TheTechGuide Forum
General Category => Tech Clinic => Topic started by: SahDu on February 22, 2005, 06:18:49 PM
-
Hey all. I was clean for a while then all of a sudden started getting hardcore popups and spyware installations. I've done as much as I can with my knowledge to get clean, but am still having problems. Thanks for any help in advance. Current HijackThis log is as follows:
Logfile of HijackThis v1.99.1
Scan saved at 5:19:04 PM, on 2/22/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TrojanHunter 4.0\THGuard.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe
C:\Program Files\AIM\aim.exe
C:\PROGRA~1\WHATPU~1\WHATPU~1.EXE
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijack This\HijackThis.exe
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.0\THGuard.exe"
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Norton Ghost 9.0] C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [WhatPulse] C:\PROGRA~1\WHATPU~1\WHATPU~1.EXE
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Azureus.lnk = C:\Program Files\Azureus\Azureus.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20020713/qtinstall.info.apple.com/samantha/us/win/QuickTimeInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1102294515357
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
O20 - Winlogon Notify: AppPaths - C:\WINDOWS\system32\gp08l3du1.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
-------------------------------------
Thanks for the help!
Jeff
-
Download L2mfix from here
http://www.atribune.org/downloads/l2mfix.exe
Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.
IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!
-
Nice to see you again Questolo. Again thanks for all the help. Log is as follows.
L2MFIX find log 1.02b
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AppPaths]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\gp08l3du1.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
**********************************************************************************
useragent:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{DC45C551-8FCD-4FC6-8C98-2EBF5D73F051}"=""
**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{1CDB2949-8F65-4355-8456-263E7C208A5D}"="Desktop Explorer"
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}"="Desktop Explorer Menu"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}"="TrojanHunter Menu Shell Extension"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{E0D79304-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79305-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79306-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79307-84BE-11CE-9641-444553540000}"="WinZip"
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
"{0A8CE102-FA03-4612-9BEE-7FE5452F4CB1}"="Search Bar"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{65CA231C-9968-4273-9649-8A0350F8AB33}"=""
"{ABD92293-CD9B-479C-973F-B502C51F5CCF}"=""
"{FEE23CF1-B4A4-4138-AC5B-FF91F88ED103}"=""
"{536F53AF-AF32-4E00-BB95-BEEB56DA8DF2}"=""
"{56626634-6087-4E16-9E08-3998AC5AFCB5}"=""
"{5E44E225-A408-11CF-B581-008029601108}"="Adaptec DirectCD Shell Extension"
"{52B87208-9CCF-42C9-B88E-069281105805}"="Trojan Remover Shell Extension"
"{2C49B5D0-ACE7-4D17-9DF0-A254A6C5A0C5}"="dBpowerAMP Music Converter"
"{FED7043D-346A-414D-ACD7-550D052499A7}"="dBpowerAMP Music Converter 1"
"{955B7B84-5308-419c-8ED8-0B9CA3C56985}"="6 Months of AOL Included"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}"="iTunes"
**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{65CA231C-9968-4273-9649-8A0350F8AB33}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{65CA231C-9968-4273-9649-8A0350F8AB33}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\CLSID\{65CA231C-9968-4273-9649-8A0350F8AB33}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{65CA231C-9968-4273-9649-8A0350F8AB33}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{ABD92293-CD9B-479C-973F-B502C51F5CCF}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{ABD92293-CD9B-479C-973F-B502C51F5CCF}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\CLSID\{ABD92293-CD9B-479C-973F-B502C51F5CCF}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{ABD92293-CD9B-479C-973F-B502C51F5CCF}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{FEE23CF1-B4A4-4138-AC5B-FF91F88ED103}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{FEE23CF1-B4A4-4138-AC5B-FF91F88ED103}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\CLSID\{FEE23CF1-B4A4-4138-AC5B-FF91F88ED103}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{FEE23CF1-B4A4-4138-AC5B-FF91F88ED103}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{536F53AF-AF32-4E00-BB95-BEEB56DA8DF2}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{536F53AF-AF32-4E00-BB95-BEEB56DA8DF2}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\CLSID\{536F53AF-AF32-4E00-BB95-BEEB56DA8DF2}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{536F53AF-AF32-4E00-BB95-BEEB56DA8DF2}\InprocServer32]
@="C:\\WINDOWS\\system32\\NHEVTMSG.DLL"
"ThreadingModel"="Apartment"
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{56626634-6087-4E16-9E08-3998AC5AFCB5}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{56626634-6087-4E16-9E08-3998AC5AFCB5}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\CLSID\{56626634-6087-4E16-9E08-3998AC5AFCB5}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{56626634-6087-4E16-9E08-3998AC5AFCB5}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"
**********************************************************************************
Files Found are not all bad files:
C:\WINDOWS\SYSTEM32\
bhlfd.dll Tue Feb 22 2005 3:36:32a A.... 99,840 97.50 K
capicom.dll Tue Dec 14 2004 12:24:42p A.... 466,944 456.00 K
docore.dll Thu Feb 17 2005 9:42:38p A.... 151,552 148.00 K
dolsp.dll Thu Feb 17 2005 9:42:38p A.... 139,264 136.00 K
enpare.dll Fri Dec 31 2004 5:52:12a A.... 56 0.05 K
goldne~1.dll Wed Feb 16 2005 1:30:14p A.... 61,440 60.00 K
gp08l3~1.dll Sun Feb 20 2005 5:59:32p ..S.R 229,958 224.57 K
gtwmm.dll Sun Feb 20 2005 5:38:08p A.... 98,816 96.50 K
ic2_win.dll Thu Feb 10 2005 11:42:16p A.... 135,168 132.00 K
irjol5~1.dll Thu Feb 17 2005 11:27:08p ..S.R 229,736 224.35 K
mv88l9~1.dll Mon Feb 21 2005 5:44:24p ..S.R 231,666 226.23 K
nhevtmsg.dll Sun Feb 20 2005 5:48:22p A.... 231,666 226.23 K
pop5.dll Tue Dec 28 2004 2:25:26p A.... 53,760 52.50 K
qh4mkbv9.dll Thu Jan 27 2005 11:33:28a A.... 73,728 72.00 K
s32evnt1.dll Mon Dec 20 2004 6:58:18p A.... 83,664 81.70 K
sporder.dll Thu Feb 17 2005 9:42:36p A.... 8,464 8.27 K
sskden2.dll Fri Feb 18 2005 8:15:40a A.... 45,568 44.50 K
17 items found: 17 files (3 H/S), 0 directories.
Total of file sizes: 2,341,290 bytes 2.23 M
Locate .tmp files:
C:\WINDOWS\SYSTEM32\
guard.tmp Tue Feb 22 2005 7:54:26p ..... 229,958 224.57 K
1 item found: 1 file, 0 directories.
Total of file sizes: 229,958 bytes 224.57 K
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is 688C-1C22
Directory of C:\WINDOWS\System32
02/22/2005 07:31 AM <DIR> DLLCACHE
02/21/2005 05:44 PM 231,666 mv88l9lu1.dll
02/20/2005 05:59 PM 229,958 gp08l3du1.dll
02/17/2005 11:27 PM 229,736 irjol5131.dll
12/22/2004 01:21 PM 389,120 l?ass.exe
4 File(s) 1,080,480 bytes
1 Dir(s) 23,068,848,128 bytes free
------------------------------
Thanks.
Jeff
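Reading a find log like the one above by hand means checking each Winlogon\Notify package against the ones Windows itself ships and looking for COM servers registered out of a .tmp file. As an added example (not part of the thread, and not L2Mfix's own code), the Python below parses the .reg-style export, decodes the hex(2) continuation lines, and applies those two checks; the sample input, the baseline lists (taken from the standard XP SP1 entries visible in the log) and the second CLSID are constructed for the demonstration.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample input, modelled on the L2Mfix find-log format in the thread.
# The AppPaths entry and the guard.tmp server are the kinds of lines a helper acts on;
# the all-zero CLSID and example.dll are made up as a benign control case.
SAMPLE_LOG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AppPaths]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\gp08l3du1.dll"
"Logon"="WinLogon"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
[HKEY_CLASSES_ROOT\CLSID\{65CA231C-9968-4273-9649-8A0350F8AB33}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"
[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000000}\InprocServer32]
@="C:\\Program Files\\Example\\example.dll"
'''

# Baseline (assumption): the standard Winlogon\Notify packages and their DLLs as
# they appear in the thread's own Windows XP SP1 log. Adjust for other builds.
BASELINE_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                   "sclgntfy", "senslogn", "termsrv", "wlballoon"}
BASELINE_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "wlnotify.dll", "sclgntfy.dll"}

NOTIFY_KEY = "\\microsoft\\windows nt\\currentversion\\winlogon\\notify\\"


def _decode_value(raw: str):
    """Decode one .reg value: quoted string, hex(2) (REG_EXPAND_SZ) or dword."""
    raw = raw.strip()
    if raw.startswith('"') and raw.endswith('"'):
        return re.sub(r"\\(.)", r"\1", raw[1:-1])  # undo the \\ and \" escapes
    low = raw.lower()
    if low.startswith("hex(2):"):
        data = bytes(int(b, 16) for b in raw[7:].split(",") if b.strip())
        return data.decode("utf-16-le").rstrip("\x00")  # UTF-16LE, NUL-terminated
    if low.startswith("dword:"):
        return int(raw[6:], 16)
    return raw


def parse_reg_export(text: str) -> Dict[str, Dict[str, object]]:
    """Parse .reg export text into {key_path: {value_name: value}}.

    Joins the backslash line continuations that long hex values use."""
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        while line.endswith("\\") and i + 1 < len(lines):
            i += 1
            line = line[:-1] + lines[i].strip()
        i += 1
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else m.group(1)[1:-1]
            keys[current][name] = _decode_value(m.group(2))
    return keys


def flag_findings(keys: Dict[str, Dict[str, object]]) -> List[Tuple[str, str, str]]:
    """Two checks: a Notify package or DLL outside the baseline, and an
    InprocServer32 default that points at a .tmp file."""
    findings: List[Tuple[str, str, str]] = []
    for path, values in keys.items():
        low = path.lower()
        idx = low.find(NOTIFY_KEY)
        if idx != -1:
            package = path[idx + len(NOTIFY_KEY):]
            if "\\" in package:  # a deeper subkey, not a package itself
                continue
            # The log spells the value both "DllName" and "DLLName"; compare case-insensitively.
            dll = next((str(v) for n, v in values.items() if n.lower() == "dllname"), "")
            base = dll.replace("/", "\\").rsplit("\\", 1)[-1].lower()
            if package.lower() not in BASELINE_NOTIFY or base not in BASELINE_DLLS:
                findings.append(("winlogon-notify", package, dll))
        elif low.endswith("\\inprocserver32"):
            server = str(values.get("@", ""))
            if server.lower().endswith(".tmp"):
                clsid = path.rsplit("\\", 2)[-2]
                findings.append(("inprocserver32-tmp", clsid, server))
    return findings


def scan(text: str = SAMPLE_LOG) -> List[Tuple[str, str, str]]:
    return flag_findings(parse_reg_export(text))


if __name__ == "__main__":
    for kind, name, target in scan():
        print(f"{kind:20} {name:40} -> {target}")
```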
-
I wish we were talking on better terms :D
Close any programs you have open since this step requires a reboot.
From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.
IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!
-
Here's the log from the program you had me run:
L2Mfix 1.02b
Running From:
C:\Documents and Settings\Owner\Desktop\l2mfix
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER
Setting registry permissions:
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Denying C access for really "Everyone"
- adding new ACCESS DENY entry
Registry Permissions set too:
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- Everyone
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER
Setting up for Reboot
Starting Reboot!
C:\Documents and Settings\Owner\Desktop\l2mfix
System Rebooted!
Running From:
C:\Documents and Settings\Owner\Desktop\l2mfix
killing explorer and rundll32.exe
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 1616 'explorer.exe'
Killing PID 1616 'explorer.exe'
Killing PID 1616 'explorer.exe'
Killing PID 1616 'explorer.exe'
Killing PID 1616 'explorer.exe'
Killing PID 1616 'explorer.exe'
Killing PID 1616 'explorer.exe'
Killing PID 1616 'explorer.exe'
Killing PID 1616 'explorer.exe'
Killing PID 1616 'explorer.exe'
Killing PID 1616 'explorer.exe'
Killing PID 1616 'explorer.exe'
Killing PID 1616 'explorer.exe'
Killing PID 1616 'explorer.exe'
Killing PID 1616 'explorer.exe'
Killing PID 1616 'explorer.exe'
Killing PID 1616 'explorer.exe'
Killing PID 1616 'explorer.exe'
Killing PID 1616 'explorer.exe'
Killing PID 1616 'explorer.exe'
Killing PID 1616 'explorer.exe'
Killing PID 1616 'explorer.exe'
Killing PID 1616 'explorer.exe'
Killing PID 1616 'explorer.exe'
Killing PID 1616 'explorer.exe'
Killing PID 1616 'explorer.exe'
Killing PID 1616 'explorer.exe'
Killing PID 1616 'explorer.exe'
Killing PID 1616 'explorer.exe'
Killing PID 1616 'explorer.exe'
Killing PID 1616 'explorer.exe'
Killing PID 1616 'explorer.exe'
Killing PID 1616 'explorer.exe'
Killing PID 1616 'explorer.exe'
Killing PID 1616 'explorer.exe'
Killing PID 1616 'explorer.exe'
Killing PID 1616 'explorer.exe'
Killing PID 1616 'explorer.exe'
Killing PID 1616 'explorer.exe'
Killing PID 1616 'explorer.exe'
Killing PID 1616 'explorer.exe'
Killing PID 1616 'explorer.exe'
Killing PID 1616 'explorer.exe'
Killing PID 1616 'explorer.exe'
Killing PID 1616 'explorer.exe'
Killing PID 1616 'explorer.exe'
Killing PID 1616 'explorer.exe'
Killing PID 1616 'explorer.exe'
Killing PID 1616 'explorer.exe'
Killing PID 1616 'explorer.exe'
Killing PID 1616 'explorer.exe'
Killing PID 1616 'explorer.exe'
Killing PID 1616 'explorer.exe'
Killing PID 1616 'explorer.exe'
Killing PID 1616 'explorer.exe'
Killing PID 1616 'explorer.exe'
Killing PID 1616 'explorer.exe'
Killing PID 1616 'explorer.exe'
Killing PID 1616 'explorer.exe'
Killing PID 1616 'explorer.exe'
Killing PID 1616 'explorer.exe'
Killing PID 1616 'explorer.exe'
Killing PID 1616 'explorer.exe'
Killing PID 1616 'explorer.exe'
Killing PID 1616 'explorer.exe'
Killing PID 1616 'explorer.exe'
Killing PID 1616 'explorer.exe'
Killing PID 1616 'explorer.exe'
Killing PID 1616 'explorer.exe'
Killing PID 1616 'explorer.exe'
Killing PID 1616 'explorer.exe'
Killing PID 1616 'explorer.exe'
Killing PID 1616 'explorer.exe'
Killing PID 1616 'explorer.exe'
Killing PID 1616 'explorer.exe'
Killing PID 1616 'explorer.exe'
Killing PID 1616 'explorer.exe'
Killing PID 1616 'explorer.exe'
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Error, Cannot find a process with an image name of rundll32.exe
Scanning First Pass. Please Wait!
First Pass Completed
Second Pass Scanning
Second pass Completed!
Backing Up: C:\WINDOWS\system32\irjol5131.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mv88l9lu1.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\NHEVTMSG.DLL
1 file(s) copied.
deleting: C:\WINDOWS\system32\irjol5131.dll
Successfully Deleted: C:\WINDOWS\system32\irjol5131.dll
deleting: C:\WINDOWS\system32\mv88l9lu1.dll
Successfully Deleted: C:\WINDOWS\system32\mv88l9lu1.dll
deleting: C:\WINDOWS\system32\NHEVTMSG.DLL
Successfully Deleted: C:\WINDOWS\system32\NHEVTMSG.DLL
Desktop.ini sucessfully removed
Zipping up files for submission:
adding: irjol5131.dll (164 bytes security) (deflated 5%)
adding: mv88l9lu1.dll (164 bytes security) (deflated 5%)
adding: NHEVTMSG.DLL (164 bytes security) (deflated 5%)
adding: clear.reg (164 bytes security) (deflated 56%)
adding: echo.reg (164 bytes security) (deflated 9%)
adding: desktop.ini (164 bytes security) (deflated 15%)
adding: direct.txt (164 bytes security) (stored 0%)
adding: lo2.txt (164 bytes security) (deflated 84%)
adding: readme.txt (164 bytes security) (deflated 49%)
adding: report.txt (164 bytes security) (deflated 66%)
adding: test.txt (164 bytes security) (deflated 46%)
adding: test2.txt (164 bytes security) (deflated 36%)
adding: test3.txt (164 bytes security) (deflated 36%)
adding: test5.txt (164 bytes security) (deflated 36%)
adding: xfind.txt (164 bytes security) (deflated 39%)
adding: backregs/536F53AF-AF32-4E00-BB95-BEEB56DA8DF2.reg (164 bytes security) (deflated 70%)
adding: backregs/56626634-6087-4E16-9E08-3998AC5AFCB5.reg (164 bytes security) (deflated 70%)
adding: backregs/65CA231C-9968-4273-9649-8A0350F8AB33.reg (164 bytes security) (deflated 70%)
adding: backregs/ABD92293-CD9B-479C-973F-B502C51F5CCF.reg (164 bytes security) (deflated 70%)
adding: backregs/FEE23CF1-B4A4-4138-AC5B-FF91F88ED103.reg (164 bytes security) (deflated 70%)
adding: backregs/shell.reg (164 bytes security) (deflated 73%)
Restoring Registry Permissions:
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Revoking access for really "Everyone"
Registry permissions set too:
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER
Restoring Sedebugprivilege:
Granting SeDebugPrivilege to Administrators ... successful
deleting local copy: irjol5131.dll
deleting local copy: mv88l9lu1.dll
deleting local copy: NHEVTMSG.DLL
The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
The following are the files found:
****************************************************************************
C:\WINDOWS\system32\irjol5131.dll
C:\WINDOWS\system32\mv88l9lu1.dll
C:\WINDOWS\system32\NHEVTMSG.DLL
Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{65CA231C-9968-4273-9649-8A0350F8AB33}"=-
"{ABD92293-CD9B-479C-973F-B502C51F5CCF}"=-
"{FEE23CF1-B4A4-4138-AC5B-FF91F88ED103}"=-
"{536F53AF-AF32-4E00-BB95-BEEB56DA8DF2}"=-
"{56626634-6087-4E16-9E08-3998AC5AFCB5}"=-
[-HKEY_CLASSES_ROOT\CLSID\{65CA231C-9968-4273-9649-8A0350F8AB33}]
[-HKEY_CLASSES_ROOT\CLSID\{ABD92293-CD9B-479C-973F-B502C51F5CCF}]
[-HKEY_CLASSES_ROOT\CLSID\{FEE23CF1-B4A4-4138-AC5B-FF91F88ED103}]
[-HKEY_CLASSES_ROOT\CLSID\{536F53AF-AF32-4E00-BB95-BEEB56DA8DF2}]
[-HKEY_CLASSES_ROOT\CLSID\{56626634-6087-4E16-9E08-3998AC5AFCB5}]
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{DC45C551-8FCD-4FC6-8C98-2EBF5D73F051}"=-
****************************************************************************
Desktop.ini Contents:
****************************************************************************
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
<IDone>{DC45C551-8FCD-4FC6-8C98-2EBF5D73F051}</IDone>
<IDtwo>VT00</IDtwo>
<VERSION>200</VERSION>
****************************************************************************
And the new Hijack:
Logfile of HijackThis v1.99.1
Scan saved at 12:01:01 AM, on 2/23/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\TrojanHunter 4.0\THGuard.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\winupdt.exe
C:\WINDOWS\system\cafhht.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\I386\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijack This\HijackThis.exe
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.0\THGuard.exe"
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Norton Ghost 9.0] C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\System32\winupdt.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [WhatPulse] C:\PROGRA~1\WHATPU~1\WHATPU~1.EXE
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Azureus.lnk = C:\Program Files\Azureus\Azureus.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20020713/qtinstall.info.apple.com/samantha/us/win/QuickTimeInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1102294515357
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
O16 - DPF: {EB623776-492A-42CA-9571-3AA39F58530B} - http://www.alwaysupdatednews.com/install/aun_0010.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
-------------------------------------
Just so you know, I have Norton installed and running. It continually pops up saying it has detected and automatically deleted a Download.Trojan. The file names are usually "28[1).bin" and "shopinst.exe". Though it says the files are deleted, it will pop up after about 40 seconds giving the same message. It seems the file is continually reinstalling itself and Norton keeps detecting it. Any idea what's up with that? I'm assuming that through cleaning everything else it will cease to happen, but I figured I'd let you know. I'm headed to bed for the night so I probably won't reply until tomorrow. Thanks for all of your help!
Jeff
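The Winlogon\Notify export in the l2mfix log above is the key the tool is guarding: each subkey names a DLL that winlogon.exe loads at logon, which is why an unfamiliar subkey there matters. The Python below is an added example (my own code, not part of this thread, of l2mfix or of HijackThis). It parses a regedit export of that key, decodes the hex(2) DllName values (REG_EXPAND_SZ stored as comma-separated UTF-16LE bytes with a trailing NUL, continued across lines with a backslash) and lists any subkey outside an allowlist. The sample export is constructed in the same format as the one above, the allowlist is simply the set of subkeys that appear in this thread's export and is illustrative rather than authoritative, and the `xyz1234` subkey and `xyz1234.dll` are made-up placeholders, not real malware names.

```python
"""Parse a regedit export of the Winlogon\\Notify key and list the DLL each
notification package loads.  Added example, not code from the thread or
from l2mfix; the input and the "xyz1234" subkey are constructed."""
import re

# Constructed excerpt in regedit "Version 5.00" export format.  hex(2) is
# REG_EXPAND_SZ: comma-separated UTF-16LE bytes ending in a NUL, and a
# backslash at the end of a line continues the value on the next line.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\xyz1234]
"Asynchronous"=dword:00000001
"DllName"=hex(2):78,00,79,00,7a,00,31,00,32,00,33,00,34,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logon"="WinlogonLogonEvent"
'''

NOTIFY_PREFIX = ("HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT"
                 "\\CurrentVersion\\Winlogon\\Notify\\")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')

# Subkeys present in the clean export posted in this thread (standard XP
# notification packages).  Assumption: illustrative allowlist only; real
# triage compares against a known-good machine of the same build.
KNOWN_XP_PACKAGES = {"crypt32chain", "cryptnet", "cscdll", "ScCertProp",
                     "Schedule", "sclgntfy", "SensLogn", "termsrv", "wlballoon"}


def join_continuations(text):
    """Merge lines ending in a backslash with the (indented) line that follows."""
    lines, pending = [], ""
    for line in text.splitlines():
        if line.endswith("\\"):
            pending += line[:-1].strip()
            continue
        lines.append(pending + line.strip())
        pending = ""
    if pending:
        lines.append(pending)
    return lines


def decode_hex_sz(value):
    """'63,00,72,00,...,00,00' -> 'crypt32.dll' (UTF-16LE, NUL-terminated)."""
    raw = bytes(int(b, 16) for b in value.split(",") if b.strip())
    return raw.decode("utf-16-le").split("\x00", 1)[0]


def parse_notify_export(text):
    """Return {subkey: {"dll": name_or_None, "events": {event: export}}}."""
    packages, current = {}, None
    for line in join_continuations(text):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if key.lower().startswith(NOTIFY_PREFIX.lower()):
                current = key[len(NOTIFY_PREFIX):]
                packages[current] = {"dll": None, "events": {}}
            else:
                current = None        # the parent key or an unrelated key
            continue
        m = VALUE_RE.match(line)
        if current is None or not m:
            continue
        name, value = m.group(1), m.group(2)
        if name.lower() == "dllname":
            if value.startswith("hex(2):"):
                packages[current]["dll"] = decode_hex_sz(value[len("hex(2):"):])
            elif value.startswith('"') and value.endswith('"'):
                packages[current]["dll"] = value[1:-1]
        elif value.startswith('"') and value.endswith('"'):
            # Remaining string values name the exported handler for an event.
            packages[current]["events"][name] = value[1:-1]
    return packages


def unexpected_packages(packages):
    """Subkeys outside the allowlist, with the DLL winlogon would load."""
    return {name: info["dll"] for name, info in packages.items()
            if name not in KNOWN_XP_PACKAGES}


if __name__ == "__main__":
    found = parse_notify_export(SAMPLE_REG)
    for name, info in found.items():
        print(f"{name:14} {str(info['dll']):14} events={sorted(info['events'])}")
    print("unexpected:", unexpected_packages(found))
```

On a real export, feed the whole `.reg` text to `parse_notify_export` and compare the result against an export from a clean machine of the same build rather than against a fixed list; the decoder is the useful part, since the hex(2) form hides the DLL name from a casual read of the log.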
-
I don't have much time to look over your log right now, but could you for now
Do another scan with Hijackthis and put a check next to these entries:
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\System32\winupdt.exe
O16 - DPF: {EB623776-492A-42CA-9571-3AA39F58530B} - http://www.alwaysupdatednews.com/install/aun_0010.exe <--if you don't remember purposely installing this one, fix it, if needed it will be reinstalled with no problems
After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
Restart your computer into safe mode
Find and delete this file
C:\WINDOWS\System32\winupdt.exe <--this file
C:\WINDOWS\system\cafhht.exe <--this file
Restart back to Normal mode
Let me know if you get any errors on startup or sounds from the comp....
I was also suspecting Narrator and have another tool for that, but
Could you also
Download this virus checker from eScan
Mwav.exe (ftp://ftp.microworldsystems.com/download/tools/mwav.exe)
There's nothing to install, save it and then double click to run
It will self extract
You may have to temporarily disable Norton's
Select all local drives, scan all files, press 'SCAN' and when it is completed, anything found will be displayed in the lower pane.
In the Virus Log Information Pane
Left click and Highlight all the info in the Lower pane--- Use "CTRL C" on your Keyboard to copy all found in the lower pane and paste it in your next reply.
****If prompted that a Virus was found and you need to purchase the product to remove the malware, just close out the prompt and let it continue scanning
We just want to see where the bad guys are
Post back a fresh hijackthis log afterwards too
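The O1 lines the reply above asks to fix are entries in the Windows hosts file that point search-related names at 69.20.16.183, so lookups for those names never reach the real host. As an added example (my own code, not from the thread or from HijackThis), here is a small Python check that reads either raw hosts-file lines or HijackThis O1 lines and lists every name mapped to a remote address; loopback, 0.0.0.0 and private-range addresses are treated as ordinary. The sample hosts text is constructed to mirror the entries quoted above, and the `fileserver` and `ads.example.invalid` lines are made-up placeholders.

```python
"""Flag hosts-file entries that send well-known names to a remote address.
Added example, not from the thread or from HijackThis; SAMPLE_HOSTS is a
constructed file that mirrors the O1 entries quoted in the thread."""
import ipaddress
import re

SAMPLE_HOSTS = """\
# constructed sample in Windows hosts-file layout: <ip> <name> [<alias> ...]
127.0.0.1       localhost
69.20.16.183    auto.search.msn.com
69.20.16.183    search.netscape.com
69.20.16.183    ieautosearch
192.168.1.20    fileserver           # LAN mapping (placeholder), ordinary
0.0.0.0         ads.example.invalid  # blocking-style entry (placeholder), ordinary
"""

# HijackThis prints each hosts line as "O1 - Hosts: <ip> <name>"; accept both.
O1_PREFIX = re.compile(r"^O1 - Hosts:\s*")


def parse_hosts_lines(text):
    """Return [(ip_address, [names])] from hosts-file text or O1 log lines.
    Comments, blank lines and lines whose first field is not an IP are skipped."""
    entries = []
    for raw in text.splitlines():
        line = O1_PREFIX.sub("", raw.split("#", 1)[0]).strip()
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        entries.append((ip, parts[1:]))
    return entries


def classify(ip):
    """'local' for loopback/unspecified, 'lan' for private ranges, else 'remote'."""
    if ip.is_loopback or ip.is_unspecified:
        return "local"
    if ip.is_private or ip.is_link_local:
        return "lan"
    return "remote"


def redirected_hosts(text):
    """Names the hosts file resolves to a remote address: {name: ip}."""
    return {name: str(ip)
            for ip, names in parse_hosts_lines(text)
            if classify(ip) == "remote"
            for name in names}


if __name__ == "__main__":
    for name, ip in redirected_hosts(SAMPLE_HOSTS).items():
        print(f"redirected: {name} -> {ip}")
```

On XP the file lives at `C:\WINDOWS\system32\drivers\etc\hosts`; read it with `open(path).read()` and pass the text to `redirected_hosts`. Any name in the result is worth explaining before it is kept, because an entry that points a search or update domain at a third-party address silently reroutes that traffic.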
-
Well....found 1917 files. I'm gonna say that's a bad thing. Haha wow. I attempted to post the entire log but it would be way too long. I realize many of the files found were from the Quarantine folder of Norton. I chose to omit those from these posts. Let me know if you need the full thing:
File C:\WINDOWS\SYSTEM32\srchbar.dll infected by "not-a-virus:AdWare.ToolBar.VB.f" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\BTGrab.dll infected by "not-a-virus:AdWare.BiSpy.t" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\DictComp3s.exe infected by "Trojan.Win32.VB.sx" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\dlmax.dll infected by "not-a-virus:AdWare.BiSpy.t" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\farmmext.exe.tcf infected by "Trojan-Downloader.Win32.Stubby.c" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\farmmext.exe5606.tcf infected by "Trojan-Downloader.Win32.Stubby.c" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Helper101.dll infected by "Trojan-Clicker.Win32.Delf.r" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\jzqzipqlw.exe infected by "Trojan-Downloader.Win32.Envolo.b" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\msgcenter_lminv1.exe.tcf infected by "Trojan-Downloader.Win32.Lalus" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\u6f6uftuc.exe infected by "not-a-virus:AdWare.Sahat.l" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\abasa5jrp.exe infected by "not-a-virus:AdWare.Sahat.l" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\adktsfxc.exe infected by "Trojan.Win32.Agent.ay" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\Agent.dll infected by "not-a-virus:AdWare.Sahat.g" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\appsys.exe.tcf infected by "Trojan-Downloader.Win32.Delf.ck" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\bhlfd.dll infected by "not-a-virus:AdWare.Adstart.c" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\bhlfdc.exe infected by "not-a-virus:AdWare.Adstart.b" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\bhlfdd.exe infected by "not-a-virus:AdWare.Adstart.i" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\bhlfdf.exe infected by "not-a-virus:AdWare.Adstart.d" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\biH.exe infected by "not-a-virus:AdWare.BiSpy.b" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\cdlsp.dll infected by "Trojan-Downloader.Win32.Agent.br" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\ctbv2.dll infected by "not-a-virus:AdWare.Sahat.g" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\docore.dll infected by "not-a-virus:AdWare.Couponage.a" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\dolsp.dll infected by "Trojan-Downloader.Win32.Agent.br" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\dsktrf.dll infected by "not-a-virus:AdWare.ToolBar.HotSearchBar.b" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\dun.exe infected by "not-a-virus:AdWare.DealHelper.x" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\Eaqdwv.exe infected by "not-a-virus:AdWare.DealHelper.z" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\eliteezi32.exe infected by "Trojan.Win32.StartPage.nk" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\elitegva32.exe infected by "Trojan.Win32.StartPage.nk" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\elitetnf32.exe infected by "Trojan.Win32.StartPage.nk" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\eliteusc32.exe infected by "Trojan.Win32.StartPage.nk" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\elitexah32.exe infected by "Trojan.Win32.StartPage.nk" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\ezStub.exe infected by "not-a-virus:AdWare.EZula.ao" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\goldnew2b.dll infected by "Trojan-Dropper.Win32.Miewer.f" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\gtwmm.dll infected by "not-a-virus:AdWare.Adstart.c" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\gtwmmc.exe infected by "not-a-virus:AdWare.Adstart.b" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\gtwmmd.exe infected by "not-a-virus:AdWare.Adstart.b" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\gtwmmf.exe infected by "not-a-virus:AdWare.Adstart.d" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\hochkaod3.exe infected by "not-a-virus:AdWare.Sahat.l" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\HyperLinker.exe infected by "not-a-virus:AdWare.Suggestor.f" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\ic2_win.dll infected by "not-a-virus:AdWare.ToolBar.Ilookup.b" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\installer_im.dll infected by "Trojan-Dropper.Win32.Delf.av" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\Ktvunu.exe infected by "not-a-virus:AdWare.DealHelper.x" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\KVI_111.dll infected by "not-a-virus:AdWare.Sahat.g" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\lkir8l2gm.dll infected by "not-a-virus:AdWare.Sahat.l" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\Mfyqrr.exe infected by "not-a-virus:AdWare.DealHelper.z" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\msnavc32.exe infected by "Trojan-Downloader.Win32.Agent.dz" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\netut80ex.vxd infected by "not-a-virus:AdWare.BargainBuddy.n" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\nostalgia.dll infected by "not-a-virus:AdWare.BiSpy.m" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\nvrtml.exe infected by "Trojan-Downloader.Win32.Agent.ji" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\pop5.dll infected by "Trojan-Dropper.Win32.Miewer.a" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\q17i9a4j.exe infected by "not-a-virus:AdWare.Sahat.l" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\qh4mkbv9.dll infected by "not-a-virus:AdWare.Sahat.l" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\Rtdx116.dat infected by "Backdoor.Win32.Padodor.ao" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\Rtdx117.dat infected by "Backdoor.Win32.Padodor.ao" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\Rtdx118.dat infected by "Backdoor.Win32.Easydor.e" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\ruvimc.exe infected by "not-a-virus:AdWare.Adstart.b" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\ruvimd.exe infected by "not-a-virus:AdWare.Adstart.i" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\ruvimf.exe infected by "not-a-virus:AdWare.Adstart.d" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\SahHtml.exe infected by "not-a-virus:AdWare.Sahat.i" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\sqdrq.dll infected by "not-a-virus:AdWare.Adstart.b" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\sqdrqd.exe infected by "not-a-virus:AdWare.Adstart.b" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\sqdrqf.exe infected by "not-a-virus:AdWare.Adstart.b" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\sskden2.dll infected by "Trojan-Dropper.Win32.Miewer.f" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP107\A0019206.exe infected by "not-a-virus:AdWare.Zestyfind" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP107\A0019208.exe.tcf infected by "not-a-virus:AdWare.DelphinMediaViewer.c" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP107\A0019210.exe infected by "Trojan-Downloader.Win32.Small.aco" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP107\A0019211.exe infected by "not-a-virus:AdWare.MetaDirect.a" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP107\A0019212.exe infected by "not-a-virus:AdWare.EZula.ah" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP107\A0019213.exe infected by "Trojan-Downloader.Win32.Agent.hw" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP107\A0019214.dll infected by "not-a-virus:AdWare.Look2Me.u" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP107\A0019222.dll.tcf infected by "not-a-virus:AdWare.EZula.ae" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP107\A0019229.exe infected by "not-a-virus:AdWare.DelphinMediaViewer.c" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP107\A0019232.dll infected by "not-a-virus:AdWare.Look2Me.u" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP107\A0019242.dll infected by "not-a-virus:AdWare.Suggestor.f" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP107\A0019243.exe infected by "not-a-virus:AdWare.Suggestor.f" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP107\A0019247.dll infected by "not-a-virus:AdWare.Couponage.a" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP108\A0019272.exe infected by "Trojan-Downloader.Win32.Small.wj" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP108\A0019304.exe infected by "not-a-virus:AdWare.Adstart.b" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP108\A0019305.exe infected by "Trojan-Downloader.Win32.Agent.hw" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP108\A0019306.exe infected by "Trojan-Downloader.Win32.Envolo.b" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP108\A0019307.exe infected by "Trojan-Downloader.Win32.Apropo.r" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP108\A0019308.exe infected by "Trojan-Downloader.Win32.Small.afq" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP108\A0019310.exe infected by "Trojan-Spy.Win32.VB.eh" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP108\A0019311.exe infected by "Trojan-Downloader.Win32.Small.akz" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP108\A0019312.dll infected by "not-a-virus:AdWare.DelphinMediaViewer.c" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP108\A0019313.ocx infected by "not-a-virus:AdWare.DelphinMediaViewer.c" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP108\A0019314.exe infected by "Trojan-Downloader.Win32.Small.aco" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP108\A0019316.dll infected by "not-a-virus:AdWare.Couponage.a" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP108\A0019317.exe infected by "Backdoor.Win32.VB.aat" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP108\A0019319.dll infected by "Trojan-Clicker.Win32.Delf.r" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP108\A0019320.dll infected by "not-a-virus:AdWare.BiSpy.t" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP108\A0019325.dll infected by "not-a-virus:AdWare.ToolBar.EliteBar.z" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP108\A0019327.dll infected by "not-a-virus:AdWare.BiSpy.t" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP108\A0019369.dll infected by "not-a-virus:AdWare.BiSpy.t" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP108\A0019370.dll infected by "not-a-virus:AdWare.BiSpy.t" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP108\A0019373.dll infected by "not-a-virus:AdWare.BiSpy.t" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP109\A0019421.exe infected by "Trojan-Downloader.Win32.Small.aco" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP109\A0019424.dll infected by "not-a-virus:AdWare.Look2Me.u" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP109\A0019437.dll infected by "not-a-virus:AdWare.BiSpy.t" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP109\A0019438.dll infected by "not-a-virus:AdWare.BiSpy.t" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP109\A0019440.exe infected by "not-a-virus:AdWare.ToolBar.EliteBar.z" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP109\A0019442.dll infected by "not-a-virus:AdWare.Look2Me.u" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP109\A0019443.DLL infected by "not-a-virus:AdWare.Look2Me.u" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP109\A0019448.exe tagged as not-a-virus:RiskWare.Tool.Processor.20. No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP109\A0019456.exe infected by "Trojan-Downloader.Win32.Stubby.c" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP109\A0019464.exe infected by "Trojan-Downloader.Win32.Agent.jq" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP109\A0019468.exe infected by "Trojan-Downloader.Win32.TSUpdate.j" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP109\A0019476.dll infected by "not-a-virus:AdWare.EZula.ab" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP109\A0019478.exe infected by "not-a-virus:AdWare.EZula.z" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP109\A0019480.dll infected by "not-a-virus:AdWare.EZula.ae" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP109\A0019488.dll infected by "not-a-virus:AdWare.ToolBar.SearchIt.d" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP109\A0019489.exe infected by "not-a-virus:AdWare.EZula.ak" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP109\A0019490.exe infected by "not-a-virus:AdWare.EZula.ak" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP109\A0019505.exe infected by "Trojan-Downloader.Win32.Stubby.c" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP25\A0008640.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP3\A0001118.exe.tcf infected by "not-a-virus:AdWare.BargainBuddy.n" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP3\A0001179.dll.tcf infected by "not-a-virus:AdWare.ToolBar.SideFind" Virus. Action Taken: No Action Taken.
-
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP3\A0001180.dll.tcf infected by "not-a-virus:AdWare.ToolBar.SideFind" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP3\A0001181.exe.tcf infected by "Trojan-Downloader.Win32.IstBar.gen" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP3\A0001182.exe.tcf infected by "not-a-virus:AdWare.WebRebates.c" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP3\A0001184.exe.tcf infected by "not-a-virus:AdWare.WebRebates.d" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP3\A0002264.dll.tcf infected by "Trojan-Downloader.Win32.Dyfuca.gen" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP3\A0002266.exe infected by "not-a-virus:AdWare.Sahat.j" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP40\A0009759.exe infected by "Trojan-Downloader.Win32.Qoologic.d" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP40\A0009760.dll infected by "Trojan-Downloader.Win32.Qoologic.d" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP40\A0009762.exe infected by "Trojan-Downloader.Win32.Qoologic.e" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP40\A0009763.exe infected by "Trojan-Downloader.Win32.Qoologic.e" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP44\A0010317.vxd infected by "not-a-virus:AdWare.BargainBuddy.n" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP45\A0010435.exe tagged as not-a-virus:RiskWare.Tool.ServiceRunner.f. No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP46\A0010442.exe infected by "not-a-virus:AdWare.ShopAtHome.b" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP46\A0010458.exe.tcf infected by "not-a-virus:AdWare.BargainBuddy.n" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP48\A0010485.exe infected by "not-a-virus:AdWare.WebRebates.a" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP48\A0010486.exe.tcf infected by "not-a-virus:AdWare.WebRebates.a" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP48\A0010487.exe.tcf infected by "not-a-virus:AdWare.WebRebates.a" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP48\A0010531.exe infected by "not-a-virus:AdWare.TotalVelocity.aa" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP48\A0010532.dll infected by "not-a-virus:AdWare.SurfSide.c" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP48\A0010533.dll infected by "not-a-virus:AdWare.TotalVelocity.aa" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP48\A0010538.EXE infected by "Trojan-Downloader.Win32.Small.wk" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP48\A0010540.dll.tcf infected by "not-a-virus:AdWare.F1Organizer.c" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP49\A0010554.dll infected by "not-a-virus:AdWare.PurityScan.ak" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP49\A0010564.dll infected by "not-a-virus:AdWare.WebSpecial.a" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP5\A0002341.exe infected by "Trojan-Downloader.Win32.Swizzor.ck" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP51\A0011760.exe infected by "not-a-virus:AdWare.Sahat.a" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP52\A0013291.exe infected by "not-a-virus:AdWare.Sahat.a" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP52\A0013292.exe.tcf infected by "not-a-virus:AdWare.F1Organizer.h" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP52\A0013293.exe infected by "Trojan-Downloader.Win32.IstBar.go" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP52\A0013294.exe infected by "Trojan-Downloader.Win32.IstBar.go" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP52\A0013295.exe infected by "Trojan-Downloader.Win32.IstBar.go" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP52\A0013296.exe infected by "Trojan-Downloader.Win32.IstBar.go" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP52\A0013297.exe infected by "not-a-virus:AdWare.PurityScan.w" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP52\A0013298.exe infected by "Trojan-Downloader.Win32.IstBar.go" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP52\A0013299.exe infected by "Trojan-Downloader.Win32.IstBar.go" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP52\A0013300.exe infected by "Trojan-Downloader.Win32.IstBar.go" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP52\A0013301.exe infected by "Trojan-Downloader.Win32.IstBar.go" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP6\A0002644.exe tagged as not-a-virus:RiskWare.Tool.ServiceRunner.f. No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP6\A0002675.exe.tcf infected by "Trojan-Downloader.Win32.Asune.c" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP6\A0002676.exe infected by "Trojan-Downloader.Win32.Donn.aa" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP6\A0002677.exe infected by "Trojan-Proxy.Win32.Webber.c" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP6\A0002679.exe.tcf infected by "Trojan-Downloader.Win32.Small.us" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP6\A0002684.exe infected by "Trojan.Win32.Zapchast" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP6\A0002712.dll.tcf infected by "Trojan-Downloader.Win32.IstBar.gh" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP6\A0002713.exe.tcf infected by "Trojan-Downloader.Win32.Delf.ck" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP6\A0002715.dll infected by "Trojan-Downloader.Win32.Qoologic.d" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP61\A0013564.exe infected by "Trojan-Dropper.Win32.Delf.fd" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP62\A0013581.dll infected by "not-a-virus:AdWare.Look2Me.u" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP62\A0013582.dll infected by "not-a-virus:AdWare.Look2Me.u" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP62\A0013583.dll infected by "not-a-virus:AdWare.Look2Me.u" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP62\A0013584.dll infected by "not-a-virus:AdWare.Look2Me.u" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP62\A0013585.dll infected by "not-a-virus:AdWare.Look2Me.u" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP62\A0013586.dll infected by "not-a-virus:AdWare.Look2Me.u" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP62\A0013587.exe infected by "Backdoor.Win32.Agent.bg" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP62\A0013589.dll infected by "not-a-virus:AdWare.Look2Me.u" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP9\A0003109.dll infected by "not-a-virus:AdWare.Look2Me.u" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP9\A0003110.dll infected by "not-a-virus:AdWare.Look2Me.u" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP9\A0003111.dll infected by "not-a-virus:AdWare.Look2Me.u" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP9\A0003112.dll infected by "not-a-virus:AdWare.Look2Me.u" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP9\A0003113.dll infected by "not-a-virus:AdWare.Look2Me.u" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP9\A0003115.dll infected by "not-a-virus:AdWare.Look2Me.u" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP94\A0014778.dll infected by "Trojan.Win32.Revop.c" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP98\A0017702.exe infected by "Trojan-Clicker.JS.Linker.g" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP98\A0017703.reg infected by "Trojan.WinREG.LowZones.f" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP98\A0017704.reg infected by "Trojan.WinREG.LowZones.f" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP98\A0017705.bat infected by "Trojan.WinREG.LowZones.f" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP98\A0017706.exe infected by "Backdoor.Win32.Spyboter.gen" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\BTGrab.dll infected by "not-a-virus:AdWare.BiSpy.t" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\DictComp3s.exe infected by "Trojan.Win32.VB.sx" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\dlmax.dll infected by "not-a-virus:AdWare.BiSpy.t" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\SAHAgent_.exe infected by "not-a-virus:AdWare.ShopAtHome.b" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\SahHtml_.exe infected by "not-a-virus:AdWare.Sahat.i" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\webdlg32.dll infected by "not-a-virus:AdWare.ToolBar.SBSoft.g" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\EliteSideBar\EliteSideBar 08.dll infected by "not-a-virus:AdWare.ToolBar.EliteBar.z" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\EliteToolBar\EliteToolBar version 59.dll infected by "not-a-virus:AdWare.ToolBar.EliteBar.z" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\farmmext.exe.tcf infected by "Trojan-Downloader.Win32.Stubby.c" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\farmmext.exe5606.tcf infected by "Trojan-Downloader.Win32.Stubby.c" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Helper101.dll infected by "Trojan-Clicker.Win32.Delf.r" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\jzqzipqlw.exe infected by "Trojan-Downloader.Win32.Envolo.b" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\msgcenter_lminv1.exe.tcf infected by "Trojan-Downloader.Win32.Lalus" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\UpdInstall.exe infected by "not-a-virus:AdWare.Look2Me.r" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\abasa5jrp.exe infected by "not-a-virus:AdWare.Sahat.l" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\adktsfxc.exe infected by "BkCln.Unknown" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\Agent.dll infected by "not-a-virus:AdWare.Sahat.g" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\appsys.exe.tcf infected by "Trojan-Downloader.Win32.Delf.ck" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\bhlfd.dll infected by "not-a-virus:AdWare.Adstart.c" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\bhlfdc.exe infected by "not-a-virus:AdWare.Adstart.b" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\bhlfdd.exe infected by "not-a-virus:AdWare.Adstart.i" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\bhlfdf.exe infected by "not-a-virus:AdWare.Adstart.d" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\biH.exe infected by "not-a-virus:AdWare.BiSpy.b" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\Cache\em_d.exe infected by "Trojan-Downloader.Win32.IstBar.gen" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\cdlsp.dll infected by "Trojan-Downloader.Win32.Agent.br" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\ctbv2.dll infected by "not-a-virus:AdWare.Sahat.g" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\docore.dll infected by "not-a-virus:AdWare.Couponage.a" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\dolsp.dll infected by "Trojan-Downloader.Win32.Agent.br" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\dsktrf.dll infected by "not-a-virus:AdWare.ToolBar.HotSearchBar.b" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\dun.exe infected by "not-a-virus:AdWare.DealHelper.x" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\Eaqdwv.exe infected by "not-a-virus:AdWare.DealHelper.z" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\eliteezi32.exe infected by "Trojan.Win32.StartPage.nk" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\elitegva32.exe infected by "Trojan.Win32.StartPage.nk" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\elitetnf32.exe infected by "Trojan.Win32.StartPage.nk" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\eliteusc32.exe infected by "Trojan.Win32.StartPage.nk" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\elitexah32.exe infected by "Trojan.Win32.StartPage.nk" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\ezStub.exe infected by "not-a-virus:AdWare.EZula.ao" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\goldnew2b.dll infected by "Trojan-Dropper.Win32.Miewer.f" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\gtwmm.dll infected by "not-a-virus:AdWare.Adstart.c" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\gtwmmc.exe infected by "not-a-virus:AdWare.Adstart.b" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\gtwmmd.exe infected by "not-a-virus:AdWare.Adstart.b" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\gtwmmf.exe infected by "not-a-virus:AdWare.Adstart.d" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\hochkaod3.exe infected by "not-a-virus:AdWare.Sahat.l" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\HyperLinker.exe infected by "not-a-virus:AdWare.Suggestor.f" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\ic2_win.dll infected by "not-a-virus:AdWare.ToolBar.Ilookup.b" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\installer_im.dll infected by "Trojan-Dropper.Win32.Delf.av" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\Ktvunu.exe infected by "not-a-virus:AdWare.DealHelper.x" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\KVI_111.dll infected by "not-a-virus:AdWare.Sahat.g" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\lkir8l2gm.dll infected by "not-a-virus:AdWare.Sahat.l" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\Mfyqrr.exe infected by "not-a-virus:AdWare.DealHelper.z" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\msnavc32.exe infected by "Trojan-Downloader.Win32.Agent.dz" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\netut80ex.vxd infected by "not-a-virus:AdWare.BargainBuddy.n" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\nostalgia.dll infected by "not-a-virus:AdWare.BiSpy.m" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\nvrtml.exe infected by "Trojan-Downloader.Win32.Agent.ji" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\pop5.dll infected by "Trojan-Dropper.Win32.Miewer.a" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\q17i9a4j.exe infected by "not-a-virus:AdWare.Sahat.l" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\qh4mkbv9.dll infected by "not-a-virus:AdWare.Sahat.l" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\Rtdx116.dat infected by "Backdoor.Win32.Padodor.ao" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\Rtdx117.dat infected by "Backdoor.Win32.Padodor.ao" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\Rtdx118.dat infected by "Backdoor.Win32.Easydor.e" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\ruvimc.exe infected by "not-a-virus:AdWare.Adstart.b" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\ruvimd.exe infected by "not-a-virus:AdWare.Adstart.i" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\ruvimf.exe infected by "not-a-virus:AdWare.Adstart.d" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\SahHtml.exe infected by "not-a-virus:AdWare.Sahat.i" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\sqdrq.dll infected by "not-a-virus:AdWare.Adstart.b" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\sqdrqd.exe infected by "not-a-virus:AdWare.Adstart.b" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\sqdrqf.exe infected by "not-a-virus:AdWare.Adstart.b" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\sskden2.dll infected by "Trojan-Dropper.Win32.Miewer.f" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\SWRT01.dll infected by "not-a-virus:AdWare.VirtualBouncer.g" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\sysmonnt.exe infected by "Backdoor.Win32.VB.aat" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\Ugumgu.exe infected by "not-a-virus:AdWare.DealHelper.x" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\unregister.exe infected by "not-a-virus:AdWare.ToolBar.VB.f" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\windcck32.exe infected by "not-a-virus:AdWare.ZenoSearch.a" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\Zropal.exe infected by "not-a-virus:AdWare.DealHelper.x" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Temp\tmp24B.tmp infected by "BkCln.Unknown" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\u6f6uftuc.exe infected by "not-a-virus:AdWare.Sahat.l" Virus. Action Taken: No Action Taken.
File F:\Muffins\SPXIRC.zip tagged as not-a-virus:RiskWare.mIRC.6.12. No Action Taken.
--------------------------------------
There is the full log without Norton Quarantined included. Here is the current Hijack:
Logfile of HijackThis v1.99.1
Scan saved at 9:12:01 PM, on 2/23/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\PROGRA~1\WHATPU~1\WHATPU~1.EXE
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\sfita.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe
C:\Program Files\Azureus\Azureus.exe
C:\Program Files\Java\j2re1.4.2_06\bin\javaw.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\mwavscan.com
C:\DOCUME~1\Owner\LOCALS~1\Temp\kavss.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hijack This\HijackThis.exe
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\Ceres.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.0\THGuard.exe"
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Norton Ghost 9.0] C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [WhatPulse] C:\PROGRA~1\WHATPU~1\WHATPU~1.EXE
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [sfita] C:\WINDOWS\sfita.exe
O4 - HKCU\..\RunOnce: [Web Offer] Command /c del C:\WINDOWS\System32\EZPOPS~1.EXE
O4 - Global Startup: Azureus.lnk = C:\Program Files\Azureus\Azureus.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20020713/qtinstall.info.apple.com/samantha/us/win/QuickTimeInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1102294515357
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
Seems like there is some stuff from there which can be deleted. On startup nothing looked too out of the ordinary, except for immediately upon startup a "Windows Installer" started, which I cancelled. This usually only seems to happen when spyware is being installed, but I guess I could be wrong. Thanks for all the help. Sorry about the excessive posts. Thanks!
Jeff
-
Hold up for a second, this list is way too long, I don't want to see it all right now
We're going to have to try something else
-
Wow!!!
We have to make this list a lot smaller
Enter your Control Panel, Open the Java Icon
Clear the Cache or Delete Files
Next, go into Hijackthis, all versions you may have and delete All the backups that have been made
Any files that look like this
============================================
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\25FC1514.exe infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
============================================
Are in Norton's Quarantine List>>They're not doing any harm, but are not needed
This is optional, but it shouldn't do any harm removing them
May have to be done in safe mode
Any of these files
File C:\WINDOWS\SYSTEM32\srchbar.dll infected by "not-a-virus:AdWare.ToolBar.VB.f" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\BTGrab.dll infected by "not-a-virus:AdWare.BiSpy.t" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\DictComp3s.exe infected by "Trojan.Win32.VB.sx" Virus. Action Taken: No Action Taken.
And so on........
You get the idea, you should boot into safe mode and delete them if you can
Any of these files
=======================================================
File C:\DOCUME~1\Owner\LOCALS~1\TEMPOR~1\Content.IE5\04Z3159J\replaceSearch[1].dll infected by "not-a-virus:AdWare.ReSearch.a" Virus. Action Taken: No Action Taken.
==================================================
Are in your Temp folders, don't try and remove them manually
I can't remember if I had you download Windows CleanUp! before
If not do it now
Download and Install this small program
to help clean your temp folders, cookies, prefetch folder, etc...
Windows Cleanup (http://www.antispyware.nextdesigns.net/installs/cleanup.php?type=exe)
Install for now but Don't run a scan yet
Any of these files
=================================================
File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy3.zip infected by "Password-protected-EXE" Virus. Action Taken: No Action Taken.
=================================================
Are in Spybot's backups
Open Spybot>>Click on Recovery and PURGE(Remove) all items that are found
All items tagged as RISK WARE leave alone for now,
Ones that look like this
==============================================
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP9\A0003110.dll infected by "not-a-virus:AdWare.Look2Me.u" Virus. Action Taken: No Action Taken.
=====================================================
Are in your System Restore folders; you will have to disable System Restore, restart your computer, and then enable System Restore again
So this is what we should do
If you already have Windows CleanUp installed, good, if not get it, that will save you time from manually deleting your temp files
If you're confident about the work that is set out for you
go and Disable System Restore right now
Do another scan with Hijackthis and fix these entries, remember this has to be with all other windows closed
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\Ceres.dll
O4 - HKCU\..\Run: [sfita] C:\WINDOWS\sfita.exe
O4 - HKCU\..\RunOnce: [Web Offer] Command /c del C:\WINDOWS\System32\EZPOPS~1.EXE
Make sure you have the whole list to a Notepad file
Restart your computer into safe mode
If you can, remove the backups in Norton's Quarantine list>>If unneeded...
Empty the contents of Norton's protected recycle bin if you can
Manually track down all the files and remove them>>Many listed will be duplicates
So you will only need to remove them once
Ones you're unsure about you can leave alone for now
Run Windows CleanUp
START>>All Programs>>CleanUp
Click on the CleanUp button
Let it finish scanning for files and then Restart your computer into Normal mode
Reenable System Restore
I still noticed Trojan Guard on your computer, is this still the Trial Version of Trojan Hunter?????
If it is shut down Trojan Guard by the clock or possibly in the Task Manager<<Ensure you do this
Then Uninstall it
Download the trial version of tds-3 anti trojan from here:
http://www.diamondcs.com.au/tds/downloads/tds3setup.exe
Install it and Restart your computer when prompted
Don't run a scan yet
When you're back in Windows it's important to update to the latest RADIUS database
IMPORTANT>>>Right click the link below, select "save target as" or save link as
http://www.diamondcs.com.au/tds/radius.td3
Save it to the directory where you installed TDS-3
The default location should be
C:\Program Files\TDS3
Allow it to overwrite the previous radius.td3
If you're unsure how to update it follow the instructions from this link
http://tds.diamondcs.com.au/index.php?page=update
Follow the Manual update procedure
Again, don't run a scan yet
Print this out or save to a Notepad file for easy access
Restart into Safe mode without Network connection
You can do this by tapping the F8 key as The system is booting up
Launch TDS-3. In the top bar of tds window click system testing> full systemscan.
Let it completely finish scanning---Even if it appears to hesitate at times
Detections will appear in the lower pane of the TDS window after the scan is finished. Right click the list> select save as txt.>> save this to a convenient location, I'll need to see it later
After saving the scandump.txt go ahead and right click the list of alarms again, this time select delete...only delete those with POSITIVE IDENTIFICATION
Restart back to Normal mode
Post back a fresh Hijackthis log and the Scandump.txt
A little work to do, but I'm sure you can handle it.....
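The sorting the helper does above by hand (quarantine and tool backups are inert, System Restore copies need System Restore cycled, Temp/IE-cache copies go to a temp cleaner, RiskWare is left alone, everything else is a live file for safe mode) can be applied to the whole MWAV log mechanically. This is an added example, not code from the thread or from eScan/MWAV; the bucket names, the per-bucket notes and SAMPLE_LOG are constructed here, with SAMPLE_LOG reusing line formats and paths quoted in the thread.

```python
"""Sort an eScan/MWAV-style scan log into the buckets the helper uses above.

Added example; not code from the thread or from eScan/MWAV. Bucket names,
the per-bucket notes and SAMPLE_LOG are constructed (SAMPLE_LOG reuses line
formats and paths quoted in the thread).
"""
import re
from collections import defaultdict

# Two line shapes appear in the log:
#   File <path> infected by "<name>" Virus. Action Taken: <action>.
#   File <path> tagged as <name>. <action>.
LINE_RE = re.compile(
    r'^File (?P<path>.+?) '
    r'(?:infected by "(?P<inf>[^"]+)" Virus|tagged as (?P<tag>\S+))\.'
)

# (bucket, lowercase path fragments); the first matching rule wins.
RULES = (
    ("quarantine_or_backup", ("\\quarantine\\",
                              "\\hijack this\\backups\\",
                              "\\spybot - search & destroy\\recovery\\",
                              "\\recycler\\nprotect\\")),
    ("system_restore", ("\\system volume information\\_restore",)),
    ("temp_or_cache", ("\\locals~1\\temp\\",
                       "\\locals~1\\tempor~1\\",
                       "\\local settings\\temp",
                       "\\windows\\temp\\")),
)

NOTES = {
    "riskware_leave": "tagged RiskWare: leave alone for now",
    "quarantine_or_backup": "inert copies in a quarantine/backup store: optional cleanup",
    "system_restore": "System Restore copies: disable System Restore, reboot, re-enable",
    "temp_or_cache": "Temp/IE cache: clear with a temp cleaner, not by hand",
    "live_remove_in_safe_mode": "live file: delete from safe mode, then verify it is gone",
}


def parse_line(line):
    """Return (path, detection_name) for a scan result line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("path"), m.group("inf") or m.group("tag")


def classify(path, detection):
    """Pick the triage bucket for one (path, detection) pair."""
    if detection.lower().startswith("not-a-virus:riskware"):
        return "riskware_leave"
    lowered = path.lower()
    for bucket, fragments in RULES:
        if any(frag in lowered for frag in fragments):
            return bucket
    return "live_remove_in_safe_mode"


def triage_log(text):
    """Map bucket -> sorted unique paths; repeated hits on one file collapse."""
    buckets = defaultdict(set)
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed:
            buckets[classify(*parsed)].add(parsed[0])
    return {b: sorted(paths) for b, paths in buckets.items()}


def report(text):
    """Human-readable worklist, one bucket per section."""
    out = []
    for bucket, paths in triage_log(text).items():
        out.append(f"== {bucket}: {NOTES[bucket]}")
        out.extend(f"   {p}" for p in paths)
    return "\n".join(out)


# Constructed sample: formats and paths as quoted in the thread, with one
# file deliberately listed twice, as the real log does.
SAMPLE_LOG = r"""
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\25FC1514.exe infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\srchbar.dll infected by "not-a-virus:AdWare.ToolBar.VB.f" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\srchbar.dll infected by "not-a-virus:AdWare.ToolBar.VB.f" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\Owner\LOCALS~1\TEMPOR~1\Content.IE5\04Z3159J\replaceSearch[1].dll infected by "not-a-virus:AdWare.ReSearch.a" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy3.zip infected by "Password-protected-EXE" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP9\A0003110.dll infected by "not-a-virus:AdWare.Look2Me.u" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Temp\tmp24B.tmp infected by "BkCln.Unknown" Virus. Action Taken: No Action Taken.
File F:\Muffins\SPXIRC.zip tagged as not-a-virus:RiskWare.mIRC.6.12. No Action Taken.
"""

if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```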
-
Hey, sorry I've been super busy today. I did some of it, but not enough to post back. Just letting you know where I'm at. Should be able to post back late tomorrow night. Thanks so much!
Jeff
-
Here is TDS log:
Scan Control Dumped @ 21:31:57 26-02-05
Positive identification: TrojanDownloader.Win32.Agent.jq
File: c:\!submit\winupdt.exe
Suspicious Filename: Dual extensions
File: c:\programs\bittorrent-3.4.1.exe
Suspicious Filename: Dual extensions
File: c:\programs\bittorrent-3.4.2.exe
Suspicious Filename: Dual extensions
File: c:\programs\firefox setup 1.0pr.exe
Positive identification: TrojanDownloader.Win32.Swizzor.ck1
File: c:\programs\new_uninstall.exe
Positive identification: TrojanDownloader.Win32.Stubby.c
File: c:\windows\farmmext.exe.tcf
Positive identification: Adware.ShopAtHome.b
File: c:\windows\downloaded program files\sahagent_.exe
Positive identification (embedded in file): Adware.Look2Me.r1 (dll)
File: c:\windows\system\updinstall.exe
Positive identification (embedded in file): Adware.Look2Me.r2 (dll)
File: c:\windows\system\updinstall.exe
Positive identification: Adware.Look2Me.r
File: c:\windows\system\updinstall.exe
Positive identification (DLL): Adware.Netpal (dll)
File: c:\windows\system32\freeze.dll
Positive identification: Adware.Beginto.a
File: c:\windows\system32\reg6523.exe
Positive identification (DLL): Adware.ToolBar.VB.f (dll)
File: c:\windows\system32\srchbar.dll
----------------------
And Hijack:
Logfile of HijackThis v1.99.1
Scan saved at 9:42:36 PM, on 2/26/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AIM\aim.exe
C:\PROGRA~1\WHATPU~1\WHATPU~1.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\I386\NOTEPAD.EXE
C:\Program Files\Hijack This\HijackThis.exe
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} - C:\WINDOWS\dlmax.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.0\THGuard.exe"
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Norton Ghost 9.0] C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [WhatPulse] C:\PROGRA~1\WHATPU~1\WHATPU~1.EXE
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Azureus.lnk = C:\Program Files\Azureus\Azureus.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20020713/qtinstall.info.apple.com/samantha/us/win/QuickTimeInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1102294515357
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
Don't mean to be curt. Just in a hurry. Thanks for your help!
Jeff
-
Do another scan with Hijackthis and check this entry
O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} - C:\WINDOWS\dlmax.dll
Fix checked with all other windows closed down
Restart your computer
Back in Windows
Make sure this file is gone
C:\WINDOWS\dlmax.dll
and this one
C:\WINDOWS\sfita.exe
Also make sure that none of the ones found bad with TDS-3 exist anymore
Open Hijackthis>>Open Misc tools sections>>Open Hosts file manager
Any entries below
127.0.0.1 localhost <---don't delete this line, only anything below it
that you don't recognize can you delete them please
If unsure "Open In notepad" post the log back here
Could you delete your copy of MWav scan from eScan and redownload it from the link I posted above and run another scan
Post the log from it, don't include entries in Norton's Quarantine list
Also include a fresh hijackthis log
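The hosts-file check the helper asks for (keep the localhost line, look at everything below it) separates into three questions: is "127.0.0.1 localhost" present at all, which names are merely sunk to loopback (the pattern Spybot's immunization writes), and which names are sent to some other address, the redirect pattern worth a second look. The following is an added example, not code from the thread or from HijackThis; SAMPLE_HOSTS is constructed from lines quoted in this thread, and clean_hosts() applies the default a home PC with no intranet name overrides would want.

```python
"""Audit a Windows HOSTS file along the lines the helper asks for above.

Added example; not code from the thread or from HijackThis. SAMPLE_HOSTS is
constructed from lines quoted in this thread.
"""
import ipaddress

SAMPLE_HOSTS = """\
# constructed for this example from lines quoted in the thread
64.91.255.87 www.dcsresearch.com
127.0.0.1 www.igetnet.com
127.0.0.1 code.ignphrases.com
127.0.0.1 clear-search.com
# Start of entries inserted by Spybot - Search & Destroy
# End of entries inserted by Spybot - Search & Destroy
"""


def parse_hosts(text):
    """Yield (lineno, ip, [hostnames]) for each active mapping.

    Comments, blank lines and lines whose first field is not an IP
    address are skipped rather than guessed at."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        yield n, ip, [h.lower() for h in fields[1:]]


def is_sink(ip):
    """Loopback or 0.0.0.0: the name is blocked, not sent anywhere."""
    return ip.is_loopback or ip.is_unspecified


def audit_hosts(text):
    """Return {'localhost_present': bool, 'sinkholed': [...], 'redirected': [...]}
    where each list holds (lineno, ip_string, [hostnames])."""
    result = {"localhost_present": False, "sinkholed": [], "redirected": []}
    for n, ip, names in parse_hosts(text):
        if ip.is_loopback and "localhost" in names:
            result["localhost_present"] = True
            names = [h for h in names if h != "localhost"]
        if not names:
            continue
        bucket = "sinkholed" if is_sink(ip) else "redirected"
        result[bucket].append((n, str(ip), names))
    return result


def clean_hosts(text):
    """Rebuild the file: keep comments and sinkhole entries, drop every
    mapping to a non-loopback address, and make sure localhost is mapped."""
    kept = []
    for raw in text.splitlines():
        entry = next(parse_hosts(raw), None)
        if entry is not None and not is_sink(entry[1]):
            continue  # a redirect to a real address: remove it
        kept.append(raw)
    if not audit_hosts(text)["localhost_present"]:
        kept.insert(0, "127.0.0.1 localhost")
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    findings = audit_hosts(SAMPLE_HOSTS)
    print("localhost line present:", findings["localhost_present"])
    for n, ip, names in findings["redirected"]:
        print(f"line {n}: {' '.join(names)} -> {ip}  (redirect, review)")
    print(f"{len(findings['sinkholed'])} name(s) sunk to loopback")
    print(clean_hosts(SAMPLE_HOSTS))
```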
-
Here is the MicroWorld scan log, a tad smaller this time :)
File C:\WINDOWS\System32\adktsfxc.exe infected by "Trojan.Win32.Agent.ay" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\sqdrq.dll infected by "not-a-virus:AdWare.Adstart.b" Virus. Action Taken: No Action Taken.
File C:\Bit Torrent [censored]\VirtualDub 1.5.1.1a MPEG AC3.rar infected by "Trojan-Dropper.Win32.Delf.dh" Virus. Action Taken: No Action Taken.
File C:\Bit Torrent [censored]\VirtualDub 1.5.4 P4 Optimized.rar infected by "Trojan-Dropper.Win32.Delf.dh" Virus. Action Taken: No Action Taken.
File C:\counter.cab infected by "Trojan-Dropper.Win32.Small.ls" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\All Users\Application Data\AOL Downloads\lpaolcom_setupSTUS\comp02.000 tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Documents and Settings\All Users\Application Data\AOL Downloads\setup90\comp01.000 tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Documents and Settings\Owner\Desktop\l2mfix\Process.exe tagged as not-a-virus:RiskWare.Tool.Processor.20. No Action Taken.
File C:\Documents and Settings\Owner\Desktop\l2mfix.exe tagged as not-a-virus:RiskWare.Tool.Processor.20. No Action Taken.
File C:\Program Files\AIM\mspass.exe tagged as not-a-virus:RiskWare.PSWTool.Win32.Messen.102. No Action Taken.
File C:\Program Files\America Online 9.0\backup\restore\comp02.000 tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\America Online 9.0\Jiti\Jiti_mm.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\Common Files\Java\Update\Base Images\jdk1.5.0.b64\demos.zip tagged as not-a-virus:JavaClass.Chart. No Action Taken.
File C:\Program Files\Hijack This\backups\backup-20050227-183851-827.dll infected by "not-a-virus:AdWare.BiSpy.t" Virus. Action Taken: No Action Taken.
File C:\Program Files\Java\jdk1.5.0\demo\applets\BarChart\BarChart.class tagged as not-a-virus:JavaClass.Chart. No Action Taken.
File C:\Program Files\Java\jdk1.5.0\demo\plugin\applets\BarChart\BarChart.class tagged as not-a-virus:JavaClass.Chart. No Action Taken.
File C:\Program Files\mIRC\mirc.exe tagged as not-a-virus:RiskWare.mIRC.6.16. No Action Taken.
File C:\Programs\mirc616.exe tagged as not-a-virus:RiskWare.mIRC.6.16. No Action Taken.
File C:\Programs\mspass.exe tagged as not-a-virus:RiskWare.PSWTool.Win32.Messen.102. No Action Taken.
File C:\Programs\mspass.zip tagged as not-a-virus:RiskWare.PSWTool.Win32.Messen.102. No Action Taken.
File C:\RECYCLER\NPROTECT\00186249.EXE infected by "Trojan-Downloader.Win32.Swizzor.bj" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1\A0001011.exe infected by "not-a-virus:AdWare.Look2Me.r" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1\A0001014.dll infected by "not-a-virus:AdWare.ToolBar.VB.f" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1\A0001015.exe infected by "Trojan-Downloader.Win32.Swizzor.ck" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1\A0001016.exe infected by "Trojan-Downloader.Win32.Agent.jq" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP2\A0001031.dll infected by "not-a-virus:AdWare.BiSpy.t" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\SahHtml_.exe infected by "not-a-virus:AdWare.Sahat.i" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\adktsfxc.exe infected by "Trojan.Win32.Agent.ay" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\Cache\em_d.exe infected by "Trojan-Downloader.Win32.IstBar.gen" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\sqdrq.dll infected by "not-a-virus:AdWare.Adstart.b" Virus. Action Taken: No Action Taken.
File F:\Muffins\SPXIRC.zip tagged as not-a-virus:RiskWare.mIRC.6.12. No Action Taken.
-----------------------------
There was no "localhost" line even listed in the Hijack file. Here is the log from that:
127.0.0.1 www.igetnet.com
127.0.0.1 code.ignphrases.com
127.0.0.1 clear-search.com
127.0.0.1 r1.clrsch.com
127.0.0.1 sds.clrsch.com
127.0.0.1 status.clrsch.com
127.0.0.1 www.clrsch.com
127.0.0.1 clr-sch.com
127.0.0.1 sds-qckads.com
127.0.0.1 status.qckads.com
# Start of entries inserted by Spybot - Search & Destroy
# End of entries inserted by Spybot - Search & Destroy
# End of entries inserted by Spybot - Search & Destroy
# End of entries inserted by Spybot - Search & Destroy
# End of entries inserted by Spybot - Search & Destroy
# End of entries inserted by Spybot - Search & Destroy
# End of entries inserted by Spybot - Search & Destroy
# End of entries inserted by Spybot - Search & Destroy
------------------------------
And here is my current Hijack:
Logfile of HijackThis v1.99.1
Scan saved at 10:33:36 PM, on 2/27/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AIM\aim.exe
C:\PROGRA~1\WHATPU~1\WHATPU~1.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\mwavscan.com
C:\DOCUME~1\Owner\LOCALS~1\Temp\kavss.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hijack This\HijackThis.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.0\THGuard.exe"
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Norton Ghost 9.0] C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [WhatPulse] C:\PROGRA~1\WHATPU~1\WHATPU~1.EXE
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Azureus.lnk = C:\Program Files\Azureus\Azureus.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20020713/qtinstall.info.apple.com/samantha/us/win/QuickTimeInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1102294515357
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
--------------------------------
Everything seems to be running much more smoothly already, but I might as well get 100% clean. Thanks!
Jeff
-
The hosts file looks ok, but let's make sure
Download and UNZIP to a folder Hoster by Toadbee (http://members.aol.com/toadbee/hoster.zip)
Open Spybot>>mode>>Advanced>>OK the prompt
Tools>>Hosts file
Remove S&D host file if being used
Close out
Open Hoster>>>you may have to use the top right button to make the Hosts file Writeable
Then Click the Restore Original hosts button
Afterwards you can go back into Spybot and add S&D Hosts file if you like
Next find and delete the bad guys found by eScan
C:\WINDOWS\System32\adktsfxc.exe
C:\WINDOWS\System32\sqdrq.dll
C:\Bit Torrent [censored]\VirtualDub 1.5.1.1a MPEG AC3.rar
C:\Bit Torrent [censored]\VirtualDub 1.5.4 P4 Optimized.rar
C:\counter.cab
C:\RECYCLER\NPROTECT\00186249.EXE
C:\WINDOWS\Downloaded Program Files\SahHtml_.exe
C:\WINDOWS\SYSTEM32\adktsfxc.exe
C:\WINDOWS\SYSTEM32\Cache\em_d.exe <--Could you also let me know what other files you see in the Cache folder
Some bad guys still in your System Restore folders
Can you again Disable system restore>>Restart the computer>>Enable system restore
Post back one more hijackthis log afterwards
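The hosts-file check above, as an added example (not a tool from this thread): a small Python script that separates Spybot-style blocklist entries from redirect entries, the hosts-file hijack pattern that Panda's later scan on this machine reports as Trj/Qhost. The sample hosts text is constructed; only the status.qckads.com line and the Spybot marker comments are taken from the thread, and the 203.0.113.7 lines are made up.

```python
"""Triage a Windows hosts file (added example for this thread, not a tool
from the original posts).  Two patterns matter here:
  * blocklist entries: a hostname mapped to 127.0.0.1 / 0.0.0.0, which is
    what Spybot - Search & Destroy inserts between its marker comments;
  * redirect entries: a hostname mapped to a real address, the hosts-file
    hijack pattern that Panda later reports on this machine as Trj/Qhost.
"""
import ipaddress
from collections import Counter

LOOPBACK_OR_NULL = {"127.0.0.1", "0.0.0.0", "::1"}
SPYBOT_START = "# Start of entries inserted by Spybot - Search & Destroy"
SPYBOT_END = "# End of entries inserted by Spybot - Search & Destroy"

# Constructed sample.  The status.qckads.com line and the Spybot markers
# mirror the thread's hosts file; the 203.0.113.7 lines (TEST-NET-3, a
# documentation range) are made up to show what a redirect looks like.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
127.0.0.1 status.qckads.com
# Start of entries inserted by Spybot - Search & Destroy
127.0.0.1 www.doubleclick.net
# End of entries inserted by Spybot - Search & Destroy
# End of entries inserted by Spybot - Search & Destroy
203.0.113.7 www.google.com   # constructed: search site sent elsewhere
203.0.113.7 windowsupdate.microsoft.com
"""


def parse_hosts(text):
    """Return [(ip, [hostnames])] for each real entry; comments and
    malformed lines are skipped, as the resolver itself skips them."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                              # first token not an IP
        entries.append((str(ip), parts[1:]))
    return entries


def count_markers(text):
    """Count Spybot start/end marker comments.  They should pair up once;
    one start and seven end markers (as in the thread) means the marker
    block has been rewritten more than once.  Comments do not affect name
    resolution, but an unbalanced count is worth noticing."""
    c = Counter()
    for raw in text.splitlines():
        s = raw.strip()
        if s == SPYBOT_START:
            c["start"] += 1
        elif s == SPYBOT_END:
            c["end"] += 1
    return c


def triage(text):
    """Classify every hostname as 'blocklist' (loopback/null target) or
    'redirect' (any other target).  The stock 'localhost' line is ignored."""
    report = {"blocklist": [], "redirect": [], "markers": count_markers(text)}
    for ip, names in parse_hosts(text):
        bucket = "blocklist" if ip in LOOPBACK_OR_NULL else "redirect"
        for name in names:
            if bucket == "blocklist" and name.lower() == "localhost":
                continue
            report[bucket].append((name, ip))
    return report


def summarize(report):
    """Human-readable verdict: redirects are the thing to act on
    (restore a clean hosts file, as the helper suggests with Hoster)."""
    lines = [f"{len(report['blocklist'])} blocklist entries, "
             f"{len(report['redirect'])} redirect entries"]
    for name, ip in report["redirect"]:
        lines.append(f"  REDIRECT {name} -> {ip}")
    m = report["markers"]
    if m["start"] != m["end"]:
        lines.append(f"  Spybot markers unbalanced: {m['start']} start, {m['end']} end")
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(triage(SAMPLE_HOSTS)))
```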
-
The files in the Cache folder are:
desktrf-fran-162813.exe
InstallAPS.exe
I was also unable to find the files
C:\RECYCLER\NPROTECT\00186249.EXE
C:\WINDOWS\Downloaded Program Files\SahHtml_.exe
They didn't seem to exist? Not really sure. Hijack is as follows:
Logfile of HijackThis v1.99.1
Scan saved at 7:06:01 AM, on 2/28/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\WHATPU~1\WHATPU~1.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hijack This\HijackThis.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.0\THGuard.exe"
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Norton Ghost 9.0] C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [WhatPulse] C:\PROGRA~1\WHATPU~1\WHATPU~1.EXE
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Azureus.lnk = C:\Program Files\Azureus\Azureus.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20020713/qtinstall.info.apple.com/samantha/us/win/QuickTimeInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1102294515357
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
Thanks for your help!
Jeff
-
This one is in your Norton protected recycle bin
C:\RECYCLER\NPROTECT\00186249.EXE
Go to START>>RUN>>type in cmd
Hit OK
At the prompt type in these entries, excluding the = signs, see note
cd\WINDOWS\Downloaded Program Files (hit Enter)
dir=/a=/Q=*=>C:\dpflist.txt (hit Enter)
start=C:\dpflist.txt (hit Enter)
NOTE* DON'T enter the = signs when typing in those commands
Those are just there to let you know where the spaces are
Copy and Paste the log that appears and then Close out the command prompt
-
Here's that log:
Volume in drive C has no label.
Volume Serial Number is 688C-1C22
Directory of C:\WINDOWS\Downloaded Program Files
02/26/2005 09:32 PM <DIR> BUILTIN\Administrators .
02/26/2005 09:32 PM <DIR> BUILTIN\Administrators ..
06/12/2002 12:16 PM 112,312 ... ActiveData.dll
11/30/2004 01:59 PM 110,592 HOME\Friends asinst.dll
11/30/2004 02:00 PM 525 HOME\Friends asinst.inf
02/25/2004 03:48 PM 403 ... ATPartners.inf
07/13/2000 04:21 PM 86,488 ... bvinetio.dll
03/19/2001 06:14 PM 564 ... CabSA.inf
11/19/2003 08:32 PM <DIR> ... CONFLICT.1
12/05/2004 11:16 AM 65 BUILTIN\Administrators DESKTOP.INI
08/03/2004 03:45 PM 1,271 ... erma.inf
08/25/2003 06:12 PM 1,096 ... iuctl.inf
09/29/2004 12:21 PM 740 HOME\Friends jinstall-1_4_2_06.inf
03/15/2002 02:18 PM 348,160 ... kdu_v32r.dll
09/19/2003 04:58 PM 819 ... kdx.inf
01/20/2000 02:25 PM 1,162 BUILTIN\Administrators Microsoft XML Parser for Java.osd
06/28/2004 03:10 PM 1,088 ... qdiagcc.inf
09/29/2002 10:35 AM 8,708,390 ... QuickTimeInstallCache.qdat
07/13/2000 04:21 PM 57,816 ... ratechk.dll
03/26/2004 08:12 AM 1,453 ... roing17.INF
03/19/2001 06:13 PM 102,800 ... rufsi.dll
06/27/2004 09:07 PM 32,768 HOME\Friends SahHtml_.exe
11/30/2004 03:36 PM 31,744 HOME\Friends SAHUninstall_.exe
10/10/2002 04:23 PM 132,552 ... StripSaver_108.EXE
12/08/2003 01:58 PM 3,759 HOME\Friends swflash.inf
05/17/2004 09:05 AM 156,792 ... SymAData.dll
04/30/2003 10:48 PM <DIR> ... temp
11/17/1999 04:41 PM 1,522 ... voxmsdec.inf
06/30/2003 10:41 PM 1,689 ... WMV9VCM.inf
08/03/2004 02:51 PM 293 HOME\Friends wuweb.inf
03/24/2004 06:17 PM 1,777 HOME\Friends xscan.inf
03/24/2004 06:22 PM 435,712 HOME\Friends xscan53.ocx
10/08/2002 12:39 PM 262,144 ... ywcvwr.dll
10/22/2003 07:35 PM 240 ... zscrjdjl.inf
30 File(s) 10,596,736 bytes
4 Dir(s) 31,721,365,504 bytes free
------------------
Hope that was right. Thanks!
Jeff
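A parser for the `dir /a /Q` listing posted above, as an added example and not a tool from the thread: it groups entries by the owner column and lists executables that are not owned by an admin or system account, which is the column the helper uses to pick out SahHtml_.exe and SAHUninstall_.exe. The listing excerpt is copied from the output above; TRUSTED_OWNERS and EXEC_EXT are assumptions.

```python
"""Parse `dir /a /Q` output and triage Downloaded Program Files by owner.
Added example for this thread, not a tool from the original posts.
"""
import os
import re
from collections import defaultdict

# One listing row: date, time, <DIR> or byte count, owner, name.
# The owner is DOMAIN\user (one optional space inside the domain part,
# e.g. NT AUTHORITY\SYSTEM) or "..." when dir prints no owner name.
DIR_LINE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>\d{2}:\d{2} [AP]M)\s+"
    r"(?P<size><DIR>|[\d,]+)\s+"
    r"(?P<owner>\.\.\.|\S+(?: \S+)?\\\S+)\s+"
    r"(?P<name>.+?)\s*$")

# Assumption: file types dropped by IE's ActiveX installer that are worth
# a second look when they turn up under a plain user account.
EXEC_EXT = {".exe", ".dll", ".ocx", ".com", ".scr", ".cpl"}

# Assumption: accounts whose files we treat as installed by an admin or
# the OS rather than by the interactive user.
TRUSTED_OWNERS = {"BUILTIN\\Administrators", "NT AUTHORITY\\SYSTEM"}

# Excerpt of the listing posted in the thread (header and totals kept so
# the parser is shown skipping them).
SAMPLE_LISTING = r"""
 Volume in drive C has no label.
 Directory of C:\WINDOWS\Downloaded Program Files
02/26/2005 09:32 PM <DIR> BUILTIN\Administrators .
02/26/2005 09:32 PM <DIR> BUILTIN\Administrators ..
06/12/2002 12:16 PM 112,312 ... ActiveData.dll
11/30/2004 01:59 PM 110,592 HOME\Friends asinst.dll
02/25/2004 03:48 PM 403 ... ATPartners.inf
12/05/2004 11:16 AM 65 BUILTIN\Administrators DESKTOP.INI
01/20/2000 02:25 PM 1,162 BUILTIN\Administrators Microsoft XML Parser for Java.osd
06/27/2004 09:07 PM 32,768 HOME\Friends SahHtml_.exe
11/30/2004 03:36 PM 31,744 HOME\Friends SAHUninstall_.exe
03/24/2004 06:22 PM 435,712 HOME\Friends xscan53.ocx
30 File(s) 10,596,736 bytes
4 Dir(s) 31,721,365,504 bytes free
"""


def parse_dir_q(text):
    """Return one dict per file/directory row.  The volume header, the
    '.' and '..' rows and the File(s)/Dir(s) totals are skipped."""
    rows = []
    for line in text.splitlines():
        m = DIR_LINE.match(line.strip())
        if not m or m.group("name") in (".", ".."):
            continue
        row = m.groupdict()
        row["is_dir"] = row["size"] == "<DIR>"
        row["size"] = 0 if row["is_dir"] else int(row["size"].replace(",", ""))
        rows.append(row)
    return rows


def by_owner(rows):
    """Map owner -> [names], in listing order."""
    groups = defaultdict(list)
    for row in rows:
        groups[row["owner"]].append(row["name"])
    return dict(groups)


def untrusted_executables(rows, trusted=TRUSTED_OWNERS):
    """(name, owner) for executable files whose owner is not an admin or
    system account; rows with owner '...' are included as unknown owner.
    This is a triage list, not a verdict: in the thread xscan53.ocx and
    asinst.dll are the HouseCall and Panda ActiveScan controls that also
    appear as O16 entries in the HijackThis log, while SahHtml_.exe and
    SAHUninstall_.exe are the two the helper has the poster delete."""
    found = []
    for row in rows:
        if row["is_dir"]:
            continue
        ext = os.path.splitext(row["name"])[1].lower()
        if ext in EXEC_EXT and row["owner"] not in trusted:
            found.append((row["name"], row["owner"]))
    return found


if __name__ == "__main__":
    rows = parse_dir_q(SAMPLE_LISTING)
    for owner, names in by_owner(rows).items():
        print(f"{owner}: {', '.join(names)}")
    for name, owner in untrusted_executables(rows):
        print(f"  check: {name} (owner {owner})")
```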
-
Go back to a Command prompt
START>>RUN>>Type in cmd
At the prompt type in the following, again no = signs, they reflect spaces
cd\WINDOWS\Downloaded Program Files (hit Enter)
del=SahHtml_.exe (hit Enter)
del=SAHUninstall_.exe (hit Enter)
Exit out
I've uploaded a Zip file called Clean.zip, can you save it and UNZIP it to your desktop please.
Now you will have Clean.reg and NoPal.reg on the desktop
Double click on each and let them merge to the registry
Restart your computer and post back one last hijackthis log
-
Here is Hijack:
Logfile of HijackThis v1.99.1
Scan saved at 12:09:16 AM, on 3/1/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\WHATPU~1\WHATPU~1.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\Azureus\Azureus.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Java\j2re1.4.2_06\bin\javaw.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hijack This\HijackThis.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.0\THGuard.exe"
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Norton Ghost 9.0] C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [WhatPulse] C:\PROGRA~1\WHATPU~1\WHATPU~1.EXE
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Azureus.lnk = C:\Program Files\Azureus\Azureus.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20020713/qtinstall.info.apple.com/samantha/us/win/QuickTimeInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1102294515357
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
----------------
Now are there any Windows updates you suggest I download to help my situation? Thanks!
Jeff
-
EDIT>>One note before proceeding with the below
Can you see if you have Notepad.exe
in the C:\WINDOWS\SYSTEM32 folder
and the C:\WINDOWS folder
If you do, can you right click on them, left click Properties, and let me know the file size of both and the date created
They're probably legit, I just want to make sure that they're alright
Of course, if you have a legit version of Windows it may be time to jump to Service Pack 2
I would do an online virus scan at Panda's and Housecall's
Restart if anything cleaned out
And clear your System Restore Points one more time
Make sure that if you have Ad-Aware installed you update and check for spyware
Clean those temp files again on startup
Temporarily Disable any Security software such as Trojan Guard before visiting so it won't interfere with the installation
Create a Fresh Restore point
Read this
http://www.microsoft.com/windowsxp/sp2/sp2_whattoknow.mspx
-
Sorry about the late reply, been working a lot this week. The notepad.exe from the C:\Windows folder was created August 23, 2001 and is about 65kb. There didn't seem to be a notepad.exe in the System32 folder. Both Panda and Housecall found some problems, so I saved the logs. Panda's:
Incident Status Location
Spyware:Spyware/Cydoor No disinfected C:\WINDOWS\System32\cd_clint.dll
Adware:Adware/eZula No disinfected Windows Registry
Adware:Adware/Gator No disinfected C:\WINDOWS\FT*_GEPFAH.EXE
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\inf\payload2.inf
Adware:Adware/CWS No disinfected C:\WINDOWS\system.sam
Adware:Adware/BHO No disinfected Windows Registry
Adware:Adware/BookedSpace No disinfected C:\WINDOWS\bsx32
Adware:Adware/Apropos No disinfected Windows Registry
Adware:Adware/FavoriteMan No disinfected C:\WINDOWS\downloaded program files\ATPartners.inf
Adware:Adware/WinTools No disinfected Windows Registry
Adware:Adware/VirtualBouncer No disinfected C:\WINDOWS\System32\InnerVBInstall.log
Adware:Adware/DelFinMedia No disinfected C:\keys.ini
Adware:Adware/MediaTickets No disinfected Windows Registry
Adware:Adware/DealHelper No disinfected C:\WINDOWS\System32\DealHelper
Adware:Adware/Adroar No disinfected C:\WINDOWS\artmmp.ini
Spyware:Spyware/Altnet No disinfected Windows Registry
Adware:Adware/ExactSearch No disinfected C:\WINDOWS\System32\eXactSetup.dll
Adware:Adware/Beginto No disinfected C:\WINDOWS\System32\b2s_cache
Adware:Adware/E2Give No disinfected Windows Registry
Adware:Adware/MultiMPP No disinfected C:\Program Files\Hijack This\backups\backup-20050227-183851-827.dll
Adware:Adware/Lop No disinfected C:\RECYCLER\NPROTECT\00186249.EXE
Adware:Adware/NetPals No disinfected C:\WINDOWS\Downloaded Program Files\ATPartners.inf
Adware:Adware/BTGrab No disinfected C:\WINDOWS\INF\btgrab.inf
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\INF\ceres.inf
Adware:Adware/IPInsight No disinfected C:\WINDOWS\INF\farmmext.inf
Adware:Adware/CWS No disinfected C:\WINDOWS\system.sam
Virus:Trj/Qhost.Y Disinfected C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.20041130-070242.backup
Virus:Trj/Qhost.Y Disinfected C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.20041201-000713.backup
Virus:Trj/Qhost.Y Disinfected C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.20041201-000727.backup
Virus:Trj/Qhost.Y Disinfected C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.20050217-211348.backup
Virus:Trj/Qhost.Y Disinfected C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.20050217-211442.backup
Virus:Trj/Qhost.Y Disinfected C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.20050220-161453.backup
Virus:Trj/Qhost.Y Disinfected C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.20050221-172917.backup
Virus:Trj/Qhost.Y Disinfected C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.20050228-010232.backup
Virus:Trj/Qhost.Y Disinfected C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.20050228-010233.backup
Virus:Trj/Qhost.Y Disinfected C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.20050228-010234.backup
Virus:Trj/Qhost.Y Disinfected C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.bak
Adware:Adware/PurityScan No disinfected C:\WINDOWS\SYSTEM32\LASS~1.EXE
Spyware:Spyware/Cydoor No disinfected C:\WINDOWS\SYSTEM32\netpals.dll
Spyware:Spyware/LinkReplacer No disinfected C:\WINDOWS\SYSTEM32\uninst.exe
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\SYSTEM32\xmlparse.dll
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\SYSTEM32\xmltok.dll
----------------------
And HouseCall:
Trend Micro Housecall Virus Scan: 0 virus cleaned, 2 viruses deleted
Results:
We have detected 2 infected file(s) with 2 virus(es) on your computer: 0 virus(es) cleaned, 0 virus(es) uncleanable, 2 virus(es) deleted, 0 virus(es) undeletable, 0 virus(es) passed.
Detected File | Associated Virus Name | Action taken
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1\A0000014.exe | TROJ_STARTPAG.EO | Delete successful
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1\A0000017.exe | TROJ_AGENT.AAB | Delete successful
Trojan/Worm Check: 0 worm/Trojan horse deleted
What we checked:
Malicious activity by a Trojan horse program. Although a Trojan seems like a harmless program, it contains malicious code and once installed can cause damage to your computer.
Results:
We have detected 0 Trojan horse program(s) and worm(s) on your computer: 0 Worm(s)/Trojan(s) deleted, 0 worm(s)/Trojan(s) undeletable, 0 worm(s)/Trojan(s) passed.
Trojan/Worm Name | Trojan/Worm Type | Action taken
Spyware Check: 13 spyware programs removed
What we checked:
Whether personal information was tracked and reported by spyware. Spyware is often installed secretly with legitimate programs downloaded from the Internet.
Results:
We have detected 22 spyware(s) on your computer: 13 spyware(s) removed, 0 spyware(s) unremovable, 6 spyware(s) passed.
Spyware Name | Spyware Type | Action taken
ADW_MIWAY.A | Adware | Removal successful
ADW_SECTHOUGHT.A | Adware | Removal successful
COOKIE_255 | Cookie | Pass
COOKIE_281 | Cookie | Pass
COOKIE_346 | Cookie | Pass
COOKIE_442 | Cookie | Pass
COOKIE_1701 | Cookie | Pass
SPYW_PPNETWORK.A | Spyware | Removal successful
ADW_DESKMEDIA.A | Adware | Removal successful
ADW_ELITEBAR.E | Adware | Removal successful
ADW_BADBITOR.A | Adware | Removal successful
ADW_SAHAGENT.A | Adware | Removal successful
SPYW_PPNETWORK.B | Spyware | Unknown
ADW_TARGETSOFT.A | Adware | Removal successful
COOKIE_3218 | Cookie | Pass
SPYW_WEBSEARCH.A | Spyware | Removal successful
ADW_APROPOS.51 | Adware | Removal successful
ADW_SURFKICK | Adware | Unknown
ADW_DIA.A | Adware | Removal successful
SPYW_SOFTOMATE.A | Spyware | Removal successful
ADW_HYPLINKER.A | Adware | Removal successful
ADW_DEALHELP.A | Adware | Unknown
Microsoft Vulnerability Check42 vulnerabilities detected
What we checked:
Microsoft known security vulnerabilities. These are issues
Microsoft has identified and released Critical Updates to fix.
Results:
We have detected 42 vulnerability/vulnerabilities on your
computer.
Risk Level | Issue | How to Fix
Critical | This vulnerability enables a remote attacker to execute arbitrary code by creating an .MP3 or .WMA file that contains a corrupt custom attribute. This is caused by a buffer overflow in the Windows Shell function in Microsoft Windows XP. | MS02-072
Highly Critical | This vulnerability enables local users to execute arbitrary code through an RPC call. This is caused by a buffer overflow in the RPC Locator service for Windows NT 4.0, Windows NT 4.0 Terminal Server Edition, Windows 2000, and Windows XP. | MS03-001
Highly Critical | This vulnerability enables a remote attacker to execute arbitrary code through a WebDAV request to IIS 5.0. This is caused by a buffer overflow in NTDLL.DLL on Windows NT 4.0, Windows NT 4.0 Terminal Server Edition, Windows 2000, and Windows XP. | MS03-007
Highly Critical | This vulnerability enables a remote attacker to execute any file that can be rendered as text, and be opened as part of a page in Internet Explorer. | MS03-014
Critical | This vulnerability enables a remote attacker to cause a denial of service and execute arbitrary code through a specially formed web page or HTML e-mail. This is caused by a flaw in the way the HTML converter for Microsoft Windows handles a conversion request during a cut-and-paste operation. | MS03-023
Highly Critical | This vulnerability enables a remote attacker to execute arbitrary code through a malformed message. This is caused by a buffer overflow in a certain DCOM interface for RPC in Microsoft Windows NT 4.0, 2000, XP, and Server 2003. | MS03-026
Critical | This vulnerability could allow a remote attacker to execute arbitrary code via a malformed RPC request with a long filename parameter. This is caused by a heap-based buffer overflow found in the Distributed Component Object Model (DCOM) interface in the RPCSS Service.; This vulnerability could allow a remote attacker to cause a denial of service attack, which could allow local attackers to gain privileges via certain messages sent to the __RemoteGetClassObject interface.; This vulnerability could allow a remote attacker to execute arbitrary code via a malformed activation request packet with modified length fields. This is caused by a heap-based buffer overflow in the Distributed Component Object Model (DCOM) interface in the RPCSS Service.; This vulnerability could allow a remote attacker to cause a denial of service attack. This is caused by two threads processing the same RPC request, which will lead to its using memory after it has been freed.; This vulnerability could allow a remote attacker to cause a denial of service attack via a queue registration request. This is caused by a buffer overflow in the Microsoft Message Queue Manager. | MS03-039
Highly Critical | These vulnerabilities, which are due to Internet Explorer not properly determining an object type returned from a Web server in a popup window or during XML data binding, respectively, could allow an attacker to run arbitrary code on a user's system. | MS03-040
Critical | This vulnerability allows a remote attacker to execute arbitrary code without user approval. This is caused by the Authenticode capability in Microsoft Windows NT through Server 2003 not prompting the user to download and install ActiveX controls when the system is low on memory. | MS03-041
Critical | This vulnerability allows a remote attacker to execute arbitrary code on the affected system. This is caused by a buffer overflow in the Messenger Service for Windows NT through Server 2003. | MS03-043
Important | This vulnerability is due to a buffer overrun in the ListBox and ComboBox controls found in User32.dll. Any program that implements the ListBox control or the ComboBox control could allow arbitrary code to be executed at the same privilege level. This vulnerability cannot be exploited remotely. | MS03-045
Critical | This vulnerability could allow an attacker to access information from other Web sites, access files on a user's system, and run arbitrary code on a user's system, wherein this is executed under the security context of the currently logged on user.; This vulnerability could allow an attacker to save a file on the user's system. This is due to dynamic HTML events related to the drag-and-drop of Internet Explorer.; This vulnerability, which is due to the incorrect parsing of URLs which contain special characters, could allow an attacker to trick a user by presenting one URL in the address bar, wherein it actually contains the content of another web site of the attacker's choice. | MS04-004
Highly Critical | The LSASS vulnerability is a buffer overrun vulnerability that allows remote code execution.; The LDAP vulnerability is a denial of service (DoS) vulnerability that causes the service in a Windows 2000 domain controller responsible for authenticating users in an Active Directory domain to stop responding.; The PCT vulnerability is a buffer overrun vulnerability in the Private Communications Transport (PCT) protocol, a part of the SSL library, that allows remote code execution.; The Winlogon vulnerability is a buffer overrun vulnerability in the Windows logon process (winlogon) that allows remote code execution.; The Metafile vulnerability is a buffer overrun vulnerability that exists in the rendering of Windows Metafile (WMF) and Enhanced Metafile (EMF) image formats.; The Help and Support Center vulnerability allows remote code execution and is due to the way Help and Support Center handles HCP URL validation.; The Utility Manager vulnerability is a privilege elevation vulnerability that exists due to the way that Utility Manager launches applications.; The Windows Management vulnerability is a privilege elevation vulnerability that when successfully exploited allows a local attacker to take complete control of a system by executing commands at the system privilege level.; The Local Descriptor Table vulnerability is a privilege elevation vulnerability that when successfully exploited allows a local attacker to take complete control of a system by executing commands with system privileges.; The H.323 vulnerability is a buffer overrun vulnerability that when successfully exploited can allow attackers to gain full control of a system by arbitrarily executing commands with system privileges.; The Virtual DOS Machine vulnerability is a privilege elevation vulnerability that when successfully exploited allows a local attacker to gain full control of a system by executing commands with system privileges.; The Negotiate SSP vulnerability is a buffer overrun vulnerability that exists in Microsoft's Negotiate Security Service Provider (SSP) interface and allows remote code execution.; The SSL vulnerability exists due to the way SSL packets are handled and can cause the affected systems to stop responding to SSL connection requests.; The ASN.1 'Double-Free' vulnerability exists in Microsoft's Abstract Syntax Notation One (ASN.1) Library and allows remote code execution at the system privilege level. | MS04-011
Critical | The RPC Runtime Library vulnerability is a remote code execution vulnerability that results from a race condition when the RPC Runtime Library processes specially crafted messages. An attacker who successfully exploits this vulnerability could take complete control of an affected system.; The RPCSS Service denial of service (DoS) vulnerability allows a malicious user or malware to send specially-crafted messages to a vulnerable system, which causes the RPCSS Service to stop responding.; The RPC Over HTTP vulnerability may be used to launch a denial of service (DoS) attack against a system with CIS or RPC over HTTP Proxy enabled.; When successfully exploited, the Object Identity vulnerability allows an attacker to force currently running applications to open network communication ports, thereby opening a system to remote attacks. | MS04-012
Critical | The MHTML URL Processing Vulnerability allows remote attackers to bypass domain restrictions and execute arbitrary code via script in a compiled help (CHM) file that references the InfoTech Storage (ITS) protocol handlers. This could allow an attacker to take complete control of an affected system. | MS04-013
Critical | This vulnerability exists in the Help and Support Center (HCP) and is due to the way it handles HCP URL validation. This vulnerability could allow an attacker to remotely execute arbitrary code with Local System privileges. | MS04-015
Moderate | A denial of service (DoS) vulnerability exists in Outlook Express that could cause the said program to fail. The malformed email should be removed before restarting Outlook Express in order to regain its normal operation. | MS04-018
Critical | This vulnerability lies in an unchecked buffer within the Task Scheduler component. When exploited, it allows the attacker to execute arbitrary code on the affected machine with the same privileges as the currently logged on user. | MS04-022
Critical | An attacker who successfully exploits this vulnerability could gain the same privileges as that of the currently logged on user. If the user is logged in with administrative privileges, the attacker could take complete control of the system. User accounts with fewer privileges are at less risk than users with administrative privileges. | MS04-023
Critical | The Navigation Method Cross-Domain Vulnerability is a remote execution vulnerability that exists in Internet Explorer because of the way that it handles navigation methods. An attacker could exploit this vulnerability by constructing a malicious Web page that could potentially allow remote code execution if a user visits a malicious Web site.; The Malformed BMP File Buffer Overrun Vulnerability exists in the processing of BMP image file formats that could allow remote code execution on an affected system.; The Malformed GIF File Double Free Vulnerability is a buffer overrun vulnerability that exists in the processing of GIF image file formats that could allow remote code execution on an affected system. | MS04-025
Critical | This vulnerability lies in the way the affected components process JPEG image files. An unchecked buffer within this process is the cause of the vulnerability.; This remote code execution vulnerability could allow a malicious user or malware to take complete control of the affected system if the affected user is currently logged on with administrative privileges. The malicious user or malware can execute arbitrary code on the system, giving them the ability to install or run programs and view or edit data with full privileges. Thus, this vulnerability can conceivably be used by malware for replication purposes. | MS04-028
Important | An unchecked buffer exists in the NetDDE services that could allow remote code execution. An attacker who is able to successfully exploit this vulnerability is capable of gaining complete control over an affected system. However, the NetDDE services are not automatically executed, and so would then have to be manually started for an attacker to exploit this vulnerability. This vulnerability also allows attackers to perform a local elevation of privilege, or a remote denial of service (DoS) attack. | MS04-031
Critical | This cumulative release from Microsoft covers four newly discovered vulnerabilities: Windows Management Vulnerability, Virtual DOS Machine Vulnerability, Graphics Rendering Engine Vulnerability, and Windows Kernel Vulnerability. | MS04-032
Critical | This is another privately reported vulnerability about Windows Compressed Folders. There is a vulnerability in the way that Windows processes Compressed (Zipped) Folders that could lead to remote code execution. Windows cannot properly handle the extraction of a ZIP folder with a very long file name. On opening a specially crafted compressed file, a stack-based overflow occurs, enabling the remote user to execute arbitrary code. | MS04-034
Critical | This security bulletin focuses on the following vulnerabilities: Shell Vulnerability (CAN-2004-0214), and Program Group Converter Vulnerability (CAN-2004-0572). The Shell vulnerability exists in the way Windows Shell launches applications and could enable a remote malicious user or malware to execute arbitrary code. The Windows Shell function does not properly check the length of the message before copying it to the allocated buffer. Program Group Converter is an application used to convert Program Manager Group files that were produced in Windows 3.1, Windows 3.11, Windows for Workgroups 3.1, and Windows for Workgroups 3.11 so that they can still be used by later operating systems. The vulnerability lies in an unchecked buffer within the Group Converter Utility. | MS04-037
Critical | This is a remote code execution vulnerability that exists in Internet Explorer. It allows remote code execution on an affected system. An attacker could exploit this vulnerability by constructing a malicious Web page. The said routine could allow remote code execution if a user visited a malicious Web site. An attacker who successfully exploited this vulnerability could take complete control of an affected system. However, significant user interaction is required to exploit this vulnerability. | MS04-038
Critical | This security update addresses and resolves a vulnerability in Internet Explorer that could allow remote code execution. A Web page can be crafted to exploit this vulnerability such that an arbitrary application can be executed on visiting systems with the same privilege as the currently logged on user. | MS04-040
Important | This security advisory explains the two discovered vulnerabilities in the Microsoft Word for Windows 6.0 Converter, which is used by WordPad in converting Word 6.0 to WordPad file format. Once exploited, this remote code execution vulnerability could allow a malicious user or malware to take complete control of the affected system if the affected user is currently logged on with administrative privileges. | MS04-041
Critical | A remote code execution vulnerability exists in HyperTerminal because of a buffer overrun. If a user is logged on with administrator privileges, an attacker could exploit the vulnerability by constructing a malicious HyperTerminal session file that could potentially allow remote code execution and then persuade a user to open this file. This malicious file may enable the attacker to gain complete control of the affected system. This vulnerability could also be exploited through a malicious Telnet URL if HyperTerminal had been set as the default Telnet client. | MS04-043
Important | This security update addresses and resolves two Windows vulnerabilities, both of which may enable the current user to take control of the affected system. Both of these vulnerabilities require that the current user be able to log on locally and execute programs. They cannot be exploited remotely, or by anonymous users. A privilege elevation vulnerability exists in the way that the Windows Kernel launches applications. This vulnerability could allow the current user to take complete control of the system. A privilege elevation vulnerability exists in the way that LSASS validates identity tokens. This vulnerability could allow the current user to take complete control of the affected system. | MS04-044
Critical | This update resolves a newly-discovered, publicly reported vulnerability. A vulnerability exists in the HTML Help ActiveX control in Windows that could allow information disclosure or remote code execution on an affected system. | MS05-001
Critical | This update resolves several newly-discovered, privately reported and public vulnerabilities. An attacker who successfully exploited the most severe of these vulnerabilities could take complete control of an affected system, install programs, view, change, or delete data, or create new accounts that have full privileges. | MS05-002
Important | This update resolves a newly-discovered, privately reported vulnerability. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs, view, change, or delete data, or create new accounts with full privileges. While remote code execution is possible, an attack would most likely result in a denial of service condition. | MS05-003
Important | A vulnerability in ASP.NET allows an attacker to bypass the security of an ASP.NET Web site, and access a machine. The attacker gains unauthorized access to some areas of the said Web site, and is able to control it accordingly. The actions that the attacker could take would depend on the specific content being protected. | MS05-004
Important | This is an information disclosure vulnerability. An attacker who successfully exploits this vulnerability could remotely read the user names for users who have an open connection to an available shared resource. | MS05-007
Important | This remote code execution vulnerability exists in the way Windows handles drag-and-drop events. An attacker could exploit the vulnerability by constructing a malicious Web page that could potentially allow an attacker to save a file on the user's system if a user visited a malicious Web site or viewed a malicious e-mail message. | MS05-008
Critical | This remote code execution vulnerability exists in the processing of PNG image formats. An attacker who successfully exploits this vulnerability could take complete control of an affected system. | MS05-009
Critical | This remote code execution vulnerability exists in Server Message Block (SMB). It allows an attacker who successfully exploits this vulnerability to take complete control of the affected system. | MS05-011
Critical | This privilege elevation vulnerability exists in the way that the affected operating systems and programs access memory when they process COM structured storage files. This vulnerability could allow a currently logged-on user to take complete control of the system.; This remote code execution vulnerability exists in OLE because of the way that it handles input validation. An attacker could exploit the vulnerability by constructing a malicious document that could potentially allow remote code execution. | MS05-012
Critical | This vulnerability exists in the DHTML Editing Component ActiveX Control. This vulnerability could allow information disclosure or remote code execution on an affected system. | MS05-013
Critical | This update resolves known vulnerabilities affecting Internet Explorer. An attacker who successfully exploits these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. | MS05-014
Critical | A remote code execution vulnerability exists in the Hyperlink Object Library. This problem exists because of an unchecked buffer while handling hyperlinks. An attacker could exploit the vulnerability by constructing a malicious hyperlink which could potentially lead to remote code execution if a user clicks a malicious link within a Web site or e-mail message. | MS05-015
-------------------------
Don't know if this is of any use, but I figured better safe than sorry. If everything seems to be OK I will run AdAware and Spybot. In your opinion, do you think I should update to SP2? Thanks!
Jeff
-
Obviously, delete any files found bad by Panda's or Trend Micro's scans.
Let me know what they didn't clean and you couldn't delete manually.
Finally, clear your System Restore Points by disabling System Restore, restarting your computer and then enabling System Restore.
Let me know how you make out.