816-B73B-8A65E41971DA}"="BullGuard Antivirus v4"
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
"{DA920D5B-962A-4A04-892B-E10C480955F5}"=""
"{B089FE88-FB52-11d3-BDF1-0050DA34150D}"="NOD32 Context Menu Shell Extension"
********************************************************************************
**
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{DA920D5B-962A-4A04-892B-E10C480955F5}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{DA920D5B-962A-4A04-892B-E10C480955F5}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\CLSID\{DA920D5B-962A-4A04-892B-E10C480955F5}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{DA920D5B-962A-4A04-892B-E10C480955F5}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{DA920D5B-962A-4A04-892B-E10C480955F5}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\CLSID\{DA920D5B-962A-4A04-892B-E10C480955F5}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
********************************************************************************
**
Files Found are not all bad files:
C:\WINDOWS\SYSTEM32\
brew.dll Mon Feb 7 2005 9:08:36p ..... 7,680 7.50 K
brew32.dll Mon Feb 7 2005 11:54:52p A.... 27 0.02 K
imon.dll Mon Feb 7 2005 4:40:48p A.... 245,760 240.00 K
iwdwin.dll Tue Feb 1 2005 9:45:02a ..... 167,936 164.00 K
k644lg~1.dll Fri Feb 4 2005 1:45:12a ..S.R 229,736 224.35 K
l06ola~1.dll Fri Feb 4 2005 12:01:10p ..... 230,619 225.21 K
lvno09~1.dll Fri Feb 4 2005 11:59:40a ..... 230,397 224.99 K
mskr32.dll Thu Jan 27 2005 11:03:14p ..... 98,926 96.61 K
nms32.dll Mon Feb 7 2005 4:40:50p A.... 114,688 112.00 K
o884li~1.dll Fri Feb 4 2005 12:30:04p ..... 230,038 224.64 K
s8pu0i~1.dll Fri Feb 4 2005 1:50:10a ..... 230,038 224.64 K
tarmmgr.dll Fri Feb 4 2005 11:59:40a ..... 230,038 224.64 K
winsuck.dll Tue Feb 8 2005 10:33:52a ..... 17,920 17.50 K
winun32.dll Sun Jan 30 2005 4:04:46a A.... 0 0.00 K
14 items found: 14 files (1 H/S), 0 directories.
Total of file sizes: 2,033,803 bytes 1.94 M
Locate .tmp files:
No matches found.
********************************************************************************
**
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is 5433-A367
Directory of C:\WINDOWS\System32
02/07/2005 04:02 PM 0 kwxle.txt
02/04/2005 12:28 PM <DIR> dllcache
02/04/2005 01:45 AM 229,736 k644lghq164e.dll
02/04/2005 01:29 AM 0 d3wq.exe
02/03/2005 02:30 PM 10,824 d3ea.exe
02/01/2005 09:45 AM 413,696 r?gsvr32.exe
02/01/2005 09:42 AM 413,696 m?iexec.exe
01/30/2005 08:39 AM 11,467 msjy32.exe
01/23/2005 09:10 PM 10,824 ntqm.exe
01/23/2005 08:27 PM 29,256 ntod.exe
01/23/2005 07:37 PM 29,256 msyz.exe
01/23/2005 03:41 PM 29,256 netxh32.exe
01/20/2005 08:35 PM 11,550 sdklk.exe
01/20/2005 08:55 AM 10,824 ipxm32.exe
07/20/2004 02:33 PM 71 SYSDRVWC.SYS
12/29/2003 11:39 PM 0 appxa32.exe
12/29/2003 03:53 AM 10,824 neton.exe
12/28/2003 10:31 PM 10,824 apiwi32.exe
12/18/2003 01:03 PM <DIR> Microsoft
17 File(s) 1,222,104 bytes
2 Dir(s) 5,886,500,864 bytes free
-
Close any programs you have open, since this step requires a reboot.
From the l2mfix folder on your desktop, double-click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing Enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, Notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new HijackThis log.
IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!
-
Okay... I left the program running for something like 2 hours, and it still didn't open any Notepad; should I restart or continue allowing it to possibly do something....
Originally, the program only worked in Safe Mode,
so is there any way that I can have it completely run in Safe Mode?
Here's exactly what happened:
I started in Safe Mode. I ran the program. It said it needed to restart to complete, it counted down, it restarted.
I logged on. It said it loaded. It said it was searching, please wait,
and that's where we are.
The program looks frozen (the little red line is not blinking).
-
It probably won't work in Safe Mode.
We must try another method.
Let's try this first>>something is getting in the way and I'm not seeing any updates on this situation.
Download Remv3.zip (http://www.thetechguide.com/forum/index.php?act=Attach&type=post&id=17) and save it to the desktop.
UNZIP the contents to a folder.
IMPORTANT>>you must be in Safe Mode for this to work,
with Windows set to Show Hidden Files and Folders.
In Safe Mode, open the folder you unzipped the contents of remv3.zip into and double-click on
remv3.bat
Let it run until the DOS window closes.
RESTART back to Normal mode.
Remv3.bat would have produced a log.
Navigate to c:\log.txt and post the whole contents of this log.
Also post a fresh HijackThis log.
Please keep the bouncing back and forth between Normal mode and Safe Mode to the minimum you have to.
You're making this very difficult; we still have a bit of cleaning to do and you're allowing these infections to multiply.
You really have to just let me know what the problems are, STOP and wait for instructions.
-
Okay - I am right there.
My computer is starting in Normal mode now... the log file did save to the hard drive, I saw it there,
but now the C command thing is open from earlier, the same one that wouldn't really close.
It says
"killing explorer and rundll32.exe
the system cannot find the path specified
0 files copied
scanning first pass. please wait"
This is the screen where I waited for a whole 2 hours before; however, it said 1 file copied originally.
Thanks, awaiting your instruction,
jordan
-
If the scan finishes with L2Mfix,
post both logs from L2mfix and Remv3.bat.
Also post a fresh HijackThis log.
And try not to do anything else until I get a chance to see all logs, thanks.
I'm stepping out for a bit so I'll see the logs when I get back.
EDIT>>the scan shouldn't take 2 hours.
Tops 5 minutes.
If you can't get the scan to finish, post me the Log.txt from within the L2mfix folder.
If you can't get into Windows in Normal mode:
First hit (Ctrl+Alt+Del) on your keyboard to bring up the Task Manager.
End task on L2mfix.
Then click on FILE in the Task Manager,
New Task (Run),
type in
explorer.exe
and hit OK.
That should get you back to Windows in Normal mode.
I need to see some logs.
-
I had to remove l2mfix from starting during Safe Mode in HijackThis, otherwise it kept opening and freezing.
I also removed my outdated McAfee from starting because when too much stuff was starting it had an aversion to freezing... I
Here's the log.txt:
Files Found.................
----------------------------------------
Files Not deleted.................
----------------------------------------
Merging registry entries
-----------------------------------------------------------------
The Registry Entries Found...
-----------------------------------------------------------------
Other bad files to be Manually deleted.. Please note that this might also list legit Files, be careful while deleting
-----------------------------------------------------------------
msi.dll
and HijackThis:
Logfile of HijackThis v1.99.0
Scan saved at 9:37:12 PM, on 2/8/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = www.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.msn.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.msn.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us.mcafee.com/root/landingpages/cd.asp?affid=105-01&lpname=vsotrial90&dtag=73SRG31&cid=7685&appurl=http://us.mcafee.com/apps/AppCommon/updreg.asp?app=http://us.mcafee.com/apps/vso/en-us/redir.asp?affid=105-01&installtype=force&dtag=73SRG31&lpname=vsotrial90&langid=1&systempopup=true (obfuscated)
O2 - BHO: (no name) - {4C6760DC-238D-9383-FB09-D1F471E71804} - (no file)
O2 - BHO: (no name) - {502B8893-05D5-1E4B-D4E1-6F514A11CDB7} - (no file)
O2 - BHO: (no name) - {79EF8DE9-C305-C8CC-6B87-1ED452FEAE42} - (no file)
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O23 - Service: AOL Connectivity Service - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NOD32 Kernel Service - Unknown - C:\Program Files\Eset\nod32krn.exe
Finished
-
In the L2mfix folder there should be a log called log.txt.
Can you post that here please?
-
This is lo2.txt.
Figure it may be what you're looking for.
L2Mfix 1.02a
Running From:
C:\Documents and Settings\jordan\Desktop\l2mfix
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER
Setting registry permissions:
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Denying C access for really "Everyone"
- adding new ACCESS DENY entry
Registry Permissions set too:
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- Everyone
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER
Setting up for Reboot
Starting Reboot!
C:\Documents and Settings\jordan\Desktop\l2mfix
System Rebooted!
Running From:
C:\Documents and Settings\jordan\Desktop\l2mfix
killing explorer and rundll32.exe
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 1976 'explorer.exe'
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Error, Cannot find a process with an image name of rundll32.exe
-
My daughter switched users on the computer with a virus (who knows why)
and all of the desktop icons opened:
dddd.exe
tvshdg.exe
IEXPLORER (caps lock)
and all of those other demon programs were running.... I don't know what that means, but ...
I'll post another HijackThis log.
-
Logfile of HijackThis v1.99.0
Scan saved at 10:45:30 PM, on 2/8/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\WINDOWS\isrvs\desktop.exe
C:\windows\system32\tvshdg.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\windows\system32\packager.exe
C:\WINDOWS\System32\wuauclt.exe
C:\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = www.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.msn.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.msn.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us.mcafee.com/root/landingpages/cd.asp?affid=105-01&lpname=vsotrial90&dtag=73SRG31&cid=7685&appurl=http://us.mcafee.com/apps/AppCommon/updreg.asp?app=http://us.mcafee.com/apps/vso/en-us/redir.asp?affid=105-01&installtype=force&dtag=73SRG31&lpname=vsotrial90&langid=1&systempopup=true (obfuscated)
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 59.dll
O2 - BHO: (no name) - {4C6760DC-238D-9383-FB09-D1F471E71804} - (no file)
O2 - BHO: (no name) - {502B8893-05D5-1E4B-D4E1-6F514A11CDB7} - (no file)
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll
O2 - BHO: (no name) - {79EF8DE9-C305-C8CC-6B87-1ED452FEAE42} - (no file)
O2 - BHO: &EliteSideBar - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - C:\WINDOWS\EliteSideBar\EliteSideBar 08.dll
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar version 59.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [tvshdg] c:\windows\system32\tvshdg.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: v3cab - http://searchmiracle.com/cab/10.cab
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
O23 - Service: AOL Connectivity Service - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NOD32 Kernel Service - Unknown - C:\Program Files\Eset\nod32krn.exe
-
Is there any way for me to condense all of the users on my computer down to only one user? I have XP.
You know, kind of get rid of the other profiles, so I'm only really dealing with one computer and one set of files running, etc.
I was thinking perhaps it would be easier for me to fix the virus if this was possible.
In any event, upon restarting under my user name it is running more smoothly than it was on hers; however, the tvgmd or whatever it was called, a program called packager.exe, and every once in a while a program called calc.exe are running in my Task Manager and are not allowing a close.
It's really a shame about this whole l2mfix dilemma.
Do you think the virus is stopping it from running? Before that series of restarts to get the l2mfix to complete, the virus seemed basically contained: it hadn't been running during the HijackThis checks or in my Task Manager.
That file ixgnear or whatever it was (the one I disabled from starting automatically)
has disappeared (I checked on it while in Safe Mode running the l2mfix, just out of curiosity, to see if it had stayed disabled).
I thought that was weird.
Thanks a lot, you really go above and beyond, and I hope that you are making money somehow from this site. Let me know if you aren't and I'll take care of you.
-
Well, we still have to do some cleaning
Ensure that you have Notepad.exe in both these locations
C:\WINDOWS and C:\WINDOWS\System32 folders
If one or both are missing download a new copy from this link
http://www.merijn.org/winfiles.html#notepad
Save to desktop and UNZIP to both those folders
Download and Install
SpywareBlaster by JavaCool---will block bad ActiveX and malevolent cookies
Install---Check for Updates---Enable all protection
http://www.javacoolsoftware.com/spywareblaster.html
Hold onto this and check for updates every couple of weeks
Ensure you still have Searchmiracle.reg and Hoster
From this account
Open Hijackthis>>Open Misc Tools>>Open Process Manager and kill these processes
C:\WINDOWS\isrvs\desktop.exe
C:\windows\system32\tvshdg.exe
C:\windows\system32\packager.exe
Do another scan with Hijackthis and put a check next to these entries
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 59.dll
O2 - BHO: (no name) - {4C6760DC-238D-9383-FB09-D1F471E71804} - (no file)
O2 - BHO: (no name) - {502B8893-05D5-1E4B-D4E1-6F514A11CDB7} - (no file)
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll
O2 - BHO: (no name) - {79EF8DE9-C305-C8CC-6B87-1ED452FEAE42} - (no file)
O2 - BHO: &EliteSideBar - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - C:\WINDOWS\EliteSideBar\EliteSideBar 08.dll
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar version 59.dll
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [tvshdg] c:\windows\system32\tvshdg.exe
O16 - DPF: v3cab - http://searchmiracle.com/cab/10.cab
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
Click FIX CHECKED, be sure all other windows are closed
RESTART your computer into safe mode
Find and delete
C:\WINDOWS\isrvs <--this folder
c:\windows\system32\tvshdg.exe <--file
Double click on Searchmiracle.reg and allow to merge to the registry
Open Hoster and Restore Original hosts
Run Windows CleanUp! in Safe mode
RESTART back to Normal mode
I need you to Redownload
eScan in case it was updated, you can delete your old copy
Mwav.exe (ftp://ftp.microworldsystems.com/download/tools/mwav.exe)
There's nothing to install, save it and then double click to run
It will self extract
Select all local drives, scan all files, press 'SCAN' and when it is completed, anything found will be displayed in the lower pane.
In the Virus Log Information Pane
Left click and Highlight all the info in the Lower pane--- Use "CTRL C" on your Keyboard to copy all found in the lower pane and paste it in your next reply.
Also, I'm uploading a file called Findit.zip
UNZIP the contents to a folder, then open that folder and double click on Find.bat. It will run for awhile (should be no longer than 15 minutes) then produce a log (ignore any File not found messages on the screen)
Please copy and paste the contents of the log to this thread please.
Also post a fresh hijackthis log from this log>>We'll Call Log2
Could I have you do one more thing for me, I'm hoping we almost got all of it
Can you go to START>>RUN>>type cmd
Hit ok
Type these into the command prompt box hitting Enter after each
cd\
cd %windir%\system32
dir /a:-d /o:-d > %systemdrive%\system32.txt
start %systemdrive%\system32.txt
cls
exit
The below is how to input
cd\<enter>
cd+%windir%\system32<enter>
dir+/a:-d+/o:-d+>+%systemdrive%\system32.txt<enter>
start+%systemdrive%\system32.txt<enter>
cls<enter>
exit<enter>
NOTE: Don't include the + signs when entering the commands
That is just to indicate where there is a space
A long log should popup
Can you include that log back here please
A few logs to show me, but can you try and show them all, thanks
Do what you can and post back what you can, I may not see the results until tomorrow, so good luck
EDIT>>I added a process to kill with hijackthis before you apply the fixes
If I'm too late, that's ok carry on
C:\windows\system32\packager.exe
[attachment=18:attachment]
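As an added example (not part of the original thread, and not HijackThis' own code), here is a small Python parser for the entry types being fixed in the post above. The sample entries are copied from the log in this thread, with two legitimate ones (Java updater, NOD32 service) mixed in; the section meanings in the comments are standard HijackThis conventions. It derives mechanically the two things the instructions work out by hand: which files have to go in Safe Mode, grouped by folder (which is why C:\WINDOWS\isrvs is removed as a whole), and which entries are registry-only orphans with nothing on disk.

```python
import re
from typing import Dict, List, NamedTuple, Optional

# Constructed sample: entries copied from the HijackThis log posted in this thread.
SAMPLE_HJT = r"""
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 59.dll
O2 - BHO: (no name) - {4C6760DC-238D-9383-FB09-D1F471E71804} - (no file)
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar version 59.dll
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [tvshdg] c:\windows\system32\tvshdg.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O16 - DPF: v3cab - http://searchmiracle.com/cab/10.cab
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
O23 - Service: NOD32 Kernel Service - Unknown - C:\Program Files\Eset\nod32krn.exe
"""

class Entry(NamedTuple):
    section: str            # O2 BHO, O3 toolbar, O4 autorun, O16 DPF, O18 MIME filter, O23 service
    name: str
    clsid: Optional[str]    # COM class id for O2/O3/O18, None for the others
    target: str             # raw target column: a path, a URL, or "(no file)"
    path: Optional[str]     # the on-disk file behind the entry, if there is one

CLSID = r"\{(?P<clsid>[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\}"
PATTERNS = [
    # O2: Browser Helper Object, a DLL loaded into every Internet Explorer process
    ("O2", re.compile(r"^O2 - BHO: (?P<name>.*?) - " + CLSID + r" - (?P<target>.*)$")),
    # O3: IE toolbar, likewise loaded into the browser
    ("O3", re.compile(r"^O3 - Toolbar: (?P<name>.*?) - " + CLSID + r" - (?P<target>.*)$")),
    # O4: Run-key autostart (value name in brackets) and Startup-folder shortcuts
    ("O4", re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<target>.*)$")),
    ("O4", re.compile(r"^O4 - (?P<hive>(?:Global )?Startup): (?P<name>.*?) = (?P<target>.*)$")),
    # O16: Downloaded Program File, an ActiveX package fetched from the URL shown
    ("O16", re.compile(r"^O16 - DPF: (?P<name>.*) - (?P<target>\S+)$")),
    # O18: MIME filter; a text/html filter sees every HTML page IE renders
    ("O18", re.compile(r"^O18 - Filter: (?P<name>\S+) - " + CLSID + r" - (?P<target>.*)$")),
    # O23: NT service, started at boot independent of who is logged on
    ("O23", re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<vendor>.*?) - (?P<target>.*)$")),
]
FILE_RE = re.compile(r'^"?(?P<p>[A-Za-z]:\\.*?\.(?:exe|dll|lnk|cpl|scr))"?', re.IGNORECASE)

def _local_path(target: str) -> Optional[str]:
    """Pull the file path out of a target column; None for '(no file)' and remote URLs."""
    if target.startswith("(no file)") or re.match(r"^[a-z]+://", target, re.IGNORECASE):
        return None
    m = FILE_RE.match(target)
    return m.group("p") if m else None

def parse_hjt(text: str) -> List[Entry]:
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        for section, pat in PATTERNS:
            m = pat.match(line)
            if m:
                d = m.groupdict()
                entries.append(Entry(section, d["name"], d.get("clsid"), d["target"],
                                     _local_path(d["target"])))
                break
    return entries

def registry_only(entries: List[Entry]) -> List[Entry]:
    """'(no file)' entries: orphaned CLSIDs. 'Fix checked' removes the key; there is nothing on disk."""
    return [e for e in entries if e.target.startswith("(no file)")]

def deletion_targets(entries: List[Entry]) -> List[str]:
    """Distinct on-disk files behind the entries, lower-cased so C:\\WINDOWS and c:\\windows merge."""
    return sorted({e.path.lower() for e in entries if e.path})

def by_folder(paths: List[str]) -> Dict[str, List[str]]:
    """Group files by parent folder; several hits in one folder make the folder the removal unit."""
    groups: Dict[str, List[str]] = {}
    for p in paths:
        folder, _, name = p.rpartition("\\")
        groups.setdefault(folder, []).append(name)
    return groups

def loaded_into_browser(entries: List[Entry]) -> List[Entry]:
    """Components that run inside IE itself (BHO, toolbar, MIME filter), so IE must be closed before fixing."""
    return [e for e in entries if e.section in ("O2", "O3", "O18") and e.path]

if __name__ == "__main__":
    ents = parse_hjt(SAMPLE_HJT)
    for folder, files in sorted(by_folder(deletion_targets(ents)).items()):
        print(folder, "->", ", ".join(sorted(files)))
    for e in registry_only(ents):
        print("registry only:", e.section, e.clsid)
```

The folder grouping is the useful part: three separate entries (a BHO, a Run value and a MIME filter) all point into C:\WINDOWS\isrvs, which is why the instructions delete that folder rather than chasing the files one at a time. Note that the two legitimate entries in the sample are listed as targets too; the parser extracts paths, it does not decide what is malicious. That judgement is the helper's, made from the full log.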
-
Small problem:
tvs.... there is no file named that... is this okay?
It's not on my computer at all, which is strange because I seem to catch it running quite often.
-
If you have to, before you restart back to Normal mode
Open Kill box and input this into the Full path of file to delete
C:\windows\system32\tvshdg.exe
Put a tick on Replace on Reboot
and Use Dummy
Then click the RED X button
Allow it to Restart
Make this the last thing you do before restarting back to Normal mode
If you experience any errors on startup, don't worry and try and do everything else posted
I need to see the logs.........
I almost forgot, can I get you to run Service filter again
Double-click ServiceFilter.vbs, if you get a prompt from your Anti-Virus, Allow this to run, we are just collecting information
This script will create a text file named 'Post_This.txt' in the same folder as the script itself has been saved - copy and paste the contents of Post_This.txt in your next reply here.
I'm throwing a lot of logs at you but I'm hoping these are the last ones
-
File C:\WINDOWS\explorer.exe infected by "Virus.Win32.Bube.d" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\brew.dll infected by "Trojan-Downloader.Win32.Small.ajp" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\brew.dll infected by "Trojan-Downloader.Win32.Small.ajp" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Explorer.exe infected by "Virus.Win32.Bube.d" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\addah32.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\addyx.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\apiok32.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\appbu32.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\appcr32.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\appvg32.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\BTGrab.dll infected by "not-a-virus:AdWare.BiSpy.t" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\crkp32.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\crne32.exe infected by "Trojan-Downloader.Win32.Small.ajr" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\crqo.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\cruh.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\d3fm32.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\d3ui32.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\iebc.exe infected by "Trojan-Downloader.Win32.Small.ajr" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\ienm.exe infected by "Trojan-Downloader.Win32.Small.ajr" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\ipgn32.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\ipko32.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\javaqv.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\mfckx.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\mspf.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\mstl32.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\msxmidi.exe infected by "Virus.Win32.Bube.b" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\NDNuninstall6_22.exe infected by "not-a-virus:AdWare.NewDotNet" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\netfd32.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\netsa32.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\ntjg.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\ntqc32.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\sdked32.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SSK_B5.EXE infected by "Trojan-Dropper.Win32.SurfSide.a" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\sysfe.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\sysfh32.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\sysiz32.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\sysvg.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\winlb32.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\woinstall.exe infected by "not-a-virus:AdWare.EZula.ak" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\304390.exe infected by "Trojan-Clicker.Win32.Small.dm" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\311375.exe infected by "Trojan-Clicker.Win32.Small.dm" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\addcr32.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\apitu.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\apiwi32.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\appgo32.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\cp.exe infected by "Trojan-Downloader.Win32.Agent.ic" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\crbt.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\crza.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\d3bl.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\d3ea.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\d3tj32.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\dfe.exe infected by "Trojan.Win32.LowZones.ac" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\dOnim.dll infected by "not-a-virus:AdWare.Look2Me.u" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\eliteztm32.exe infected by "Trojan.Win32.StartPage.nk" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\eree.exe infected by "Trojan-Clicker.Win32.Agent.bn" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\fgrr.exe infected by "Trojan-Dropper.Win32.Small.sa" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\htt.exe infected by "not-a-virus:AdWare.ToolBar.ISearch.d" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\ipdy32.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\ipmp.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\ipxm32.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\iwdwin.dll infected by "not-a-virus:AdWare.PurityScan.ak" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\javaul.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\KVIF_7.dll infected by "Trojan-Downloader.Win32.Keenval.e" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\l06olaj31do.dll infected by "not-a-virus:AdWare.Look2Me.u" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\LMWND13n.DLL infected by "not-a-virus:AdWare.Look2Me.u" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\lvno0953e.dll infected by "not-a-virus:AdWare.Look2Me.u" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\mac80ex.idf infected by "not-a-virus:AdWare.BargainBuddy.l" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\mfchc32.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\mqexdlm.srg infected by "not-a-virus:AdWare.ToolBar.Exact" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\msab.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\msfe.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\msjy32.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\msyz.exe infected by "Trojan-Downloader.Win32.Small.ajr" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\netoh.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\neton.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\netut80ex.vxd infected by "not-a-virus:AdWare.ToolBar.Exact" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\netxh32.exe infected by "Trojan-Downloader.Win32.Small.ajr" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\nndptyl.exe infected by "Trojan-Downloader.Win32.IstBar.gen" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\nteu.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\ntod.exe infected by "Trojan-Downloader.Win32.Small.ajr" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\ntqm.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\o884lilq18qe.dll infected by "not-a-virus:AdWare.Look2Me.u" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\Process.exe tagged as not-a-virus:RiskWare.Tool.Processor.20. No Action Taken.
File C:\WINDOWS\System32\s8pu0i79e8.dll infected by "not-a-virus:AdWare.Look2Me.u" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\sdklk.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\SHAgentNew.dll infected by "not-a-virus:AdWare.Sahat.g" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\sysal32.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\sysdl.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\tarmmgr.dll infected by "not-a-virus:AdWare.Look2Me.u" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\wbfkfebl.dll infected by "Trojan.Win32.Agent.aw" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\wined32.exe infected by "Trojan-Downloader.Win32.Small.ajr" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\WinSuck.dll infected by "Trojan-Clicker.Win32.Agent.ca" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\Xcite.dll infected by "not-a-virus:AdWare.F1Organizer.m" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\Xcite2.exe infected by "not-a-virus:AdWare.F1Organizer.m" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\All Users\Application Data\AOL Downloads\setup90\comp01.000 tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy2.zip infected by "Password-protected-EXE" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy5.zip infected by "Password-protected-EXE" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\jordan\Desktop\l2mfix\Process.exe tagged as not-a-virus:RiskWare.Tool.Processor.20. No Action Taken.
File C:\HJT\backups\backup-20050207-220637-306.dll infected by "not-a-virus:AdWare.ToolBar.EliteBar.z" Virus. Action Taken: No Action Taken.
File C:\HJT\backups\backup-20050207-220637-433.dll infected by "not-a-virus:AdWare.MediaTickets.f" Virus. Action Taken: No Action Taken.
File C:\HJT\backups\backup-20050207-220637-968.dll infected by "not-a-virus:AdWare.ToolBar.EliteBar.z" Virus. Action Taken: No Action Taken.
File C:\HJT\backups\backup-20050208-104237-313.dll infected by "not-a-virus:AdWare.MediaTickets.f" Virus. Action Taken: No Action Taken.
File C:\HJT\backups\backup-20050208-104237-432.dll infected by "not-a-virus:AdWare.BiSpy.t" Virus. Action Taken: No Action Taken.
File C:\HJT\backups\backup-20050208-104237-651.dll infected by "Trojan.Win32.Golid.e" Virus. Action Taken: No Action Taken.
File C:\HJT\backups\backup-20050208-104237-918.dll infected by "not-a-virus:AdWare.PurityScan.ak" Virus. Action Taken: No Action Taken.
File C:\HJT\backups\backup-20050208-143714-783.dll infected by "Trojan-Clicker.Win32.Agent.bz" Virus. Action Taken: No Action Taken.
File C:\HJT\backups\backup-20050208-225029-174.dll infected by "not-a-virus:AdWare.ToolBar.EliteBar.z" Virus. Action Taken: No Action Taken.
File C:\HJT\backups\backup-20050208-225029-354.dll infected by "not-a-virus:AdWare.ToolBar.EliteBar.z" Virus. Action Taken: No Action Taken.
File C:\HJT\backups\backup-20050208-225029-922.dll infected by "Trojan-Downloader.Win32.Ieser.a" Virus. Action Taken: No Action Taken.
File C:\HJT\backups\backup-20050209-004902-169.dll infected by "Trojan-Downloader.Win32.Ieser.a" Virus. Action Taken: No Action Taken.
File C:\ntdetect.hta infected by "Trojan-Dropper.VBS.Inor.cj" Virus. Action Taken: No Action Taken.
File C:\Program Files\AIM\aim95.exe infected by "not-a-virus:AdWare.MiniBug" Virus. Action Taken: No Action Taken.
File C:\Program Files\AIM\Sysfiles\WxBug.EXE infected by "not-a-virus:AdWare.MiniBug" Virus. Action Taken: No Action Taken.
File C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll infected by "not-a-virus:AdWare.MiniBug" Virus. Action Taken: No Action Taken.
File C:\Program Files\ESET\infected\FLPIUOBA.NQF infected by "Trojan-Dropper.Win32.Agent.ch" Virus. Action Taken: No Action Taken.
File C:\Program Files\ESET\infected\RMAD2MAA.NQF infected by "Trojan.Win32.StartPage.nk" Virus. Action Taken: No Action Taken.
File C:\Program Files\MyWay\myBar\1.bin\MY2NS.EXE infected by "not-a-virus:AdWare.Toolbar.MyWay.b" Virus. Action Taken: No Action Taken.
File C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL infected by "not-a-virus:AdWare.ToolBar.MyWay.g" Virus. Action Taken: No Action Taken.
File C:\Program Files\TopConverting\arkanoid\arkanoid.exe infected by "not-a-virus:AdWare.WinShow.f" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0049394.new infected by "Virus.Win32.Bube.d" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0049395.exe infected by "not-a-virus:AdWare.BargainBuddy.n" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0049403.exe infected by "not-a-virus:AdWare.BargainBuddy.n" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0049404.exe infected by "not-a-virus:AdWare.BargainBuddy.n" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0049407.dll infected by "not-a-virus:AdWare.BiSpy.t" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0050400.dll infected by "not-a-virus:AdWare.BiSpy.t" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0050409.dll infected by "not-a-virus:AdWare.BiSpy.t" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0050410.dll infected by "Trojan-Downloader.Win32.Agent.iu" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0050413.exe infected by "not-a-virus:AdWare.PowerScan.c" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0050425.dll infected by "not-a-virus:AdWare.BiSpy.t" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0050430.exe infected by "not-a-virus:AdWare.BetterInternet" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0050434.exe infected by "not-a-virus:AdWare.MetaDirect.a" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0050443.exe infected by "not-a-virus:AdWare.BargainBuddy.n" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0050444.exe infected by "not-a-virus:AdWare.BargainBuddy.n" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0050447.dll infected by "not-a-virus:AdWare.BiSpy.t" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0053437.sys infected by "Trojan.Win32.Agent.aw" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0053438.dll infected by "Trojan-Downloader.Win32.Agent.iu" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0053444.exe infected by "not-a-virus:PornWare.Dialer.Salc" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0053445.exe infected by "Trojan-Dropper.Win32.Small.sa" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0053446.dll infected by "Trojan-Downloader.Win32.Small.ajp" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0053450.dll infected by "not-a-virus:AdWare.ToolBar.EliteBar.z" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0053456.exe infected by "Trojan.Win32.LowZones.ac" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0053457.exe infected by "Trojan-Clicker.Win32.Agent.bn" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0053458.exe infected by "not-a-virus:AdWare.ToolBar.ISearch.d" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0054441.dll infected by "not-a-virus:AdWare.BiSpy.t" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0054450.dll infected by "not-a-virus:AdWare.BiSpy.t" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0055437.dll infected by "not-a-virus:AdWare.BiSpy.t" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0056445.dll infected by "Trojan-Downloader.Win32.Small.ajp" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0056449.exe infected by "Trojan.Win32.Agent.ay" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0056450.exe infected by "Virus.Win32.Bube.b" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0056451.exe infected by "Trojan-Dropper.Win32.Tibsis.b" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0056452.exe infected by "Trojan-Downloader.Win32.Agent.ji" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0056453.exe infected by "Trojan-Downloader.Win32.Agent.ji" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0056454.exe infected by "Virus.Win32.Bube.b" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0056457.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0056458.exe infected by "not-a-virus:AdWare.ToolBar.ISearch.d" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0056461.dll infected by "not-a-virus:AdWare.ToolBar.ISearch.d" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0056463.dll infected by "Trojan-Downloader.Win32.Ieser.a" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0056508.exe infected by "not-a-virus:PornWare.Dialer.Salc" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0056510.exe infected by "Trojan-Clicker.Win32.Agent.bn" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0056511.exe infected by "Trojan-Dropper.Win32.Small.rx" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0056512.exe infected by "Trojan.Win32.LowZones.ai" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0056513.exe infected by "Trojan-Dropper.Win32.Small.sa" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0056514.exe infected by "Trojan-Dropper.Win32.Small.sa" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0056516.exe infected by "not-a-virus:AdWare.ToolBar.ISearch.d" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0059535.exe infected by "not-a-virus:AdWare.PurityScan.v" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0059537.exe infected by "not-a-virus:AdWare.BetterInternet" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0059548.dll infected by "not-a-virus:AdWare.ToolBar.EliteBar.z" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0059550.dll infected by "not-a-virus:AdWare.ToolBar.EliteBar.z" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0059585.exe infected by "Trojan.Win32.LowZones.ai" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0059586.exe infected by "Trojan-Clicker.Win32.Agent.bn" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0059587.exe infected by "not-a-virus:AdWare.ToolBar.ISearch.d" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0059594.exe infected by "not-a-virus:AdWare.BetterInternet" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0059596.exe infected by "not-a-virus:PornWare.Dialer.Salc" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0059603.dll infected by "not-a-virus:AdWare.BiSpy.t" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0059605.dll infected by "Trojan.Win32.Golid.e" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0059606.dll infected by "not-a-virus:AdWare.PurityScan.ak" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0059607.dll infected by "not-a-virus:AdWare.BiSpy.t" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0059612.exe infected by "Trojan.Win32.LowZones.ai" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0059613.exe infected by "Trojan-Clicker.Win32.Agent.bn" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0059614.exe infected by "not-a-virus:AdWare.ToolBar.ISearch.d" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0059626.dll infected by "not-a-virus:AdWare.ToolBar.ISearch.d" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0059627.exe infected by "not-a-virus:AdWare.ToolBar.ISearch.d" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0059630.dll infected by "Trojan-Downloader.Win32.Ieser.a" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0059635.exe infected by "not-a-virus:AdWare.BetterInternet" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0059644.exe infected by "not-a-virus:PornWare.Dialer.Salc" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0059646.exe infected by "Trojan-Clicker.Win32.Agent.ca" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0059647.exe infected by "Trojan-Clicker.Win32.Agent.bz" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0059652.exe infected by "Trojan.Win32.Agent.ay" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0059653.dll infected by "not-a-virus:AdWare.BiSpy.t" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0059654.dll infected by "not-a-virus:AdWare.BiSpy.t" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0059657.exe infected by "not-a-virus:AdWare.PurityScan.v" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0059658.exe infected by "not-a-virus:PornWare.Dialer.Salc" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0059659.exe infected by "Trojan.Win32.LowZones.ai" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0059660.exe infected by "Trojan-Clicker.Win32.Agent.bn" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0059661.exe infected by "not-a-virus:AdWare.ToolBar.ISearch.d" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0059662.exe infected by "not-a-virus:AdWare.PurityScan.v" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0059664.exe infected by "not-a-virus:AdWare.ToolBar.ISearch.d" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0059667.dll infected by "not-a-virus:AdWare.ToolBar.ISearch.d" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0059669.dll infected by "Trojan-Downloader.Win32.Ieser.a" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0062695.exe infected by "Trojan-Clicker.Win32.Agent.ca" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0062696.exe infected by "Trojan.Win32.LowZones.ai" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0062698.exe infected by "Trojan-Dropper.Win32.Small.sa" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0062699.exe infected by "Trojan-Clicker.Win32.Agent.bn" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0062700.exe infected by "not-a-virus:AdWare.ToolBar.ISearch.d" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0062701.exe infected by "Trojan-Clicker.Win32.Agent.bz" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0062703.exe infected by "not-a-virus:PornWare.Dialer.Salc" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0063688.exe infected by "Virus.Win32.Bube.b" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0063694.exe tagged as not-a-virus:RiskWare.Tool.Processor.20. No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0065690.exe infected by "not-a-virus:PornWare.Dialer.Salc" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0065691.exe infected by "Trojan.Win32.LowZones.ai" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0065693.exe infected by "Trojan-Clicker.Win32.Agent.bn" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0065695.exe infected by "not-a-virus:AdWare.ToolBar.ISearch.d" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0065701.exe infected by "Trojan-Clicker.Win32.Small.dm" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0065704.exe infected by "Trojan-Clicker.Win32.Small.dm" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0067740.dll infected by "Trojan-Clicker.Win32.Agent.bz" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0069697.exe infected by "Trojan-Downloader.Win32.Agent.gn" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0077740.exe infected by "not-a-virus:AdWare.BetterInternet" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0077743.dll infected by "not-a-virus:AdWare.BiSpy.t" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0077756.dll infected by "not-a-virus:AdWare.BiSpy.t" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0077765.dll infected by "not-a-virus:AdWare.ToolBar.EliteBar.z" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0077766.dll infected by "not-a-virus:AdWare.ToolBar.EliteBar.z" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0077768.exe infected by "not-a-virus:PornWare.Dialer.Salc" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0077769.exe infected by "Trojan.Win32.LowZones.ai" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0077771.exe infected by "Trojan-Clicker.Win32.Agent.bn" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0077772.exe infected by "not-a-virus:AdWare.ToolBar.ISearch.d" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0077774.exe infected by "not-a-virus:PornWare.Dialer.Salc" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0077794.exe infected by "Trojan.Win32.Agent.ay" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0077796.exe infected by "not-a-virus:AdWare.Zestyfind" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0077979.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0078202.exe infected by "Trojan-Downloader.Win32.Agent.gn" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0078219.exe infected by "not-a-virus:AdWare.ToolBar.ISearch.d" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0078222.dll infected by "not-a-virus:AdWare.ToolBar.ISearch.d" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0078224.dll infected by "Trojan-Downloader.Win32.Ieser.a" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\addah32.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\addyx.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\apiok32.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\appbu32.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\appcr32.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\appvg32.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\BTGrab.dll infected by "not-a-virus:AdWare.BiSpy.t" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\crkp32.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\crne32.exe infected by "Trojan-Downloader.Win32.Small.ajr" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\crqo.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\cruh.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\d3fm32.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\d3ui32.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\CONFLICT.1\v3.dll infected by "not-a-virus:AdWare.ToolBar.EliteBar.s" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\CONFLICT.10\v3.dll infected by "not-a-virus:AdWare.ToolBar.EliteBar.s" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\CONFLICT.2\v3.dll infected by "not-a-virus:AdWare.ToolBar.EliteBar.s" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\CONFLICT.3\v3.dll infected by "not-a-virus:AdWare.ToolBar.EliteBar.s" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\CONFLICT.4\v3.dll infected by "not-a-virus:AdWare.ToolBar.EliteBar.s" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\CONFLICT.5\v3.dll infected by "not-a-virus:AdWare.ToolBar.EliteBar.s" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\CONFLICT.6\v3.dll infected by "not-a-virus:AdWare.ToolBar.EliteBar.s" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\CONFLICT.7\v3.dll infected by "not-a-virus:AdWare.ToolBar.EliteBar.s" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\CONFLICT.8\v3.dll infected by "not-a-virus:AdWare.ToolBar.EliteBar.s" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\CONFLICT.9\v3.dll infected by "not-a-virus:AdWare.ToolBar.EliteBar.s" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\v3.dll infected by "not-a-virus:AdWare.ToolBar.EliteBar.s" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\YSBactivex.dll infected by "Trojan-Downloader.Win32.IstBar.gz" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\iebc.exe infected by "Trojan-Downloader.Win32.Small.ajr" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\ienm.exe infected by "Trojan-Downloader.Win32.Small.ajr" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\inst\3p1.exe infected by "not-a-virus:AdWare.BetterInternet" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\ipgn32.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\ipko32.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\javaqv.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\mfckx.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\mspf.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\mstl32.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\msxmidi.exe infected by "Virus.Win32.Bube.b" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\NDNuninstall6_22.exe infected by "not-a-virus:AdWare.NewDotNet" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\netfd32.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\netsa32.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\ntjg.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\ntqc32.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\sdked32.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SSK_B5.EXE infected by "Trojan-Dropper.Win32.SurfSide.a" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\sysfe.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\sysfh32.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\sysiz32.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\304390.exe infected by "Trojan-Clicker.Win32.Small.dm" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\311375.exe infected by "Trojan-Clicker.Win32.Small.dm" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\addcr32.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\apitu.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\apiwi32.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\appgo32.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\cp.exe infected by "Trojan-Downloader.Win32.Agent.ic" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\crbt.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\crza.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\d3bl.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\d3ea.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\d3tj32.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\dfe.exe infected by "Trojan.Win32.LowZones.ac" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\dllcache\explorer.exe infected by "Virus.Win32.Bube.d" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\dOnim.dll infected by "not-a-virus:AdWare.Look2Me.u" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\eliteztm32.exe infected by "Trojan.Win32.StartPage.nk" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\eree.exe infected by "Trojan-Clicker.Win32.Agent.bn" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\fgrr.exe infected by "Trojan-Dropper.Win32.Small.sa" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\htt.exe infected by "not-a-virus:AdWare.ToolBar.ISearch.d" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\ipdy32.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\ipmp.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\ipxm32.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\iwdwin.dll infected by "not-a-virus:AdWare.PurityScan.ak" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\javaul.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\KVIF_7.dll infected by "Trojan-Downloader.Win32.Keenval.e" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\l06olaj31do.dll infected by "not-a-virus:AdWare.Look2Me.u" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\LMWND13n.DLL infected by "not-a-virus:AdWare.Look2Me.u" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\lvno0953e.dll infected by "not-a-virus:AdWare.Look2Me.u" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\mac80ex.idf infected by "not-a-virus:AdWare.BargainBuddy.l" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\mfchc32.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\mqexdlm.srg infected by "not-a-virus:AdWare.ToolBar.Exact" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\msab.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\msfe.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\msjy32.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\msyz.exe infected by "Trojan-Downloader.Win32.Small.ajr" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\netoh.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\neton.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\netut80ex.vxd infected by "not-a-virus:AdWare.ToolBar.Exact" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\netxh32.exe infected by "Trojan-Downloader.Win32.Small.ajr" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\nndptyl.exe infected by "Trojan-Downloader.Win32.IstBar.gen" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\nteu.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\ntod.exe infected by "Trojan-Downloader.Win32.Small.ajr" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\ntqm.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\o884lilq18qe.dll infected by "not-a-virus:AdWare.Look2Me.u" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\Process.exe tagged as not-a-virus:RiskWare.Tool.Processor.20. No Action Taken.
File C:\WINDOWS\system32\s8pu0i79e8.dll infected by "not-a-virus:AdWare.Look2Me.u" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\sdklk.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\SHAgentNew.dll infected by "not-a-virus:AdWare.Sahat.g" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\sysal32.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\sysdl.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\tarmmgr.dll infected by "not-a-virus:AdWare.Look2Me.u" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\wbfkfebl.dll infected by "Trojan.Win32.Agent.aw" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\wined32.exe infected by "Trojan-Downloader.Win32.Small.ajr" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\WinSuck.dll infected by "Trojan-Clicker.Win32.Agent.ca" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\Xcite.dll infected by "not-a-virus:AdWare.F1Organizer.m" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\Xcite2.exe infected by "not-a-virus:AdWare.F1Organizer.m" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\sysvg.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\winlb32.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\woinstall.exe infected by "not-a-virus:AdWare.EZula.ak" Virus. Action Taken: No Action Taken.
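As an added example that is not part of the thread, the following Python script parses report lines in the eScan format shown above and tallies them by detection name and directory. It separates copies held under System Volume Information (restore-point snapshots, which are inert unless a restore point is used) from live files, and separates "not-a-virus:" adware and tool hits from malware proper, so the list of live locations that need attention can be printed rather than copied by hand. The sample lines, paths, GUID and detection names embedded in the block are constructed for illustration and are not taken from the report.

```python
import re
from collections import Counter, defaultdict
from typing import NamedTuple, Optional

# Constructed sample lines in the eScan report format seen in the thread.
# Paths, the GUID and the detection names are made up for illustration.
SAMPLE_REPORT = r"""
File C:\System Volume Information\_restore{EXAMPLE-GUID}\RP388\A0000001.exe infected by "Trojan.Win32.Example.a" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{EXAMPLE-GUID}\RP388\A0000002.dll infected by "not-a-virus:AdWare.Example.b" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\example1.exe infected by "Backdoor.Win32.Example.c" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\example2.exe infected by "Backdoor.Win32.Example.c" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\tool.exe tagged as not-a-virus:RiskWare.Tool.Example. No Action Taken.
Scan finished (this line is not a detection and must be ignored).
"""

# Two line shapes appear in the report: "infected by ..." and "tagged as ...".
INFECTED_RE = re.compile(
    r'^File (?P<path>.+?) infected by "(?P<name>[^"]+)" Virus\. '
    r'Action Taken: (?P<action>.+?)\.$'
)
TAGGED_RE = re.compile(
    r'^File (?P<path>.+?) tagged as (?P<name>.+?)\. (?P<action>.+?)\.$'
)


class Detection(NamedTuple):
    path: str
    directory: str
    filename: str
    name: str                # detection name exactly as reported
    action: str
    in_restore_point: bool   # copy held under System Volume Information
    is_riskware: bool        # "not-a-virus:" prefix = adware/tool, not malware


def parse_line(line: str) -> Optional[Detection]:
    """Parse one report line; return None for lines that are not detections."""
    line = line.strip()
    m = INFECTED_RE.match(line) or TAGGED_RE.match(line)
    if not m:
        return None
    path = m.group("path")
    directory, _, filename = path.rpartition("\\")
    return Detection(
        path=path,
        directory=directory,
        filename=filename,
        name=m.group("name"),
        action=m.group("action"),
        in_restore_point="\\system volume information\\" in path.lower(),
        is_riskware=m.group("name").lower().startswith("not-a-virus:"),
    )


def parse_report(text: str) -> list:
    """Parse a whole report, skipping lines that are not detections."""
    return [d for d in (parse_line(ln) for ln in text.splitlines()) if d]


def summarize(detections) -> dict:
    """Tally detections by location class, detection name and directory."""
    by_name = Counter(d.name for d in detections)
    by_dir = defaultdict(list)
    for d in detections:
        by_dir[d.directory].append(d.filename)
    return {
        "total": len(detections),
        "live": sum(1 for d in detections if not d.in_restore_point),
        "restore_point": sum(1 for d in detections if d.in_restore_point),
        "malware": sum(1 for d in detections if not d.is_riskware),
        "riskware": sum(1 for d in detections if d.is_riskware),
        "untouched": sum(1 for d in detections if d.action == "No Action Taken"),
        "by_name": by_name,
        "by_dir": dict(by_dir),
    }


def live_locations(detections) -> list:
    """Sorted directories holding live (non-restore-point) detections."""
    return sorted({d.directory for d in detections if not d.in_restore_point})


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    s = summarize(found)
    print(f"{s['total']} detections: {s['live']} live, "
          f"{s['restore_point']} in restore points, {s['untouched']} not cleaned")
    for name, n in s["by_name"].most_common():
        print(f"  {n:3d}  {name}")
    print("Live directories to review:")
    for directory in live_locations(found):
        print("  " + directory)
        for fn in s["by_dir"][directory]:
            print("      " + fn)
```

To run it over a real report, replace SAMPLE_REPORT with the saved log text; lines that do not match either shape are ignored rather than raising, so a pasted log with headers or summary lines still parses.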
-
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.
Find.bat is running from: C:\Documents and Settings\jordan\Desktop\Find_It_NT_2K_XP-1\Find It NT-2K-XP
------- System Files in System32 Directory -------
Volume in drive C has no label.
Volume Serial Number is 5433-A367
Directory of C:\WINDOWS\System32
02/09/2005 12:43 AM <DIR> dllcache
02/07/2005 04:02 PM 0 kwxle.txt
02/04/2005 01:45 AM 229,736 k644lghq164e.dll
02/04/2005 01:29 AM 0 d3wq.exe
02/03/2005 02:30 PM 10,824 d3ea.exe
02/01/2005 09:45 AM 413,696 r?gsvr32.exe
02/01/2005 09:42 AM 413,696 m?iexec.exe
01/30/2005 08:39 AM 11,467 msjy32.exe
01/23/2005 09:10 PM 10,824 ntqm.exe
01/23/2005 08:27 PM 29,256 ntod.exe
01/23/2005 07:37 PM 29,256 msyz.exe
01/23/2005 03:41 PM 29,256 netxh32.exe
01/20/2005 08:35 PM 11,550 sdklk.exe
01/20/2005 08:55 AM 10,824 ipxm32.exe
07/20/2004 02:33 PM 71 SYSDRVWC.SYS
12/29/2003 11:39 PM 0 appxa32.exe
12/29/2003 03:53 AM 10,824 neton.exe
12/28/2003 10:31 PM 10,824 apiwi32.exe
12/18/2003 01:03 PM <DIR> Microsoft
17 File(s) 1,222,104 bytes
2 Dir(s) 6,071,160,832 bytes free
------- Hidden Files in System32 Directory -------
Volume in drive C has no label.
Volume Serial Number is 5433-A367
Directory of C:\WINDOWS\System32
02/09/2005 12:43 AM <DIR> dllcache
02/07/2005 04:02 PM 0 kwxle.txt
02/04/2005 01:29 AM 0 d3wq.exe
02/03/2005 02:30 PM 10,824 d3ea.exe
02/01/2005 09:45 AM 413,696 r?gsvr32.exe
02/01/2005 09:42 AM 413,696 m?iexec.exe
01/30/2005 08:39 AM 11,467 msjy32.exe
01/23/2005 09:10 PM 10,824 ntqm.exe
01/23/2005 08:27 PM 29,256 ntod.exe
01/23/2005 07:37 PM 29,256 msyz.exe
01/23/2005 03:41 PM 29,256 netxh32.exe
01/20/2005 08:35 PM 11,550 sdklk.exe
01/20/2005 08:55 AM 10,824 ipxm32.exe
07/20/2004 02:33 PM 71 SYSDRVWC.SYS
12/29/2003 11:39 PM 0 appxa32.exe
12/29/2003 03:53 AM 10,824 neton.exe
12/28/2003 10:31 PM 10,824 apiwi32.exe
12/18/2003 12:38 PM 488 WindowsLogon.manifest
12/18/2003 12:38 PM 488 logonui.exe.manifest
12/18/2003 12:38 PM 749 sapi.cpl.manifest
12/18/2003 12:38 PM 749 cdplayer.exe.manifest
12/18/2003 12:38 PM 749 ncpa.cpl.manifest
12/18/2003 12:38 PM 749 nwc.cpl.manifest
12/18/2003 12:38 PM 749 wuaucpl.cpl.manifest
23 File(s) 997,089 bytes
1 Dir(s) 6,071,156,736 bytes free
------------ Files Named "Guard" ---------------
Volume in drive C has no label.
Volume Serial Number is 5433-A367
Directory of C:\WINDOWS\System32
------ Temp Files in System32 Directory ------
Volume in drive C has no label.
Volume Serial Number is 5433-A367
Directory of C:\WINDOWS\System32
------------------ User Agent ----------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{D2AD9633-36F1-4338-AA11-469CA091B890}"=""
------------- Keys Under Notify -------------
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
------------- Locate.com Results -------------
C:\WINDOWS\SYSTEM32\
d3ea.exe Thu Feb 3 2005 2:31:00p A.SH. 10,824 10.57 K
d3wq.exe Fri Feb 4 2005 1:29:44a A.SH. 0 0.00 K
ipxm32.exe Thu Jan 20 2005 8:55:58a A.SH. 10,824 10.57 K
k644lg~1.dll Fri Feb 4 2005 1:45:12a ..S.R 229,736 224.35 K
kwxle.txt Mon Feb 7 2005 4:02:12p A.SH. 0 0.00 K
msjy32.exe Sun Jan 30 2005 8:39:30a A.SH. 11,467 11.20 K
msyz.exe Sun Jan 23 2005 7:37:42p A.SH. 29,256 28.57 K
miexec~1.exe Tue Feb 1 2005 9:42:42a ..SHR 413,696 404.00 K
netxh32.exe Sun Jan 23 2005 3:41:36p A.SH. 29,256 28.57 K
ntod.exe Sun Jan 23 2005 8:27:44p A.SH. 29,256 28.57 K
ntqm.exe Sun Jan 23 2005 9:10:40p A.SH. 10,824 10.57 K
rgsvr3~1.exe Tue Feb 1 2005 9:45:40a ..SHR 413,696 404.00 K
sdklk.exe Thu Jan 20 2005 8:35:14p A.SH. 11,550 11.28 K
13 items found: 13 files, 0 directories.
Total of file sizes: 1,200,385 bytes 1.14 M
-------- Strings.exe Qoologic Results --------
--------- Strings.exe Aspack Results ---------
-------------- HKLM Run Key ----------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdaptecDirectCD"="\"C:\\Program Files\\Roxio\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"VSOCheckTask"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcmnhdlr.exe\" /checktask"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\j2re1.4.2_03\\bin\\jusched.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"Desktop Search"="C:\\WINDOWS\\isrvs\\desktop.exe"
"ffis"="C:\\WINDOWS\\isrvs\\ffisearch.exe"
-
Logfile of HijackThis v1.99.0
Scan saved at 9:54:54 AM, on 2/9/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\WINDOWS\explorer.exe
C:\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.msn.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.msn.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us.mcafee.com/root/landingpages/cd....ystempopup=true (http://\"http://us.mcafee.com/root/landingpages/cd.asp?affid=105-01&lpname=vsotrial90&dtag=73SRG31&cid=7685&appurl=http://us.mcafee.com/apps/AppCommon/updreg.asp?app=http://us.mcafee.com/apps/vso/en-us/redir.asp?affid=105-01&installtype=force&dtag=73SRG31&lpname=vsotrial90&langid=1&systempopup=true\") (obfuscated)
O2 - BHO: (no name) - {4C6760DC-238D-9383-FB09-D1F471E71804} - (no file)
O2 - BHO: (no name) - {502B8893-05D5-1E4B-D4E1-6F514A11CDB7} - (no file)
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll (file missing)
O2 - BHO: (no name) - {79EF8DE9-C305-C8CC-6B87-1ED452FEAE42} - (no file)
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - (no file)
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NOD32 Kernel Service - Unknown - C:\Program Files\Eset\nod32krn.exe
-
Volume in drive C has no label.
Volume Serial Number is 5433-A367
Directory of C:\WINDOWS\system32
02/08/2005 10:42 PM 608 imon1.dat
02/08/2005 03:22 PM 56 QBRURZ~1.EXE
02/08/2005 02:10 PM 25,065 wmpscheme.xml
02/08/2005 02:01 PM 4,560 311375.exe
02/08/2005 02:01 PM 679 titles.ini
02/08/2005 02:01 PM 38 a.bat
02/08/2005 02:01 PM 1,634 306203.exe
02/08/2005 02:01 PM 4,560 304390.exe
02/08/2005 02:01 PM 8 hfkro.t4y
02/08/2005 10:33 AM 17,920 WinSuck.dll
02/07/2005 11:54 PM 27 brew32.dll
02/07/2005 11:53 PM 2 wapiit.exe
02/07/2005 09:08 PM 7,680 brew.dll
02/07/2005 04:42 PM 986 mapisvc.inf
02/07/2005 04:40 PM 114,688 nms32.dll
02/07/2005 04:40 PM 245,760 imon.dll
02/07/2005 04:02 PM 0 kwxle.txt
02/07/2005 03:54 PM 129 _t.bat
02/07/2005 03:12 PM 2,206 wpa.dbl
02/07/2005 02:27 PM 15,872 nndptyl.exe
02/07/2005 02:27 PM 28,160 dgdgd.exe
02/07/2005 12:56 PM 8 jdslg.rrh
02/04/2005 12:30 PM 230,038 o884lilq18qe.dll
02/04/2005 12:01 PM 230,619 l06olaj31do.dll
02/04/2005 11:59 AM 230,038 tarmmgr.dll
02/04/2005 11:59 AM 230,397 lvno0953e.dll
02/04/2005 06:33 AM 8,192 vx1x.nls
02/04/2005 06:33 AM 8,192 vx1.nls
02/04/2005 01:50 AM 230,038 s8pu0i79e8.dll
02/04/2005 01:45 AM 229,736 k644lghq164e.dll
02/04/2005 01:34 AM 168,644 netut80ex.vxd
02/04/2005 01:33 AM 8,192 vx0.nls
02/04/2005 01:33 AM 1,101,470 mac80ex.idf
02/04/2005 01:32 AM 192 my.preferences.xml
02/04/2005 01:32 AM 426,223 cp.exe
02/04/2005 01:29 AM 0 d3wq.exe
02/03/2005 02:30 PM 10,824 d3ea.exe
02/01/2005 09:45 AM 413,696 r?gsvr32.exe
02/01/2005 09:45 AM 167,936 iwdwin.dll
02/01/2005 09:42 AM 413,696 m?iexec.exe
01/30/2005 01:43 PM 10,824 nteu.exe
01/30/2005 08:39 AM 11,467 msjy32.exe
01/30/2005 04:04 AM 0 winun32.dll
01/29/2005 01:18 AM 10,824 mfchc32.exe
01/27/2005 11:03 PM 98,926 mskr32.dll
01/26/2005 03:20 AM 10,824 ipdy32.exe
01/26/2005 03:19 AM 29,256 wined32.exe
01/23/2005 09:10 PM 10,824 ntqm.exe
01/23/2005 08:27 PM 29,256 ntod.exe
01/23/2005 07:37 PM 29,256 msyz.exe
01/23/2005 03:41 PM 29,256 netxh32.exe
01/20/2005 08:35 PM 11,550 sdklk.exe
01/20/2005 08:55 AM 10,824 ipxm32.exe
01/18/2005 04:16 PM 73,728 ezPopStub.exe
01/17/2005 05:16 PM 10,824 d3tj32.exe
01/13/2005 09:41 PM 126,976 zip.exe
01/13/2005 09:41 PM 90,112 RegDACL.exe
01/13/2005 09:41 PM 39,184 Ntrights.exe
01/13/2005 09:41 PM 53,248 Process.exe
01/13/2005 09:41 PM 24,576 Reboot.exe
01/05/2005 05:24 PM 32,378 exclean.exe
01/05/2005 03:36 PM 110,592 mqexdlm.srg
-
The script did not recognize the services listed below.
This does not mean that they are a problem.
To copy the entire contents of this document for posting:
At the top of this window click "Edit" then "Select All"
Next click "Edit" again then "Copy"
Now right click in the forum post box then click "Paste"
########################################
ServiceFilter 1.1
by rand1038
Microsoft Windows XP Home Edition
Version: 5.1.2600 Service Pack 1
Feb 9, 2005 10:13:42 AM
---> Begin Service Listing <---
Unknown Service # 1
Service Name: NOD32krn
Display Name: NOD32 Kernel Service
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: c:\program files\eset\nod32krn.exe
State: Running
Process ID: 1140
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: False
Unknown Service #2
Service Name: SwPrv
Display Name: MS Software Shadow Copy Provider
Start Mode: Manual
Start Name: LocalSystem
Description: Manages software-based volume shadow copies taken by the Volume Shadow Copy service. If this ...
Service Type: Own Process
Path: c:\windows\system32\dllhost.exe /processid:{4af1c4a9-7593-4159-a089-20000a4dfd3b}
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False
---> End Service Listing <---
There are 79 Win32 services on this machine.
2 were unrecognized.
Script Execution Time: 2.9375 seconds.
-
Your machine is heavily infected,
If you want to try and clean this out it will take patience
We have to get rid of the VX2 infection
But first I need you to do something
Print off all the locations that the Scan from eScan found bad files
Don't do anything with them yet
Also save a copy to Notepad so you can use it as a reference
Can you ensure that Windows is set to show Hidden files and folders
Navigate to these locations
C:\WINDOWS\explorer.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\dllcache\explorer.exe
Don't do anything with them yet, there are legitimate files in this location that you cannot get rid of
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\dllcache\explorer.exe
If you right click on them, the correct file size should be approximately
.98 MB <--this is legit
What do you see on your computer?
Do you only see one explorer.exe in each folder?
Explorer folder in the C:\Windows\ folder is legit, should be minimal in size
4 kb approx.
Some of these fixes will have to be done with Killbox
-
there are only one explorer in each folder, and they are both 985 KB
the one in windows, however, says it was created on january 18 2005 at 12:15 pm.... that seems odd
how do i print out the locations escan found bad files?
-
Open up a Notepad file
Highlight all the information from the eScan and right click and copy it and then paste it to the Notepad file
Save this on the desktop
Open it up and click
Click FILE at the top and then PRINT
Also keep this notepad file on the desktop because you're going to need it
This is important
Go back to explorer.exe
in the System32\DllCache folder
If you right click on it what is the date it was created and modified on?
The one in the C:\Windows folder, what is the date it was created and modified?
I want to ensure we have this correct
And then we'll go from there
Let me know the info and make sure you have that info saved
Also ensure that there is only one instance of
explorer.exe or Explorer.exe
in each folder
There should only be one instance>>Regardless of the capital E
-
the one in the dllcache file was created on september 3, 2202
but modified 4 days ago
the one in the windows file was created january 18,and modified then too
when i searched for it, however- i found that there is a prefetch also.
there is only one instance.
i am going to sleep in a few, i'll print out the log stuff tomorrow, is that alright or should this stuff be tackled asap
it's been running ever since the last hijackthis, and hasn't frozen yet
-
Both seem to be corrupt, I think we're dealing with a new bad guy
Can you do me a favor and navigate to this
file
C:\WINDOWS\ServicePackFiles\i386\explorer.exe
If you can find it>>it's a legit file
Right click on it and left click properties
Let me know the size
Creation date
and
Modification date
Don't double click on it or click OPEN, Just what I asked above
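A scripted form of the comparison the helper is walking through above (size, modification time and a hash of each explorer.exe copy, checked against the ServicePackFiles copy that is treated as known-good). This is an added example, not code from the thread or from HijackThis; the Windows paths are the ones named in the posts, and `demo()` builds constructed sample files in a temporary directory so it runs without touching a real system.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

# Copies named in the thread (Windows XP). The ServicePackFiles copy is the
# reference the helper calls legit; the other two are the ones in doubt.
XP_EXPLORER_COPIES = [
    r"C:\WINDOWS\explorer.exe",
    r"C:\WINDOWS\system32\dllcache\explorer.exe",
]
XP_REFERENCE = r"C:\WINDOWS\ServicePackFiles\i386\explorer.exe"


def sha256_of(path):
    """Hash the file in chunks so a large binary need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def describe(path):
    """Size, timestamps and hash of one copy, or None if the file is absent.
    Note: st_ctime is the creation time on Windows but the inode change time
    on POSIX, so it is reported under a neutral name."""
    if not os.path.isfile(path):
        return None
    st = os.stat(path)
    return {
        "path": path,
        "size": st.st_size,
        "modified": datetime.fromtimestamp(st.st_mtime, tz=timezone.utc),
        "created_or_changed": datetime.fromtimestamp(st.st_ctime, tz=timezone.utc),
        "sha256": sha256_of(path),
    }


def audit_copies(copies, reference):
    """Compare each candidate copy with the reference copy.

    Returns one finding per candidate: 'missing', 'no-reference' (reference
    itself absent), 'matches-reference' or 'differs', plus size/hash so the
    discrepancy can be reported without opening the file."""
    ref = describe(reference)
    findings = []
    for p in copies:
        info = describe(p)
        if info is None:
            findings.append({"path": p, "status": "missing"})
            continue
        if ref is None:
            status = "no-reference"
        elif info["sha256"] == ref["sha256"]:
            status = "matches-reference"
        else:
            status = "differs"
        size_delta = None if ref is None else info["size"] - ref["size"]
        findings.append({**info, "status": status, "size_delta": size_delta})
    return findings


def suspicious(findings):
    """Paths that need a closer look: absent, or not byte-identical to the reference."""
    return [f["path"] for f in findings if f["status"] in ("differs", "missing")]


def demo():
    """Constructed sample: a reference, an identical copy, a tampered copy and an
    absent one. Stands in for the real XP paths so the audit can be exercised."""
    d = tempfile.mkdtemp()
    ref = os.path.join(d, "ServicePackFiles_explorer.exe")
    good = os.path.join(d, "dllcache_explorer.exe")
    bad = os.path.join(d, "windows_explorer.exe")
    payload = b"MZ" + b"\x00" * 1000          # constructed stand-in for a PE image
    for p in (ref, good):
        with open(p, "wb") as f:
            f.write(payload)
    with open(bad, "wb") as f:
        f.write(payload + b"PATCHED")          # 7 bytes appended: differs from reference
    return audit_copies([good, bad, os.path.join(d, "absent.exe")], ref)


if __name__ == "__main__":
    for finding in demo():
        print(finding["status"], finding["path"], finding.get("size_delta"))
```

On the real machine the call would be `audit_copies(XP_EXPLORER_COPIES, XP_REFERENCE)`; a hash comparison is a stronger test than the approximate size and dates the helper has to ask for by hand, because a modified binary can be padded back to the original size and have its timestamps reset.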
-
i don't have a folder with that name- can it be under another?
EXPLORER.exe was running at one point in the height of my virus...i'll search the hard drive to see how many of them i have and where
-
yeah...no more ...in the search of c:\ it only came up with the one under windows, however we did manually find 2...
-
Do you have your XP CD
Can you put it in
Expand >>Perform additional tasks and browse the cd
Do you see the i386 folder
If you open it up do you see
EXPLORE.EX_
if you right click on it, should be about
340kb in size
Can you copy and paste from the CD to let's say>>>MyDocuments
-
i'll look for the cd, may take a while
is there a spot i can search for it online?
-
I've PM'ed you, can you check your messages
======================================================
PRINT THIS OUT
Ensure all other Users on the computer are logged out
Can you access your Internet options via Control Panel
Under the Security tab..Custom level
ensure these are marked
o Download signed ActiveX controls (Prompt)
o Download unsigned ActiveX controls (Disable)
o Initialize and script ActiveX controls not marked as safe (Disable)
o Run ActiveX controls and plug-ins (Enabled)
o Script ActiveX controls marked safe for scripting (Prompt)
IF you can I need you to DISABLE System Restore
This link will explain how to do it
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
After you have System Restore disabled>>Carry on if it won't disable, but this is preferred
Go to this link >>>Online virus scan at Panda's
http://www.pandasoftware.com/activescan/com/activescan_principal.htm
Don't start it yet
Now, this is VERY IMPORTANT
Close out all unnecessary programs running in the background
Close out all Windows, that includes Outlook Express>>>Only leave the Page to Panda's open
Bring up the Task Manager(right click the bottom taskbar and select Task Manager)
End process on these if you can
"explorer.exe", all instances, should be only one <---this will cause all your Icons and taskbar to disappear
Then try and end process on these if running
"desktop.exe"
"tvshdg.exe"
After that is done you will have only the Task Manager and the page from Panda's open
Click the SCAN MY PC button>>>This should bring up a pop up window from Panda's
Close down the IE page that I linked you to Panda's but keep their popup window open
Now you have Panda's popup window open and the Task Manager
Click the NEXT button>>If prompted at any time to install an Active X allow it
Supply an email address
Let it load the activex control and load the virus definitions
To start the scan ensure you select My Computer or My whole computer
Something like that
Let it completely finish scanning, don't use the computer at all
When the scan is done, this part I will have to rely on you,follow any prompts you get to close out
they may email you a report
We don't need it yet, if they do
When the scan is complete
In Task Manager click FILE at the top
Then Click NEW TASK (Run)
In the open field type in
"explorer.exe" without the quotes and then click OK
This should bring back up the Desktop Icons and Taskbar
Go back into the Control Panel>>Internet options>>Security>>Custom level and ensure that
The settings mentioned above are still set
Immediately come back to the forum
Redownload the Mwav scan from eScan
Let it scan your computer and Post back the results at the forum in your reply
And once again post back at the forum a new Hijackthis log
If Panda emailed you a log or if you can get the results later online can you post those too, thanks
But after posting the above, please don't restart your computer
And please don't logon to any other users on the computer
Try not to surf on the net, except what is needed>>>this could cause reinfection
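The helper asks twice for the eScan (MWAV) results to be saved and used as a reference. A small parser for that report format, added here as an example and not part of the thread or of eScan, splits the detections by where they sit: live copies under C:\WINDOWS, copies in the browser cache, HijackThis backups, and restore-point copies under System Volume Information (the reason the helper wants System Restore disabled, since those copies survive cleaning). The sample lines are taken from the log format posted in this thread, plus one constructed non-matching line to show how unparsed input is reported.

```python
import re
from collections import Counter

# Two line shapes appear in the MWAV report:
#   File <path> infected by "<name>" Virus. Action Taken: <action>.
#   File <path> tagged as <name>. <action>.
INFECTED = re.compile(
    r'^File (?P<path>.+?) infected by "(?P<name>[^"]+)" Virus\. Action Taken: (?P<action>.+?)\.$')
TAGGED = re.compile(r'^File (?P<path>.+?) tagged as (?P<name>\S+?)\. (?P<action>.+?)\.$')


def parse_line(line):
    """Return {'path', 'name', 'action'} for a detection line, else None."""
    m = INFECTED.match(line) or TAGGED.match(line)
    return m.groupdict() if m else None


def location(path):
    """Coarse bucket for where a detection lives; drives what to do about it."""
    p = path.lower()
    if "\\system volume information\\_restore" in p:
        return "restore-point"
    if p.startswith("c:\\hjt\\backups\\"):
        return "hjt-backup"
    if "temporary internet files" in p or "\\tempor~1\\" in p:
        return "browser-cache"
    if p.startswith("c:\\windows\\"):
        return "windows"
    return "other"


def threat_class(name):
    """'not-a-virus:AdWare.Look2Me.u' -> 'AdWare'; 'Trojan-Downloader.Win32.Small.ajp' -> 'Trojan-Downloader'."""
    if name.startswith("not-a-virus:"):
        name = name[len("not-a-virus:"):]
    return name.split(".")[0]


def summarize(lines):
    """Tally detections by location and class; keep unparsed lines so nothing is silently dropped."""
    by_location, by_class, live, unparsed = Counter(), Counter(), [], []
    total = 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        hit = parse_line(line)
        if hit is None:
            unparsed.append(line)
            continue
        total += 1
        loc = location(hit["path"])
        by_location[loc] += 1
        by_class[threat_class(hit["name"])] += 1
        if loc == "windows":
            live.append(hit["path"])   # still in place, not a backup or cache copy
    return {"total": total, "by_location": by_location, "by_class": by_class,
            "live_paths": live, "unparsed": unparsed}


# Lines in the format posted above; the last one is constructed to exercise the unparsed path.
SAMPLE_LOG = [
    r'File C:\WINDOWS\System32\brew.dll infected by "Trojan-Downloader.Win32.Small.ajp" Virus. Action Taken: No Action Taken.',
    r'File C:\WINDOWS\System32\Process.exe tagged as not-a-virus:RiskWare.Tool.Processor.20. No Action Taken.',
    r'File C:\DOCUME~1\jordan\LOCALS~1\TEMPOR~1\Content.IE5\014D63SJ\ysb_prompt[1].php infected by "Exploit.HTML.CodeBaseExec" Virus. Action Taken: No Action Taken.',
    r'File C:\HJT\backups\backup-20050207-220637-306.dll infected by "not-a-virus:AdWare.ToolBar.EliteBar.z" Virus. Action Taken: No Action Taken.',
    r'File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0049394.new infected by "Virus.Win32.Bube.d" Virus. Action Taken: No Action Taken.',
    r'File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0050413.exe infected by "not-a-virus:AdWare.PowerScan.c" Virus. Action Taken: No Action Taken.',
    "Scan completed.",
]


def demo():
    return summarize(SAMPLE_LOG)


if __name__ == "__main__":
    s = demo()
    print(s["total"], "detections;", dict(s["by_location"]))
    print("live under Windows:", s["live_paths"])
    print("unparsed:", s["unparsed"])
```

Run over the full report from a saved Notepad copy (`summarize(open("escan.txt").readlines())`), the `live_paths` list is the short list that matters for cleanup, while the restore-point and HijackThis-backup buckets explain why the raw count looks so much larger than the number of active infections.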
-
File C:\WINDOWS\System32\brew.dll infected by "Trojan-Downloader.Win32.Small.ajp" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\BTGrab.dll infected by "not-a-virus:AdWare.BiSpy.t" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\NDNuninstall6_22.exe infected by "not-a-virus:AdWare.NewDotNet" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SSK_B5.EXE infected by "Trojan-Dropper.Win32.SurfSide.a" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\woinstall.exe infected by "not-a-virus:AdWare.EZula.ak" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\304390.exe infected by "Trojan-Clicker.Win32.Small.dm" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\311375.exe infected by "Trojan-Clicker.Win32.Small.dm" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\cp.exe infected by "Trojan-Downloader.Win32.Agent.ic" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\dfe.exe infected by "Trojan.Win32.LowZones.ac" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\dOnim.dll infected by "not-a-virus:AdWare.Look2Me.u" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\eree.exe infected by "Trojan-Clicker.Win32.Agent.bn" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\fgrr.exe infected by "Trojan-Dropper.Win32.Small.sa" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\htt.exe infected by "not-a-virus:AdWare.ToolBar.ISearch.d" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\iwdwin.dll infected by "not-a-virus:AdWare.PurityScan.ak" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\KVIF_7.dll infected by "Trojan-Downloader.Win32.Keenval.e" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\l06olaj31do.dll infected by "not-a-virus:AdWare.Look2Me.u" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\LMWND13n.DLL infected by "not-a-virus:AdWare.Look2Me.u" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\lvno0953e.dll infected by "not-a-virus:AdWare.Look2Me.u" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\mac80ex.idf infected by "not-a-virus:AdWare.BargainBuddy.l" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\mqexdlm.srg infected by "not-a-virus:AdWare.ToolBar.Exact" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\netut80ex.vxd infected by "not-a-virus:AdWare.ToolBar.Exact" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\o884lilq18qe.dll infected by "not-a-virus:AdWare.Look2Me.u" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\Process.exe tagged as not-a-virus:RiskWare.Tool.Processor.20. No Action Taken.
File C:\WINDOWS\System32\s8pu0i79e8.dll infected by "not-a-virus:AdWare.Look2Me.u" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\SHAgentNew.dll infected by "not-a-virus:AdWare.Sahat.g" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\tarmmgr.dll infected by "not-a-virus:AdWare.Look2Me.u" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\WinSuck.dll infected by "Trojan-Clicker.Win32.Agent.ca" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\Xcite.dll infected by "not-a-virus:AdWare.F1Organizer.m" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\Xcite2.exe infected by "not-a-virus:AdWare.F1Organizer.m" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\jordan\LOCALS~1\TEMPOR~1\Content.IE5\014D63SJ\ysb_prompt[1].php infected by "Exploit.HTML.CodeBaseExec" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\jordan\LOCALS~1\TEMPOR~1\Content.IE5\89SF0L8N\js[1].htm infected by "Exploit.HTML.CodeBaseExec" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\jordan\LOCALS~1\TEMPOR~1\Content.IE5\89SF0L8N\js[2].htm infected by "Exploit.HTML.CodeBaseExec" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\jordan\LOCALS~1\TEMPOR~1\Content.IE5\89SF0L8N\ysb_prompt[1].php infected by "Exploit.HTML.CodeBaseExec" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\All Users\Application Data\AOL Downloads\setup90\comp01.000 tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy2.zip infected by "Password-protected-EXE" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy5.zip infected by "Password-protected-EXE" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\jordan\Desktop\l2mfix\Process.exe tagged as not-a-virus:RiskWare.Tool.Processor.20. No Action Taken.
File C:\Documents and Settings\jordan\eree.exe infected by "Trojan-Clicker.Win32.Agent.bn" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\jordan\ewhtt.exe infected by "not-a-virus:AdWare.ToolBar.ISearch.d" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\jordan\Local Settings\Temporary Internet Files\Content.IE5\014D63SJ\ysb_prompt[1].php infected by "Exploit.HTML.CodeBaseExec" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\jordan\Local Settings\Temporary Internet Files\Content.IE5\89SF0L8N\js[1].htm infected by "Exploit.HTML.CodeBaseExec" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\jordan\Local Settings\Temporary Internet Files\Content.IE5\89SF0L8N\js[2].htm infected by "Exploit.HTML.CodeBaseExec" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\jordan\Local Settings\Temporary Internet Files\Content.IE5\89SF0L8N\ysb_prompt[1].php infected by "Exploit.HTML.CodeBaseExec" Virus. Action Taken: No Action Taken.
File C:\HJT\backups\backup-20050207-220637-306.dll infected by "not-a-virus:AdWare.ToolBar.EliteBar.z" Virus. Action Taken: No Action Taken.
File C:\HJT\backups\backup-20050207-220637-433.dll infected by "not-a-virus:AdWare.MediaTickets.f" Virus. Action Taken: No Action Taken.
File C:\HJT\backups\backup-20050207-220637-968.dll infected by "not-a-virus:AdWare.ToolBar.EliteBar.z" Virus. Action Taken: No Action Taken.
File C:\HJT\backups\backup-20050208-104237-313.dll infected by "not-a-virus:AdWare.MediaTickets.f" Virus. Action Taken: No Action Taken.
File C:\HJT\backups\backup-20050208-104237-432.dll infected by "not-a-virus:AdWare.BiSpy.t" Virus. Action Taken: No Action Taken.
File C:\HJT\backups\backup-20050208-104237-918.dll infected by "not-a-virus:AdWare.PurityScan.ak" Virus. Action Taken: No Action Taken.
File C:\HJT\backups\backup-20050208-143714-783.dll infected by "Trojan-Clicker.Win32.Agent.bz" Virus. Action Taken: No Action Taken.
File C:\HJT\backups\backup-20050208-225029-174.dll infected by "not-a-virus:AdWare.ToolBar.EliteBar.z" Virus. Action Taken: No Action Taken.
File C:\HJT\backups\backup-20050208-225029-354.dll infected by "not-a-virus:AdWare.ToolBar.EliteBar.z" Virus. Action Taken: No Action Taken.
File C:\HJT\backups\backup-20050208-225029-922.dll infected by "Trojan-Downloader.Win32.Ieser.a" Virus. Action Taken: No Action Taken.
File C:\HJT\backups\backup-20050209-004902-169.dll infected by "Trojan-Downloader.Win32.Ieser.a" Virus. Action Taken: No Action Taken.
File C:\Program Files\AIM\aim95.exe infected by "not-a-virus:AdWare.MiniBug" Virus. Action Taken: No Action Taken.
File C:\Program Files\AIM\Sysfiles\WxBug.EXE infected by "not-a-virus:AdWare.MiniBug" Virus. Action Taken: No Action Taken.
File C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll infected by "not-a-virus:AdWare.MiniBug" Virus. Action Taken: No Action Taken.
File C:\Program Files\ESET\infected\FLPIUOBA.NQF infected by "Trojan-Dropper.Win32.Agent.ch" Virus. Action Taken: No Action Taken.
File C:\Program Files\ESET\infected\RMAD2MAA.NQF infected by "Trojan.Win32.StartPage.nk" Virus. Action Taken: No Action Taken.
File C:\Program Files\MyWay\myBar\1.bin\MY2NS.EXE infected by "not-a-virus:AdWare.Toolbar.MyWay.b" Virus. Action Taken: No Action Taken.
File C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL infected by "not-a-virus:AdWare.ToolBar.MyWay.g" Virus. Action Taken: No Action Taken.
File C:\Program Files\TopConverting\arkanoid\arkanoid.exe infected by "not-a-virus:AdWare.WinShow.f" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0049394.new infected by "Virus.Win32.Bube.d" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0049395.exe infected by "not-a-virus:AdWare.BargainBuddy.n" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0049403.exe infected by "not-a-virus:AdWare.BargainBuddy.n" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0049404.exe infected by "not-a-virus:AdWare.BargainBuddy.n" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0049407.dll infected by "not-a-virus:AdWare.BiSpy.t" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0050400.dll infected by "not-a-virus:AdWare.BiSpy.t" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0050409.dll infected by "not-a-virus:AdWare.BiSpy.t" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0050410.dll infected by "Trojan-Downloader.Win32.Agent.iu" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0050413.exe infected by "not-a-virus:AdWare.PowerScan.c" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0050425.dll infected by "not-a-virus:AdWare.BiSpy.t" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0050430.exe infected by "not-a-virus:AdWare.BetterInternet" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0050434.exe infected by "not-a-virus:AdWare.MetaDirect.a" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0050443.exe infected by "not-a-virus:AdWare.BargainBuddy.n" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0050444.exe infected by "not-a-virus:AdWare.BargainBuddy.n" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0050447.dll infected by "not-a-virus:AdWare.BiSpy.t" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0053438.dll infected by "Trojan-Downloader.Win32.Agent.iu" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0053444.exe infected by "not-a-virus:PornWare.Dialer.Salc" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0053445.exe infected by "Trojan-Dropper.Win32.Small.sa" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0053446.dll infected by "Trojan-Downloader.Win32.Small.ajp" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0053450.dll infected by "not-a-virus:AdWare.ToolBar.EliteBar.z" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0053456.exe infected by "Trojan.Win32.LowZones.ac" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0053457.exe infected by "Trojan-Clicker.Win32.Agent.bn" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0053458.exe infected by "not-a-virus:AdWare.ToolBar.ISearch.d" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0054441.dll infected by "not-a-virus:AdWare.BiSpy.t" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0054450.dll infected by "not-a-virus:AdWare.BiSpy.t" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0055437.dll infected by "not-a-virus:AdWare.BiSpy.t" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0056445.dll infected by "Trojan-Downloader.Win32.Small.ajp" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0056449.exe infected by "Trojan.Win32.Agent.ay" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0056451.exe infected by "Trojan-Dropper.Win32.Tibsis.b" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0056452.exe infected by "Trojan-Downloader.Win32.Agent.ji" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0056453.exe infected by "Trojan-Downloader.Win32.Agent.ji" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0056458.exe infected by "not-a-virus:AdWare.ToolBar.ISearch.d" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0056461.dll infected by "not-a-virus:AdWare.ToolBar.ISearch.d" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0056463.dll infected by "Trojan-Downloader.Win32.Ieser.a" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0056508.exe infected by "not-a-virus:PornWare.Dialer.Salc" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0056510.exe infected by "Trojan-Clicker.Win32.Agent.bn" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0056511.exe infected by "Trojan-Dropper.Win32.Small.rx" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0056512.exe infected by "Trojan.Win32.LowZones.ai" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0056513.exe infected by "Trojan-Dropper.Win32.Small.sa" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0056514.exe infected by "Trojan-Dropper.Win32.Small.sa" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0056516.exe infected by "not-a-virus:AdWare.ToolBar.ISearch.d" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0059535.exe infected by "not-a-virus:AdWare.PurityScan.v" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0059537.exe infected by "not-a-virus:AdWare.BetterInternet" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0059548.dll infected by "not-a-virus:AdWare.ToolBar.EliteBar.z" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0059550.dll infected by "not-a-virus:AdWare.ToolBar.EliteBar.z" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0059585.exe infected by "Trojan.Win32.LowZones.ai" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0059586.exe infected by "Trojan-Clicker.Win32.Agent.bn" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0059587.exe infected by "not-a-virus:AdWare.ToolBar.ISearch.d" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0059594.exe infected by "not-a-virus:AdWare.BetterInternet" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0059596.exe infected by "not-a-virus:PornWare.Dialer.Salc" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0059603.dll infected by "not-a-virus:AdWare.BiSpy.t" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0059605.dll infected by "Trojan.Win32.Golid.e" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0059606.dll infected by "not-a-virus:AdWare.PurityScan.ak" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0059607.dll infected by "not-a-virus:AdWare.BiSpy.t" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0059612.exe infected by "Trojan.Win32.LowZones.ai" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0059613.exe infected by "Trojan-Clicker.Win32.Agent.bn" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0059614.exe infected by "not-a-virus:AdWare.ToolBar.ISearch.d" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0059626.dll infected by "not-a-virus:AdWare.ToolBar.ISearch.d" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0059627.exe infected by "not-a-virus:AdWare.ToolBar.ISearch.d" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0059630.dll infected by "Trojan-Downloader.Win32.Ieser.a" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0059635.exe infected by "not-a-virus:AdWare.BetterInternet" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0059644.exe infected by "not-a-virus:PornWare.Dialer.Salc" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0059646.exe infected by "Trojan-Clicker.Win32.Agent.ca" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0059647.exe infected by "Trojan-Clicker.Win32.Agent.bz" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0059652.exe infected by "Trojan.Win32.Agent.ay" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0059653.dll infected by "not-a-virus:AdWare.BiSpy.t" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0059654.dll infected by "not-a-virus:AdWare.BiSpy.t" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0059657.exe infected by "not-a-virus:AdWare.PurityScan.v" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0059658.exe infected by "not-a-virus:PornWare.Dialer.Salc" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0059659.exe infected by "Trojan.Win32.LowZones.ai" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0059660.exe infected by "Trojan-Clicker.Win32.Agent.bn" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0059661.exe infected by "not-a-virus:AdWare.ToolBar.ISearch.d" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0059662.exe infected by "not-a-virus:AdWare.PurityScan.v" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0059664.exe infected by "not-a-virus:AdWare.ToolBar.ISearch.d" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0059667.dll infected by "not-a-virus:AdWare.ToolBar.ISearch.d" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0059669.dll infected by "Trojan-Downloader.Win32.Ieser.a" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0062695.exe infected by "Trojan-Clicker.Win32.Agent.ca" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0062696.exe infected by "Trojan.Win32.LowZones.ai" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0062698.exe infected by "Trojan-Dropper.Win32.Small.sa" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0062699.exe infected by "Trojan-Clicker.Win32.Agent.bn" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0062700.exe infected by "not-a-virus:AdWare.ToolBar.ISearch.d" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0062701.exe infected by "Trojan-Clicker.Win32.Agent.bz" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0062703.exe infected by "not-a-virus:PornWare.Dialer.Salc" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0063694.exe tagged as not-a-virus:RiskWare.Tool.Processor.20. No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0065690.exe infected by "not-a-virus:PornWare.Dialer.Salc" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0065691.exe infected by "Trojan.Win32.LowZones.ai" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0065693.exe infected by "Trojan-Clicker.Win32.Agent.bn" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0065695.exe infected by "not-a-virus:AdWare.ToolBar.ISearch.d" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0065701.exe infected by "Trojan-Clicker.Win32.Small.dm" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0065704.exe infected by "Trojan-Clicker.Win32.Small.dm" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0067740.dll infected by "Trojan-Clicker.Win32.Agent.bz" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0077740.exe infected by "not-a-virus:AdWare.BetterInternet" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0077743.dll infected by "not-a-virus:AdWare.BiSpy.t" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0077756.dll infected by "not-a-virus:AdWare.BiSpy.t" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0077765.dll infected by "not-a-virus:AdWare.ToolBar.EliteBar.z" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0077766.dll infected by "not-a-virus:AdWare.ToolBar.EliteBar.z" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0077768.exe infected by "not-a-virus:PornWare.Dialer.Salc" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0077769.exe infected by "Trojan.Win32.LowZones.ai" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0077771.exe infected by "Trojan-Clicker.Win32.Agent.bn" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0077772.exe infected by "not-a-virus:AdWare.ToolBar.ISearch.d" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0077774.exe infected by "not-a-virus:PornWare.Dialer.Salc" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0077794.exe infected by "Trojan.Win32.Agent.ay" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0077796.exe infected by "not-a-virus:AdWare.Zestyfind" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0077979.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0078202.exe infected by "Trojan-Downloader.Win32.Agent.gn" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0078219.exe infected by "not-a-virus:AdWare.ToolBar.ISearch.d" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0078222.dll infected by "not-a-virus:AdWare.ToolBar.ISearch.d" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0078224.dll infected by "Trojan-Downloader.Win32.Ieser.a" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0078250.exe infected by "Virus.Win32.Bube.d" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0078252.dll infected by "Trojan.Win32.Golid.e" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0078253.hta infected by "Trojan-Dropper.VBS.Inor.cj" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0078254.exe infected by "Virus.Win32.Bube.d" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0078256.dll infected by "Trojan.Win32.Agent.aw" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\BTGrab.dll infected by "not-a-virus:AdWare.BiSpy.t" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\CONFLICT.1\v3.dll infected by "not-a-virus:AdWare.ToolBar.EliteBar.s" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\CONFLICT.10\v3.dll infected by "not-a-virus:AdWare.ToolBar.EliteBar.s" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\CONFLICT.2\v3.dll infected by "not-a-virus:AdWare.ToolBar.EliteBar.s" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\CONFLICT.3\v3.dll infected by "not-a-virus:AdWare.ToolBar.EliteBar.s" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\CONFLICT.4\v3.dll infected by "not-a-virus:AdWare.ToolBar.EliteBar.s" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\CONFLICT.5\v3.dll infected by "not-a-virus:AdWare.ToolBar.EliteBar.s" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\CONFLICT.6\v3.dll infected by "not-a-virus:AdWare.ToolBar.EliteBar.s" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\CONFLICT.7\v3.dll infected by "not-a-virus:AdWare.ToolBar.EliteBar.s" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\CONFLICT.8\v3.dll infected by "not-a-virus:AdWare.ToolBar.EliteBar.s" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\CONFLICT.9\v3.dll infected by "not-a-virus:AdWare.ToolBar.EliteBar.s" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\v3.dll infected by "not-a-virus:AdWare.ToolBar.EliteBar.s" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\YSBactivex.dll infected by "Trojan-Downloader.Win32.IstBar.gz" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\inst\3p1.exe infected by "not-a-virus:AdWare.BetterInternet" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\NDNuninstall6_22.exe infected by "not-a-virus:AdWare.NewDotNet" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SSK_B5.EXE infected by "Trojan-Dropper.Win32.SurfSide.a" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\304390.exe infected by "Trojan-Clicker.Win32.Small.dm" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\311375.exe infected by "Trojan-Clicker.Win32.Small.dm" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\cp.exe infected by "Trojan-Downloader.Win32.Agent.ic" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\dfe.exe infected by "Trojan.Win32.LowZones.ac" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\dOnim.dll infected by "not-a-virus:AdWare.Look2Me.u" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\eree.exe infected by "Trojan-Clicker.Win32.Agent.bn" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\fgrr.exe infected by "Trojan-Dropper.Win32.Small.sa" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\htt.exe infected by "not-a-virus:AdWare.ToolBar.ISearch.d" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\iwdwin.dll infected by "not-a-virus:AdWare.PurityScan.ak" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\KVIF_7.dll infected by "Trojan-Downloader.Win32.Keenval.e" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\l06olaj31do.dll infected by "not-a-virus:AdWare.Look2Me.u" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\LMWND13n.DLL infected by "not-a-virus:AdWare.Look2Me.u" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\lvno0953e.dll infected by "not-a-virus:AdWare.Look2Me.u" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\mac80ex.idf infected by "not-a-virus:AdWare.BargainBuddy.l" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\mqexdlm.srg infected by "not-a-virus:AdWare.ToolBar.Exact" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\netut80ex.vxd infected by "not-a-virus:AdWare.ToolBar.Exact" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\o884lilq18qe.dll infected by "not-a-virus:AdWare.Look2Me.u" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\Process.exe tagged as not-a-virus:RiskWare.Tool.Processor.20. No Action Taken.
File C:\WINDOWS\system32\s8pu0i79e8.dll infected by "not-a-virus:AdWare.Look2Me.u" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\SHAgentNew.dll infected by "not-a-virus:AdWare.Sahat.g" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\tarmmgr.dll infected by "not-a-virus:AdWare.Look2Me.u" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\WinSuck.dll infected by "Trojan-Clicker.Win32.Agent.ca" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\Xcite.dll infected by "not-a-virus:AdWare.F1Organizer.m" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\Xcite2.exe infected by "not-a-virus:AdWare.F1Organizer.m" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\woinstall.exe infected by "not-a-virus:AdWare.EZula.ak" Virus. Action Taken: No Action Taken.
-
Incident Status Location
Virus:Trj/Admincash.A Disinfected C:\Documents and Settings\jordan\dfe.exe
Virus:Trojan Horse Disinfected C:\HJT\backups\backup-20050208-104237-651.dll
Virus:VBS/Inor.gen Disinfected C:\ntdetect.hta
Virus:Trj/Admincash.A Disinfected C:\WINDOWS\explorer.exe
Virus:Trj/Admincash.A Disinfected C:\WINDOWS\system32\dllcache\explorer.exe
Virus:Trj/Qhost.gen Disinfected C:\WINDOWS\system32\drivers\etc\hosts
Virus:Trj/Qhost.gen Disinfected C:\WINDOWS\system32\drivers\etc\hosts.20050204-014604.backup
Virus:Trj/Qhost.gen Disinfected C:\WINDOWS\system32\drivers\etc\hosts.20050204-014606.backup
Virus:Trj/Qhost.gen Disinfected C:\WINDOWS\system32\drivers\etc\hosts.20050204-111220.backup
Virus:Trj/Agent.FN Disinfected C:\WINDOWS\system32\dvqbyeqz.dll
Virus:Trj/Agent.FN Disinfected C:\WINDOWS\system32\wbfkfebl.dll
-
Logfile of HijackThis v1.99.0
Scan saved at 8:23:10 PM, on 2/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.msn.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us.mcafee.com/root/landingpages/cd.asp?affid=105-01&lpname=vsotrial90&dtag=73SRG31&cid=7685&appurl=http://us.mcafee.com/apps/AppCommon/updreg.asp?app=http://us.mcafee.com/apps/vso/en-us/redir.asp?affid=105-01&installtype=force&dtag=73SRG31&lpname=vsotrial90&langid=1&systempopup=true (obfuscated)
O2 - BHO: (no name) - {4C6760DC-238D-9383-FB09-D1F471E71804} - (no file)
O2 - BHO: (no name) - {502B8893-05D5-1E4B-D4E1-6F514A11CDB7} - (no file)
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll (file missing)
O2 - BHO: (no name) - {79EF8DE9-C305-C8CC-6B87-1ED452FEAE42} - (no file)
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O15 - Trusted Zone: *.addictivetechnologies.com
O15 - Trusted Zone: *.addictivetechnologies.net
O15 - Trusted Zone: *.admin2cash.biz
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.bettersearch.biz
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.crazywinnings.com
O15 - Trusted Zone: *.f1organizer.com
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
O15 - Trusted Zone: *.iframe.biz
O15 - Trusted Zone: *.megapornix.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.newiframe.biz
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.pizdato.biz
O15 - Trusted Zone: *.private-dialer.biz
O15 - Trusted Zone: *.private-iframe.biz
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.sp2admin.biz
O15 - Trusted Zone: *.sp2[censored]ed.biz
O15 - Trusted Zone: *.topconverting.com
O15 - Trusted Zone: *.vse-moe.biz
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - (no file)
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NOD32 Kernel Service - Unknown - C:\Program Files\Eset\nod32krn.exe
-
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.
Find.bat is running from: C:\Documents and Settings\jordan\Desktop\Find_It_NT_2K_XP-2\Find It NT-2K-XP
------- System Files in System32 Directory -------
Volume in drive C has no label.
Volume Serial Number is 5433-A367
Directory of C:\WINDOWS\System32
02/09/2005 12:43 AM <DIR> dllcache
02/07/2005 04:02 PM 0 kwxle.txt
02/04/2005 01:45 AM 229,736 k644lghq164e.dll
02/04/2005 01:29 AM 0 d3wq.exe
02/03/2005 02:30 PM 10,824 d3ea.exe
02/01/2005 09:45 AM 413,696 r?gsvr32.exe
02/01/2005 09:42 AM 413,696 m?iexec.exe
01/30/2005 08:39 AM 11,467 msjy32.exe
01/23/2005 09:10 PM 10,824 ntqm.exe
01/23/2005 08:27 PM 29,256 ntod.exe
01/23/2005 07:37 PM 29,256 msyz.exe
01/23/2005 03:41 PM 29,256 netxh32.exe
01/20/2005 08:35 PM 11,550 sdklk.exe
01/20/2005 08:55 AM 10,824 ipxm32.exe
07/20/2004 02:33 PM 71 SYSDRVWC.SYS
12/29/2003 11:39 PM 0 appxa32.exe
12/29/2003 03:53 AM 10,824 neton.exe
12/28/2003 10:31 PM 10,824 apiwi32.exe
12/18/2003 01:03 PM <DIR> Microsoft
17 File(s) 1,222,104 bytes
2 Dir(s) 5,989,429,248 bytes free
------- Hidden Files in System32 Directory -------
Volume in drive C has no label.
Volume Serial Number is 5433-A367
Directory of C:\WINDOWS\System32
02/09/2005 12:43 AM <DIR> dllcache
02/07/2005 04:02 PM 0 kwxle.txt
02/04/2005 01:29 AM 0 d3wq.exe
02/03/2005 02:30 PM 10,824 d3ea.exe
02/01/2005 09:45 AM 413,696 r?gsvr32.exe
02/01/2005 09:42 AM 413,696 m?iexec.exe
01/30/2005 08:39 AM 11,467 msjy32.exe
01/23/2005 09:10 PM 10,824 ntqm.exe
01/23/2005 08:27 PM 29,256 ntod.exe
01/23/2005 07:37 PM 29,256 msyz.exe
01/23/2005 03:41 PM 29,256 netxh32.exe
01/20/2005 08:35 PM 11,550 sdklk.exe
01/20/2005 08:55 AM 10,824 ipxm32.exe
07/20/2004 02:33 PM 71 SYSDRVWC.SYS
12/29/2003 11:39 PM 0 appxa32.exe
12/29/2003 03:53 AM 10,824 neton.exe
12/28/2003 10:31 PM 10,824 apiwi32.exe
12/18/2003 12:38 PM 488 WindowsLogon.manifest
12/18/2003 12:38 PM 488 logonui.exe.manifest
12/18/2003 12:38 PM 749 sapi.cpl.manifest
12/18/2003 12:38 PM 749 cdplayer.exe.manifest
12/18/2003 12:38 PM 749 ncpa.cpl.manifest
12/18/2003 12:38 PM 749 nwc.cpl.manifest
12/18/2003 12:38 PM 749 wuaucpl.cpl.manifest
23 File(s) 997,089 bytes
1 Dir(s) 5,989,425,152 bytes free
------------ Files Named "Guard" ---------------
Volume in drive C has no label.
Volume Serial Number is 5433-A367
Directory of C:\WINDOWS\System32
------ Temp Files in System32 Directory ------
Volume in drive C has no label.
Volume Serial Number is 5433-A367
Directory of C:\WINDOWS\System32
------------------ User Agent ----------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{D2AD9633-36F1-4338-AA11-469CA091B890}"=""
------------- Keys Under Notify -------------
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
------------- Locate.com Results -------------
C:\WINDOWS\SYSTEM32\
d3ea.exe Thu Feb 3 2005 2:31:00p A.SH. 10,824 10.57 K
d3wq.exe Fri Feb 4 2005 1:29:44a A.SH. 0 0.00 K
ipxm32.exe Thu Jan 20 2005 8:55:58a A.SH. 10,824 10.57 K
k644lg~1.dll Fri Feb 4 2005 1:45:12a ..S.R 229,736 224.35 K
kwxle.txt Mon Feb 7 2005 4:02:12p A.SH. 0 0.00 K
msjy32.exe Sun Jan 30 2005 8:39:30a A.SH. 11,467 11.20 K
msyz.exe Sun Jan 23 2005 7:37:42p A.SH. 29,256 28.57 K
miexec~1.exe Tue Feb 1 2005 9:42:42a ..SHR 413,696 404.00 K
netxh32.exe Sun Jan 23 2005 3:41:36p A.SH. 29,256 28.57 K
ntod.exe Sun Jan 23 2005 8:27:44p A.SH. 29,256 28.57 K
ntqm.exe Sun Jan 23 2005 9:10:40p A.SH. 10,824 10.57 K
rgsvr3~1.exe Tue Feb 1 2005 9:45:40a ..SHR 413,696 404.00 K
sdklk.exe Thu Jan 20 2005 8:35:14p A.SH. 11,550 11.28 K
13 items found: 13 files, 0 directories.
Total of file sizes: 1,200,385 bytes 1.14 M
-------- Strings.exe Qoologic Results --------
C:\WINDOWS\system32\pav.sig: Qoologic
C:\WINDOWS\system32\pav.sig: Qoologic
--------- Strings.exe Aspack Results ---------
C:\WINDOWS\system32\pav.sig: AsPack
-------------- HKLM Run Key ----------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdaptecDirectCD"="\"C:\\Program Files\\Roxio\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"VSOCheckTask"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcmnhdlr.exe\" /checktask"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\j2re1.4.2_03\\bin\\jusched.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"Desktop Search"="C:\\WINDOWS\\isrvs\\desktop.exe"
"ffis"="C:\\WINDOWS\\isrvs\\ffisearch.exe"
-
One more log, boogie, and then you can sit back and let me write up a hopeful fix
I'm stepping out for a bit, not long
So please don't try and restart your computer or use it to browse until we do some cleaning
If you can, do it right now: disable System Restore
Right-click My Computer -> Properties -> System Restore tab -> Check Disable System Restore.
Let me know if you can do it.....
Go to START>>RUN>>type in cmd
Hit OK
At the prompt type in these entries, excluding the = signs, see note
cd\WINDOWS\Downloaded Program Files (hit Enter)
dir=/a=/Q=*=>C:\dpflist.txt (hit Enter)
start=C:\dpflist.txt (hit Enter)
NOTE* DON'T enter the = signs when typing in those commands
Those are just there to let you know where the spaces are
Copy and Paste the log that appears and then Close out the command prompt
-
thank you for your help man, you rock
my daughter named the computer, by the way.. haha...
Volume in drive C has no label.
Volume Serial Number is 5433-A367
Directory of C:\WINDOWS\Downloaded Program Files
02/11/2005 10:10 AM <DIR> BUILTIN\Administrators .
02/11/2005 10:10 AM <DIR> BUILTIN\Administrators ..
01/26/2005 04:03 PM 110,592 POOPYA\jordan asinst.dll
01/27/2005 09:09 AM 525 POOPYA\jordan asinst.inf
02/08/2005 10:42 AM <DIR> POOPYA\jordan CONFLICT.1
02/08/2005 10:42 PM <DIR> POOPYA\jordan CONFLICT.10
02/07/2005 05:13 PM <DIR> POOPYA\jordan CONFLICT.11
02/07/2005 05:13 PM <DIR> POOPYA\jordan CONFLICT.12
02/07/2005 06:45 PM <DIR> POOPYA\jordan CONFLICT.13
02/07/2005 06:45 PM <DIR> POOPYA\jordan CONFLICT.14
02/07/2005 09:43 PM <DIR> POOPYA\Administrator CONFLICT.15
02/07/2005 09:43 PM <DIR> POOPYA\Administrator CONFLICT.16
02/07/2005 10:24 PM <DIR> POOPYA\Administrator CONFLICT.17
02/07/2005 02:28 PM <DIR> POOPYA\jordan CONFLICT.2
02/07/2005 03:44 PM <DIR> POOPYA\jordan CONFLICT.3
02/07/2005 05:12 PM <DIR> POOPYA\jordan CONFLICT.4
02/07/2005 06:46 PM <DIR> POOPYA\jordan CONFLICT.5
02/07/2005 09:08 PM <DIR> POOPYA\jordan CONFLICT.6
02/07/2005 10:06 PM <DIR> POOPYA\jordan CONFLICT.7
02/08/2005 10:33 AM <DIR> POOPYA\jordan CONFLICT.8
02/08/2005 10:42 AM <DIR> POOPYA\jordan CONFLICT.9
12/18/2003 12:38 PM 65 BUILTIN\Administrators desktop.ini
10/14/1997 06:52 PM 697 BUILTIN\Administrators DirectAnimation Java Classes.osd
08/24/2004 02:39 PM 59,556 POOPYA\jordan Doremi.ttf
07/25/2002 03:13 PM 24,576 BUILTIN\Administrators dwusplay.dll
07/25/2002 03:13 PM 196,608 BUILTIN\Administrators dwusplay.exe
03/28/2002 04:05 PM 1,268 POOPYA\jordan erma.inf
07/12/2000 03:02 AM 36,864 POOPYA\jordan fxfileop.dll
09/15/2003 06:49 PM 388 POOPYA\ben imbum.inf
01/20/2003 09:44 AM 176,128 BUILTIN\Administrators isusweb.dll
11/20/2003 12:22 AM 740 POOPYA\jordan jinstall-1_4_2_03.inf
02/04/2005 01:31 AM 62,616 POOPYA\jordan loader2.ocx
01/20/2000 02:25 PM 1,162 BUILTIN\Administrators Microsoft XML Parser for Java.osd
11/18/1999 01:49 PM 992 POOPYA\ben msaudio.inf
12/01/2004 01:30 AM 551 POOPYA\jordan OSDEB.OSD
10/09/2003 10:32 AM 144 POOPYA\ben QTPlugin.inf
03/13/2004 08:39 PM 9,807,846 POOPYA\jordan QuickTimeInstallCache.qdat
05/29/2002 11:12 PM 9,488 POOPYA\ben sporder.dll
12/08/2003 01:58 PM 3,759 POOPYA\jordan swflash.inf
04/05/2004 05:21 PM 20,480 POOPYA\ben UCSearch.ocx
10/31/2001 11:37 AM 118 POOPYA\jordan uninst.bat
12/01/2004 01:30 AM 13,824 POOPYA\jordan v3.dll
06/30/2003 10:41 PM 1,689 POOPYA\jordan WMV9VCM.inf
01/24/2005 01:14 PM 15,872 POOPYA\jordan YSBactivex.dll
08/17/2004 01:58 PM 227 POOPYA\jordan ysbactivex.inf
26 File(s) 10,546,775 bytes
19 Dir(s) 6,228,783,104 bytes free
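The `dir /a /Q` listing guestolo asked for above, and the log boogieonrw posted in reply, can be triaged mechanically rather than read by eye. What follows is an added example, not code from this thread or from any of the tools it mentions: a small Python parser for the `dir /a /Q` output format (the `/Q` switch adds the owner column) that rebuilds each entry's timestamp, size and owner, then flags the `CONFLICT.n` folders and any active content written shortly before the scan. The sample listing is constructed from a few lines of the posted log; the 30-day look-back window and the set of extensions treated as active content are assumptions of the example.

```python
import os
import re
from datetime import datetime, timedelta

# Constructed sample in the format "dir /a /Q" prints (the /Q switch adds the
# owner column), modelled on the Downloaded Program Files listing in the thread.
SAMPLE_LISTING = """\
 Volume in drive C has no label.
 Volume Serial Number is 5433-A367
 Directory of C:\\WINDOWS\\Downloaded Program Files
02/11/2005 10:10 AM <DIR> BUILTIN\\Administrators .
02/11/2005 10:10 AM <DIR> BUILTIN\\Administrators ..
01/26/2005 04:03 PM 110,592 POOPYA\\jordan asinst.dll
02/08/2005 10:42 AM <DIR> POOPYA\\jordan CONFLICT.1
02/07/2005 09:43 PM <DIR> POOPYA\\Administrator CONFLICT.15
10/14/1997 06:52 PM 697 BUILTIN\\Administrators DirectAnimation Java Classes.osd
02/04/2005 01:31 AM 62,616 POOPYA\\jordan loader2.ocx
12/01/2004 01:30 AM 13,824 POOPYA\\jordan v3.dll
01/24/2005 01:14 PM 15,872 POOPYA\\jordan YSBactivex.dll
 5 File(s) 203,601 bytes
 4 Dir(s) 6,228,783,104 bytes free
"""

# date  time  <DIR>|size  owner  name (name may contain spaces)
ENTRY_RE = re.compile(
    r"^\s*(\d{2}/\d{2}/\d{4})\s+(\d{1,2}:\d{2} [AP]M)\s+(<DIR>|[\d,]+)\s+(\S+)\s+(.+?)\s*$"
)


def parse_dir_q(text):
    """Return one dict per real entry; the . and .. pseudo-entries are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue  # volume header, totals line, blank line
        date_s, time_s, size_s, owner, name = m.groups()
        if name in (".", ".."):
            continue
        is_dir = size_s == "<DIR>"
        entries.append({
            "mtime": datetime.strptime(f"{date_s} {time_s}", "%m/%d/%Y %I:%M %p"),
            "is_dir": is_dir,
            "size": 0 if is_dir else int(size_s.replace(",", "")),
            "owner": owner,
            "name": name,
        })
    return entries


def owner_summary(entries):
    """Count entries per owning account: shows which user pulled the files in."""
    counts = {}
    for e in entries:
        counts[e["owner"]] = counts.get(e["owner"], 0) + 1
    return counts


CONFLICT_RE = re.compile(r"^CONFLICT\.\d+$", re.IGNORECASE)
# Extensions treated as active content; an assumption of this example.
ACTIVE_CONTENT = {".dll", ".ocx", ".exe", ".osd"}


def triage(entries, scan_date, window_days=30):
    """Flag entries worth a second look as (name, owner, [reasons]) tuples.

    scan_date is the MM/DD/YYYY date the listing was taken; window_days is the
    look-back for "recently written" (the 30-day default is an assumption)."""
    cutoff = datetime.strptime(scan_date, "%m/%d/%Y") - timedelta(days=window_days)
    findings = []
    for e in entries:
        reasons = []
        if e["is_dir"] and CONFLICT_RE.match(e["name"]):
            # IE creates CONFLICT.n subfolders when a control is downloaded again
            # under a filename that already exists; a run of them means repeated installs.
            reasons.append("CONFLICT.n folder (control reinstalled repeatedly)")
        ext = os.path.splitext(e["name"])[1].lower()
        if not e["is_dir"] and ext in ACTIVE_CONTENT and e["mtime"] >= cutoff:
            reasons.append(f"active content written within {window_days} days of the scan")
        if reasons:
            findings.append((e["name"], e["owner"], reasons))
    return sorted(findings, key=lambda f: f[0].lower())


def run_sample():
    """Triage the constructed sample as of the date it was listed (02/11/2005)."""
    return triage(parse_dir_q(SAMPLE_LISTING), "02/11/2005")


if __name__ == "__main__":
    for name, owner, reasons in run_sample():
        print(f"{name:32} {owner:24} {'; '.join(reasons)}")
```

Note that `asinst.dll` gets flagged purely on recency even though the O16 line in the HijackThis log identifies it as Panda ActiveScan's own installer: the output is a review list for the helper, not a verdict, which is the same caveat Find.bat prints at the top of its own log.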
-
Let's go thru the steps
Some may not be necessary, but let's do it anyways
Ensure you have Hoster still in a convenient spot
Also ensure you still have fix.reg placed on your desktop for easy access
If not, you can save it to Notepad again>>>on page 2 of our replies
Related to the ZoneMap\Domains registry fix
Print this out so you can use it as a checklist
Also
Please save this to a Notepad file on your desktop >>>
Disconnect from the Internet>>>Disable System Restore, if you can and you haven't done so already
Close down All unnecessary programs running in the background
Keep all other users of the computer logged off
Do another scan with Hijackthis and put a check next to these entries:
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us.mcafee.com/root/landingpages/cd....ystempopup=true (obfuscated)
O2 - BHO: (no name) - {4C6760DC-238D-9383-FB09-D1F471E71804} - (no file)
O2 - BHO: (no name) - {502B8893-05D5-1E4B-D4E1-6F514A11CDB7} - (no file)
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll (file missing)
O2 - BHO: (no name) - {79EF8DE9-C305-C8CC-6B87-1ED452FEAE42} - (no file)
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
ALL the 015 entries
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - (no file)
After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
With only your Notepad file open
Open Killbox.exe
Then bring up Taskmanager
Now you have this Notepad file that you saved>>>Killbox>>taskmanager open
End process on explorer.exe as you did before
May not be necessary at this point but let's not take a chance
Icons and Taskbar disappear
In Task Manager go to FILE>>>NEW TASK (RUN)
Type in cmd.exe
Hit OK
At the command prompt
type this again, remember there are no = signs, see Note below
cd\WINDOWS\Downloaded Program Files (hit Enter)
del=YSBactivex.dll (hit Enter)
del=ysbactivex.inf (hit Enter)
del=loader2.ocx (hit Enter)
del=OSDEB.OSD (hit Enter)
del=v3.dll (hit Enter)
Rmdir=/s=CONFLICT.1 (hit Enter)
Rmdir=/s=CONFLICT.2 (hit Enter)
Rmdir=/s=CONFLICT.3 (hit Enter)
Rmdir=/s=CONFLICT.4 (hit Enter)
Rmdir=/s=CONFLICT.5 (hit Enter)
Rmdir=/s=CONFLICT.6 (hit Enter)
Rmdir=/s=CONFLICT.7 (hit Enter)
Rmdir=/s=CONFLICT.8 (hit Enter)
Rmdir=/s=CONFLICT.9 (hit Enter)
Rmdir=/s=CONFLICT.10 (hit Enter)
Rmdir=/s=CONFLICT.11 (hit Enter)
Rmdir=/s=CONFLICT.12 (hit Enter)
Rmdir=/s=CONFLICT.13 (hit Enter)
Rmdir=/s=CONFLICT.14 (hit Enter)
Rmdir=/s=CONFLICT.15 (hit Enter)
Rmdir=/s=CONFLICT.16 (hit Enter)
Rmdir=/s=CONFLICT.17 (hit Enter)
NOTE* = signs should be replaced by a space
After you have entered all those, close the command prompt
Now you have just the Notepad file open and Killbox
In Killbox
Copy and paste each of the following lines into the "Full Path of File to Delete"
Click the RED X button that looks like the Stop sign
Keep track of any files that won't delete
You'll need those later
C:\WINDOWS\NDNuninstall6_22.exe
C:\WINDOWS\SSK_B5.EXE
C:\WINDOWS\woinstall.exe
C:\WINDOWS\System32\304390.exe
C:\WINDOWS\System32\311375.exe
C:\WINDOWS\System32\cp.exe
C:\WINDOWS\System32\dfe.exe
C:\WINDOWS\System32\eree.exe
C:\WINDOWS\System32\fgrr.exe
C:\WINDOWS\System32\htt.exe
C:\WINDOWS\System32\iwdwin.dll
C:\WINDOWS\System32\KVIF_7.dll
C:\WINDOWS\System32\mac80ex.idf
C:\WINDOWS\System32\mqexdlm.srg
C:\WINDOWS\System32\netut80ex.vxd
C:\WINDOWS\System32\SHAgentNew.dll
C:\WINDOWS\System32\WinSuck.dll
C:\WINDOWS\System32\Xcite2.exe
C:\DOCUME~1\jordan\LOCALS~1\TEMPOR~1\Content.IE5\014D63SJ\ysb_prompt[1].php
C:\DOCUME~1\jordan\LOCALS~1\TEMPOR~1\Content.IE5\89SF0L8N\js[1].htm
C:\DOCUME~1\jordan\LOCALS~1\TEMPOR~1\Content.IE5\89SF0L8N\js[2].htm
C:\DOCUME~1\jordan\LOCALS~1\TEMPOR~1\Content.IE5\89SF0L8N\ysb_prompt[1].php
C:\Documents and Settings\jordan\eree.exe
C:\Documents and Settings\jordan\ewhtt.exe
C:\Program Files\AIM\aim95.exe
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll
C:\Program Files\MyWay\myBar\1.bin\MY2NS.EXE
C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
C:\Program Files\TopConverting\arkanoid\arkanoid.exe
C:\WINDOWS\Downloaded Program Files\CONFLICT.10\v3.dll
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\v3.dll
C:\WINDOWS\Downloaded Program Files\CONFLICT.3\v3.dll
C:\WINDOWS\Downloaded Program Files\CONFLICT.4\v3.dll
C:\WINDOWS\Downloaded Program Files\CONFLICT.5\v3.dll
C:\WINDOWS\Downloaded Program Files\CONFLICT.6\v3.dll
C:\WINDOWS\Downloaded Program Files\CONFLICT.7\v3.dll
C:\WINDOWS\Downloaded Program Files\CONFLICT.8\v3.dll
C:\WINDOWS\Downloaded Program Files\CONFLICT.9\v3.dll
C:\WINDOWS\Downloaded Program Files\v3.dll
C:\WINDOWS\System32\ntqm.exe
C:\WINDOWS\System32\d3wq.exe
C:\WINDOWS\System32\msjy32.exe
C:\WINDOWS\System32\netxh32.exe
C:\WINDOWS\System32\ipxm32.exe
C:\WINDOWS\System32\kwxle.txt
C:\WINDOWS\System32\sdklk.exe
C:\WINDOWS\System32\d3wq.exe
C:\WINDOWS\System32\d3ea.exe
C:\WINDOWS\isrvs\ffisearch.exe
Copy and paste each of the following lines into the "Full Path of File to Delete" box in Killbox.
Put a mark next to Replace on Reboot
Also mark Use Dummy
Click the red button with the X after each. It will ask you if you want to reboot each time you click it, answer "No"
C:\WINDOWS\System32\brew.dll
C:\WINDOWS\BTGrab.dll
C:\WINDOWS\System32\dOnim.dll
C:\WINDOWS\System32\l06olaj31do.dll
C:\WINDOWS\System32\LMWND13n.DLL
C:\WINDOWS\System32\o884lilq18qe.dll
C:\WINDOWS\System32\s8pu0i79e8.dll
C:\WINDOWS\System32\tarmmgr.dll
C:\WINDOWS\System32\Xcite.dll
C:\WINDOWS\Downloaded Program Files\YSBactivex.dll
C:\WINDOWS\inst\3p1.exe
At this point copy and paste any file that wouldn't delete earlier with just the
Delete file button and use the
"Replace on Reboot"
"Use Dummy"
options
Once the last path to the file to delete is entered
Answer YES
And allow the system to Reboot
or use the option in the Taskmanager under Shutdown>>Restart
Please reboot into safe mode at this time
Look for these 2 files in the C:\Windows\System32 folder
02/01/2005 09:45 AM 413,696 r?gsvr32.exe <--this file
02/01/2005 09:42 AM 413,696 m?iexec.exe <--this file
They may contain the ? mark in them; if you see them, delete them
Careful, as they like to disguise themselves as legitimate files
You can see if you right click on them and left click Properties
Their file size is about 413 kb and they were created on the date above
Find and delete these folders if they exist
C:\WINDOWS\isrvs <--this folder
C:\Program Files\AWS <--folder
C:\Program Files\MyWay <--folder
C:\Program Files\TopConverting <--folder
Take a look for any of those files killed with killbox manually and ensure they don't exist
Some of the files should have been removed by RubberDucky's About:Buster
If you still have it
Can you please run About:Buster again in safe mode
Let it scan twice>>Save the log afterwards
Open HOSTER and RESTORE ORIGINAL HOSTS
Double click on fix.reg and allow it to merge to the registry
While you're in safe mode, can you open your Registry editor
just be careful and do just what I ask
Go to START>>RUN>>Type in regedit
Hit OK
Navigate to this entry
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage]
Left click to Highlight ModuleUsage
Right click on it and Choose EXPORT
Name it and save it to MyDocuments folder
Exit the Registry
Temp files should have been deleted, but since you have Windows CleanUp!, can you run it in safe mode as well, just to be safe
Restart back to Normal mode
Enable System Restore
At this time let's try another scan with the newer L2mfix>>>Can you redownload it please, don't use your old copy>>Here's the instructions again
Download L2mfix from one of these two locations:
http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe
Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.
[color=\"red\"]IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so![/color]
Hopefully one last time
Can you run another scan with MWAV from eScan
and post another log
Also post back another Hijackthis log
Also include the About:Buster logs if you have them
Could you also go to the MyDocuments folder, find that entry you exported from the Registry
RIGHT CLICK on it and select EDIT
Copy and paste back here the contents, thanks
-
all of the v3.dll's and the ffisearch.exe couldn't be found
also ysbactivex.dll
should i search for every one of the files we replaced or deleted?
-
It was just precautionary
If you wouldn't mind, but I would think they would all be gone
Just carry on, I'm stepping out for a bit, so I won't be able to answer these questions
I hope to see a better log when I get back , crossing my fingers
Well I got you here, Before restarting back to Normal mode could you try the fixes with hijackthis in Safe mode again, if you're past that point, DON'T worry about it.........
Thanks
Don't worry if they're back when you reboot to normal mode and don't restart your computer again when you get back to normal mode if you can help it
Woops>>that was me boogie
~guestolo~
-
hey, we seem to be still having a problem with the l2mfix
it isn't opening...if i have to restart my computer, what do i have to do?
-
I keep removing these question and answer replies
If you had to reboot instead of ending process on it
I will need you to run Find.bat from Find It NT-2K-XP and post the log
I was hoping to see some logs boogieonrw
Let me say this again boogieonrw, do what you can, post all the required logs if you can
-
unfortunately not even Find It is working,
the log files just never open...it freezes
i don't know if it's a memory issue or what but it still pretends to be working, but isn't
i'll post hijackthis and the reg file after a quick restart
-
Did you try redownloading it?
Did you give it time to finish, even if it appears to freeze?
We almost have you clean I believe, but let the scans finish
Don't give it a great amount of time but make sure it's not doing anything at all
-
i did allow it a while.. i just redownloaded and will do it again
after it completes i will post all logs.... and in the meantime i will be keeping my fingers crossed,
being almost finished, that's awesome! almost a month later, but (slight exaggeration) still
-
Logfile of HijackThis v1.99.0
Scan saved at 8:19:26 PM, on 2/13/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.msn.com
O2 - BHO: (no name) - {4C6760DC-238D-9383-FB09-D1F471E71804} - (no file)
O2 - BHO: (no name) - {502B8893-05D5-1E4B-D4E1-6F514A11CDB7} - (no file)
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll (file missing)
O2 - BHO: (no name) - {79EF8DE9-C305-C8CC-6B87-1ED452FEAE42} - (no file)
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - (no file)
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NOD32 Kernel Service - Unknown - C:\Program Files\Eset\nod32krn.exe
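The log above is read by eye in this thread. The following Python is an added example, not code from the thread or from HijackThis, that applies the same reading to HijackThis item lines: O2/O9/O18 entries whose DLL is gone ("(no file)", "(file missing)") are orphaned COM registrations left to remove, O1 lines are hosts-file overrides, and O4 autoruns launched from a sub-folder of C:\WINDOWS other than System32 (the isrvs pattern) are flagged. The sub-folder heuristic is an assumption about a stock XP box, and the sample log lines are constructed for the example.

```python
"""Triage HijackThis log items (added example; not code from HijackThis or from the thread)."""
import re

ITEM_RE = re.compile(r"^(O\d+|R\d) - (.*)$")
PATH_RE = re.compile(r'([A-Za-z]:\\[^"]+?\.(?:exe|dll|ocx))', re.I)
# Heuristic (assumption): on a stock XP box legitimate autoruns live in System32, the
# Windows root or Program Files; an autorun in a fresh sub-folder of C:\WINDOWS is a lead.
WINDIR = r"c:\windows"


def triage_hjt(log_text):
    """Return (kind, item_code, detail) tuples for log items worth fixing or checking."""
    findings = []
    for raw in log_text.splitlines():
        m = ITEM_RE.match(raw.strip())
        if not m:
            continue                                  # header, process list, blank line
        code, body = m.groups()
        if code in ("O2", "O9", "O18") and ("(no file)" in body or "(file missing)" in body):
            # CLSID or MIME filter still registered but its DLL is gone: a remnant to remove
            findings.append(("orphaned-com-entry", code, body))
        elif code == "O1":
            findings.append(("hosts-file-override", code, body))
        elif code == "O4":
            pm = PATH_RE.search(body)
            if pm:
                path = pm.group(1).lower()
                folder = path.rsplit("\\", 1)[0]
                if folder.startswith(WINDIR + "\\") and folder != WINDIR + r"\system32":
                    findings.append(("autorun-from-windows-subfolder", code, path))
    return findings


# Constructed sample in the shape HijackThis prints, including the isrvs autoruns and
# orphaned BHO/filter entries of the kind this thread was removing.
SAMPLE_HJT = r"""Logfile of HijackThis v1.99.0
Running processes:
C:\WINDOWS\System32\smss.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.msn.com
O2 - BHO: (no name) - {4C6760DC-238D-9383-FB09-D1F471E71804} - (no file)
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - (no file)
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
"""

if __name__ == "__main__":
    for finding in triage_hjt(SAMPLE_HJT):
        print(*finding, sep="  ")
```

Run it against a saved log with `triage_hjt(open("hijackthis.log").read())`. The orphaned entries are the ones HijackThis can fix directly; the autorun findings name the files and folders that still have to be deleted, which is why the thread keeps asking for fresh logs after each reboot.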
-
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/asinst.dll]
".Owner"="{9A9307A0-7DA4-4DAF-B042-5009F29E09E1}"
"{9A9307A0-7DA4-4DAF-B042-5009F29E09E1}"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/CONFLICT.1/MediaTicketsInstaller.ocx]
".Owner"="{9EB320CE-BE1D-4304-A081-4B4665414BEF}"
"{9EB320CE-BE1D-4304-A081-4B4665414BEF}"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/CONFLICT.10/v3.dll]
".Owner"="v3cab"
"v3cab"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/CONFLICT.11/loader2.ocx]
".Owner"="{79849612-A98F-45B8-95E9-4D13C7B6B35C}"
"{79849612-A98F-45B8-95E9-4D13C7B6B35C}"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/CONFLICT.12/loader2.ocx]
".Owner"="{79849612-A98F-45B8-95E9-4D13C7B6B35C}"
"{79849612-A98F-45B8-95E9-4D13C7B6B35C}"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/CONFLICT.13/loader2.ocx]
".Owner"="{79849612-A98F-45B8-95E9-4D13C7B6B35C}"
"{79849612-A98F-45B8-95E9-4D13C7B6B35C}"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/CONFLICT.14/loader2.ocx]
".Owner"="{79849612-A98F-45B8-95E9-4D13C7B6B35C}"
"{79849612-A98F-45B8-95E9-4D13C7B6B35C}"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/CONFLICT.15/loader2.ocx]
".Owner"="{79849612-A98F-45B8-95E9-4D13C7B6B35C}"
"{79849612-A98F-45B8-95E9-4D13C7B6B35C}"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/CONFLICT.16/loader2.ocx]
".Owner"="{79849612-A98F-45B8-95E9-4D13C7B6B35C}"
"{79849612-A98F-45B8-95E9-4D13C7B6B35C}"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/CONFLICT.17/loader2.ocx]
".Owner"="{79849612-A98F-45B8-95E9-4D13C7B6B35C}"
"{79849612-A98F-45B8-95E9-4D13C7B6B35C}"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/CONFLICT.5/v3.dll]
".Owner"="v3cab"
"v3cab"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/CONFLICT.6/v3.dll]
".Owner"="v3cab"
"v3cab"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/CONFLICT.7/v3.dll]
".Owner"="v3cab"
"v3cab"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/CONFLICT.8/v3.dll]
".Owner"="v3cab"
"v3cab"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/CONFLICT.9/v3.dll]
".Owner"="v3cab"
"v3cab"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/MediaTicketsInstaller.ocx]
".Owner"="{9EB320CE-BE1D-4304-A081-4B4665414BEF}"
"{9EB320CE-BE1D-4304-A081-4B4665414BEF}"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/System32/mfc42.dll]
".Owner"="Unknown Owner"
"{9EB320CE-BE1D-4304-A081-4B4665414BEF}"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/System32/msvcrt.dll]
".Owner"="Unknown Owner"
"{9EB320CE-BE1D-4304-A081-4B4665414BEF}"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/System32/olepro32.dll]
".Owner"="Unknown Owner"
"{9EB320CE-BE1D-4304-A081-4B4665414BEF}"=""
-
Scanned at: 5:13:53 PM on: 2/12/2005
-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 23
No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!
-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 23
No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!
-
find it nt just isn't working...i've left it for an hour or so a few times today and it just won't open a log
is this one we can do in safe mode?
-
i'm doing an updated mwav scan right now
i had to restart every time i tried to use finditnt,
is there a problem with that? you said that i had to run that again since i had to restart the one other time, so where does that leave us?
-
File C:\WINDOWS\System32\306203.exe infected by "Trojan.Win32.Zapchast" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\lvno0953e.dll infected by "not-a-virus:AdWare.Look2Me.u" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\o884lilq18qe.dll infected by "not-a-virus:AdWare.Look2Me.u" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\Process.exe tagged as not-a-virus:RiskWare.Tool.Processor.20. No Action Taken.
File C:\!Submit\304390.exe infected by "Trojan-Clicker.Win32.Small.dm" Virus. Action Taken: No Action Taken.
File C:\!Submit\311375.exe infected by "Trojan-Clicker.Win32.Small.dm" Virus. Action Taken: No Action Taken.
File C:\!Submit\aim95.exe infected by "not-a-virus:AdWare.MiniBug" Virus. Action Taken: No Action Taken.
File C:\!Submit\arkanoid.exe infected by "not-a-virus:AdWare.WinShow.f" Virus. Action Taken: No Action Taken.
File C:\!Submit\dfe.exe infected by "Trojan.Win32.LowZones.ac" Virus. Action Taken: No Action Taken.
File C:\!Submit\eree.exe infected by "Trojan-Clicker.Win32.Agent.bn" Virus. Action Taken: No Action Taken.
File C:\!Submit\ewhtt.exe infected by "not-a-virus:AdWare.ToolBar.ISearch.d" Virus. Action Taken: No Action Taken.
File C:\!Submit\fgrr.exe infected by "Trojan-Dropper.Win32.Small.sa" Virus. Action Taken: No Action Taken.
File C:\!Submit\htt.exe infected by "not-a-virus:AdWare.ToolBar.ISearch.d" Virus. Action Taken: No Action Taken.
File C:\!Submit\iwdwin.dll infected by "not-a-virus:AdWare.PurityScan.ak" Virus. Action Taken: No Action Taken.
File C:\!Submit\js[1].htm infected by "Exploit.HTML.CodeBaseExec" Virus. Action Taken: No Action Taken.
File C:\!Submit\js[2].htm infected by "Exploit.HTML.CodeBaseExec" Virus. Action Taken: No Action Taken.
File C:\!Submit\KVIF_7.dll infected by "Trojan-Downloader.Win32.Keenval.e" Virus. Action Taken: No Action Taken.
File C:\!Submit\mac80ex.idf infected by "not-a-virus:AdWare.BargainBuddy.l" Virus. Action Taken: No Action Taken.
File C:\!Submit\MiniBugTransporter.dll infected by "not-a-virus:AdWare.MiniBug" Virus. Action Taken: No Action Taken.
File C:\!Submit\mqexdlm.srg infected by "not-a-virus:AdWare.ToolBar.Exact" Virus. Action Taken: No Action Taken.
File C:\!Submit\MY2NS.EXE infected by "not-a-virus:AdWare.Toolbar.MyWay.b" Virus. Action Taken: No Action Taken.
File C:\!Submit\MYBAR.DLL infected by "not-a-virus:AdWare.ToolBar.MyWay.g" Virus. Action Taken: No Action Taken.
File C:\!Submit\NDNuninstall6_22.exe infected by "not-a-virus:AdWare.NewDotNet" Virus. Action Taken: No Action Taken.
File C:\!Submit\netut80ex.vxd infected by "not-a-virus:AdWare.ToolBar.Exact" Virus. Action Taken: No Action Taken.
File C:\!Submit\SHAgentNew.dll infected by "not-a-virus:AdWare.Sahat.g" Virus. Action Taken: No Action Taken.
File C:\!Submit\SSK_B5.EXE infected by "Trojan-Dropper.Win32.SurfSide.a" Virus. Action Taken: No Action Taken.
File C:\!Submit\WinSuck.dll infected by "Trojan-Clicker.Win32.Agent.ca" Virus. Action Taken: No Action Taken.
File C:\!Submit\woinstall.exe infected by "not-a-virus:AdWare.EZula.ak" Virus. Action Taken: No Action Taken.
File C:\!Submit\Xcite2.exe infected by "not-a-virus:AdWare.F1Organizer.m" Virus. Action Taken: No Action Taken.
File C:\!Submit\ysb_prompt[1].php infected by "Exploit.HTML.CodeBaseExec" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\All Users\Application Data\AOL Downloads\setup90\comp01.000 tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy2.zip infected by "Password-protected-EXE" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy5.zip infected by "Password-protected-EXE" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\jordan\Application Data\Mozilla\Firefox\Profiles\s18mqwrz.default\Cache\35897D89d01 tagged as not-a-virus:RiskWare.Tool.Processor.20. No Action Taken.
File C:\Documents and Settings\jordan\Desktop\l2mfix\Process.exe tagged as not-a-virus:RiskWare.Tool.Processor.20. No Action Taken.
File C:\Documents and Settings\jordan\Desktop\l2mfix.exe tagged as not-a-virus:RiskWare.Tool.Processor.20. No Action Taken.
File C:\HJT\backups\backup-20050207-220637-306.dll infected by "not-a-virus:AdWare.ToolBar.EliteBar.z" Virus. Action Taken: No Action Taken.
File C:\HJT\backups\backup-20050207-220637-433.dll infected by "not-a-virus:AdWare.MediaTickets.f" Virus. Action Taken: No Action Taken.
File C:\HJT\backups\backup-20050207-220637-968.dll infected by "not-a-virus:AdWare.ToolBar.EliteBar.z" Virus. Action Taken: No Action Taken.
File C:\HJT\backups\backup-20050208-104237-313.dll infected by "not-a-virus:AdWare.MediaTickets.f" Virus. Action Taken: No Action Taken.
File C:\HJT\backups\backup-20050208-104237-432.dll infected by "not-a-virus:AdWare.BiSpy.t" Virus. Action Taken: No Action Taken.
File C:\HJT\backups\backup-20050208-104237-918.dll infected by "not-a-virus:AdWare.PurityScan.ak" Virus. Action Taken: No Action Taken.
File C:\HJT\backups\backup-20050208-143714-587.dll infected by "Trojan-Downloader.Win32.Agent.jm" Virus. Action Taken: No Action Taken.
File C:\HJT\backups\backup-20050208-143714-783.dll infected by "Trojan-Clicker.Win32.Agent.bz" Virus. Action Taken: No Action Taken.
File C:\HJT\backups\backup-20050208-145922-986.dll infected by "Trojan-Downloader.Win32.Agent.jm" Virus. Action Taken: No Action Taken.
File C:\HJT\backups\backup-20050208-225029-174.dll infected by "not-a-virus:AdWare.ToolBar.EliteBar.z" Virus. Action Taken: No Action Taken.
File C:\HJT\backups\backup-20050208-225029-354.dll infected by "not-a-virus:AdWare.ToolBar.EliteBar.z" Virus. Action Taken: No Action Taken.
File C:\HJT\backups\backup-20050208-225029-922.dll infected by "Trojan-Downloader.Win32.Ieser.a" Virus. Action Taken: No Action Taken.
File C:\HJT\backups\backup-20050209-004902-169.dll infected by "Trojan-Downloader.Win32.Ieser.a" Virus. Action Taken: No Action Taken.
File C:\Program Files\AIM\Sysfiles\WxBug.EXE infected by "not-a-virus:AdWare.MiniBug" Virus. Action Taken: No Action Taken.
File C:\Program Files\ESET\infected\FLPIUOBA.NQF infected by "Trojan-Dropper.Win32.Agent.ch" Virus. Action Taken: No Action Taken.
File C:\Program Files\ESET\infected\RMAD2MAA.NQF infected by "Trojan.Win32.StartPage.nk" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP1\A0000004.exe tagged as not-a-virus:RiskWare.Tool.Processor.20. No Action Taken.
File C:\WINDOWS\system32\306203.exe infected by "Trojan.Win32.Zapchast" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\lvno0953e.dll infected by "not-a-virus:AdWare.Look2Me.u" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\o884lilq18qe.dll infected by "not-a-virus:AdWare.Look2Me.u" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\Process.exe tagged as not-a-virus:RiskWare.Tool.Processor.20. No Action Taken.
-
that's most everything besides the 2 command prompt text files that just won't work
-
That MWAV scan from eScan isn't as bad as it looks
But we have to get rid of the VX2 Infection and I believe a new trojan
Let's re-enable some protection on your computer
Could you, right now....
I asked you to install SpywareBlaster earlier
Could you open the program and click the update button
And then check for updates
Let it download all updates and then Enable All protection
Once all protection is enabled it should read
Internet Explorer enabled
Restricted Sites enabled
Mozilla firefox enabled
Beside all of them it should read 0 items have protection disabled
Once that is done, SDHelper.dll may have been removed from an earlier infection
Part of Spybot 1.3
Could you download this Zip file
SDHelper13.zip (http://www.richardthelionhearted.com/~merijn/files/windows/sdhelper13.zip)
Save the Zip file to your desktop and Unzip it to the folder Spybot is installed to
The default location is C:\Program Files\Spybot - Search & Destroy folder
After you have that done
Open Spybot >>> Don't run a scan yet
Click the Immunize button>>>OK>>>Immunize at the top
While you're there could you put a tick in
"Enable Permanent blocking of bad addresses in Internet Explorer"
We're going to remove some entries from the registry
Could you download this tool please
Download Registrar Lite from here:
http://www.resplendence.com/download/reglite.exe
Install it, we'll need it shortly
Hold onto this tool, it's a great free registry editor
We'll try these small downloads to rid you of the VX2 infection
Could you also Download and save to Desktop DLLCompare (http://downloads.subratam.org/DllCompare.exe)
Double click to run it and click the Run Locate.com
Let it complete the SCAN, which won't take long
Click the Compare button to start the next process.This will take a bit longer.
Click the Make a Log of what was found button
Post back this log please
Next: Download and Save to desktop
VX2 Finder.exe (http://downloads.subratam.org/VX2Finder(126).exe)
Double click to run it
Click the "Click to Find VX2.BetterInternet"
Let it complete the scan>>Again, won't take long
Make a log and post it back
Just want to check on one thing
Open Notepad (START>>>RUN>>>type in notepad) hit Enter
Copy the contents of the Quote box to notepad
In Notepad click FILE>>SAVE AS
Name the file as Export.bat
Save this on your Desktop
regedit /e Notify.reg "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
Double click on Export.bat
It will produce a new file on the desktop called Notify.reg
Right click on Notify.reg and choose EDIT>>copy and paste that back here too, thanks
Again, try not to restart your computer
We'll try some final fixes
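Both registry exports requested in this thread (ModuleUsage earlier, Winlogon\Notify here) are then inspected by eye. The following Python is an added example, not code from the thread or from VX2 Finder, that parses a regedit /e export and applies the same checks: Notify packages outside the stock XP set (crypt32chain, cryptnet, cscdll, ScCertProp, Schedule, sclgntfy, SensLogn, termsrv, wlballoon), a DllName that is missing or points outside System32, hook values written on the Notify key itself rather than in a named subkey, and ModuleUsage entries under Downloaded Program Files grouped by owner, with CONFLICT.N duplicates counted as the same control being fetched again. The XP baseline is an assumption (OEM and AV software add legitimate packages), the sample export is constructed and modelled on the ones posted above, and the `guardian` package and C:\WINDOWS\guardian.dll in it are hypothetical names.

```python
"""Triage regedit /e exports of Winlogon\\Notify and ModuleUsage (added example, not from the thread)."""
import re
from collections import Counter

# Stock Windows XP notification packages (assumption: XP baseline; graphics, VPN and AV
# products add legitimate extras, so an unlisted name is a lead to check, not a verdict).
XP_NOTIFY_BASELINE = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                      "sclgntfy", "senslogn", "termsrv", "wlballoon"}
NOTIFY_ROOT = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon\notify"
MU_ROOT = r"hkey_local_machine\software\microsoft\windows\currentversion\moduleusage"
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
CLSID_RE = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)


def parse_reg(text):
    """Parse 'Windows Registry Editor Version 5.00' text into {key: {name: value}},
    decoding REG_SZ, REG_DWORD and REG_EXPAND_SZ (hex(2)) values."""
    text = re.sub(r"\\\r?\n\s*", "", text)          # join hex data continued on the next line
    keys, current = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        if m := KEY_RE.match(line):
            current = m.group(1)
            keys[current] = {}
        elif (m := VALUE_RE.match(line)) and current is not None:
            name, data = m.group(1).replace("\\\\", "\\"), m.group(2)
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            elif data.lower().startswith("dword:"):
                data = int(data[6:], 16)
            elif data.lower().startswith("hex(2):"):
                raw = bytes(int(h, 16) for h in data[7:].split(",") if h)
                data = raw.decode("utf-16-le").rstrip("\x00")
            keys[current][name] = data
    return keys


def notify_findings(keys, system32=r"c:\windows\system32"):
    """Flag Winlogon notification packages a stock XP install would not have."""
    findings = []
    for path, values in keys.items():
        low = path.lower()
        if low == NOTIFY_ROOT and any(v in values for v in ("DllName", "Logon", "Logoff", "Shutdown")):
            # Hook values belong in a named subkey; written on the Notify key itself they
            # have the shape of the 'Guardian' entry in the exports posted in this thread.
            findings.append(("hook-values-on-notify-root", "(root)", str(values.get("DllName", ""))))
        elif low.startswith(NOTIFY_ROOT + "\\"):
            package = low[len(NOTIFY_ROOT) + 1:]
            dll = str(values.get("DllName", ""))
            if package not in XP_NOTIFY_BASELINE:
                findings.append(("package-not-in-xp-baseline", package, dll))
            full = dll.lower().replace("%systemroot%", r"c:\windows")
            if not dll or ("\\" in full and not full.startswith(system32 + "\\")):
                findings.append(("dllname-missing-or-outside-system32", package, dll))  # bare names load from System32
    return findings


def moduleusage_findings(keys):
    """List controls IE installed into Downloaded Program Files, with owner and re-download count."""
    findings, repeats = [], Counter()
    for path, values in keys.items():
        if not path.lower().startswith(MU_ROOT + "\\"):
            continue
        module = path[len(MU_ROOT) + 1:]          # ModuleUsage stores paths with forward slashes
        if "downloaded program files" not in module.lower():
            continue                              # system DLLs merely referenced by a control
        owner = str(values.get(".Owner", ""))
        kind = "activex-download" if CLSID_RE.match(owner) else "activex-download-non-clsid-owner"
        findings.append((kind, module, owner))
        if "/conflict." in module.lower():        # CONFLICT.N: the same file name was fetched again
            repeats[module.rsplit("/", 1)[-1].lower()] += 1
    findings.extend(("redownloaded-control", name, str(n)) for name, n in repeats.items())
    return findings


# Constructed sample modelled on the exports posted in the thread; the 'guardian'
# package and C:\WINDOWS\guardian.dll are hypothetical names, not from the page.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\guardian]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\guardian.dll"
"Logon"="WinLogon"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/asinst.dll]
".Owner"="{9A9307A0-7DA4-4DAF-B042-5009F29E09E1}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/CONFLICT.5/v3.dll]
".Owner"="v3cab"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/CONFLICT.6/v3.dll]
".Owner"="v3cab"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/System32/mfc42.dll]
".Owner"="Unknown Owner"
"""
```

regedit on XP writes version 5.00 exports as UTF-16, so read a real file with `open("Notify.reg", encoding="utf-16")` before passing it to `parse_reg`, then call `notify_findings` and `moduleusage_findings` on the result. A package missing from the baseline is where to look first; the ModuleUsage owner CLSID is what ties a stray DLL in Downloaded Program Files back to the O16 entry in the HijackThis log.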
-
* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________
C:\WINDOWS\SYSTEM32\k644lg~1.dll Fri Feb 4 2005 1:45:12a ..S.R 229,736 224.35 K
________________________________________________
1,280 items found: 1,280 files (1 H/S), 0 directories.
Total of file sizes: 238,131,335 bytes 227.10 M
Administrator Account = True
--------------------End log---------------------
-
Log for VX2.BetterInternet File Finder (msg126)
Files Found---
Additional Files---
Keys Under Notify---
Guardian Key--- is called:
Asynchronous 000
DllName
Impersonate 000
Logon WinLogon
Logoff WinLogoff
Shutdown WinShutdown
User Agent String---
{D2AD9633-36F1-4338-AA11-469CA091B890}
-
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
================================================
After Chat
EDITING to add in results
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\HJT\HijackThis.exe
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NOD32 Kernel Service - Unknown - C:\Program Files\Eset\nod32krn.exe
=====================================================
Log for VX2.BetterInternet File Finder (msg126)
Files Found---
Additional Files---
Keys Under Notify---
crypt32chain
cryptnet
cscdll
ScCertProp
Schedule
sclgntfy
SensLogn
termsrv
wlballoon
Guardian Key--- is called:
User Agent String---
===================================================
Locking this thread up, Boogie, I'll talk to you on chat if you need any further assistance,
Take care