TheTechGuide Forum
General Category => Tech Clinic => Topic started by: Nyfe on July 12, 2005, 03:47:32 PM
-
Hi - My computer has been completely messed up for a very long time and my friend just recently recommended this site to me. So I thought I would give it a try. Any help you offer will be greatly appreciated. Here's my HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 3:43:49 PM, on 7/12/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
c:\windows\system32\qqnnif.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\ClearSearch\Loader.exe
C:\WINDOWS\System32\soundcontrl.exe
C:\DOCUME~1\Joe\LOCALS~1\Temp\Loader.EXE
C:\windows\Altnet.exe
C:\windows\180Solutions.exe
C:\windows\180Sol.exe
C:\WINDOWS\System32\xte.exe
C:\Program Files\pmeh\laec.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\ClearSearch\17444812.exe
C:\DOCUME~1\Joe\LOCALS~1\Temp\sysnet.exe
C:\WINDOWS\ajnjdll.exe
C:\WINDOWS\ajnjenc.exe
C:\Program Files\CMAPP\Client\cmappclient.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\HJT\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.kazaa-lite.ws/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.kazaa-lite.ws/results.php?show=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.kazaa-lite.ws/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {00000000-0000-4582-B386-DEFD5B89DF4E} - C:\Program Files\ClearSearch\ClearSearch.dll
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: ohb - {22B720C7-5FA6-40A8-9F8F-8584BF669690} - C:\WINDOWS\System32\trgen.dll
O2 - BHO: Idea2 SidebarBrowserMonitor Class - {45AD732C-2CE2-4666-B366-B2214AD57A49} - C:\Program Files\Desktop Sidebar\sbhelp.dll (file missing)
O2 - BHO: ohb - {4D568F0F-8AC9-40AB-88B7-415134C78777} - C:\WINDOWS\System32\winb2s32.dll
O2 - BHO: (no name) - {6EA33A24-BF10-55CF-DE01-11557CAF2315} - C:\WINDOWS\System32\xcptpeh.dll
O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\System32\nvms.dll
O2 - BHO: (no name) - {B3F5ED94-7075-7FD8-5DC3-70C278E62FB3} - C:\WINDOWS\System32\noziz.dll
O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\System32\mscb.dll
O2 - BHO: Url Catcher - {CE31A1F7-3D90-4874-8FBE-A5D97F8BC8F1} - C:\WINDOWS\System32\apuc.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
O2 - BHO: RichEditor Class - {F79A2C4B-8776-4ED7-8B2F-4786A4A3500A} - C:\WINDOWS\System32\richedtr.dll
O3 - Toolbar: Begin2Search.com Bar - {52FE5233-367C-4EFB-BDD7-0BE4D212C107} - C:\WINDOWS\System32\winb2s32.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [ClrSchLoader] C:\Program Files\ClearSearch\Loader.exe
O4 - HKLM\..\Run: [Image] rundll32 C:\WINDOWS\image.dll,Install
O4 - HKLM\..\Run: [soundcontrl] soundcontrl.exe
O4 - HKLM\..\Run: [jpegc] C:\WINDOWS\system32\NtmsData\jpegc.exe
O4 - HKLM\..\Run: [Dimension] C:\Program Files\Dimension\Dimension.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [conscorr] C:\WINDOWS\conscorr.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [TempLoader] C:\DOCUME~1\Joe\LOCALS~1\Temp\Loader.EXE
O4 - HKLM\..\Run: [richup] C:\WINDOWS\System32\richup.exe
O4 - HKLM\..\Run: [jazgha] c:\windows\system32\qqnnif.exe r
O4 - HKLM\..\Run: [Sysnet] C:\DOCUME~1\Joe\LOCALS~1\Temp\sysnet.exe
O4 - HKLM\..\Run: [ajnjdll] C:\WINDOWS\ajnjdll.EXE
O4 - HKLM\..\Run: [ajnjenc] C:\WINDOWS\ajnjenc.EXE
O4 - HKLM\..\RunServices: [soundcontrl] soundcontrl.exe
O4 - HKLM\..\RunServices: [Altnet] C:\windows\Altnet.exe
O4 - HKLM\..\RunServices: [180Solutions] C:\windows\180Solutions.exe
O4 - HKLM\..\RunServices: [180Sol] C:\windows\180Sol.exe
O4 - HKCU\..\Run: [uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Joe\Application Data\ttuh.exe
O4 - HKCU\..\Run: [Altnet] C:\windows\Altnet.exe
O4 - HKCU\..\Run: [180Solutions] C:\windows\180Solutions.exe
O4 - HKCU\..\Run: [180Sol] C:\windows\180Sol.exe
O4 - HKCU\..\Run: [Cojdgh] C:\WINDOWS\System32\xte.exe
O4 - HKCU\..\Run: [Vxdzxpl] C:\WINDOWS\System32\l?ass.exe
O4 - HKCU\..\Run: [Neta] C:\Program Files\pmeh\laec.exe
O4 - HKCU\..\Run: [CMAPP] "C:\Program Files\CMAPP\Client\cmappclient.exe"
O4 - HKCU\..\RunServices: [Image] rundll32 C:\WINDOWS\image.dll,Install
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O9 - Extra button: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\Program Files\Desktop Sidebar\sbhelp.dll (file missing)
O9 - Extra 'Tools' menuitem: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\Program Files\Desktop Sidebar\sbhelp.dll (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger Addon - {FB5F1911-F110-11d2-BB9E-00C04F795683} - http://messenger.ipfox.com (file missing)
O9 - Extra 'Tools' menuitem: &Messenger Addon - {FB5F1911-F110-11d2-BB9E-00C04F795683} - http://messenger.ipfox.com (file missing)
O16 - DPF: IEToolbarCab - http://www.animetoolbar.com/DailyToolbar.CAB
O16 - DPF: {07E9CDF4-20D2-46B1-B681-663968F527CE} (iiittt Class) - http://www.begin2search.com/toolbar/winb2s32.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebproducts/ei/CursorManiaInitialSetup1.0.0.8.cab
O16 - DPF: {918753F1-34D2-46EE-9D53-2722D1FE4BCC} (MyCorkboard Class) - http://www.mycorkboard.com/CabFiles/WebsiteHelper.cab
O16 - DPF: {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} (brdg Class) - http://static.flingstone.com/cab/2000XP/CDTInc/bridge.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\Program Files\CMAPP\Client\cmappmf.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: Windows VisFx Components - Unknown owner - C:\WINDOWS\ajnjsvc.exe
-
Wow, you have some cleaning to do
Can you do the following please
==Download and Install this small program
to help clean your temp folders,cookies, etc...
Windows Cleanup! 4.0 (http://downloads.stevengould.org/cleanup/CleanUp40.exe)
Give the link time to load or try it twice, it may be busy
Don't run this yet, we'll need it in a bit
Download and Install the free version of Ad-Aware SE Personal 1.06 (ftp://ftp.download.com/pub/win95/utilities/aawsepersonal.exe)
From the direct link above or click HERE (http://www.download.com/Ad-Aware-SE-Personal-Edition/3000-8022_4-10045910.html?part=dl-ad-aware&subj=dl&tag=top5)
Ensure you have the latest version
Open Ad-Aware, ensure to click the check for updates now link and Connect to download the latest updates
When installing, Ad-Aware should check for updates
Allow it, but don't run a scan yet
Instead
Download and Install Spybot 1.4 from
HERE (http://www.download.com/3000-2144-10122137.html?part=104443&subj=dlpage&tag=button)
or HERE (http://www.safer-networking.org/en/download/index.html)
Don't activate the Tea Timer when installing, it's a great feature but can get in the way
of any fixes we may still have to do
After installation--Click the UPDATE button on the left
SEARCH FOR UPDATES on the right
Check, and download all updates
Again, don't run a scan yet
Now that you have some tools for initial cleanup, let's start getting your rig clean
Please Print this out or save these instructions to a Notepad file and save it to your Desktop
RESTART your Computer in SAFE MODE (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001060608000039?OpenDocument&ExpandSection=4#_Section4)
You can do this by tapping the F8 key as the system is restarting, just before Windows loads, or use the link
I supplied for a more detailed explanation
In safe mode, please do the following
==Open Windows CleanUp!>>START>>programs>>Cleanup!
Click on the CleanUp button, let it finish scanning for files, when it's done
DECLINE to Log off or Restart when scan is done.
Open Ad-Aware
Click START
Click the radio button to Perform a Full system scan then click NEXT
When it's finished scanning
At this point you should either right click on the screen and choose the "Select All" Objects option or individually put a checkmark in each object's checkbox
click on the Next button. Ad-Aware SE will now present you with a confirmation box as to whether or not you would like to remove the objects you have just selected. Press the "OK" button
Restart your computer to finish the cleaning process
Please Restart back to Safe mode
Back in Windows
Open Spybot
Click the Search & Destroy button on the left
Check for Problems---When the Scan is complete
FIX all selected problems in RED
Restart back to Normal mode
Back in Windows, your system is far behind on Windows Updates
Please visit the following link and for now Download and install Service Pack 1a
Don't install Service pack 2 yet, we should clean your system beforehand
Just select your language and hit Go
save the Installer to desktop
http://www.microsoft.com/windowsxp/downloads/updates/sp1/expresso.mspx
Reboot after installation and prompted
Run another scan with Hijackthis and post a fresh log
-
Ok!
:lol: thanks a bunch it fixed 1 problem but obviously still more are in this blasted computer. well here's the log u requested and thanks a lot for the help you have been giving me.
Logfile of HijackThis v1.99.1
Scan saved at 1:50:54 PM, on 7/13/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
c:\windows\system32\iaswdb.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\WINDOWS\System32\soundcontrl.exe
C:\WINDOWS\ajnjdll.EXE
C:\WINDOWS\ajnjenc.EXE
C:\windows\Altnet.exe
C:\windows\180Solutions.exe
C:\windows\180Sol.exe
C:\WINDOWS\System32\l?ass.exe
C:\Program Files\CMAPP\Client\cmappclient.exe
C:\Program Files\pmeh\laec.exe
C:\windows\431xg82q.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\ajnjsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\HJT\hijackthis\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {00000000-0000-4BDA-9636-0B206F14166A} - C:\Program Files\ClearSearch\ClearSearch.dll (file missing)
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: Idea2 SidebarBrowserMonitor Class - {45AD732C-2CE2-4666-B366-B2214AD57A49} - C:\Program Files\Desktop Sidebar\sbhelp.dll (file missing)
O2 - BHO: (no name) - {B3F5ED94-7075-7FD8-5DC3-70C278E62FB3} - C:\WINDOWS\System32\noziz.dll
O2 - BHO: RichEditor Class - {F79A2C4B-8776-4ED7-8B2F-4786A4A3500A} - C:\WINDOWS\System32\richedtr.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [soundcontrl] soundcontrl.exe
O4 - HKLM\..\Run: [jpegc] C:\WINDOWS\system32\NtmsData\jpegc.exe
O4 - HKLM\..\Run: [Dimension] C:\Program Files\Dimension\Dimension.exe
O4 - HKLM\..\Run: [TempLoader] C:\DOCUME~1\Joe\LOCALS~1\Temp\Loader.EXE
O4 - HKLM\..\Run: [richup] C:\WINDOWS\System32\richup.exe
O4 - HKLM\..\Run: [Sysnet] C:\DOCUME~1\Joe\LOCALS~1\Temp\sysnet.exe
O4 - HKLM\..\Run: [ajnjdll] C:\WINDOWS\ajnjdll.EXE
O4 - HKLM\..\Run: [ajnjenc] C:\WINDOWS\ajnjenc.EXE
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [ptnwxh] c:\windows\system32\iaswdb.exe r
O4 - HKLM\..\RunServices: [soundcontrl] soundcontrl.exe
O4 - HKLM\..\RunServices: [Altnet] C:\windows\Altnet.exe
O4 - HKLM\..\RunServices: [180Solutions] C:\windows\180Solutions.exe
O4 - HKLM\..\RunServices: [180Sol] C:\windows\180Sol.exe
O4 - HKLM\..\RunServices: [431xg82q] C:\windows\431xg82q.exe
O4 - HKCU\..\Run: [uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - HKCU\..\Run: [Altnet] C:\windows\Altnet.exe
O4 - HKCU\..\Run: [180Solutions] C:\windows\180Solutions.exe
O4 - HKCU\..\Run: [180Sol] C:\windows\180Sol.exe
O4 - HKCU\..\Run: [Vxdzxpl] C:\WINDOWS\System32\l?ass.exe
O4 - HKCU\..\Run: [CMAPP] "C:\Program Files\CMAPP\Client\cmappclient.exe"
O4 - HKCU\..\Run: [Neta] C:\Program Files\pmeh\laec.exe
O4 - HKCU\..\Run: [431xg82q] C:\windows\431xg82q.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O9 - Extra button: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\Program Files\Desktop Sidebar\sbhelp.dll (file missing)
O9 - Extra 'Tools' menuitem: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\Program Files\Desktop Sidebar\sbhelp.dll (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {07E9CDF4-20D2-46B1-B681-663968F527CE} - http://www.begin2search.com/toolbar/winb2s32.cab
O16 - DPF: {918753F1-34D2-46EE-9D53-2722D1FE4BCC} (MyCorkboard Class) - http://www.mycorkboard.com/CabFiles/WebsiteHelper.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: Windows VisFx Components - Unknown owner - C:\WINDOWS\ajnjsvc.exe
-
Let's continue cleaning this machine
A couple more times and you should be looking good
I need you to download a couple more tools please
Download and Unzip The Hoster (http://www.funkytoad.com/download/hoster.zip) to a folder
Open Hoster and
Press "Restore Original Hosts" and press "OK".
Then Exit
==Download and Save to desktop
FXGaobot.exe by Symantec's (http://securityresponse.symantec.com/avcenter/FxGaobot.exe)
Don't run it yet
==Please download Nailfix.zip (http://www.thetechguide.com/forum/index.php?act=Attach&type=post&id=290)
Unzip it to the desktop but please do NOT run it yet
Give the link time to load
EDIT>>Replaced the link to Nailfix, the first one may not be reliable
==Download and then Install
Ewido Security Suite (http://download.ewido.net/ewido-setup.exe)
When installing, under "Additional Options" Uncheck "Install background guard" and "Install scan via context menu".
When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We'll fix that later
From the main ewido screen, click on Update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful")
Close out Ewido for now, we'll need it later
If for some reason the Updater won't work can you manually download the
Updates from this link after you have Ewido installed
http://www.ewido.net/en/download/updates/
==Please Print this out or save these instructions to a Notepad file and save it to your Desktop
==Access your Add/Remove programs and remove if found
Alnets
WebSearch Tools
180Solutions <-Please allow Internet connection if found
Ensure you're uninstalling at the prompts
RESTART your Computer in SAFE MODE (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001060608000039?OpenDocument&ExpandSection=4#_Section4)
You can do this by tapping the F8 key as the system is restarting, just before Windows loads, or use the link
I supplied for a more detailed explanation
In safe mode, please do the following
Set Windows To Show Hidden Files and Folders
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Uncheck the Hide Extensions for known file types
* Click Yes to confirm.
* Click OK.
Go to START>>>RUN>>>type in services.msc
Hit OK
In the next window, look on the right hand side for this service
name---- System Startup Service
Double click on it--- STOP the service--If running
In the drop down menu, change the startup type to Disabled
Do the same for this service name
Windows VisFx Components
Open Hijackthis>>Open Misc tools Section>>Open "Delete an NT service"
Copy and paste, or type this into the blank box then hit OK
Windows VisFx Components
Don't restart if prompted, stay in safe mode
==Double-click on nailfix.cmd that you unzipped earlier. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal
==Run FXGaobot.exe tool by Symantec's, let it scan your drive and fix what it finds
Find and delete these files or folders if found
Look carefully, don't delete something because it looks similar
FILES
C:\WINDOWS\ajnjdll.EXE <-file
C:\WINDOWS\ajnjenc.EXE
C:\WINDOWS\ajnjsvc.exe
C:\windows\431xg82q.exe
C:\windows\Altnet.exe
C:\WINDOWS\Nail.exe
C:\WINDOWS\svcproc.exe
C:\windows\180Solutions.exe
C:\windows\180Sol.exe
C:\WINDOWS\systb.dll
c:\windows\system32\iaswdb.exe
C:\WINDOWS\System32\noziz.dll
C:\WINDOWS\System32\richedtr.dll
C:\WINDOWS\System32\richup.exe
C:\WINDOWS\System32\soundcontrl.exe
FOLDERS
C:\Program Files\pmeh <-folder
C:\Program Files\ClearSearch
Afterwards,
==Open Windows CleanUp!>>START>>programs>>Cleanup!
Click on the CleanUp button, let it finish scanning for files, when it's done
DECLINE to Log off or Restart when scan is done.
==Open Ewido trojan scanner
Click on the Scanner button on the left menu
Click on the Settings button on the right
Select "Scan Every File"
OK it and then click on the "Complete System Scan"
*If Ewido finds something it will prompt you with "Infected Object found"
Ensure the following are Selected
*1. Perform Action = Remove
*2. Create Encrypted Backup in Quarantine (Recommended)
*3. Perform action with all infections
Then click OK
When Ewido has finished its scan click the "Save Report" button
Save the report to desktop
Exit Ewido
NOTE: When Ewido is running do NOT open any other Windows
Let it do its job
When the scan has finished and report saved
Do another scan with Hijackthis and put a check next to these entries:
Not all may be found, but check what you see from the below:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {00000000-0000-4BDA-9636-0B206F14166A} - C:\Program Files\ClearSearch\ClearSearch.dll (file missing)
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: Idea2 SidebarBrowserMonitor Class - {45AD732C-2CE2-4666-B366-B2214AD57A49} - C:\Program Files\Desktop Sidebar\sbhelp.dll (file missing)
O2 - BHO: (no name) - {B3F5ED94-7075-7FD8-5DC3-70C278E62FB3} - C:\WINDOWS\System32\noziz.dll
O2 - BHO: RichEditor Class - {F79A2C4B-8776-4ED7-8B2F-4786A4A3500A} - C:\WINDOWS\System32\richedtr.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [soundcontrl] soundcontrl.exe
O4 - HKLM\..\Run: [jpegc] C:\WINDOWS\system32\NtmsData\jpegc.exe
O4 - HKLM\..\Run: [TempLoader] C:\DOCUME~1\Joe\LOCALS~1\Temp\Loader.EXE
O4 - HKLM\..\Run: [richup] C:\WINDOWS\System32\richup.exe
O4 - HKLM\..\Run: [Sysnet] C:\DOCUME~1\Joe\LOCALS~1\Temp\sysnet.exe
O4 - HKLM\..\Run: [ajnjdll] C:\WINDOWS\ajnjdll.EXE
O4 - HKLM\..\Run: [ajnjenc] C:\WINDOWS\ajnjenc.EXE
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [ptnwxh] c:\windows\system32\iaswdb.exe r
O4 - HKLM\..\RunServices: [soundcontrl] soundcontrl.exe
O4 - HKLM\..\RunServices: [Altnet] C:\windows\Altnet.exe
O4 - HKLM\..\RunServices: [180Solutions] C:\windows\180Solutions.exe
O4 - HKLM\..\RunServices: [180Sol] C:\windows\180Sol.exe
O4 - HKLM\..\RunServices: [431xg82q] C:\windows\431xg82q.exe
O4 - HKCU\..\Run: [Altnet] C:\windows\Altnet.exe
O4 - HKCU\..\Run: [180Solutions] C:\windows\180Solutions.exe
O4 - HKCU\..\Run: [180Sol] C:\windows\180Sol.exe
O4 - HKCU\..\Run: [Vxdzxpl] C:\WINDOWS\System32\l?ass.exe
O4 - HKCU\..\Run: [CMAPP] "C:\Program Files\CMAPP\Client\cmappclient.exe"
O4 - HKCU\..\Run: [Neta] C:\Program Files\pmeh\laec.exe
O4 - HKCU\..\Run: [431xg82q] C:\windows\431xg82q.exe
O9 - Extra button: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\Program Files\Desktop Sidebar\sbhelp.dll (file missing)
O9 - Extra 'Tools' menuitem: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\Program Files\Desktop Sidebar\sbhelp.dll (file missing)
O16 - DPF: {07E9CDF4-20D2-46B1-B681-663968F527CE} - http://www.begin2search.com/toolbar/winb2s32.cab
O16 - DPF: {918753F1-34D2-46EE-9D53-2722D1FE4BCC} (MyCorkboard Class) - http://www.mycorkboard.com/CabFiles/WebsiteHelper.cab
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: Windows VisFx Components - Unknown owner - C:\WINDOWS\ajnjsvc.exe
After you have ticked the above entries, close All other open windows,
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
Restart your computer back to Normal mode afterwards
Back in Windows, open Hoster again and click the Restore Original Hosts
Run an online Virus scan at Panda's, the link to it is below in my Signature
Use IE when running the scan
When Panda has finished, can you save its report please
Post back all the following
Run another scan with Hijackthis and post a fresh log
Also, include the report from Ewido's and Panda's
-
ok one problem
:( i don't see the file "system startup service" i just have system restore and system event notifier i don't know if i did something wrong but i'm following your directions best i can my friend has been helping me but he's not here ATM so i'm trying this on my own and i did not see that file....
-
Just carry on with the instructions
Don't disable those 2 services
Do what you can, let me know what you couldn't accomplish when you post back the fresh hijackthis log and the Ewido Report
:)
Oh, and the report from Panda's
-
alright i still can't thank u enuf for the time you're putting into this project but i'm gonna have the friend that showed me this site come over and help me do it all cuz i don't want to mess up my computer anymore and have wasted your time so i'll reply the logs and stuff whenever he comes over thanks again
:D
-
sorry to sound stupid but at the point in yr instructions where it says to delete the files found in any folders and what not where am i supposed to look exactly? i'm sorry i'm just not very smart with computers....
:blink:
-
No problems, don't be sorry
After you have set Windows to show hidden files and folders
Do this
Open MyComputer
Double click on The C:\ drive to open the contents
Double click on the Windows folder to open the contents
In the Windows folder look for those files I asked you to delete
If you find any
Right click on it and select Delete
and send it to the recycle bin
When you're done looking in the Windows folder
Double click on the System32 folder in the Windows folder to open it
Look for the files to delete in the System32 folder I asked you to remove
Then under the C:\ drive again open the Program Files folder
Look for these 2 folders and delete if found
pmeh & ClearSearch
Remember, don't delete something because it looks similar
NOTE: I hope you're using a different computer when posting back here
I want you to try as much as you can being offline and in Safe mode
Without interruption
Again, do what you can
Post back a fresh hijackthis log later and the other logs I asked for
Let me know what you couldn't accomplish after you post these logs back
-
WOW
:o that's amazing how much that shortened! thank u again
b(-.^)d
<HJT LOG>
Logfile of HijackThis v1.99.1
Scan saved at 1:04:15 AM, on 7/18/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HJT\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Idea2 SidebarBrowserMonitor Class - {45AD732C-2CE2-4666-B366-B2214AD57A49} - C:\Program Files\Desktop Sidebar\sbhelp.dll (file missing)
O2 - BHO: RichEditor Class - {F79A2C4B-8776-4ED7-8B2F-4786A4A3500A} - C:\WINDOWS\System32\richedtr.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [Dimension] C:\Program Files\Dimension\Dimension.exe
O4 - HKLM\..\Run: [fommdnt] c:\windows\system32\ngtdzx.exe r
O4 - HKCU\..\Run: [uoltray] C:\Program Files\NetZero\exec.exe regrun
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
Ewido
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------
+ Created on: 11:33:40 PM, 7/17/2005
+ Report-Checksum: 48846544
+ Scan result:
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016248.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016249.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016250.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016251.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016252.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016253.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016254.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016255.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016256.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016257.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016258.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016259.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016260.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016261.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016262.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016263.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016264.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016265.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016266.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016267.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016268.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016269.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016270.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016271.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016272.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016273.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016274.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016275.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016276.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016277.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016278.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016279.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016280.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016281.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016282.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016283.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016284.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016285.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016286.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016287.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016288.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016289.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016290.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016291.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016292.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016293.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016294.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016295.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016296.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016297.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016298.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016299.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016300.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016301.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016302.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016303.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016304.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016305.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016306.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016307.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016308.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016309.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016310.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016311.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016312.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016313.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016314.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016315.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016316.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016317.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016318.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016319.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016320.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016321.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016322.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016323.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016324.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016325.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016326.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016327.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016328.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016329.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016330.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016331.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016332.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016333.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016334.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016335.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016336.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016337.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016338.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016339.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016340.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016341.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016342.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016343.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016344.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016345.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016346.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016347.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016348.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016349.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016350.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016351.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016352.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016353.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016354.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016355.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016356.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016357.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016358.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016359.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016360.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016361.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016362.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016363.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016364.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016365.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016366.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016367.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016368.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016369.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016370.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016371.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016372.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016373.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016374.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016375.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016376.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016377.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016378.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016379.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016380.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016381.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016382.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016383.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016384.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016385.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016386.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP23\A0016387.exe -> Worm.Blaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83
-
I don't think Panda posted in the last one, nor am I sure if the Ewido has everything posted, so here's Panda
Incident Status Location
Spyware:spyware/tvmedia No disinfected C:\DOCUMENTS AND SETTINGS\JOE\APPLICATION DATA\tvmknwrd.dll
Spyware:spyware/whazit No disinfected C:\WINDOWS\SYSTEM32\fiz1
Adware:adware/cws No disinfected C:\DOCUMENTS AND SETTINGS\JOE\FAVORITES\Online Casino.url
Adware:adware/ipinsight No disinfected C:\WINDOWS\INF\conscorr.inf
Adware:adware/aurora No disinfected C:\WINDOWS\Nail.exe
Spyware:spyware/new.net No disinfected C:\WINDOWS\NDNuninstall4_88.exe
Adware:adware/twain-tech No disinfected C:\WINDOWS\smdat32m.sys
Adware:adware/ieplugin No disinfected C:\WINDOWS\systb.dll
Adware:adware/apropos No disinfected C:\PROGRAM FILES\Aprps
Adware:adware/sidesearch No disinfected C:\PROGRAM FILES\Lycos
Adware:adware/myway No disinfected C:\PROGRAM FILES\MyWay
Adware:adware/beginto No disinfected C:\WINDOWS\SYSTEM32\cache32_rtneg2
Adware:adware/ncase No disinfected C:\WINDOWS\SYSTEM32\FLEOK
Adware:adware/sahagent No disinfected C:\WINDOWS\SYSTEM32\SahImages
Adware:adware/mediatickets No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\MODULEUSAGE\C:/WINDOWS/DOWNLOADED PROGRAM FILES/MEDIATICKETSINSTALLER.OCX
Adware:adware/sidefind No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\TSL INSTALLER
Spyware:spyware/betterinet No disinfected HKEY_CURRENT_USER\SOFTWARE\IN3RD
Spyware:spyware/clearsearch No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\CLEARSEARCH
Adware:adware/mywebsearch No disinfected HKEY_CLASSES_ROOT\CLSID\{147A976E-EEE1-4377-8EA7-4716E4CDD239}
Adware:adware/funweb No disinfected HKEY_CLASSES_ROOT\CLSID\{9AFB8248-617F-460D-9366-D71CDEDA3179}
Adware:adware/brilliantdigital No disinfected HKEY_CLASSES_ROOT\Interface\{48E59292-9880-11CF-9754-00AA00C00908}
Possible Virus. No disinfected C:\HJT\hijackthis\backups\backup-20050717-234424-935.dll
Adware:Adware/ConsumerAlertSystem No disinfected C:\Program Files\CMAPP\Client\cmappmf.dll
Adware:Adware/Lop No disinfected C:\Program Files\htm comp user\DataRoam.exe
Adware:Adware/Lop No disinfected C:\Program Files\htm comp user\Does Mess Global.exe
Adware:Adware/Lop No disinfected C:\Program Files\htm comp user\ealhvkdt.exe
Adware:Adware/Lop No disinfected C:\Program Files\htm comp user\guexwhap.exe
Adware:Adware/Lop No disinfected C:\Program Files\htm comp user\khwtsdeu.exe
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\INF\biini.inf
Adware:Adware/IPInsight No disinfected C:\WINDOWS\INF\conscorr.inf
Adware:Adware/Transponder No disinfected C:\WINDOWS\Nail.exe
Spyware:Spyware/New.net No disinfected C:\WINDOWS\NDNuninstall4_88.exe
Spyware:Spyware/New.net No disinfected C:\WINDOWS\NDNuninstall4_94.exe
Spyware:Spyware/New.net No disinfected C:\WINDOWS\NDNuninstall5_40.exe
Spyware:Spyware/New.net No disinfected C:\WINDOWS\NDNuninstall5_48.exe
Virus:Trj/Imiserv.D Disinfected C:\WINDOWS\systb.dll
Adware:Adware/Transponder No disinfected C:\WINDOWS\SYSTEM32\aqadkgs.exe
Virus:W32/Sasser.ftp Disinfected C:\WINDOWS\SYSTEM32\cmd.ftp
Virus:Trj/Qhost.gen Disinfected C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.20050713-122924.backup
Adware:Adware/Transponder No disinfected C:\WINDOWS\SYSTEM32\glwnyc.exe
Adware:Adware/Transponder No disinfected C:\WINDOWS\SYSTEM32\gthufm.exe
Adware:Adware/Transponder No disinfected C:\WINDOWS\SYSTEM32\hkmmtr.exe
Adware:Adware/Transponder No disinfected C:\WINDOWS\SYSTEM32\icedup.exe
Adware:Adware/Transponder No disinfected C:\WINDOWS\SYSTEM32\idwoucc.exe
Adware:Adware/Transponder No disinfected C:\WINDOWS\SYSTEM32\ihmjqc.exe
Adware:Adware/Transponder No disinfected C:\WINDOWS\SYSTEM32\impupkt.exe
Virus:Trj/Dropper.HR Disinfected C:\WINDOWS\SYSTEM32\in2b3s.dlltmp
Spyware:Spyware/SafeSurf No disinfected C:\WINDOWS\SYSTEM32\InstallerV3.exe
Adware:Adware/Transponder No disinfected C:\WINDOWS\SYSTEM32\jcpwjvq.exe
Adware:Adware/Transponder No disinfected C:\WINDOWS\SYSTEM32\jgnpdvx.exe
Adware:Adware/Transponder No disinfected C:\WINDOWS\SYSTEM32\kbnpshp.exe
Adware:Adware/Transponder No disinfected C:\WINDOWS\SYSTEM32\kptiit.exe
Adware:Adware/Transponder No disinfected C:\WINDOWS\SYSTEM32\ldotek.exe
Adware:Adware/PurityScan No disinfected C:\WINDOWS\SYSTEM32\l?ass.exe
Adware:Adware/Transponder No disinfected C:\WINDOWS\SYSTEM32\ouwuhz.exe
Adware:Adware/Transponder No disinfected C:\WINDOWS\SYSTEM32\ozzttf.exe
Adware:Adware/Transponder No disinfected C:\WINDOWS\SYSTEM32\qongqf.exe
Adware:Adware/Transponder No disinfected C:\WINDOWS\SYSTEM32\rzgyto.exe
Adware:Adware/PurityScan No disinfected C:\WINDOWS\SYSTEM32\Shex.exe
Adware:Adware/Transponder No disinfected C:\WINDOWS\SYSTEM32\snsiqjh.exe
Adware:Adware/Transponder No disinfected C:\WINDOWS\SYSTEM32\udgosp.exe
Adware:Adware/Transponder No disinfected C:\WINDOWS\SYSTEM32\uimifr.exe
Adware:Adware/Transponder No disinfected C:\WINDOWS\SYSTEM32\vcmzzg.exe
Virus:Trj/Dropper.HQ Disinfected C:\WINDOWS\SYSTEM32\w1ub.dll
Adware:Adware/Transponder No disinfected C:\WINDOWS\SYSTEM32\zbsqfug.exe
-
OK, I have a question: every time I start my comp, Ewido comes up saying infected objects found and I must click OK like a hundred times before it stops. Is that normal?
-
Let's try some more cleaning please
Usually I ask that you disable System Restore at the end; in your case I would like to see the whole report from Ewidos
So please do the following
Disable System Restore; if you're unsure how to, please follow this link
Don't re-enable it until I prompt you
Disable System Restore (http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm)
Download and UNZIP to your desktop Fix.zip
So you now have Fix.reg and Remove.bat extracted to your desktop
We'll need these later
[attachment=292:attachment]
Delete your version of Nailfix.zip and the Nailfix folder
Download and SAVE to desktop this version of
NailFix.exe (http://www.spywareedge.net/nf/nailfix.exe)
we'll need this later
Download the Killbox by Option^Explicit (http://www.downloads.subratam.org/KillBox.zip). *In the event you already have Killbox, this is a new version that I need you to download.
* UNZIP it to your desktop or a folder
Open a Notepad file..Go to START>>RUN>>Type in notepad
Hit OK
I need you to copy all of the Killbox file paths below and paste them into Notepad.
Save this Notepad file to desktop
Disconnect from the Internet, close all browser windows
Do another scan with Hijackthis and put a check next to these entries:
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Idea2 SidebarBrowserMonitor Class - {45AD732C-2CE2-4666-B366-B2214AD57A49} - C:\Program Files\Desktop Sidebar\sbhelp.dll (file missing)
O2 - BHO: RichEditor Class - {F79A2C4B-8776-4ED7-8B2F-4786A4A3500A} - C:\WINDOWS\System32\richedtr.dll
O4 - HKLM\..\Run: [fommdnt] c:\windows\system32\ngtdzx.exe r
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
After you have ticked the above entries, close All other open windows,
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
* Please double-click Killbox.exe to run it.
* Select "Delete on Reboot".
* Open the Notepad file where you saved the file paths earlier and copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C
Killbox file paths to copy and paste to Notepad between dotted lines
===========================================
C:\DOCUMENTS AND SETTINGS\JOE\APPLICATION DATA\tvmknwrd.dll
C:\WINDOWS\SYSTEM32\fiz1
C:\DOCUMENTS AND SETTINGS\JOE\FAVORITES\Online Casino.url
C:\WINDOWS\INF\conscorr.inf
C:\WINDOWS\Nail.exe
C:\WINDOWS\NDNuninstall4_88.exe
C:\WINDOWS\smdat32m.sys
C:\WINDOWS\systb.dll
C:\Program Files\CMAPP\Client\cmappmf.dll
C:\Program Files\htm comp user\DataRoam.exe
C:\Program Files\htm comp user\Does Mess Global.exe
C:\Program Files\htm comp user\ealhvkdt.exe
C:\Program Files\htm comp user\guexwhap.exe
C:\Program Files\htm comp user\khwtsdeu.exe
C:\WINDOWS\INF\biini.inf
C:\WINDOWS\NDNuninstall4_94.exe
C:\WINDOWS\NDNuninstall5_40.exe
C:\WINDOWS\NDNuninstall5_48.exe
c:\windows\system32\ngtdzx.exe
C:\WINDOWS\SYSTEM32\aqadkgs.exe
C:\WINDOWS\SYSTEM32\glwnyc.exe
C:\WINDOWS\SYSTEM32\gthufm.exe
C:\WINDOWS\SYSTEM32\hkmmtr.exe
C:\WINDOWS\SYSTEM32\icedup.exe
C:\WINDOWS\SYSTEM32\idwoucc.exe
C:\WINDOWS\SYSTEM32\ihmjqc.exe
C:\WINDOWS\SYSTEM32\impupkt.exe
C:\WINDOWS\SYSTEM32\InstallerV3.exe
C:\WINDOWS\SYSTEM32\jcpwjvq.exe
C:\WINDOWS\SYSTEM32\jgnpdvx.exe
C:\WINDOWS\SYSTEM32\kbnpshp.exe
C:\WINDOWS\SYSTEM32\kptiit.exe
C:\WINDOWS\SYSTEM32\ldotek.exe
C:\WINDOWS\SYSTEM32\l?ass.exe
C:\WINDOWS\SYSTEM32\ouwuhz.exe
C:\WINDOWS\SYSTEM32\ozzttf.exe
C:\WINDOWS\SYSTEM32\qongqf.exe
C:\WINDOWS\SYSTEM32\rzgyto.exe
C:\WINDOWS\SYSTEM32\Shex.exe
C:\WINDOWS\SYSTEM32\snsiqjh.exe
C:\WINDOWS\SYSTEM32\udgosp.exe
C:\WINDOWS\SYSTEM32\uimifr.exe
C:\WINDOWS\SYSTEM32\vcmzzg.exe
C:\WINDOWS\SYSTEM32\w1ub.dll
C:\WINDOWS\SYSTEM32\zbsqfug.exe
===================================================
* Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
* Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.
Don't worry about No file found messages or error messages
If your computer does not restart automatically, please restart it manually.
Please Restart your computer into safe mode as the computer is rebooting
In safe mode
Double click on NailFix.exe to run it
Click NEXT and then FINISH
A window will flash quickly, this is normal
Double click on Remove.bat >>A window will open and close quickly, this is normal
Double click on fix.reg and allow to add or merge to the registry
Find and delete these folders if found
C:\PROGRAM FILES\Aprps
C:\PROGRAM FILES\Lycos
C:\PROGRAM FILES\MyWay
C:\WINDOWS\SYSTEM32\cache32_rtneg2
C:\WINDOWS\SYSTEM32\FLEOK
C:\WINDOWS\SYSTEM32\SahImages
Stay in safe Mode
Run Windows CleanUp! again
Don't restart or log off when it's done
Instead run Ewido again
Save the log afterwards
Restart back to Normal mode
Re-enable System Restore
Run another online scan at Pandas again
Save the report
post back a fresh hijackthis log
The fresh Ewido report and the fresh Panda report
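The entries ticked in the post above have a few traits in common: a target marked "(file missing)", a Shell value that starts something besides Explorer.exe, and a Run value in system32 with a lone one-letter argument. As an added example (not part of the original post and not HijackThis's own logic), the Python below applies those three checks to log lines and groups the Run entries by shape rather than by name; the check names and the sample selection are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: result lines copied from the two HijackThis logs in this
# thread (entries the helper ticked, plus entries from the follow-up log).
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Idea2 SidebarBrowserMonitor Class - {45AD732C-2CE2-4666-B366-B2214AD57A49} - C:\Program Files\Desktop Sidebar\sbhelp.dll (file missing)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [fommdnt] c:\windows\system32\ngtdzx.exe r
O4 - HKLM\..\Run: [djckvln] c:\windows\system32\mvvywmw.exe r
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
"""

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
RUN_RE = re.compile(r"^(HK[A-Z]+)\\\.\.\\(\w+): \[(.+?)\] (.+)$")
CMD_RE = re.compile(r'^"?(.+?\.exe)"?\s*(.*)$', re.IGNORECASE)


def parse_entries(text):
    """Return (section_code, body) for every HijackThis result line."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def split_run_entry(body):
    """Split an O4 body into (hive, value_name, exe_path, args), or None."""
    m = RUN_RE.match(body)
    if not m:
        return None
    cmd = CMD_RE.match(m.group(4))
    if not cmd:
        return None
    return m.group(1), m.group(3), cmd.group(1), cmd.group(2).strip()


def reasons(code, body):
    """Apply the three illustrative checks; the labels are hypothetical names."""
    found = []
    # Registry entry still present although the file it points at is gone.
    if body.lower().endswith(("(file missing)", "(no file)")):
        found.append("orphaned")
    # Shell= should name Explorer.exe only; anything after it also runs at logon.
    if code == "F2" and re.search(r"shell=explorer\.exe\s+\S", body, re.IGNORECASE):
        found.append("shell-extra")
    # Run value pointing into system32 with a bare one-letter argument.
    if code == "O4":
        run = split_run_entry(body)
        if run and "\\system32\\" in run[2].lower() and re.fullmatch(r"[A-Za-z]", run[3]):
            found.append("run-one-letter-arg")
    return found


def triage(text):
    """Return (code, body, reasons) for each entry that trips a check."""
    return [(code, body, why) for code, body in parse_entries(text)
            if (why := reasons(code, body))]


def group_by_shape(text):
    """Group flagged Run entries by (hive, directory, args), ignoring names."""
    groups = defaultdict(list)
    for code, body, why in triage(text):
        if "run-one-letter-arg" in why:
            hive, name, path, args = split_run_entry(body)
            directory = path.lower().rsplit("\\", 1)[0]
            groups[(hive, directory, args)].append(name)
    return dict(groups)


if __name__ == "__main__":
    for code, body, why in triage(SAMPLE_LOG):
        print(f"{code:4} {', '.join(why):20} {body}")
    for shape, names in group_by_shape(SAMPLE_LOG).items():
        print("same shape, different names:", shape, names)
```

Grouping by shape matters here because the Run value fixed in the first pass comes back in the follow-up log under a new value name and file name, so a name-based match alone would miss it.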
-
OK, here are the logs you requested
<HJT>
Logfile of HijackThis v1.99.1
Scan saved at 2:19:45 PM, on 7/19/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HJT\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [Dimension] C:\Program Files\Dimension\Dimension.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [djckvln] c:\windows\system32\mvvywmw.exe r
O4 - HKCU\..\Run: [uoltray] C:\Program Files\NetZero\exec.exe regrun
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
<EWIDO>
ewido security suite - Scan report
---------------------------------------------------------
+ Created on: 1:43:27 PM, 7/19/2005
+ Report-Checksum: 9FA4DF0D
+ Scan result:
No infected objects found.
::Report End
<Panda>
Incident Status Location
Spyware:spyware/whazit No disinfected C:\WINDOWS\SYSTEM32\kyf.dat
Adware:adware/sidesearch No disinfected C:\DOCUMENTS AND SETTINGS\JOE\APPLICATION DATA\Lycos
Adware:adware/beginto No disinfected C:\WINDOWS\SYSTEM32\cache32_rtneg2
Adware:adware/ncase No disinfected C:\WINDOWS\SYSTEM32\FLEOK
Adware:adware/sahagent No disinfected C:\WINDOWS\SYSTEM32\SahImages
Adware:adware/ieplugin No disinfected HKEY_CLASSES_ROOT\IMITOOLBAR.BOTTOMFRAME.1
Adware:adware/wupd No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\WIN SERVER UPDT
Spyware:spyware/shopnav No disinfected HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
Adware:Adware/PurityScan No disinfected C:\HJT\hijackthis\backups\backup-20050717-234424-935.dll
Adware:Adware/PurityScan No disinfected C:\WINDOWS\SYSTEM32\l?ass.exe
there you have it :D
-
Can you do the following please
Open Notepad (START>>>RUN>>>type in notepad)
Hit OK
Copy the contents of the CODE box to notepad, not including the word "code"
In Notepad click FILE>>SAVE AS
IMPORTANT>>>Change the Save as Type to All Files.
Name the file as fix.reg
Save this file on the desktop
REGEDIT4
[-HKEY_CLASSES_ROOT\IMITOOLBAR.BOTTOMFRAME.1]
Double click on fix.reg and allow to add or Merge to the registry
Do another scan with Hijackthis and put a check next to these entries:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [djckvln] c:\windows\system32\mvvywmw.exe r
After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
Restart your computer into SAFE MODE
In safe mode
Set Windows To Show Hidden Files and Folders
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Uncheck the Hide Extensions for known file types
* Click Yes to confirm.
* Click OK.
Find and delete these files or folders if found
Manually look for them, don't do a Search for them
C:\WINDOWS\SYSTEM32\kyf.dat <-file
C:\DOCUMENTS AND SETTINGS\JOE\APPLICATION DATA\Lycos <-folder
C:\WINDOWS\SYSTEM32\cache32_rtneg2 <-folder
C:\WINDOWS\SYSTEM32\FLEOK <-folder
C:\WINDOWS\SYSTEM32\SahImages <-folder
Restart back to Normal mode
You are not running any Anti-Virus software on your computer
If you don't have your own to install, please download the free version of AVG 7
from this link
http://free.grisoft.com/doc/2/lng/us/tpl/v5
Scroll down to the following
"AVG Free Edition installation files
File Version
avg70free_323a539.exe" <-click this link or similar
Save the installer to desktop
Double click to Install
After installation ensure it's right up to date
Restart back to Safe mode
Run a full system scan with avg7
Afterwards, back in Normal mode
Run another scan with Hijackthis and post a fresh log
Could you also
Open Notepad (START>>>RUN>>>type in notepad)
Hit OK
Copy the contents of the CODE box to notepad, not including the word "code"
In Notepad click FILE>>SAVE AS
Name the file as export.bat
Save this file on the desktop
dir C:\WINDOWS\SYSTEM32\l?ass.exe /a h > files.txt
notepad files.txt
Double click on export.bat
A text file should open, can you copy and paste those findings back here please
NOTE: After you post all the above, can you refrain from restarting your computer again until I have a chance to see the updated hijackthis log and give you further instructions
-
Here's the new HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 4:38:02 PM, on 7/23/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\HJT\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [Dimension] C:\Program Files\Dimension\Dimension.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [uoltray] C:\Program Files\NetZero\exec.exe regrun
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
For some reason, a message pops up saying that export.bat cannot be found when I double-click on it, even though it's right there on the desktop.
-
I've uploaded Export2.zip
Can you download it and UNZIP it to your desktop
Double click on Export2.bat and copy and paste back the contents of the text file that opens
-
It won't let me open it. I extracted the file to my desktop and when I double-click it, it says Windows cannot find yadda yadda yadda and make sure you typed in the name correctly and all that good stuff, so I don't know :P
-
I just want to check on something
Download and save WinPFind.zip (http://www.bleepingcomputer.com/files/oldtimer/WinPFind.zip)
UNZIP the contents to your desktop
Don't run it yet
RESTART your Computer in SAFE MODE (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001060608000039?OpenDocument&ExpandSection=4#_Section4)
You can do this by tapping the F8 key as the system is restarting, just before Windows loads, or use the link I supplied for a more detailed explanation
In safe mode
Open the WinPFind folder you extracted to desktop
Double click on WinPFind.exe
This could take some time as it will scan your drive
Once the Scan is Complete
1. Reboot back to Normal mode
2. Go to the WinPFind folder
3. Locate WinPFind.txt in the WinPfind folder
Post the results of the WinPFind.txt
-
WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.
If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.
»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»
Checking %SystemDrive% folder...
Checking %ProgramFilesDir% folder...
Checking %WinDir% folder...
abetterinternet.com 1/7/2005 10:53:50 PM 3278 C:\WINDOWS\abiuninst.htm
UPX! 1/15/2003 11:57:24 PM 80384 C:\WINDOWS\cqdkobgcn.exe
buddy.exe 1/15/2003 11:57:24 PM 80384 C:\WINDOWS\cqdkobgcn.exe
UPX! 9/12/2000 11:30:18 AM 104960 C:\WINDOWS\GizmoZone Screensaver.scr
Checking %System% folder...
PEC2 8/18/2001 7:00:00 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
Umonitor 8/29/2002 5:41:10 AM 631808 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 8/18/2001 7:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu
Checking %System%\Drivers folder and sub-folders...
UPX! 7/23/2005 3:49:52 PM 668704 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
FSG! 7/23/2005 3:49:52 PM 668704 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
aspack 7/23/2005 3:49:52 PM 668704 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
Checking the Windows folder for system and hidden files within the last 60 days...
7/14/2005 9:40:12 PM 0 C:\WINDOWS\INF\oem57.inf
7/10/2005 2:23:48 PM 0 C:\WINDOWS\LastGood(2)\INF\oem59.inf
7/10/2005 2:23:48 PM 0 C:\WINDOWS\LastGood(2)\INF\oem59.PNF
7/27/2005 3:42:22 PM 8192 C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG
7/27/2005 3:42:42 PM 1024 C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG
7/27/2005 3:42:30 PM 16384 C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG
7/27/2005 3:43:46 PM 77824 C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG
7/27/2005 3:42:34 PM 782336 C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG
7/20/2005 1:06:06 PM 67 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\FG8RJTLM\desktop.ini
7/20/2005 1:06:06 PM 67 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\GH9AKLVE\desktop.ini
7/20/2005 1:06:06 PM 67 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\KX2R0T6R\desktop.ini
7/20/2005 1:06:06 PM 67 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\UA23DKIJ\desktop.ini
7/13/2005 1:32:48 PM 388 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\User\432347d6-fcf8-4714-b1b6-c16516ca1f42
7/13/2005 1:32:48 PM 24 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\User\Preferred
7/13/2005 1:39:30 PM 13698 C:\WINDOWS\SYSTEM32\Restore\filelist.xml
7/27/2005 3:41:50 PM 6 C:\WINDOWS\Tasks\SA.DAT
»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»
Checking files in %ALLUSERSPROFILE%\Startup folder...
Checking files in %ALLUSERSPROFILE%\Application Data folder...
1/18/2004 7:24:08 PM 188 C:\Documents and Settings\All Users\Application Data\hpzinstall.log
Checking files in %USERPROFILE%\Startup folder...
Checking files in %USERPROFILE%\Application Data folder...
1/26/2004 5:30:04 PM 12358 C:\Documents and Settings\Joe\Application Data\PFP110JCM.{PB
1/26/2004 5:30:04 PM 61678 C:\Documents and Settings\Joe\Application Data\PFP110JPR.{PB
»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\IMMenuShellExt
{F8984111-38B6-11D5-8725-0050DA2761C4} = C:\Program Files\IncrediMail\bin\IMShExt.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Yahoo! Mail
{5464D816-CF16-4784-B9F3-75C0DB52B499} = C:\WINDOWS\Downloaded Program Files\ymmapi.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
IgfxTray C:\WINDOWS\System32\igfxtray.exe
HotKeysCmds C:\WINDOWS\System32\hkcmd.exe
BCMSMMSG BCMSMMSG.exe
TkBellExe "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
DwlClient C:\Program Files\Common Files\Dell\EUSW\Support.exe
Dimension C:\Program Files\Dimension\Dimension.exe
AVG7_CC C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
AVG7_EMC C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
uoltray C:\Program Files\NetZero\exec.exe regrun
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\{BDEADF00-C265-11D0-BCED-00A0C90AB50F}
= C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF}
=
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\{0DF44EAA-FF21-4412-828E-260A8728E7F1}
=
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = explorer.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui
= igfxsrvc.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\PostBootReminder
{7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\CDBurn
{fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\WebCheck
{E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysTray
{35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\UPnPMonitor
{e57ce738-33e8-4c51-8354-bb4de9d215d1} = C:\WINDOWS\System32\upnpui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs
»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.2.4 - Log file written to "WinPFind.Txt" in the WinPFind folder.
-
Sorry about the delay in responding
Can you do me a favor please
Run a new scan with Hijackthis and post the log
I just want to make sure it's still clean, then we'll do some final cleanup measures
-
Logfile of HijackThis v1.99.1
Scan saved at 10:01:45 PM, on 8/5/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\WinMX\WinMX.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HJT\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_0_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_0_0.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [Dimension] C:\Program Files\Dimension\Dimension.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKCU\..\Run: [uoltray] C:\Program Files\NetZero\exec.exe regrun
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
-
I'm glad to see your log still looks good
Are you still using NetZero?
Can you do the following for one final check
Can you manually navigate to your C:\Windows\System32 folder
Open it and look for this file name
l?ass.exe
Careful, there is a legit lsass.exe in the System32 folder I don't want you to delete
If you find the one with the question mark, can you delete it please
You may have to do this in safe mode
This bad file may even disguise as the legit lsass.exe
Can you let me know how many lsass.exe files you have, they will have different icons however
If the file isn't found
Carry on with these instructions for final cleanup
If everything is running better, please do the following
You should disable system restore---restart your computer--enable system restore
This will clear all your restore points and ensure you don't restore any nasties
How to Disable and Re-enable System Restore feature (http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm)
Once back in Windows and System Restore is reenabled
You should set up protection against future attacks
SpywareBlaster 3.4 by JavaCool (http://www.javacoolsoftware.com/spywareblaster.html)
*Will block bad ActiveX Controls
*Block Malevolent cookies in Internet Explorer and Firefox
*Restrict actions of potentially dangerous sites in Internet Explorer
After installation, Check for updates and then click the "Enable all protection"
IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL==Link to Tutorial (http://www.bleepingcomputer.com/forums/index.php?showtutorial=53)
Download link (https://netfiles.uiuc.edu/ehowes/www/resource.htm#IESPYAD)
With both, Check for updates every couple of weeks
Keep the link to IE-Spyad bookmarked so you can check for updates
SpywareBlaster, after every update just simply click the "enable all protection"
Now would be a good time to update to Service Pack 2
Please see these links
http://www.microsoft.com/windowsxp/sp2/topten.mspx
http://www.microsoft.com/windowsxp/sp2/default.mspx
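The final check described above (a second "lsass.exe" that is not the real one) can be run against a saved HijackThis log. This is an added example, not part of the original post or of any tool named in the thread. The `EXPECTED_DIRS` baseline, the reading of `?` as a character the scanner could not render, and the sample log (constructed from process lines seen in this thread) are assumptions.

```python
import ntpath
import re

# Assumed baseline (not from the thread): the stock Windows XP location of each
# core process name that shows up in the HijackThis logs above.
EXPECTED_DIRS = {
    "smss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "spoolsv.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

# HijackThis entry lines look like "R1 - ..." or "O4 - ..."; the first one
# marks the end of the "Running processes:" section.
ENTRY_LINE = re.compile(r"^[A-Z]\d{1,2} - ")


def parse_running_processes(log_text):
    """Return the paths listed under 'Running processes:' in a HijackThis log."""
    paths, in_section = [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.lower() == "running processes:":
            in_section = True
        elif in_section and ENTRY_LINE.match(line):
            break
        elif in_section and line:
            paths.append(line)
    return paths


def _is_wildcard(ch):
    # '?' is what many tools print for a character they cannot render;
    # a non-ASCII character in a system-looking name is treated the same way.
    return ch == "?" or not ch.isascii()


def classify(path):
    """Return 'ok', 'unlisted', 'wrong directory for X' or 'look-alike of X'."""
    directory, name = ntpath.split(path)
    directory = directory.rstrip("\\").lower()
    name = name.lower()
    if name in EXPECTED_DIRS:
        if directory == EXPECTED_DIRS[name]:
            return "ok"
        return "wrong directory for " + name
    if any(_is_wildcard(ch) for ch in name):
        # Each unrenderable character may stand for exactly one real character.
        pattern = "".join("." if _is_wildcard(ch) else re.escape(ch) for ch in name)
        for known in EXPECTED_DIRS:
            if re.fullmatch(pattern, known):
                return "look-alike of " + known
    return "unlisted"


def find_masquerades(log_text):
    """List (path, verdict) for every running process that imitates a core name."""
    findings = []
    for path in parse_running_processes(log_text):
        verdict = classify(path)
        if verdict not in ("ok", "unlisted"):
            findings.append((path, verdict))
    return findings


# Constructed sample: process lines taken from different logs in this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SYSTEM32\l?ass.exe
C:\Windows\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
O4 - HKCU\..\Run: [svchost] C:\Windows\svchost.exe
"""

if __name__ == "__main__":
    for path, verdict in find_masquerades(SAMPLE_LOG):
        print(f"{verdict:35} {path}")
```

A finding only means the file deserves a manual look; names that are not in the baseline are reported as "unlisted" rather than judged.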
-
OK, 1 problem: I was recently trying to download hacks and stuff for my game and I got blasted with porn pop-ups, and that virus thing you gave me kept saying virus detected, so I don't know, and I can't find that folder :huh:
Sorry it's been so long since I last replied, been gone a lot
-
Well, I hope you did the last steps I posted
With the delays in responses we had together, you or myself may have missed something
I know I missed a couple files from your WPFind log
Let's start out fresh
Please start by posting a fresh Hijackthis log
Afterwards
Could you also do the following
Open Hijackthis>>Open Misc tools section>>Open Uninstall manager
Click the SAVE LIST button
Save the list to desktop and copy and paste the contents back here
-
OK, I'm doing those steps at the moment, but there's another problem: my sound doesn't work and I'm really getting ticked off. Everything is plugged in and the volume is up on everything. I just don't know what to do, maybe you will
-
OK, here it is. It looks kind of big, so I'm going to start checking this log every day
Logfile of HijackThis v1.99.1
Scan saved at 1:19:44 AM, on 8/30/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\QuickTime\qttask.exe
C:\Windows\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\HJT\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://wivoqshxxhdbkvleg.com/7ZU3lRuNQSq5_t05ebBm3d0iLpTrVy/QO_a_PVxrKUaeRhGCjMZafX3f9pgOA/ZT.html
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_0_0.dll
O2 - BHO: System Process - {C2EEB4FA-B6D6-41b9-9CFA-ABA87F862BCB} - C:\WINDOWS\System32\navshext.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_0_0.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [Dimension] C:\Program Files\Dimension\Dimension.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - HKCU\..\Run: [svchost] C:\Windows\svchost.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {10093E98-C073-4C75-8D0E-FB5CD3A71D33} (ZoneUpwords Object) - http://messenger.zone.msn.com/binary/Upwords.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
And here's the misc tools:
Ad-Aware SE Personal
AOL Instant Messenger
AVG Free Edition
BCM V.92 56K Modem
Block Checker 1.0
Broadcom Advanced Control Suite
CleanUp!
DAO
Dell ResourceCD
Diablo II
ewido security suite
HijackThis 1.99.1
hp deskjet 825c series (Remove only)
Intel® Extreme Graphics Driver
Macromedia Shockwave Player
Microsoft .NET Framework (English)
Microsoft .NET Framework (English) v1.0.3705
Microsoft Data Access Components KB870669
Modem Helper
MSN Messenger 7.0
OIN
QuickTime
RealOne Player
RichEditor
Shockwave
Spybot - Search & Destroy 1.4
Sysnet
System Process
The ABI Network- A Division of Direct Revenue
Update for Windows XP (KB898461)
Viewpoint Media Player
Windows Installer 3.1 (KB893803)
Windows VisFx Components
Windows XP Hotfix - KB842773
Windows XP Service Pack 1a
WinMX
Yahoo! Companion
Yahoo! Internet Mail
If there's anything useless in the tools thinger, lemme know; I'll get rid of them.
-
Nvm, I fixed my sound.
-
Sorry Nyfe, I missed your post.
Can I see a fresh HijackThis log? You did have malware in your last log.
Why didn't you install SpywareBlaster and IE-Spyad?
No Windows updates either.
Can you also:
Open Notepad (START>>>RUN>>>type in notepad)
Hit OK
Copy the contents of the CODE box to notepad, not including the word "code"
In Notepad click FILE>>SAVE AS
Change the Save as Type to All Files.
Name the file as findjobs.bat
Save this file on the desktop
Code:
dir %Windir%\tasks /a h > files.txt
notepad files.txt
Double click on findjobs.bat
A text file will open, can you copy and paste the contents back here please